{
	"id": "6470acf7-d94f-40b6-9a14-f8d860147eaf",
	"created_at": "2026-04-06T00:11:48.507886Z",
	"updated_at": "2026-04-10T13:11:45.389194Z",
	"deleted_at": null,
	"sha1_hash": "8233f39937242764a771fdaebab6349e28b7468e",
	"title": "MAGIC KITTEN – The Oldest Kitten – ICNA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 137770,
	"plain_text": "MAGIC KITTEN – The Oldest Kitten – ICNA\r\nBy ICNA\r\nPublished: 2022-04-17 · Archived: 2026-04-05 13:51:09 UTC\r\nIn January 2015, the German news outlet Der Spiegel released previously unpublished documents on cyber\r\nespionage conducted by American intelligence agencies. One of them revealed an NSA tactic labeled “fourth party\r\ncollection,” which is the practice of breaking into the command and control infrastructure of foreign-state-sponsored hackers to look over their shoulders. The presentation describes a real-life example of acquiring\r\nintelligence and stealing victims from a group code-named VOYEUR by the NSA, otherwise known as Magic\r\nKitten.\r\nMagic Kitten appears to be among the oldest and most elaborate threat actors originating in Iran. It is also distinct\r\nfrom other groups because of its apparent relationship with the Iranian Ministry of Intelligence rather than the\r\nIRGC. However, Magic Kitten’s activities mirror those of other groups, with the primary targets being Iranians\r\ninside Iran and  regional rivals. The earliest observed samples of Magic Kitten’s custom malware agent dates to\r\n2007, well before other known malware apparently originated, and the threat actor continues to be active.\r\nMagic Kitten appears to exercise the most mature tradecraft of Iran-based threat actors. It has opportunistically\r\ncompromised dozens of websites at random (including those of an Indian hospital, an Italian architect, and a well-https://irancybernews.org/magic-kitten-the-oldest-kitten/\r\nPage 1 of 2\n\nknown Canadian comedian) to create a relay network to hide its operations. Such attention to tradecraft appears\r\nelsewhere in Magic Kitten’s operations, including in the design of malware, which is modular in nature.\r\nMagic Kitten has not been observed using sophisticated exploits and instead appears to rely on social engineering\r\nand other common tactics to deceive users. 
In the case of the journalist Vahid Pour Ostad, the malware was sent by\r\nhis former Ministry of Intelligence interrogator with a threat attached and relied on private records that would\r\nhave been available only to government actors. This coordination represents both independent confirmation of the\r\nNSA’s attribution and an extreme example of the strategies employed by Magic Kitten. Other samples of the\r\nmalware agent appear to have been delivered posing as Turkish asylum forums for Syrian refugees.\r\nThe NSA presentation also provides a window on Magic Kitten’s targets up to May 2011, portraying an operation\r\nfocused on North America, Europe, and the Middle East. These campaigns continued through the June 2013\r\npresidential election of Hassan Rouhani, provoking a blogpost from Google about related attacks.51 As the\r\nelection approached, exposed logs showed the daily capture of dozens of accounts connected to Iranian cultural\r\nand media figures, graduate students, and social activists (including individuals that would later join the Rouhani\r\nadministration). Magic Kitten continued to target Iranians after the election, attempting to unmask pseudonymous\r\ninternet users by baiting them with content on women’s rights and the security establishment.\r\nLike other Iranian operations, Magic Kitten maintains a strong secondary interest in conducting espionage against\r\nregional targets and international foreign policy institutions. CrowdStrike, another American cybersecurity\r\ncompany, accounts for part of this focus on “international corporations, mainly in the technology sector” and other\r\npolitical targets. An NSA slide with a victim map portrays a broad-reaching operation targeting nearly every\r\ncountry in the Middle East. 
Sinkhole data collected from expired domains previously used as relays and other\r\nfallback infrastructure suggest that Magic Kitten, or the malware agent used, continues to actively compromise\r\nindividuals in Germany, Indonesia, Iraq, Lebanon, the Netherlands, Palestine, Pakistan, Qatar, Sweden,\r\nSwitzerland, Thailand, and the United Arab Emirates. Notably, compromised individuals in Iraq were also\r\ntypically in Iraqi Kurdistan, mirroring a common pattern with other threat actors.\r\nA diagram within the NSA presentation suggests that the malware agent employed by Magic Kitten was also used\r\nat the time by Hezbollah, under independent infrastructure. While Hezbollah has been known to maintain its own\r\noffensive cyber operations and engage in intelligence sharing with Iran, there has been little prior evidence of\r\ndirect sharing of tools.\r\nSource: https://irancybernews.org/magic-kitten-the-oldest-kitten/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://irancybernews.org/magic-kitten-the-oldest-kitten/"
	],
	"report_names": [
		"magic-kitten-the-oldest-kitten"
	],
	"threat_actors": [
		{
			"id": "e575ba5a-702c-4a64-9bda-c4b1061210e5",
			"created_at": "2022-10-25T16:07:23.245788Z",
			"updated_at": "2026-04-10T02:00:04.763889Z",
			"deleted_at": null,
			"main_name": "Magic Kitten",
			"aliases": [],
			"source_name": "ETDA:Magic Kitten",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "efeeab6a-219e-4a45-9b2f-9f77c647ffd2",
			"created_at": "2023-01-06T13:46:38.370366Z",
			"updated_at": "2026-04-10T02:00:02.946455Z",
			"deleted_at": null,
			"main_name": "Magic Kitten",
			"aliases": [
				"Group 42"
			],
			"source_name": "MISPGALAXY:Magic Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434308,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8233f39937242764a771fdaebab6349e28b7468e.pdf",
		"text": "https://archive.orkl.eu/8233f39937242764a771fdaebab6349e28b7468e.txt",
		"img": "https://archive.orkl.eu/8233f39937242764a771fdaebab6349e28b7468e.jpg"
	}
}