{ "id": "15ca90f6-270d-434f-a130-e2853f951ebd", "created_at": "2026-04-06T00:07:03.780011Z", "updated_at": "2026-04-10T03:28:47.441961Z", "deleted_at": null, "sha1_hash": "50ce65e8f8d4aedb8aed35dccbcfa0544040b264", "title": "Rampant Kitten - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 53962, "plain_text": "Rampant Kitten - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 15:50:16 UTC\nHome \u003e List all groups \u003e Rampant Kitten\n APT group: Rampant Kitten\nNames Rampant Kitten (Check Point)\nCountry Iran\nMotivation Information theft and espionage\nFirst seen 2014\nDescription\n(Check Point) Check Point Research unraveled an ongoing surveillance operation by Iranian\nentities that has been targeting Iranian expats and dissidents for years. While some individual\nsightings of this attack were previously reported by other researchers and journalists, our\ninvestigation allowed us to connect the different campaigns and attribute them to the same\nattackers.\nAmong the different attack vectors we found were:\n• Four variants of Windows infostealers intended to steal the victim’s personal documents as\nwell as access to their Telegram Desktop and KeePass account information\n• Android backdoor that extracts two-factor authentication codes from SMS messages, records\nthe phone’s voice surroundings and more\n• Telegram phishing pages, distributed using fake Telegram service accounts\nThe above tools and methods appear to be mainly used against Iranian minorities, anti-regime\norganizations and resistance movements such as:\n• Association of Families of Camp Ashraf and Liberty Residents (AFALR)\n• Azerbaijan National Resistance Organization\n• Balochistan people\nObserved Countries: Iranian minorities, anti-regime organizations and resistance movements.\nTools used\nInformation Last change to this card: 19 October 2020\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=71cc4f7d-4b04-4b1b-8947-a03dc464739d\nPage 1 of 2\n\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=71cc4f7d-4b04-4b1b-8947-a03dc464739d\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=71cc4f7d-4b04-4b1b-8947-a03dc464739d\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=71cc4f7d-4b04-4b1b-8947-a03dc464739d" ], "report_names": [ "showcard.cgi?u=71cc4f7d-4b04-4b1b-8947-a03dc464739d" ], "threat_actors": [ { "id": "e580dec5-1558-4c79-8eda-c968d1cd206f", "created_at": "2022-10-25T16:07:24.090829Z", "updated_at": "2026-04-10T02:00:04.863398Z", "deleted_at": null, "main_name": "Rampant Kitten", "aliases": [], "source_name": "ETDA:Rampant Kitten", "tools": [], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434023, "ts_updated_at": 1775791727, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/50ce65e8f8d4aedb8aed35dccbcfa0544040b264.pdf", "text": "https://archive.orkl.eu/50ce65e8f8d4aedb8aed35dccbcfa0544040b264.txt", "img": "https://archive.orkl.eu/50ce65e8f8d4aedb8aed35dccbcfa0544040b264.jpg" } }