{
	"id": "b5614a38-67ad-48a9-a9e2-fe2ff42bd170",
	"created_at": "2026-04-06T00:12:22.427399Z",
	"updated_at": "2026-04-10T03:37:36.756064Z",
	"deleted_at": null,
	"sha1_hash": "751e0e8aff2f2f4c869e8c1f03b896e9b84400cf",
	"title": "Clever Kitten | Threat Actor Profile | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73248,
	"plain_text": "Clever Kitten | Threat Actor Profile | CrowdStrike\r\nBy AdamM\r\nArchived: 2026-04-05 12:52:32 UTC\r\nOver the last several weeks, CrowdStrike has been discussing some of the dozens of adversaries that the\r\nCrowdStrike Intelligence team tracks every day. We revealed a Chinese-based adversary we crypt as Anchor\r\nPanda, a group with very specific tactics, techniques, and procedures (TTPs) and a keen interest in maritime\r\noperations and naval and aerospace technology. Last week we discussed Numbered Panda, a group that is also\r\nbased out of China and is fairly well known to the security community, though by many names. The goal in\r\ndiscussing that group was to illuminate the issues with the varied naming systems for characterizing attackers.\r\nThis week we want to make sure that we draw attention to the fact that there are adversaries active in computer\r\nnetwork exploitation besides those with a nexus to China.\r\nTargeted attackers who are not fulfilling a protracted collection requirement often go unnoticed by the\r\nlarger security community. These adversaries conduct more discreet or less-visible operations; this makes their\r\npresence and activities more difficult to catch. The adversary we are focusing on this week fits into this category,\r\nand in fact has very little to do with the objectives of the People’s Republic of China. This week we are going to\r\ndiscuss Clever Kitten, whom, by virtue of several indicators, we have affiliated with the Islamic Republic of\r\nIran. Clever Kitten primarily targets global companies with strategic importance to countries that are contrary to\r\nIranian interests.\r\nClever Kitten actors have a strong affinity for PHP server-side attacks to make access; this is relatively unique\r\namongst targeted attackers who often favor targeting a specific individual at a specific organization using social\r\nengineering. Some attackers have moved to leveraging strategic web compromises. 
The reason for this is likely\r\nthe availability of exploits against web browsers, which for a variety of reasons allows an attacker to bypass\r\nsecurity features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR).\r\nThe technical details of these protections and subsequent bypasses are not the subject of this post, and there are\r\nmany great blogs and white papers available on that subject. This is not to say other adversaries do not target web\r\nservers, but that this adversary seems to favor targeting web servers.\r\nClever Kitten's Methods\r\nRECONNAISSANCE\r\nA Clever Kitten attack starts with the use of a web vulnerability scanner to conduct reconnaissance. The scanner\r\nthey favor was identified by artifacts left in web logs on victimized servers. The scanner was identified as the\r\nAcunetix Web Vulnerability Scanner, which is a commercial penetration testing tool that is readily available as a\r\n14-day trial. Clever Kitten unabashedly audits publicly facing websites looking for an exploitable page.\r\nINSTALLATION\r\nhttp://www.crowdstrike.com/blog/whois-clever-kitten/\r\nPage 1 of 3\n\nOnce an exploitable page is identified, the actor will attempt to upload a PHP backdoor to gain remote access to\r\nthe system. The PHP backdoor observed in these attacks is RC SHELL v2.0.2011.1009, which is publicly\r\navailable. This adversary encrypts the backdoor and wraps it with an AES-256-bit function containing a password\r\nthat decrypts the file when the script is executed.\r\nACTIONS AND OBJECTIVES\r\nIn commodity-based attacks, the intent after the machine is compromised generally revolves around stealing data\r\nfrom a database, uploading an exploit kit to deliver drive-by attacks, or simple defacement. In Clever Kitten's\r\nattacks, the goal is lateral movement; this is an attempt to move further into the target environment in order to\r\nbegin intelligence collection. 
