{
	"id": "33f44798-9894-481e-b8c1-3f851f10648b",
	"created_at": "2026-04-11T02:22:37.636276Z",
	"updated_at": "2026-04-11T02:24:15.617176Z",
	"deleted_at": null,
	"sha1_hash": "7625bf2bb6c398590bcd1c064f874f94bca56480",
	"title": "Rampant Kitten – An Iranian Espionage Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 287646,
	"plain_text": "Rampant Kitten – An Iranian Espionage Campaign\r\nBy lotemf\r\nPublished: 2020-09-18 · Archived: 2026-04-11 02:22:09 UTC\r\nIntroduction\r\nCheck Point Research unraveled an ongoing surveillance operation by Iranian entities that has been targeting\r\nIranian expats and dissidents for years. While some individual sightings of this attack were previously reported by\r\nother researchers and journalists, our investigation allowed us to connect the different campaigns and attribute\r\nthem to the same attackers.\r\nAmong the different attack vectors we found were:\r\nFour variants of Windows infostealers intended to steal the victim’s personal documents as well as access\r\nto their Telegram Desktop and KeePass account information\r\nAndroid backdoor that extracts two-factor authentication codes from SMS messages, records the phone’s\r\nvoice surroundings and more\r\nTelegram phishing pages, distributed using fake Telegram service accounts\r\nThe above tools and methods appear to be mainly used against Iranian minorities, anti-regime\r\norganizations and resistance movements such as:\r\nAssociation of Families of Camp Ashraf and Liberty Residents (AFALR)\r\nAzerbaijan National Resistance Organization\r\nBalochistan people\r\nTable of Contents\r\nInitial Infection\r\nInfection Chain\r\nPayload Analysis\r\nTelegram Structure Basics\r\nConfiguration\r\nC\u0026C Communication\r\nPersistence\r\nInfrastructure and Connections\r\nAndroid Backdoor\r\nTelegram Phishing\r\nPayload Delivery\r\nPossible Additional Delivery Vectors\r\nAttribution\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 1 of 59\n\nAttack Origin\r\nPolitical Targeting\r\nConclusion\r\nTechnical Appendix\r\nPC Backdoor Variants Analysis\r\nTelB Variant\r\nTelAndExt Variant\r\nPython Info-stealer Variant\r\nHookInjEx  Variant\r\nAndroid Backdoor Analysis\r\nIndicators of Compromise\r\nInitial Infection\r\nWe first encountered a document with the 
name شورشی_کانونهای_گسرتش_از_رژیم_وحشت.docx, which roughly\r\ntranslates to The Regime Fears the Spread of the Revolutionary Cannons.docx. The title of the document was\r\nin fact referring to the ongoing struggle between the Iranian regime and the Revolutionary Cannons, a Mujahedin-e Khalq movement.\r\nMujahedin-e Khalq, or The People’s Mujahedin of Iran, is an anti-regime organization whose aim is to free Iran\r\nfrom its current leadership. In 1986, Mujahedin-e Khalq (MEK) started building their new headquarters, which\r\nlater became known as Camp Ashraf, near the Iraqi town of Khalis. However, years of political tension in Iraq\r\neventually led to the transfer of the camp’s residents to a new, remote, and unlikely destination: Albania.\r\nThe above document leverages the external template technique, allowing it to load a document template from a\r\nremote server, which in this case was afalr-sharepoint[.]com.\r\nFigure 1: Remote template\r\nCurious about this website, we set out to discover more about it. 
At first, we found a handful of tweets from accounts\r\nopposing the Iranian regime mentioning a very similar SharePoint site, which the website in the document was\r\nlikely impersonating:\r\nFigure 2: Tweets mentioning similar website\r\nFigure 3: AFALR’s official website\r\nInfection Chain\r\nAfter the victim opens the document and the remote template is downloaded, the malicious macro code in the\r\ntemplate executes a batch script which tries to download and execute the next stage payload from afalr-sharepoint[.]com:\r\nFigure 4: Infection chain\r\nThe payload then checks if Telegram is installed on the infected machine, and if so it proceeds to extract three\r\nadditional executables from its resources:\r\nBOBC3953C59DA7870 – Loader, executed by RunDLL, injects the main payload into explorer.exe\r\nCO9D5A739B85C37C1 – Infostealer payload\r\nUpdater.exe – Modified Telegram updater\r\nPayload Analysis\r\nThe main features of the malware include:\r\nInformation Stealer\r\nUploads relevant Telegram files from the victim’s computer. These files allow the attackers to make full\r\nuse of the victim’s Telegram account\r\nSteals information from the KeePass application\r\nUploads any file it could find which ends with pre-defined extensions\r\nLogs clipboard data and takes desktop screenshots\r\nModule Downloader\r\nDownloads and installs several additional modules.\r\nUnique Persistence\r\nImplements a persistence mechanism based on Telegram’s internal update procedure\r\nTelegram structure basics\r\nFirst, let us review how Telegram Desktop organizes its files. 
The following is an ordinary Telegram file structure\r\nwhich can normally be found at %APPDATA%\\Roaming\\Telegram Desktop.\r\nFigure 5: Telegram Desktop directory structure\r\nAs explained above, several files are dropped to the Telegram working directory during the infection chain. The\r\ndropped files are in a directory named 03A4B68E98C17164s, which looks like a file at first glance because of a\r\ncustom Desktop.ini file, but it is actually a directory.\r\nFigure 6: Infected Telegram Desktop directory\r\nConfiguration\r\nOne of the payload’s resources contains encoded configuration data.\r\nThe encoding scheme uses the regular Base64 algorithm but with the following custom index table:\r\neBaEFGHOQRS789TUYZdCfPbDIJ+/KLMNwxyzquv0op123VWXghijmnkl45rst6Ac\r\nDecoding that resource gives us the following configuration:\r\nKey | Value\r\nAES encryption key | ssher54276@@5!!\r\nFile suffixes | .txt;.csv;.kdbx;.xls;.xlsx;.ppt;.pptx;\r\nSOAP username | 9BEF4B32-0D40-4A92-9E35-6094B8AA8B58\r\nSOAP password | D5F69342-A3CC-438F-B3B6-5E7BF6B6E327\r\nMain C\u0026C | hxxps://www.afalr-sharepoint[.]com/B6D9E741-DFE3-4470-9174-C95FB2B958AD/TelBService.asmx\r\nBackup C\u0026C | hxxps://www.afalr-onedrive[.]com/B6D9E741-DFE3-4470-9174-C95FB2B958AD/TelBService.asmx\r\nC\u0026C Communication\r\nThe malware uses SOAP for its communication purposes. SOAP is a simple XML-based data structure for web-service communication. 
The API of a SOAP web service is public and can be observed by accessing the website\r\nfrom a browser:\r\nFigure 7: SOAP API in C\u0026C website\r\nThe messages (commands) can be divided into the following categories:\r\nAuthentication:\r\nHelloWorld – Authentication message\r\nModule Downloader:\r\nDownloadFileSize – Checks whether a module should be downloaded\r\nDownloadFile – Downloads a module from the remote server\r\nData Exfiltration:\r\nUploadFileExist – Checks whether a specific victim file has been uploaded\r\nUploadFile – Uploads a specific victim file\r\nAuthentication\r\nThe first message for a valid communication tunnel should be HelloWorld, which implements a simple\r\nUsername/Password authentication. The credentials are hard-coded in the sample, and the SOAP response for that\r\nmessage contains a session ID which must be used for the remainder of the session.\r\nModule Downloader\r\nThe program tries to fetch updates for its current modules and also downloads several additional modules.\r\nSome of the additional modules that could not be fetched:\r\nD07C9D5A79B85C331.dll\r\nEO333A57C7C97CDF1\r\nEO3A7C3397CDF57C1\r\nData Exfiltration\r\nThe core functionality of the malware is to steal as much information as it can from the target device. The payload\r\ntargets two main applications: Telegram Desktop and KeePass, the famous password manager.\r\nOnce the relevant Telegram Desktop and KeePass files have been uploaded, the malware enumerates any relevant\r\nfile it can find on the victim’s computer which has one of the following extensions:\r\n.txt;.csv;.kdbx;.xls;.xlsx;.ppt;.pptx;\r\n
For each such file, the malware then uploads it after encoding the\r\nfile to base64.\r\nPersistence\r\nThe malware uses a unique persistence method which is tied to the Telegram update procedure.\r\nPeriodically, it copies the Telegram main executable into Telegram Desktop\\tupdates, which triggers an update\r\nprocedure for the Telegram application once it starts. The hidden trick of the malware’s persistence method is\r\nreplacing the default Telegram updater file, Telegram Desktop\\Updater.exe, with one of its dropped payloads\r\n(more specifically, CO79B3A985C5C7D30). The most notable changed feature of that updater is running the\r\npayload again:\r\nFigure 8: Telegram updater runs the main payload\r\nInfrastructure and Connections\r\nAfter analyzing the payload we were able to find multiple variants that date back to 2014, indicating that this\r\nattack has been in the making for years.\r\nMalware variants developed by the same attackers often have minor differences between them, especially if they\r\nare used around the same time frame. In this case however, we noticed that while some of the variants were used\r\nsimultaneously, they were written in different programming languages, utilized multiple communication protocols\r\nand were not always stealing the same kind of information.\r\nIn the table below, we list the variants we identified and highlight their unique characteristics. Please refer to the\r\nTechnical Appendix below for a deep dive into each variant.\r\nName | Artifacts | Dates | Malicious Activity | Properties\r\nTelB Variant | KeePassOnlineCreator.exe, BOBC3953C59DA7870, CO9D5A739B85C37C1, CO79B3A985C5C7D30, D07C9D5A79B85C331.dll, EO333A57C7C97CDF1, EO3A7C3397CDF57C1 | June 2020 – July 2020 | Telegram-focused infostealer | SOAP. Delphi 64bit payload. Persistence through Telegram updater.\r\nTelAndExt Variant | TelegramUpdater.exe, TelegramUpdater2.exe, TelegramUpdater3.exe, TelegramUpdater.dll, Updater.exe | May 2019 – February 2020 | Telegram-focused infostealer | FTP. Delphi 32bit payload. Persistence through Telegram updater.\r\nPython Info Stealer | keyboard-EN.exe, speaker-audio.exe, audio-driver.exe | February 2018 – January 2020 | Focused on Telegram, Chrome, Firefox, Edge, Paltalk NG data exfiltration via FTP | FTP. Python (Pyinstaller)\r\nHookInjEx Variant | DrvUpdt.exe / ehtmlh.exe, DrvUpdtd.dll / dhtmlh.dll, CapDev.exe / rregg.exe, uflScan.exe | December 2014 – May 2020 | Infostealer (Browsers, audio, keylogging and clipboard) | FTP. C++\r\nThe related samples also revealed more C\u0026C servers, and looking up their passive DNS information and\r\nadditional metadata led us to similar domains that were operated by the same attackers. As it turns out, some of\r\nthe domains appeared in malicious Android applications and phishing pages, exposing more layers of this\r\noperation:\r\nFigure 9: Maltego graph of the malicious infrastructure\r\nAndroid Backdoor\r\nDuring our investigation we also uncovered a malicious Android application tied to the same threat actors. 
The\r\napplication masquerades as a service to help Persian speakers in Sweden get their driver’s license.\r\nWe have located two different variants of the same application, one of which appears to be compiled for testing\r\npurposes, while the other is the release version, to be deployed on a target’s device.\r\nFigure 10: Android application’s main interface\r\nThis Android backdoor contains the following features:\r\nSteal existing SMS messages\r\nForward two-factor authentication SMS messages to a phone number provided by the attacker-controlled\r\nC\u0026C server\r\nRetrieve personal information like contacts and account details\r\nInitiate a voice recording of the phone’s surroundings\r\nPerform Google account phishing\r\nRetrieve device information such as installed applications and running processes\r\nFor a deep dive into this application, please refer to the Technical Appendix below.\r\nTelegram Phishing\r\nThe backdoors were not the only way in which the attackers tried to steal information about Telegram accounts.\r\nSome of the websites that were related to this malicious activity also hosted phishing pages impersonating\r\nTelegram:\r\nFigure 11: Telegram phishing page\r\nWhat was surprising is that several Iranian Telegram channels have actually sent out warnings against those\r\nphishing websites, and claimed that the Iranian regime is behind them.\r\nFigure 12: Translated message warning against phishing attempts\r\nAccording to the channels, the phishing messages were sent by a Telegram bot. 
The messages warned their\r\nrecipients that they were making improper use of Telegram’s services, and that their account would be blocked if\r\nthey did not follow the phishing link.\r\nFigure 13: Phishing message content\r\nAnother Telegram channel provided screenshots of the phishing attempt showing that the attackers set up an\r\naccount impersonating the official Telegram one. At first, the attackers sent a message about the features in a new\r\nTelegram update to appear legitimate. The phishing message was sent only five days later, and pointed to\r\nhttp://telegramreport[.]me/active (same domain as in figure 11 above).\r\nFigure 14: Phishing message sent from fake Telegram account\r\nPayload Delivery\r\nAlthough in some cases we were unable to determine how the malicious files reached the victims, we gathered\r\nsome potential clues about the ways the attackers distributed their malware. 
For example, accessing\r\nmailgoogle[.]info shows that it impersonates ozvdarozv[.]com and promotes software to increase the\r\nnumber of members in Telegram channels.\r\nFigure 15: mailgoogle[.]info download page\r\nBut after clicking on “Download”, a password-protected archive called Ozvdarozv-Windows.rar is downloaded,\r\ncontaining one of the malware variants.\r\nPossible Additional Delivery Vectors\r\nA removed blog entry from 2018 accused a cyber-security expert of plagiarism when he was interviewed by\r\nthe AlArabiya news channel to discuss Iranian cyber-attacks.\r\nWe believe this page was created as part of a targeted attack against this person or his associates.\r\nThe blog included a link to download a password-protected archive containing evidence of the plagiarism from\r\nendupload[.]com.\r\nendupload[.]com is connected to both the PC and the Android operations mentioned above via several passive\r\nDNS hops, including a direct connection via historic DNS server information to the domain mailgoogle[.]info\r\nwe described above. Not only did we not find any instance of it being used in a legitimate context, we also found\r\nevidence of the domain being registered by a Persian-speaking hacker (see the Attribution section below).\r\nFigure 16: Removed blog post with link to endupload[.]com\r\nA different blog entry from 2012 discusses a human rights violations report by HRANA, a news agency affiliated\r\nwith the Iranian Association of Human Rights Activists. 
Once again, this blog refers to a document that can be\r\ndownloaded from endupload[.]com:\r\nFigure 17: Blog post with link to endupload[.]com\r\nUnfortunately, we were unable to get our hands on the files both blog entries were referring to, and could not\r\nconfirm that they were indeed malicious. However, it appears that endupload[.]com has been controlled by the\r\nattackers for years, as some of the malicious samples related to this attack and dating back to 2014 communicated\r\nwith this website.\r\nAttribution\r\nAlthough we found many files and websites that were used over the years in this attack, they were not attributed to\r\na specific threat group or entity. Nevertheless, some of the fingerprints that the threat actors left in the malicious\r\nartifacts allowed us to gain a better understanding of where the attack might be coming from.\r\nAttack Origin\r\nTo begin with, the WHOIS information of some of the malicious websites revealed that they were supposedly\r\nregistered by Iranian individuals:\r\nFigure 18: WHOIS information of endupload[.]com and picfile[.]net\r\nThe WHOIS records for endupload[.]com also mentioned an e-mail address, nobody.gu3st@gmail[.]com.\r\nApparently, the website’s registrant was very active online, because looking up the username “nobody.gu3st” led\r\nus to many posts in Iranian hacking forums:\r\nFigure 19: Translated post by nobody.gu3st\r\nPolitical Targeting\r\nThe list of targets we observed reflects some of the internal struggles in Iran and the motives behind this attack.\r\nThe handpicked targets included supporters of Mujahedin-e Khalq and the Azerbaijan National Resistance\r\nOrganization, two prominent resistance movements that advocate the liberation of Iranian people and minorities\r\nwithin 
Iran.\r\nFigure 20: Mujahedin-e Khalq and Azerbaijan National Resistance Organization logos\r\nThe conflict of ideologies between those movements and the Iranian authorities makes them a natural target for\r\nsuch an attack, as they align with the political targeting of the regime.\r\nIn addition, the backdoor’s functionality and the emphasis on stealing sensitive documents and accessing KeePass\r\nand Telegram accounts show that the attackers were interested in collecting intelligence about those victims, and\r\nlearning more about their activities.\r\nConclusion\r\nFollowing the tracks of this attack revealed a large-scale operation that has largely managed to remain under the\r\nradar for at least six years. According to the evidence we gathered, the threat actors, who appear to be operating\r\nfrom Iran, take advantage of multiple attack vectors to spy on their victims, attacking victims’ personal computers\r\nand mobile devices.\r\nSince most of the targets we identified are Iranians, it appears that similarly to other attacks attributed to the\r\nIslamic Republic, this might be yet another case in which Iranian threat actors are collecting intelligence on\r\npotential opponents to the regime.\r\nSandBlast Mobile provides real-time threat intelligence and visibility into mobile threats, protecting from\r\nmalware, phishing, Man-in-the-Middle attacks, OS exploits, and more.\r\nCheck Point’s anti-phishing solutions include products that address all of the attack vectors from which phishing\r\nattacks come – email, mobile, endpoint and network.\r\nTechnical Appendix\r\nPC Backdoor Variants Analysis\r\nTelB Variant\r\n“TelB” is the latest variant we encountered, and its analysis is shown above. 
We named it as such because of the following\r\ndebug string: D:\\Aslan\\Delphi\\TelB\\BMainWork\\SynCryptoEN.pas.\r\nTelAndExt Variant\r\nThis variant is probably an older version of “TelB”, and has been active mostly during 2019 and 2020. It shares\r\nthe following properties and techniques with the newer version:\r\nDeveloped in Delphi\r\nShares a great amount of code with the “TelB” variant\r\nFocuses on the Telegram Desktop application\r\nSimilar persistence and update methods\r\nUses FTP instead of SOAP for data exfiltration\r\nWe named this variant “TelAndExt” because of the following debug string:\r\nD:\\Aslan\\Delphi\\TelAndExt\\TelegramUpdater\\SynCryptoEN.pas\r\nPython Info-stealer Variant Analysis\r\nWe discovered several samples which use the following methods:\r\nTwo-layer SFX (self-extracting archive) which extracts several .bat/.vbs/.nfs/.conf files.\r\nPersistence by copying the executable (ends with .nfs) to\r\n%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\audio-driver.exe\r\nThe executable name is speaker-audio.exe or keyboard-EN.exe, depending on the sample.\r\nThe executable was created with Pyinstaller.\r\nDownloads a second-stage payload under the name net-update.exe\r\nBefore being uploaded, the data is encrypted using the pyAesCrypt library with a hard-coded password.\r\nInfo stealing\r\nAccording to our analysis, the script communicates with an FTP server using hard-coded credentials, and steals\r\nthe following data:\r\nTelegram Desktop application related files.\r\nPaltalk NG application related files.\r\nChrome, Firefox and Edge related data.\r\nAny file which ends with extensions listed in a given configuration. 
If no configuration is given, it searches\r\nfor files with the following extensions: .txt;.docx;.doc;.exe;.jpg;.html;.zip;.pdf\r\nOperation\r\nDuring our investigation, we saw several Python info-stealers that communicate with the same FTP server, but\r\nstore the stolen information in different pages under different aliases.\r\nWe suspect this is how the malware authors operate:\r\nChoose a target, and create a designated folder on the FTP server for them.\r\nBuild a sample customized for the target, with a unique AES key and FTP credentials for information\r\nuploading.\r\nDeliver the weaponized executable via one of the infection chain vectors.\r\nSecond-stage Payload – HookInjEx\r\nOne of the script’s core functionalities is fetching a second-stage payload. If the designated FTP folder contains a file\r\nnamed net-update.exe, then it downloads and executes it.\r\nWe analyzed a few of those net-update.exe samples and found a complete overlap with the “HookInjEx” variant\r\nbelow, making it a targeted advanced payload.\r\nHookInjEx Variant\r\nThis variant has been in use since 2014, and has 32-bit and 64-bit versions. Over time, the variant evolved and\r\nadded some features while also changing the names of the different components in its infection chain.\r\nInfection Chain\r\nWe found two main types of infection chains:\r\n1. SFX (self-extracting archive) which contains all the components. It drops all of them into a folder and then\r\nexecutes the main loader – DrvUpdt.exe (ehtmlh.exe in older versions).\r\n2. A fake SCR file that functions as an executable. 
In order to look like a legitimate SCR file, the loader\r\ncontains a decoy – a JPEG/PPTX/DOC file as a resource (Resource_1), which is loaded upon running.\r\nThe SCR file also drops other payloads as its resources, and runs the main loader with the command line:\r\ncmd.exe /C choice /C Y /N /D Y /T 3 \u0026 \"%APPDATA%\\\\Microsoft\\\\Windows\\\\Device\\\\DrvUpdt.exe\" -pSDF32fsj8979_)$\r\nFigure 21: Malicious SCR opens decoy JPG resource\r\nHooking and Injection\r\nThe main loader uses the hooking and injection method called “HookInjEx”. That method maps a DLL into\r\nexplorer.exe, where it subclasses the Start button. In our case, the loaded DLL is DrvUpdtd.dll\r\n(dhtmlh.dll in older versions).\r\nIn newer versions, the malware also hooks the Start button in other languages. The existence of\r\ndifferent languages probably shows that it has victims from countries all around the world. 
The different\r\ntranslations are:\r\nStart - English\r\nbaşlat - Turkish\r\n開始 - Chinese\r\nSākt - Latvian\r\nابدأ - Arabic\r\nIniciar - Spanish\r\nKäynnistä - Finnish\r\nהתחל - Hebrew\r\nスタート - Japanese\r\nŠtart - Slovakian\r\nPradėti - Lithuanian\r\nPokreni - Bosnian\r\nเริ่ม - Thai\r\nΈναρξη - Greek\r\nDémarrer - French\r\nСтарт - Bulgarian\r\nЗапустити - Ukrainian\r\n시작 - Korean\r\nConfiguration\r\nThe malware receives its configuration from a file named Devinf.asd (in older versions it was named\r\nfile2.asd). The configuration is decrypted and written into a new file named Drvcnf.asd (in older versions it\r\nwas named file3.asd). 
The encryption method is:\r\ndef decode(content):\r\n    # 62 encoded byte values; the index of a match selects one of the 62 alphanumeric characters\r\n    dec_array = [0, 1, 2, 3, 4, 5, 6, 7, 8, 0xe, 0xf, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,\r\n                 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d,\r\n                 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,\r\n                 0x40, 0x41, 0x42, 0x43, 0x44]\r\n    output_str = ''\r\n    # tab, LF, CR and space are passed through unchanged\r\n    known_values = [9, 10, 13, 32]\r\n    for j in range(len(content)):\r\n        int_cur_content = ord(content[j])\r\n        cur_byte = 0\r\n        for i in range(62):\r\n            if int_cur_content == dec_array[i]:\r\n                if i \u003c 26:\r\n                    cur_byte = i + 0x61   # 'a'..'z'\r\n                elif 26 \u003c= i \u003c 52:\r\n                    cur_byte = i + 0x27   # 'A'..'Z'\r\n                elif 52 \u003c= i \u003c 62:\r\n                    cur_byte = i - 0x4    # '0'..'9'\r\n                output_str += chr(cur_byte)\r\n                break\r\n        if cur_byte == 0:\r\n            # not alphanumeric: keep whitespace, shift punctuation back by range\r\n            # (each range is checked on both ends so chr() never gets a negative value)\r\n            if int_cur_content in known_values:\r\n                cur_byte = int_cur_content\r\n            elif 0 \u003c= int_cur_content - 0x61 \u003c= 0xe:\r\n                cur_byte = int_cur_content - 0x40   # 0x61..0x6f -\u003e 0x21..0x2f\r\n            elif 0 \u003c= int_cur_content - 0x70 \u003c= 0x6:\r\n                cur_byte = int_cur_content - 0x36   # 0x70..0x76 -\u003e 0x3a..0x40\r\n            elif 0 \u003c= int_cur_content - 0x77 \u003c= 0x5:\r\n                cur_byte = int_cur_content - 0x1c   # 0x77..0x7c -\u003e 0x5b..0x60\r\n            elif 0 \u003c= int_cur_content - 0x53 \u003c= 0x3:\r\n                cur_byte = int_cur_content + 0x28   # 0x53..0x56 -\u003e 0x7b..0x7e\r\n            output_str += chr(cur_byte)\r\n    return output_str\r\nAfter the configuration is decrypted, the malware parses the values and puts them in global variables.\r\n\u003cReg\u003e\u003c/Reg\u003e - Registry key for persistence\r\n\u003cPre\u003e\u003c/Pre\u003e - pre value for info files to send\r\n\u003cPas\u003e\u003c/Pas\u003e - extensions for info files to send\r\n\u003cPath_Log\u003e\u003c/Path_Log\u003e - log path directory\r\n\u003cL_s\u003e\u003c/L_s\u003e - minimum size for file to send\r\n\u003cS_n\u003e\u003c/S_n\u003e - FTP domain\r\n\u003cF_k\u003e\u003c/F_k\u003e - FTP User value\r\n\u003cF_R\u003e\u003c/F_R\u003e - FTP Password value\r\n\u003cVer\u003e\u003c/Ver\u003e - version\r\n\u003cU_u2\u003e\u003c/U_u2\u003e - Downloads updates URL\r\n\u003cU_u1\u003e\u003c/U_u1\u003e - Downloads updates URL\r\n\u003cF_f\u003e\u003c/F_f\u003e - Directory in ftp connection.\r\n\u003cU_t\u003e\u003c/U_t\u003e - timer_1\r\n\u003cS_t\u003e\u003c/S_t\u003e - timer_2\r\n\u003cS_q\u003e\u003c/S_q\u003e - timer_3\r\n\u003cU_u3\u003e\u003c/U_u3\u003e - Downloads updates URL\r\n\u003cEl\u003e\u003c/El\u003e - value for encryption method to files\r\n\u003cEz\u003e\u003c/Ez\u003e - value for encryption method to files\r\n\u003cF_n\u003e\u003c/F_n\u003e - Fake name\r\n\u003cE_dt\u003e\u003c/E_dt\u003e\r\n\u003cE_dy\u003e\u003c/E_dy\u003e\r\n\u003cSnd_P\u003e\u003c/Snd_P\u003e - Value to choose name template for info files to send.\r\n\u003cMlt\u003e\u003c/Mlt\u003e - flag for executing again from a different place.\r\n\u003cWs1\u003e\u003c/Ws1\u003e - WHOIS first URL\r\n\u003cWs2\u003e\u003c/Ws2\u003e - WHOIS second URL\r\n\u003cWs3\u003e\u003c/Ws3\u003e - WHOIS third URL\r\n\u003cS_li\u003e\u003c/S_li\u003e\r\n\u003cRTL\u003e\u003c/RTL\u003e\r\n\u003cSHttpR\u003e\u003c/SHttpR\u003e - value to download using computer-name and username\r\n\u003cOPP\u003e\u003c/OPP\u003e - Opera gather data flag\r\n\u003cFIP\u003e\u003c/FIP\u003e - Firefox gather data flag\r\n\u003cCHP\u003e\u003c/CHP\u003e - Chrome gather data flag\r\n\u003cWHP\u003e\u003c/WHP\u003e - WHOIS flag\r\n\u003cTRP\u003e\u003c/TRP\u003e - tracert flag\r\n\u003cFRC\u003e\u003c/FRC\u003e - number of tries\r\n\u003cClipfp\u003e\u003c/Clipfp\u003e - clipboard data flag of CF_HDROP (CLB-f.jpg)\r\n\u003cCliptp\u003e\u003c/Cliptp\u003e - clipboard data flag of text, unicode, oemtext and locale (clb-t.jpg)\r\n\u003cClipip\u003e\u003c/Clipip\u003e - clipboard data flag of bitmap and dib (clb-p.jpg)
files\r\n\u003cF_n\u003e\u003c/F_n\u003e - Fake name\r\n\u003cE_dt\u003e\u003c/E_dt\u003e\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 27 of 59\n\n\u003cE_dy\u003e\u003c/E_dy\u003e\r\n\u003cSnd_P\u003e\u003c/Snd_P\u003e - Value to choose name template for info files to send.\r\n\u003cMlt\u003e\u003c/Mlt\u003e - flag for exeucting again from different place.\r\n\u003cWs1\u003e\u003c/Ws1\u003e - WHOIS first URL\r\n\u003cWs2\u003e\u003c/Ws2\u003e - WHOIS second URL\r\n\u003cWs3\u003e\u003c/Ws3\u003e - WHOIS third URL\r\n\u003cS_li\u003e\u003c/S_li\u003e\r\n\u003cRTL\u003e\u003c/RTL\u003e\r\n\u003cSHttpR\u003e\u003c/SHttpR\u003e - value to download using computer-name and username\r\n\u003cOPP\u003e\u003c/OPP\u003e - Opera gather data flag\r\n\u003cFIP\u003e\u003c/FIP\u003e - Firefox gather data flag\r\n\u003cCHP\u003e\u003c/CHP\u003e - Chrome gather data flag\r\n\u003cWHP\u003e\u003c/WHP\u003e - WHOIS flag\r\n\u003cTRP\u003e\u003c/TRP\u003e - tracert flag\r\n\u003cFRC\u003e\u003c/FRC\u003e - number of tries\r\n\u003cClipfp\u003e\u003c/Clipfp\u003e - clipboard data flag of CF_HDROP (CLB-f.jpg)\r\n\u003cCliptp\u003e\u003c/Cliptp\u003e - clipboard data flag of text, unicode, oemtext and locale (clb-t.jpg)\r\n\u003cClipip\u003e\u003c/Clipip\u003e - clipboard data flag of bitmap and dib (clb-p.jpg)\r\nPersistence\r\nThe malware sets the registry key which is in the \u003cReg\u003e value of the configuration file (which is almost always\r\nthe key RunOnce) to the following values – it sets the name to SunJavaHtml or DevNicJava and the value is\r\nDrvUpdt.exe 11 . 
That way the malware knows it was already executed.\r\nIn older versions, the malware dropped a file named either rreegg.exe or Capdev.exe, which was added to RunOnce and in turn executed DrvUpdt.exe 11.\r\nInfo stealing\r\nThe malware’s main feature is stealing information from the victim’s computer and sending it to the C2 over FTP.\r\nThe malware steals different types of data:\r\nOpera/Chrome/Firefox login data.\r\nFirefox information: profiles, keys and db files.\r\nThe output of tracert www.google.com\r\nWHOIS information (based on the \u003cWs1\u003e value).\r\nScreenshots and the title of the foreground window.\r\nWaveform-audio recording for a minute.\r\nFiles from removable drives. The types of files are based on the \u003ccpy\u003e tags in the file Devufl1.tmp (winufl1.tmp in older versions). In some versions, that logic was implemented in a file named uflscan.exe.\r\nInterestingly, if the drive’s name is one of the following: A65RT52WE3F, 09353536557 or transcend20276, the malware ends the thread. We believe this to be debug code (Figure 22) that was left in, whose purpose is to prevent the malware from gathering files from the authors’ own computers.\r\nFiles from other drives, based on the \u003ccpy\u003e tags in the file Devufl2.tmp (winufl2.tmp in older versions).\r\nKeylogging and clipboard data in various formats – drag and drop (CF_HDROP), CF_TEXT, CF_UNICODETEXT, virtual key codes, CF_OEMTEXT, CF_LOCALE, CF_BITMAP and CF_DIB.\r\nCapture using the webcam (tcwin.exe in older versions).\r\nSince 2018 – Telegram Desktop data.\r\nFigure 22: Debug code with hardcoded removable drives\r\nC2 communication\r\nThis variant uploads files to its C2 domain using the FTP protocol. 
The FTP domain is placed in the configuration file inside the \u003cS_n\u003e tag.\r\nThe connection starts with authentication, using the username and password from the configuration file (the \u003cF_k\u003e and \u003cF_R\u003e tags).\r\nThe malware then creates a directory according to the \u003cF_f\u003e tag and a subdirectory inside it named after the user id it generated earlier. The user id is derived from the network adapter’s info that was written into the file Mcdata.dat (PAdata.dat in older versions).\r\nAfter that, the session continues with the TYPE I and PASV commands before the files are stored with the STOR command.\r\nThe variant also contacts other domains to update its different components. The domains are placed in the configuration file inside the \u003cU_u1\u003e, \u003cU_u2\u003e and \u003cU_u3\u003e tags. The files are downloaded with URLDownloadToFileW from the given URLs; the user_id is included in the URLs.\r\nString Obfuscation\r\nIn newer versions (since 2018), the strings are obfuscated with a fixed character substitution, which the following script reverses:\r\nbuf_1 = 'qweyuip[];lkjhgdszcm,.\u003e\u003cMNBVCXZ|ASDFGHJK:}{POIUYTREWQ123456789-=+_)(*\u0026^%$#@!'\r\nbuf_2 = '!#$%\u0026()*+,-.123456789:;\u003c=\u003e@ABCDEFGHIJKMNOPQRSTUVWXYZ[]^_cdeghijklmpqsuwyz{|}'\r\ninput_str = \"\"  # The encrypted string\r\noutput_str = ''\r\nfor i in range(len(input_str)):\r\n    cur_byte = input_str[i]\r\n    place = buf_2.find(cur_byte)\r\n    if place == -1:\r\n        # characters outside the substitution alphabet are copied unchanged\r\n        output_str += cur_byte\r\n        continue\r\n    new_byte = buf_1[place]\r\n    output_str += new_byte\r\nprint(output_str)\r\n
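The substitution above is a fixed permutation of 76 printable characters, so it can be reversed with a translation table instead of a per-character find(). The following block is an added example, not code from the Check Point write-up or from the malware itself: it ports the decoder to str.translate, cross-checks it against a direct port of the find()-based loop, verifies that the two alphabets are a permutation of one another (which is what makes the pass-through rule for unknown characters safe), and then parses a decoded configuration in the tag-delimited format listed earlier (Reg, S_n, F_k, F_R and so on). The sample configuration is constructed for this example; its hostname and credentials are placeholders, and parse_config assumes the decrypted configuration is a flat sequence of <Tag>value</Tag> pairs as shown on the page.

```python
import re

# Substitution alphabets as published in the write-up; the decoder maps buf_2 -> buf_1.
BUF_1 = 'qweyuip[];lkjhgdszcm,.><MNBVCXZ|ASDFGHJK:}{POIUYTREWQ123456789-=+_)(*&^%$#@!'
BUF_2 = '!#$%&()*+,-.123456789:;<=>@ABCDEFGHIJKMNOPQRSTUVWXYZ[]^_cdeghijklmpqsuwyz{|}'


def check_alphabets(plain=BUF_1, cipher=BUF_2):
    # Same length and no repeated characters: otherwise the table is not a permutation and
    # decoding is ambiguous.  Same character set: otherwise a character copied through by the
    # pass-through rule could collide with a genuine ciphertext character.
    same_len = len(plain) == len(cipher)
    no_dupes = len(set(plain)) == len(plain) and len(set(cipher)) == len(cipher)
    same_set = set(plain) == set(cipher)
    return same_len and no_dupes and same_set


DECODE_TABLE = str.maketrans(BUF_2, BUF_1)
ENCODE_TABLE = str.maketrans(BUF_1, BUF_2)


def deobfuscate(text):
    # Equivalent of the loop on the page: each character found in buf_2 is replaced by the
    # character at the same index in buf_1; anything else is copied unchanged.
    return text.translate(DECODE_TABLE)


def obfuscate(text):
    # Inverse mapping, used to build test vectors and signature strings.
    return text.translate(ENCODE_TABLE)


def deobfuscate_reference(text):
    # Straight port of the find()-based loop from the page, kept to cross-check translate().
    out = ''
    for ch in text:
        place = BUF_2.find(ch)
        out += ch if place == -1 else BUF_1[place]
    return out


# Tag-delimited configuration format: <Tag>value</Tag> pairs, no nesting (assumption).
TAG_RE = re.compile('<([A-Za-z_0-9]+)>([^<]*)</([A-Za-z_0-9]+)>')


def parse_config(decrypted):
    # Parse the decrypted configuration into a dict; pairs whose open and close tags do not
    # match are skipped rather than guessed at.
    cfg = {}
    for open_tag, value, close_tag in TAG_RE.findall(decrypted):
        if open_tag == close_tag:
            cfg[open_tag] = value
    return cfg


# Constructed sample, not a real configuration: tag names from the page, placeholder values,
# run through the inverse table so that deobfuscate() has something to reverse.
SAMPLE_PLAIN = '<Reg>RunOnce</Reg><S_n>ftp.example.invalid</S_n><F_k>user</F_k><F_R>pass1</F_R><Mlt>1</Mlt>'
SAMPLE_OBFUSCATED = obfuscate(SAMPLE_PLAIN)


def triage(blob=SAMPLE_OBFUSCATED):
    # Decode, then pull out the fields an analyst wants first: persistence key, FTP host and
    # credentials, re-execution flag.
    cfg = parse_config(deobfuscate(blob))
    return {k: cfg.get(k) for k in ('Reg', 'S_n', 'F_k', 'F_R', 'Mlt')}


if __name__ == '__main__':
    assert check_alphabets()
    print(triage())
```

Running the block prints the triaged fields from the constructed sample. Two observations fall out of check_alphabets(): both alphabets contain exactly the same 76 characters (25 symbols, the digits 1-9, every uppercase letter except L and the same 17 lowercase letters), so feeding an already-clear string through deobfuscate() is not a no-op and cannot serve as a sanity check; and because the mapping is a static bijection, obfuscate() gives the exact form a known plaintext such as a domain or tag name takes inside a sample, which is directly usable as a string match in a YARA rule or a memory search.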
Android Backdoor Analysis\r\nThe first activity is MainActivity, which is responsible for presenting the user with the decoy content and requesting permissions to perform privileged activity. 
It also starts a background service called MainService, and launches the second activity, MainActivityFake (GmailActivity), when the server sends a command to do so.\r\nFigure 23: User is requested to allow a set of permissions\r\nData Collection\r\nOnce the MainService is launched, it is responsible for the following tasks: timer registration, configuration monitoring, showing the fake notification (described below) and sensitive data collection.\r\nDuring this initial data collection process, the following information is read and prepared:\r\nInstalled applications list\r\nAccounts information\r\nSMS messages\r\nContacts information\r\nThe rest of the information is collected on demand, once a command is received from a C\u0026C server:\r\nVoice recording – a 30 second recording by default.\r\nGoogle credentials – the server triggers an authentication phishing attempt.\r\nGoogle Credentials Theft\r\nUpon receiving the proper command from the C\u0026C server, a Google login page is displayed to the victim by activating the MainActivityFake (GmailActivity).\r\nFigure 24: Google login page\r\nAt this point the user is presented with the legitimate accounts.google.com login page, loaded inside Android’s WebView. To steal the typed-in credentials, Android’s JavascriptInterface is used alongside a timer which periodically reads the contents of the username and password input fields.\r\nFigure 25: Periodic retrieval of Google account credentials\r\n“Google protect is enabled”\r\nAs we previously mentioned, one of its core functionalities is to turn on the microphone and record the surroundings. In order to do this in real time, the application needs to keep its service running in the background.\r\nAny Android application that wants to run such a service is required to post an ongoing notification, which alerts the user to activity they did not initiate. To get around this, the malware developers chose to show the user a fake notification reading “Google protect is enabled”.\r\nFigure 26: Application displays a fake notification\r\nThe result is an always-on decoy notification masquerading as “Google protect”.\r\nFigure 27: Fake Google Protect notification\r\nC\u0026C Communication\r\nThe malware uses plain HTTP to communicate with the C\u0026C servers. It sends the initial request to alarabiye[.]net, and proceeds to communicate with gradleservice[.]info in order to get configuration, commands and status updates.\r\nTo upload the collected sensitive information, the malware uses FTPS with hard-coded credentials.\r\nFigure 28: FTPS connection routine\r\nIn addition, the sensitive files are encrypted with AES, using a pre-configured passphrase, before being uploaded to the FTP server.\r\nFigure 29: AES encryption routine\r\nTwo Factor Exfiltration by SMS\r\nOne of the unique functionalities of this malicious application is forwarding any SMS starting with the prefix G- (the prefix of Google two-factor authentication codes) to a phone number that it receives from the C\u0026C server.\r\nFurthermore, all incoming SMS messages from Telegram and other social network apps are also automatically sent to the attackers’ phone number.\r\nWork in Progress\r\nDuring our analysis, it was often obvious that this malicious application was still being actively 
developed, with\r\nvarious assets and functions which were either leftovers of previous operations, or not yet utilized.\r\nOne of the unused phishing assets even contains a pre-entered username, possibly a target in a previous operation\r\nconducted by the attackers.\r\nFigure 30: Unused phishing HTML assets\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 35 of 59\n\nFigure 31: Unused location tracking code\r\nIndicators of Compromise\r\nPhishing\r\ntelegramreport[.]me\r\ntelegramco[.]org\r\ntelegrambots[.]me\r\nmailgoogle.info\r\nAndroid\r\nC\u0026C servers\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 36 of 59\n\ngradleservice[.]info\r\nalarabiye[.]net\r\nFiles\r\nMD5\r\n4ae3654b7ed172b0273e7c7448b0c23c\r\nca154dfd01b578b84c0ec59af059fb62\r\nSHA-1\r\nf3a4feedd4f62702c65b037a91bd8332d9518c08\r\n735f761462443deff23dde5b76746b7ab0ceaf71\r\nSHA-256\r\n24e5b2967437dbc1866df3ac1bf776a4960a5a56676b48bb9a143e62849a43d2\r\n881ab44385541ac7cd0f3279ba4fb8519df07d529456c9e34074787ebb33f658\r\nPC variants\r\nTelB Variant\r\nC\u0026C servers\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 37 of 59\n\nafalr-sharepoint[.]com\r\nafalr-onedrive[.]com\r\nBackdoor\r\nMD5\r\n315e6338bf9c9bcbe3d5af0482f51dfd\r\nSHA-1\r\n8b00d62a5c03efa76dfca8bd8c95c969167f83ee\r\nSHA-256\r\na713a2749e9791243a89471a2603bf1f32ec11c9179771ca46fb5583b8412cb0\r\nArtifacts\r\nMD5\r\necb8c2cc5efe580d4ea8f212e39eb9b5\r\nc9a28ae2b52d13cc98cdaeaff6d72332\r\n77d9ebb41bf12a96284747cbeeeed889\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 38 of 
59\n\na7675a6eee18746705c90a9290168b60\r\n01e4c30e374bd26a2e5e5cb8ef27b255\r\n5844fe7ffb3333c23d201d70c7419a6d\r\n1bd82146445e2dcb3cafacefe2e913ed\r\n975b81ecf54f67e8d091be053ae7fa99\r\nSHA-1\r\ne642c9898b8d18238ca525e74db22e6dfe431e2f\r\nee96340d3b0845fcaad0ee328c49095302cee6e9\r\n817835661f1e3be4ff13ed1762054475cc8e1223\r\nA6e1f60d5e3651d1e029293fba7da72749282ca1\r\nA778f565bbf851efe50a46476fe0e9f8b0e1c830\r\n5d09311a4b0c18572dede3bbf5620268baf39318\r\n0dc484e36b62cf4f2512e1b634dbfe60260c8447\r\na3b8eb53d595e3a272942e98eac24f3c38cfb2e4\r\nSHA-256\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 39 of 59\n\nb743c9b4968b65577d60d0f3a3c4ae6dd6beedf08a02625836d598f8600a1321\r\n409da7a4f191e37d3d3aa8f36e8c3789fc998b63241a5f05c6816e54ed7dcd3a\r\n41629c54b2f3dd68897c04a8ed10f7c78534ba67a048da75885a857f68b37624\r\nF9f4aaba897b15f8c77c46f2efb0672b044b7cb79dfd84eac4a41e2f1cee1344\r\nFdfcf1790faf4dc97ea7c5d84c76b7abbdb080ab931777a6259b09ae0166fcae\r\n233ee2ea02322d3da68217ab4b51722a4a3aa833667a45377dfd4742d5979c4c\r\n512e28afe8d32008cd8a9e95c938d2551689098ea93f75ba2a23c246248d7124\r\n4c0c33fff8d4929f7a0d742f1d251b61794b185538b8ceb4939283d1b3d73795\r\nTelAndExt Variant\r\nC\u0026C servers\r\nexemplifiable-taps.000webhostapp[.]com\r\ntelegramup[.]com\r\n148.251.97[.]102\r\nBackdoors\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 40 of 
59\n\nMD5\r\n281908f5afa399f725a06df767486837\r\n5b813b679779a60947d4ed6e671394b0\r\nA763350f2a5b2fdde3216cd1ea2bec5d\r\n2e4e20bb01c9ca4ef5df2a75473c1aee\r\n0aa07a6bf12a2a87a66202e768146e49\r\n5666585faaf4fe77c8354ff76881f29b\r\nSHA-1\r\n67a328fc2362253fd7cc9163d7da6d8688d76d1f\r\nE541372d93e4e26fe75fb44eb8aa009e1fc48b38\r\n3275c02dbcb2b3467b55bb6927e2d80aeab43357\r\n107b5afd843a53715ca89dc9b180a0f761a87f90\r\nab6ccfe1c9a27c1225dbe94a85246656837ce38\r\nb7397af85faee45c3d9e0f2e7c0e1b248f064317\r\nSHA-256\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 41 of 59\n\ncec533ecd881f014efa7416867d6e3c6b4362741e97c1609860c6223935dec8d\r\n21118e91cc1537c849a382d87cb113568c5e6d6ce204e8f4592c26f74f713f79\r\nb65676321e2138affd5c38a1f2b882f19ac1ca9bf414b6f3d44e35c43c36ae78\r\n65a3dec040bddf615bd2ce8c9f08ff074442fb521ac97b869e51d35a417719e9\r\n2d161588e7314ed268144b14bf00ff02b4b875f140d5ff8ba51ed50318e4b603\r\ndc627b6419366cdf50eccfa3d1995c111b71112e5abb725b6096b9e0026af395\r\nArtifacts\r\nMD5\r\na330253626349a1f0a6f16255f05b5f7\r\na871124091acc7c865f34e9d4cc6b6ad\r\n72eb19c60056174b7d5722cabed90ef8\r\n99dab6b39475e1088a4dd33d4cad9896\r\nf6a1a831d77cc6f2a2c636f7c17fd499\r\nad33e3d934fef9ed58b1f1c8b0fa0091\r\nSHA-1\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 42 of 
59\n\na208ecaa6ef313abedb3d07d168655af0de0287f\r\n1c1d7bc97c49b046c5040c9a74aa803111b8b487\r\n6a37014e9ff0df749f58c74f787608d66b039a43\r\nb1755edc051acc27c04ae9f05a07db47cb816f57\r\n86d5a8450b80627ddc900bc13d970a9917cf1586\r\n5a60267edb2021e30cbf3540226562701232e512\r\nSHA-256\r\ne9bf479de992e8a7cfff4d5d528ec85614e9ad0892feb5f588047dd78decf069\r\n4ea4671ef8678197dbc82a584832d0dd23d67b0427873ac610bb266d0678f305\r\nbaad0de1026a3a807c4e4170b9291548afa900614a1dfdc00cf4f63d1946d555\r\n1ffd162d377b84ddb91766f43c0a7a0ba92f358fa2146a33726ed1e08529a691\r\n509ab695001be527b6c32f2d200067f2d433169e86724336579e08ea44799dd6\r\nbaf779a4a3c9d901eff32a46a004bbb258551cac57d63f0a878d882d2ebbdcf3\r\nPython Variant\r\nC\u0026C servers\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 43 of 59\n\ntbackup.000webhostapp[.]com\r\nvareangold[.]de\r\ntelegrambackups[.]com\r\ntelegramdesktop[.]com\r\npicfile[.]net\r\nBackdoors\r\nMD5\r\naac5bc1f94f32a69d7dcea33f305e6fc\r\n9238f7a1ec7cbeb3dbb9370f02fde040\r\n30973d4a637354cad945ab94205b0323\r\nSHA-1\r\n16335373c2b9438002fbe3a648a0709d8c111a6b\r\na9480fa19e90e46f9fd4a3c96e5ad08c11ef3822\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 44 of 59\n\n94f9ee0dbd13014b19f42c2fa125f3f9e73b98a3\r\nSHA-256\r\n3310c0b2fd8a8d96288eb241f6948cfa0f15b39d2e6ca6687aab45dc6fccf9fc\r\n13e924700a346234eaf2376c61ef0a36c86d94847b232a4ad772e35e0b9a6e87\r\nd52a5ece34828b4201df630a7bc07449289f0c15833ee13f93f105c510a8282e\r\nArtifacts\r\nMD5\r\n67f523757199203a5e4eae3e17ab00a4\r\n2f1120f5089af58315891fd316333161\r\nb9a888a23af000c6d1c846b9d0fd853c\r\nc7041a9de03af5c2c85ec70c3e8daefb\r\nfb063ebd13296eef1fd556ebb4d843a3\r\nb44428524ea196992358148ee3eeddb0\r\nb99abe396772819815eac7728580f41e\r\n5fcefebf48018774f278f5fa83c664b3\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 45 of 
59\n\ncc95e164fc390fa3b75a2c49518edbb7\r\n854418d163b0e1269970338916ff6374\r\nca1e45cd176751931c87edbf25aa4469\r\nSHA-1\r\n4807035760bd758cfe05adf81da2618914928a62\r\nba4b04a8b20cff6ba27ccf7e79f4bcc8134e1c2c\r\n6537f6ea9f0a3edb5469c7235d70571e5a46c3e1\r\n1e6a569979dd3cac95d9d1c481ebf9bb1e0b1f12\r\nff4af69cdc3c24a7f10efa23c9b1431751c1f0f0\r\n767c02bbaf80745dfb0a6438c21927beb2123962\r\nb14804d46febfe811cf5634c8059666bf5c6fc55\r\n9ae405cbb9c6e959e4f680e2a73952e89c81ab4a\r\nb110923d4ec5cf737bfff3904b1527b041ecfe58\r\n295f01317d14e1548ecdfad1342cfae844f5dd8d\r\n5b15fb002162591bab0067a5c15c7e5c1726dc24\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 46 of 59\n\nSHA-256\r\nc004fa7111c5ea0d902a7f9863b525fb26a3be086926f39246f0dbcb7804f2b5\r\n30c71764ff80f82a190fc7d2212f0b7eebde4de46327f34e3326acbfd87f268d\r\n0da88a1645f39b41e8cdfe14eaee40b8845bf92b446ddc646fddc85389b78495\r\n4ffbf798a68aa5bcc5a52efd64456483172be892125085d2c82e2f351a48342a\r\nd8395183c234836b9138d0ade196b8ab60aae6add8c84e004df049a27afe5ffa\r\nfe15c79508885b5288c5cf93708d5b40eab05877cb9b1d954ab7e814a20c7978\r\nee295bd3669ddaebcd9be020debd1853c6eb7029c8017734e44c8cdce5e15241\r\n815a89091ed15779071bbd6d7ad207a0041a199a562f105595278258880f1e03\r\n3010d9eddb0b97b7f61025d05b543f572c7900170240b56bd9568efb79799f11\r\nb5e571eb492eaee853abdf8b6202f7e543f09d8343a85f467cd4806f8e19a14f\r\ne444a49b260e815c7d2f3e309f7c7b62226d4f0658fc756ec0aed5effb5226a8\r\nHookInjEx Variant\r\nC\u0026C servers\r\ntbackup.000webhostapp[.]com\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 47 of 59\n\ndeveloperchrome[.]com\r\nfirefox-addons[.]com\r\npicfile[.]net\r\ncpuconfig[.]com\r\nupdate-help[.]com\r\nwinchecking[.]com\r\nendupload[.]com\r\n176.31.4[.]14\r\n148.251.224[.]29\r\n144.76.177[.]244\r\n137.74.153[.]98\r\nBackdoor\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 48 of 
59\n\nMD5\r\nca554a866389796b65f0b5eb1576e691\r\n3bcddbfd757de15ec350f1b4c9e92926\r\n74c3049ae9229675ccce544f0491e2f9\r\na05b6a10d7643a2ef059d7e296cb87a6\r\nc887fc425351a824a143a015d51ad0a7\r\n1d6a516c77aaf1bbab1ac4051f86475c\r\nf9b9b9e2c87f9f4b5fbb89e5a1ac05eb\r\n48873bf5f51ed996b237ce3495bf6219\r\nf4e7111f9a5cd4451d422bc009844ec5\r\nSHA-1\r\n7ba64923c79cb2742393ff1ad9cb9fd3f6660024\r\nb136739bf5c161684433a94a80ccaa9db029bac8\r\n142f7bd57d3623fd44f5d7406bc9dc8b0fba0bd8\r\n8a7f8d1dcbb9c5d4766f49e41ad17c00776bdb50\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 49 of 59\n\n4e4a8dce1192769ac447ffc41a39df543420e1dd\r\n96af18c2f4afbcde3854a53c1a3bbb964296b241\r\n31922929229c7b49c626ecdaf2e3927683fbe0cc\r\neea85b2b8fbb5724f58424c1878ac10fd343a155\r\nabb636cbab0bc591ba94203f41635fff009304b6\r\nSHA-256\r\n55c5a17976d253c7c4df1b59973c610336c5482d2063d511d54d512fe04ca\r\na4fcc308e9a364d29057cc76dbe6a8c32ce24a1dbae5c0b6306471f61cbefb29\r\n79baf679e84b02a660e03602ff7aa4c9c86a92e0885b1a298c672db842be258d\r\n58018aac8beb89271ef88d0fd4ada64079e1af09fad441e7b39a2463f95602f4\r\n3cedd91bb4c7a5874a3ad286addb0860c33931ceb09d2c18385b7d6cab6953e0\r\na60f5b41251d0bf126fc3c2b836de7d59aa608fd6d37726d71960dd408575512\r\n5a8f53f7c65af0cb3f269f8653405cd7bd98fae5c256e6264e5ebc5f75ea6c08\r\n08b61faed24b35224a505dd9cbf39cd59776627de7991161d376134a854c3227\r\n3ff1864e5fe1ebcce0a60c9594c9ac9f2eedd94367680dc3d77ca39a0b0e3d06\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 50 of 
59\n\nArtifacts\r\nMD5\r\ncf4ed89d96dab84a455a4f52400388cd\r\n16706dff8db6fcc1fbd6f80cfb2baeb1\r\nd26a8b8d1c6f77dd9ecc02e0edeecbaa\r\n092b436347f80cffd74f4caffa75f4d5\r\n663f9b47a983c2ebe9f70df74956dcc9\r\n3ef7daf8cbce7a9aa68ee5c0baef8b28\r\nf78855f488ce965a6a4c60820df2e696\r\n62d8c20b64281b0d934358bf8d0fd2cf\r\n80c9fc38e7f6d96a09feaa99b7777e7d\r\n6f5a36fb82de3aecd847978846be312e\r\n1ac4f4f7c5217adb16d83f902e51624a\r\n661dee790ea438b14553e622052909a5\r\na68fcf5b97265d97c6bc5613ae82c093\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 51 of 59\n\ndd07291265098edef72d39b11c8a1e37\r\n87866ae8936ec3fc04af3e0783ec36bf\r\ndb4c95ea37fed6403546eadd9e691a1e\r\nccb6f24ff38770ab2efeb8f51de2a123\r\ne7c0e92855a1b7d9b81eeb06cce5ce60\r\n326843b42fca324e9fd023058a6c6b7a\r\n68b84d8057f6e6def9e191ed218da0ee\r\n87878f5404083c4c0ebf7a78e386a487\r\nf1598a2901388dc5244931226d300633\r\n2d64174dc0bed8222eea4494a49744a5\r\n20691b32c1839cb1e106f937dd101e4d\r\n86320eb8adb48106b899e21be5d5387d\r\ne20f58c1afb7d9262e5a15620b172bd4\r\ncb93aad2354aea2623a70abdd9ecc87b\r\n91be9e93c7602202963650103ff8ee50\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 52 of 59\n\ne130f1305948f0f7bd25f9d7101bd98a\r\n2c8a7d32667b7b7c410f3b3347087996\r\nf55277807457e2a3e9ad4b6de64b549f\r\n64bd09506365a0cf351a56edb2bb2bdc\r\n5c4b2cf2bed7db57b7335ec426fe776b\r\n470175c447f025f4057b4dbacb931e42\r\nf499cabf7c2ddacad965ed2a086b481b\r\n83cba14904fdbf0e21d251fc5ab00666\r\na314ff2714660be06f9eb49e6024c8c5\r\nbb186b0f3f2a1e0ef51d86d3494fd3be\r\n2e8e25f179172778f8efefac33f2dcb7\r\nb547b27751022900d9126a82d82a411f\r\na0c46b3f8370f2a2a6486d0ac686363c\r\nSHA-1\r\n7bbfb347a762da6be65484a2d721669269099af1\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 53 of 
59\n\na9de74562a373fae1e02b6f290c3c4189f9f52c5\r\n4e4570200d81ab296f29dcbc56c8371484114077\r\n2c55956f5422a5fd08e11042d49e6fa478b9cc2e\r\n9d694ca2a311eafc409f128e1044162ddea5687c\r\ncb765cc4028a1c2e6930aca826567bc8253d8479\r\n4511d3627b2432e18c02271ac9ef67a373d2dc4a\r\na1c8b69ca2f6f8763e65bdb148c9f9422130fced\r\n7fae11c9f144912eef2557b21f44b112857f2bee\r\na0bffcd0d9ab5651476375b1e0edef18b81c2d90\r\nddb494f286c36c4216b3e325b8e8e4e61f1c7906\r\n8963a67f5001a3ee5459a8ebe1e8fa3059df786b\r\nc66b1ac78b55661cfbf14c330c2b9615d6c15125\r\nf42195c131e1bab859aa61f52edf37c587288eaf\r\n2747b43c07845feb832115f992c3ff08f2ac220b\r\n93b3a4d118131981fff5f65da2f8642947f2e43a\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 54 of 59\n\n87376e4522a673d5326a456dc6cc11e5c8349dbf\r\n1af2cb91b45f684d5fd30187643d9d2d51474be7\r\n8c59a117faed95777e15fefe0a2ed34d492e3205\r\nad0a4e312d21e513a3fec0bc7bf27afdde4bcde6\r\n694ddbd3d19ac153f29d52f350faccb257fec841\r\n31c85366409d5b5ae5f87da2b60f8f116b4bec99\r\nc8d2b9ff069c7e3977e988cebba273bd320abfcc\r\n2c13c0ef28485320634c235a097d62017bed36d6\r\na8548208fd950a8215e8ae0fac0d00db2592ccf0\r\n6e97334921c15cc27ccfb1e147a74d69f873ff64\r\n2d69897eccff1efe908c69c2d0af81f9fc7a57aa\r\ndbd60bf24dc0099a4b45b2610be91b5cd75be31a\r\nf5b3dc229f00e4c726a9e6e990ad4983ede0f073\r\ncc8f8ae46807c1b6b56a1877628d2140f0158b85\r\n3da61604ca8c6da190906ff122d56e1cb9836f4c\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 55 of 
59\n\nb8738bbe9c35181ea4261b81b6c9fc58d8bb593d\r\ncbdf5c9ada304b73cebda7753bd14bcb5cedab2e\r\ndb88c16dc592d5b11445fa0f437016651706bfaf\r\n02fe03f6f2914551e7096b7938ff1b6d7dce17e1\r\nbbb38fa43bbb8c984cb70b155c230539f6ff6e51\r\n749a8aaf2f9f96a914e3dfff76ff9c9fa43c5bf2\r\n311a4fdb018baf924ff1301dd489b822b40f6c51\r\n22a3855c9c9c05e1789d45d40ba325d9406a1f3b\r\ne036dbf4b0e6b36526f8b4f180ac624cfdc8f756\r\nd7d58a818649eae5116ab26351993436fc1255ee\r\nSHA-256\r\n4415e6240b037f4ac693c7e4a88f5ab2567b68dddbaa8fbfb0b40d37748fa8ba\r\n2c4156bb1d1e3f0abafd5d03fad277f6aab705cb917bc07e05de3170fd80854f\r\n69cbda8c2ea92eace49d678cc660432d0ad0c44bd79c3a02dd841066f80bc51b\r\n525e99feb0a32a96aaf6e34be899e6a68c7abb6a8542f30e3822d07fe4e8d278\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 56 of 59\n\n54a20f35d302499c925e5855f782bacb6bdd0a345f57c9e80772ef29fb81f465\r\n083fe2c0feca89a6011ea2749123e216e0a53b573ebef2f25d856412cee7f99c\r\n51a9a7e764a509b979dd438719840369718a320acbba32abbf51d4926e7d3486\r\nb7730f9a05be8a0f25a3979b2f8d2fed791340a32385a9fd37d0e8b81119627d\r\n63a655fde88ea26c73cea1e1764305e44203db771f64155b3b3e3d805203f65a\r\n5eb4c94c9927e90426b6227754ae97fca06d468d5512d15773c48817ea082dbf\r\ndff78dc100c1efd116de1a1d9e0b9169380801a1e7e864d63dc81a263f8929e8\r\n845a0e5720a6288794a6452adb8d3e7c22f5e6e6b9d4f7481fbd30e3efba4f28\r\nb778ab921e7268334efdc8aa371909c4bbd0f1621e39ab9d7e37167fe448581e\r\n0e4a8eb2fe861c45071626da24147e922b167efb543e37ace7466c74c1e98be6\r\n0f7082926241659fbebd229cdc41abe358be49110a80729b9ee891f2f7dcdf16\r\n71085b661fea6cf040586b462b07ce8e0471fb9208c4f69cfd168e168beab6fe\r\n37f40214d2f150597c52cb868c1e2f723d9c2d3155ab18ab2f1279eaf09bdf71\r\nf211a92c2e215c2691006407bc919a892dd998120d83d333f2295059cd3c1c60\r\n1b8cd7c93dce63878dadae0cf77482ae367477841a4604c6a842158466790737\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 57 of 
59\n\nd148562a49a09333b2b02d13e12b183d4c3fcf23fbb024d4e0b440631a3a3663\r\ne4e210aedf8120a4c765bd340bd78b4a84f7ee486314132a8364fd417f4fa128\r\n41d3378e99a410756170056e4941e86325826c45389ae18172114be535a73355\r\ne7782cedc67fe36d2fb9005c5bb165c75db9587f3de57b408acb20f6757c7f56\r\n09f953c4abfa799e2137887db5e90ddb993f76d20ce22a5ca290e43ae07074b7\r\n023151cf0fb47d758946fa85a952a2b6758fbbfb762083a01bb70c5a6d96c781\r\n2e656ea0b05ffa6cd945848176d1c9fb6174a6253b2a42891487d120358f0bec\r\n07247bb81cca445e0df110d73ea6bf7eb327cc99b614b99dfbcb5632025c99a0\r\n085a42cf3705bade9cd970f003f82158563aba06e9152e00928778bc0bd9585e\r\nb26b024fa7be56d2b2e3815d8e97434f95b30bf25cda4259d3e20c14a92bd8ec\r\nd3bb736d8a8b500c75ad853392afac37fd8cd519b274db4cba9451d2f1899059\r\n986a9bd00d5b22431ab949916828aa25542afae4875b5cee00f703424b5ffb34\r\nde339d3fe5acf83a0df5991bcce02574e1f2c4749b6d0e8f9edc563ef4f91d79\r\n0af51a0ffb5798fb90a14070809fa9909195068ad1b91c1cadf5633b521e5132\r\n75972d15f3b2e97d52b9f8a6f42ea85976ed5bb9d609c3bf93ee98d6f4f4a648\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 58 of 59\n\n35e3f08ae93a7b4cd3e77a6438e318cd3c3b41efa5def52e5ebd182347e94fd9\r\naf31cc534aa49f02e6c18a8cf3fd4c9cf366d462ee7caaf8c2a461405382073f\r\n013edd19a9e796d54b82dc34a400a0981c5e17fd65a235dd45231e7ef06ee53b\r\ne8f785efb62fbdf31a12012d38798301329e5262090991152e94342ef6dfa276\r\ne7eeb7781f521ddc5481626a2410ed8cc871809c36d8d8f74af9dd3f8c42505d\r\n9c75a6957a0294d929787b6e8217e4127b77cc2702c19ddb8e0b6319dc3b5127\r\nbfb2a7f8e7396f8edee131eca9715ab8b2fc957478b7cf0d58840a707b718e09\r\nSource: https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nhttps://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/\r\nPage 59 of 59",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/"
	],
	"report_names": [
		"rampant-kitten-an-iranian-espionage-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775874157,
	"ts_updated_at": 1775874255,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7625bf2bb6c398590bcd1c064f874f94bca56480.pdf",
		"text": "https://archive.orkl.eu/7625bf2bb6c398590bcd1c064f874f94bca56480.txt",
		"img": "https://archive.orkl.eu/7625bf2bb6c398590bcd1c064f874f94bca56480.jpg"
	}
}