This activity is a longer tail for the actor than a spearphish; this is likely based on the\r\nClever Kitten background, which may be focused on web development/application testing.\r\nIn order to move laterally, Clever Kitten may leverage additional vulnerability scanners or reconnaissance tools,\r\nbut almost always will use a packet-sniffing utility in an attempt to capture a login credential or network-based\r\ntraffic that can be used to move deeper into the victim organization. Clever Kitten’s goal is to eventually be able to\r\nmasquerade as a legitimate user by compromising credentials either through a pass-the-hash attack, or by dumping\r\npassword hashes from a compromised host. Once these credentials are compromised, Clever Kitten will\r\nauthenticate as a legitimate user and slip into the noise of regular user authentications.\r\nUnfortunately, as we are still very much investigating Clever Kitten and their TTPs, the Intelligence Gain/Loss\r\nequation dictates that we not share too many indicators of these attacks at this time. We decided to highlight\r\nClever Kitten for two reasons. The first is that this adversary is not attributed to PRC, which we believe is\r\nimportant to occasionally highlight, as it is not the only computer espionage actor.\r\nWithout going too deep into the rabbit hole, there are several indicators pointing to an Iranian nexus, including\r\nlanguage artifacts in the tool-marks used by the attacker, as well as network activity tying this actor to a very\r\nspecific location that we have high confidence in not being spoofed. 
The second reason for highlighting Clever\r\nKitten is that this is a rare situation where we have the ability to provide an indicator around the reconnaissance\r\nphase of the adversaries’ activity.\r\nReconnaissance is frequently the hardest activity to identify and alert on, because targeted\r\nattackers may spend weeks or months reconnoitering a target, and by the time the attack is detected and responded\r\nto, that data is not available for correlation, or it is so innocuous that it is impossible to tease out of logs.\r\nThe first Snort IDS rule provided below will detect Acunetix web scans, which, while in and of themselves are\r\nNOT indicative of Clever Kitten activity, may help organizations identify web scans that may relate to a more\r\nserious problem. The second rule addresses the RC SHELL response that is sent from the victim in nearly every\r\nresponse to the attacker. The CrowdStrike Intelligence team received some great community feedback from the\r\nprevious rule releases and will continue to use this feedback to deliver quality rules that can enable actionable\r\nintelligence.\r\nalert tcp $EXTERNAL_NET any -\u003e $HTTP_SERVERS any (msg:\" - Acunetix scan\"; flow: established, from_client; content:\"GET /acunetix-wvs-test-for-some-inexistent-file\"; depth: 47; sid: XXX; rev: 1;)\r\nalert tcp $HTTP_SERVERS any -\u003e $EXTERNAL_NET any (msg: \" - RC Webshell Victim Enumeration Table Header\"; content: \"SYS\u003c/td\u003e|0a|\u003ctd align=\"center\" class=\"topt\"\u003e|0a|KERNEL\u003c/td\u003e|0a|\u003ctd align=\"center\" class=\"topt\"\u003e|0a|USER\u003c/td\u003e|0a|\u003ctd align=\"center\" class=\"topt\"\u003e|0a|DISK TOTAL/FREE\u003c/td\u003e\"; flow: established, from_server; sid: xxx; rev: 1;)\r\nOther Iranian-based Adversaries\r\nHelix Kitten\r\nCurious about other nation-state adversaries? 
Visit our threat actor center to learn about the new adversaries\r\nthat the CrowdStrike team discovers.\r\nBe sure to follow @CrowdStrike on Twitter as we continue to provide more intelligence and adversaries over the\r\ncoming weeks. If you have any questions about these signatures or want to hear more about Clever Kitten and\r\ntheir tradecraft, please contact: intelligence@crowdstrike.com and inquire about our intelligence-as-a-service\r\nsolutions.\r\nSource: http://www.crowdstrike.com/blog/whois-clever-kitten/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"http://www.crowdstrike.com/blog/whois-clever-kitten/"
	],
	"report_names": [
		"whois-clever-kitten"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "60c270f9-5aa8-41d5-850c-6003135c5815",
			"created_at": "2023-01-06T13:46:38.687298Z",
			"updated_at": "2026-04-10T02:00:03.068415Z",
			"deleted_at": null,
			"main_name": "Clever Kitten",
			"aliases": [
				"Group 41"
			],
			"source_name": "MISPGALAXY:Clever Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "25bd25be-762c-404c-be9e-b11f074b34dd",
			"created_at": "2022-10-25T16:07:23.470771Z",
			"updated_at": "2026-04-10T02:00:04.621239Z",
			"deleted_at": null,
			"main_name": "Clever Kitten",
			"aliases": [
				"Group 41"
			],
			"source_name": "ETDA:Clever Kitten",
			"tools": [
				"Acunetix Web Vulnerability Scanner",
				"RC SHELL"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c5f79f58-db78-4cd7-88cf-c029a2199360",
			"created_at": "2022-10-25T16:07:23.325227Z",
			"updated_at": "2026-04-10T02:00:04.542909Z",
			"deleted_at": null,
			"main_name": "APT 12",
			"aliases": [
				"APT 12",
				"BeeBus",
				"Bronze Globe",
				"CTG-8223",
				"Calc Team",
				"Crimson Iron",
				"DNSCalc",
				"DynCALC",
				"G0005",
				"Group 22",
				"Hexagon Typhoon",
				"Numbered Panda"
			],
			"source_name": "ETDA:APT 12",
			"tools": [
				"AUMLIB",
				"ETUMBOT",
				"Exploz",
				"Graftor",
				"HIGHTIDE",
				"IHEATE",
				"IXESHE",
				"RIPTIDE",
				"RapidStealer",
				"Specfix",
				"THREEBYTE",
				"bbsinfo",
				"mswab",
				"yayih"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c6604303-a1c8-4e59-ba12-5da5c0bc6877",
			"created_at": "2023-01-06T13:46:38.312359Z",
			"updated_at": "2026-04-10T02:00:02.923025Z",
			"deleted_at": null,
			"main_name": "APT14",
			"aliases": [
				"ANCHOR PANDA",
				"QAZTeam"
			],
			"source_name": "MISPGALAXY:APT14",
			"tools": [
				"Backdoor.Win32.PoisonIvy",
				"Gen:Trojan.Heur.PT",
				"Torn RAT",
				"Anchor Panda",
				"Gh0st Rat",
				"Gh0stRat, GhostRat",
				"Poison Ivy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d18fe42c-8407-4f96-aee0-a04e6dce219a",
			"created_at": "2023-01-06T13:46:38.275292Z",
			"updated_at": "2026-04-10T02:00:02.907303Z",
			"deleted_at": null,
			"main_name": "APT12",
			"aliases": [
				"Group 22",
				"Calc Team",
				"DNSCalc",
				"IXESHE",
				"Hexagon Typhoon",
				"BeeBus",
				"DynCalc",
				"Crimson Iron",
				"BRONZE GLOBE",
				"NUMBERED PANDA",
				"TG-2754"
			],
			"source_name": "MISPGALAXY:APT12",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "25a38dea-d23b-479b-9548-024e955b8964",
			"created_at": "2022-10-25T16:07:23.305911Z",
			"updated_at": "2026-04-10T02:00:04.533448Z",
			"deleted_at": null,
			"main_name": "Anchor Panda",
			"aliases": [
				"APT 14",
				"Anchor Panda",
				"QAZTeam"
			],
			"source_name": "ETDA:Anchor Panda",
			"tools": [
				"AngryRebel",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Torn RAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6a660ea2-1118-404a-9f8f-f0d6a1e9f184",
			"created_at": "2022-10-25T15:50:23.685924Z",
			"updated_at": "2026-04-10T02:00:05.364493Z",
			"deleted_at": null,
			"main_name": "APT12",
			"aliases": [
				"APT12",
				"IXESHE",
				"DynCalc",
				"Numbered Panda",
				"DNSCALC"
			],
			"source_name": "MITRE:APT12",
			"tools": [
				"Ixeshe",
				"RIPTIDE",
				"HTRAN"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "dc0eb4da-1f8c-4f2a-9530-62b0efbb1c35",
			"created_at": "2025-08-07T02:03:24.608888Z",
			"updated_at": "2026-04-10T02:00:03.749632Z",
			"deleted_at": null,
			"main_name": "BRONZE GLOBE",
			"aliases": [
				"APT12 ",
				"CTG-8223 ",
				"DyncCalc ",
				"Numbered Panda ",
				"PortCalc"
			],
			"source_name": "Secureworks:BRONZE GLOBE",
			"tools": [
				"Badpuck",
				"BeepService",
				"Etumbot",
				"Gh0st RAT",
				"Ixeshe",
				"Mswab",
				"RAdmin",
				"Seatran",
				"SvcInstaller",
				"Ziyang"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434342,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/751e0e8aff2f2f4c869e8c1f03b896e9b84400cf.pdf",
		"text": "https://archive.orkl.eu/751e0e8aff2f2f4c869e8c1f03b896e9b84400cf.txt",
		"img": "https://archive.orkl.eu/751e0e8aff2f2f4c869e8c1f03b896e9b84400cf.jpg"
	}
}