{
	"id": "a6c7e06b-600b-4bff-afbd-333e90734791",
	"created_at": "2026-04-06T01:30:06.75442Z",
	"updated_at": "2026-04-10T03:37:55.925199Z",
	"deleted_at": null,
	"sha1_hash": "9438e386c33f672058a0037dcaa0cfffa3532533",
	"title": "Flying Kitten to Rocket Kitten, A Case of Ambiguity and Shared Code",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 342367,
	"plain_text": "Flying Kitten to Rocket Kitten, A Case of Ambiguity and Shared Code\r\nArchived: 2026-04-06 00:56:47 UTC\r\nPublic Notice (5 December 2017)\r\nBackground\r\nIn our most recent post, \"iKittens: Iranian Actor Resurfaces with Malware for Mac,\" the inadvertent disclosure of\r\nmacOS Keychains from a malware test machine recalled a long dormant group through references to an alias\r\n\"mb_1986\" (a hacker named Mojtaba Borhani that we have tracked since at least April 2013). The overlap speaks\r\nto a more generalizable theme: the ecosystem of Iranian actors is chaotic and ever-changing, making\r\ndisambiguating different campaigns and groups a troublesome process. The reference to Mojtaba isn’t the only\r\ncall back to previous groups that we have come across in our time monitoring Iranian actors.\r\nOne of the first reports to systematically describe Iranian intrusion campaigns as persistent threat actors was\r\nFireEye’s \"Operation Saffron Rose,\" which documented an espionage operation targeting the defense sector\r\nthrough malware. Later labeled \"Flying Kitten,\" the group had engaged in extensive surveillance primarily\r\ntargeting domestic dissidents. Flying Kitten was prolific at spearphishing account credentials, targeting at least\r\nhundreds of individuals over more than a year, beginning at least before the June 2013 Presidential election. The\r\ntactics and infrastructure involved in these campaigns evolved over time, but kept to basic themes of fake\r\nmessages from platform providers about account security. The use of the \"Stealer\" described by FireEye was also\r\nmuch more extensive than previously documented. Days after the FireEye report was released in May 2014, the\r\ndomains and servers connected with the group were taken down or lapsed, not to be used again. 
While some\r\nmalware samples surfaced that summer that were potentially connected to the group, by most accounts Flying\r\nKitten ceased to exist.\r\nFive months later, in September 2014, ClearSky published a blog post ‘Gholee – a \"protective edge\" themed spear\r\nphishing campaign’ that documented a new wave of attacks originating out of Iran. As these campaigns continued,\r\nthey were attributed to a group labeled \"Rocket Kitten.\" The infrastructure and tactics within the Rocket Kitten\r\ncampaigns represent a visible break from Flying Kitten, with the domains connected to Rocket Kitten largely\r\nregistered after July 2014. From the outset, the Rocket Kitten espionage campaigns were also directed against\r\nIranian activists. The lull in intrusion attempts against these communities after Flying Kitten lasted for less than\r\nthree months, until an Iranian journalist received notifications purporting to be from Google claiming that their\r\naccounts had been accessed from \"The Russia.\" Unlike with its predecessor, publication shaped Rocket\r\nKitten’s behavior but did not end its campaigns.\r\nThe case of mb_1986 is not the first time that researchers have seen similarities in supposedly different Iranian\r\ngroups. Check Point notes in its November 2015 report \"Rocket Kitten: A Campaign With 9 Lives\" that the\r\nRocket Kitten group maintained a \"very similar mode of operation and phishing domain naming scheme\" as\r\nFlying Kitten, but noted a lack of concrete evidence to link the two. 
In this post, we document two recent\r\ndisclosures of attacker-developed infrastructure that draw a connection between Rocket Kitten and Flying Kitten.\r\nhttps://iranthreats.github.io/resources/attribution-flying-rocket-kitten/\r\nPage 1 of 13\n\nWhile we cannot assert that the groups are the same, we can establish that there was a direct exchange of source\r\ncode, and in all likelihood an overlap in membership.\r\nCase 1: Phishing Infrastructure\r\nThe commonalities between the externally visible components of the attacks conducted by both Flying Kitten and\r\nRocket Kitten are notable. Check Point suggests the two shared a domain naming scheme, for example Drive-Google.com.co (created April 2014, connected to Flying Kitten) compared to Drive-Google.co (created July 2014,\r\nassociated with Rocket Kitten). A comparison of the content of credential theft attempts adds more suspicion\r\nabout a relationship. However, without disclosures of private operational information, these are weak indicators,\r\nand could as easily suggest that members learned from the FireEye report. Through the disclosure of the code used\r\nin Rocket Kitten spearphishing, we demonstrate that these commonalities are more than superficial – that Rocket\r\nKitten has used Flying Kitten tools for credential theft.\r\nPublications thus far have indicated that Rocket Kitten used different malware and credential theft resources than\r\nFlying Kitten. In Check Point’s report, the company documented a database-driven credential theft platform,\r\nnamed by its creator as the \"Oyun Management System.\" Through gaining access to the backend database, the\r\nresearchers were able to observe a year’s worth of phishing attempts, starting in August 2014. 
Screenshots from\r\nthe database show some URLs that were used in phishing, often following a schema of:\r\n http://profiles.googel.com.inc.gs/?_schema=([0-9]+)\u0026rnd=([0-9]+)\r\nThis parallels first-hand observation of attempts against Iranian journalists during September and October 2014.\r\nThe pattern also provides a possible fingerprint for Rocket Kitten attacks. However, the tactics and tools in\r\nphishing campaigns attributed to Rocket Kitten were not homogeneous, even at the same time. The first post-Flying\r\nKitten spearphishing attempts we have observed occurred at the start of August 2014, and a different pattern in the\r\nURLs of phishing sites is apparent:\r\n http://account-google.co/EditPassd?pli=([A-Z0-9]+)\r\n http://drive-google.co/Check?pli=([A-Z0-9]+)\r\nClearSky notes these domains in its \"Thamar Reservoir\" report, despite the different parameter schema. On face\r\nvalue, this would not entirely rule out the use of Oyun, but it creates the possibility of there being two different\r\nphishing toolkits.\r\nThe August 2014 attempts have more similarities with Flying Kitten attempts than with Check Point’s Rocket Kitten.\r\nThe same parameter scheme is seen in a December 2013 message that \"hackers recently want to hijack your\r\naccount,\" conducted by Flying Kitten:\r\n http://accounts.privacy-google.com/EditPassd?pli=([A-Z0-9]+)\u0026Service=mail\u0026TTL=True\r\nThere are many other tactical and stylistic differences between these \"Rocket Kitten\" attempts, including\r\nmeaningful differences in the template of the fake Google notice. Whereas Rocket Kitten had registered Gmail\r\naccounts that appeared to be official (e.g. \"accourrt.noreply\" and \"team.mail.secure\"), both Flying Kitten and the\r\nAugust 2014 messages used compromised sites to relay messages spoofed to appear as Google (e.g. \"Services-Team@accounts.google.com\"). 
Aside from these technical properties, both of the latter sets of messages shared\r\ncommon grammatical failures, focused on common targets, and used similar social engineering strategies.\r\nDespite these differences in tools and behaviors, the seemingly distinct patterns are commonly lumped together as\r\n\"Rocket Kitten.\"\r\nTwo years later, in August 2016, Rocket Kitten exposed the scripts used in its spearphishing campaigns, providing\r\naccess to an archive of source code and operational materials. The set of PHP scripts used in these campaigns was\r\nrudimentary but had clearly been used for at least dozens of attacks. For clarity, we will refer to this codebase as\r\n\"Ishak\" – reflecting the naming of the folders in the archive.\r\nWhat was immediately striking is how closely the Ishak source code resembled previously obtained copies of\r\nFlying Kitten’s Hotmail, Yahoo, and Facebook scripts. On the most basic level, the folder that contained victims’\r\npasswords and other logs controlled external access with the same .htpasswd entry:\r\n admin:$apr1$.M.6gO9b$HKm8rKGoUMsesWMq14QsG/\r\nThe similarities extend further into the code. The earliest file creation date in the Ishak codebase was December\r\n2012 – a file named \"all.php\" that does nothing but echo back the visitor’s IP address. This exact file is also present\r\nin the Flying Kitten codebase. Still other files and folders have the same structure and names, such as the log\r\nfile \"Zerang.log\" (\"clever\"). Both have blocked roughly the same sets of IP addresses through the Apache\r\n.htaccess file (mostly search engine crawlers, but potentially researchers as well).\r\nWhile the codebases are not the same, there are substantial similarities elsewhere, especially in components that\r\nwould not require updates to accommodate changes in the user interfaces of the sites they mimic. 
For example,\r\nin the page that logs unexpected attempts to access the site (such as expired or empty victim identifiers), the only\r\nchange was to push users to the Yahoo! homepage rather than a Persian-language pornographic site (the latter\r\nof which was common across Flying Kitten properties).\r\nFlying Kitten, November 2013 (xn--facebook-06k.com)\r\nRocket Kitten, August 2016 (yahoo-reset.signin-useraccount-mail.com)\r\nFlying Kitten, March 2014 (drive.yahoomail.com.co)\r\nRocket Kitten, August 2016 (yahoo-drive.signin-useraccount-mail.com)\r\nThe Ishak scripts are substantially different from the Oyun\r\nspearphishing platform that Check Point documented. The latter uses a database to store the target\r\ninformation that populates the phishing page. Instead, both the Flying Kitten and Ishak toolkits are simpler –\r\nvictim identifiers are stored as an array in a file that is essentially a phone book for the platform. The victim\r\nidentifiers appear to be manually set, which explains why in-the-wild attacks sometimes appeared with victim IDs\r\nas non-random, \"asdf\"-style sequences of characters, or target names – instead of Oyun’s number-based identifier.\r\nIshak was almost certainly used in-the-wild in attacks attributed to Rocket Kitten. The difference in parameter\r\nschemas provides an indication that the Ishak codebase was used in attacks documented by others in 2015, as the\r\nURLs for those sites resemble Ishak’s approach rather than Oyun’s.\r\nURL Path Differences:\r\n Oyun (e.g. profiles.googel.com.inc.gs in September 2014): /?_schema=([0-9]+)\u0026rnd=([0-9]+)\r\n Ishak (e.g. user-setting.com in March 2015): /Drive-Auto/AutoSecond?Chk=([A-Z0-9]+)\r\nOther similarities exist between Ishak and past reports. 
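The URL-schema fingerprint described above can be turned into a small classifier. The Python below is an added example and not code from the original post or from either group’s toolkits: it reads the query-string parameter names (Oyun: _schema and rnd carrying numeric values; Ishak and the Flying Kitten kit: a pli or Chk token) and labels each URL accordingly. The decision rules, the helper names and the sample URLs are assumptions built from the regex patterns quoted in the post, with made-up parameter values.

```python
# Added example, not code from the original post: classify credential-theft
# URLs by the query-parameter schema of the toolkit that produced them, using
# the URL path fingerprints quoted in the post (Oyun: _schema and rnd with
# numeric victim IDs; Ishak / Flying Kitten: a pli or Chk token). The decision
# rules and the sample URLs below are assumptions built from those examples.
from urllib.parse import urlsplit, parse_qs

OYUN_PARAMS = {'_schema', 'rnd'}   # Oyun Management System (Check Point, 2015)
ISHAK_PARAMS = ('pli', 'Chk')      # Flying Kitten kit (2013-2014) and Ishak (2015+)


def fingerprint(url):
    # Returns (toolkit, host, victim_id); toolkit is 'oyun', 'ishak' or 'unknown'.
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    names = set(params)
    if OYUN_PARAMS <= names and all(params[n][0].isdigit() for n in OYUN_PARAMS):
        return 'oyun', parts.hostname, params['_schema'][0]
    for name in ISHAK_PARAMS:
        if name in names:
            token = params[name][0]
            # Ishak victim IDs are manually set upper-case alphanumerics
            # ('asdf'-style strings or target names, matching [A-Z0-9]+).
            if token and token.isalnum() and token == token.upper():
                return 'ishak', parts.hostname, token
    return 'unknown', parts.hostname, None


def summarize(urls):
    # Group phishing hosts by toolkit so a campaign can be placed in the
    # Oyun or the Ishak lineage at a glance.
    result = {'oyun': [], 'ishak': [], 'unknown': []}
    for url in urls:
        toolkit, host, _ = fingerprint(url)
        if host not in result[toolkit]:
            result[toolkit].append(host)
    return result


# Constructed sample: hosts and parameter names from the post, ID values made up.
SAMPLE_URLS = [
    'http://profiles.googel.com.inc.gs/?_schema=12&rnd=4711',
    'http://account-google.co/EditPassd?pli=ASDF01',
    'http://drive-google.co/Check?pli=ASDF01',
    'http://accounts.privacy-google.com/EditPassd?pli=X7K2Q&Service=mail&TTL=True',
    'http://user-setting.com/Drive-Auto/AutoSecond?Chk=ZXCV9',
    'http://example.com/accounts/login?next=inbox',
]

if __name__ == '__main__':
    for url in SAMPLE_URLS:
        print(fingerprint(url))
    print(summarize(SAMPLE_URLS))
```

Running the module prints a label for each sample URL and then the hosts grouped by toolkit. Empty or non-conforming tokens fall through to unknown rather than being forced into either kit, which matters when a site is probed with the parameter present but no victim identifier.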
ClearSky also notes that a log file was publicly\r\naccessible in the attacks they observed:\r\nClearSky’s logs strongly resemble the format found both on Flying Kitten and the Ishak phishing pages, which\r\nfollow a somewhat unique format that differs slightly across copies, for example in Ishak:\r\n $data = \"$date | user:$user | email:$email | pass:-$password- | $IP | $Page$URI | $Agent | $re\r\nOne addition to the Ishak codebase related to logging and authentication that was not previously seen in the Flying\r\nKitten kit, and which appears to respond to ClearSky’s report:\r\nThe scripts have changed over time. The different folders capture iterative versions up to August 2016. While\r\nthere are phishing-related files as old as June 2014 in the Ishak code, the actual spearphishing activity reflected in\r\nlogs begins around February 2016. These logs reflect an active group targeting a broad range of sectors, although\r\nwith a clear focus on Iranian domestic politics. Since no publications have focused on Rocket Kitten since the\r\nCheck Point report, there is no external confirmation about the origin of these campaigns. 
However, our direct\r\nobservation of Rocket Kitten attacks against the human rights community runs unbroken from August 2014 to\r\npresent, and while there are shifts over time, there is also a fair amount of congruency.\r\nExamples of recorded hostnames within the Ishak logs include:\r\nnetwork.us14-userfile-permission-account-signin.com (created 2016-06-28)\r\nonedrive.signin-useraccount-mail.com (created 2016-07-26)\r\nverify-your-password-for-secure-your-account.cf (accessed 2016-06)\r\nmg5-myfile-available-signin.ga (accessed 2016-02)\r\nyahoo-drive.signin-useraccount-mail.com (created 2016-07-26)\r\nyahoo-reset.signin-useraccount-mail.com (created 2016-07-26)\r\nyour-file-drive-permission-for-download.cf (accessed 2016-05)\r\ndrive-useraccount-signin-mail.ga (accessed 2016-08)\r\nuserfile-need-permission-download-signin.com (created 2016-06-28)\r\nAside from the popular communications platforms, namely Yahoo!, Microsoft, Facebook and Google, the\r\nrepository includes sites modified for special use cases. These include attempts to target:\r\nThe Network Solutions accounts of Asharq al-Awsat, an Arabic international newspaper headquartered in\r\nLondon, and of GEM TV, a Persian-language entertainment satellite broadcaster;\r\nThe Roundcube webmail service of an Iranian medicine company;\r\nCox webmail, directed against an unknown individual; and\r\nAmerican and British universities, targeting Iran-focused scholars.\r\nThe preference for the Ishak scripts over Oyun may be explained by a change in behavior we observed in Fall\r\n2015, when Rocket Kitten was the subject of multiple publications. After these incidents, Rocket Kitten was more\r\ncircumspect about its activities. 
Prior to the change, Rocket Kitten provided a predictable trail across campaigns,\r\nas certain infrastructure was used across multiple targets for extended periods of time (several months).\r\nAfter the heightened level of exposure, Rocket Kitten shifted techniques to reduce linkability and hide\r\ninfrastructure. Rather than operate within consistent bounds of leased servers and clever domains for months,\r\nlater spearphishing attempts conducted by the group treated hosts and names as more disposable. Spearphishing\r\nattempts were stood up for short-term episodes with a specific set of targets in mind. Upon\r\nindication of discovery, success, or suspicion of failure, the sites were taken offline and not reused. It stands to\r\nreason that if a server would only be used against a few targets over a couple of days, Oyun’s requirement of\r\ninstalling and configuring a database became costly. Thus Ishak would be a more flexible approach, even if not as\r\nsophisticated.\r\nAn alternative hypothesis is that Rocket Kitten is internally uncoordinated, or certain campaigns were\r\nmisattributed. Check Point’s report includes a chart of attacks that records no activity for June and July 2015;\r\nhowever, we see \"Rocket Kitten\" spearphishing attempts during this time. Similarly, while IP addresses associated\r\nwith the German satellite provider IABG are documented in multiple Rocket Kitten reports, we only see that ISP\r\nin attacks in September 2014 and not others.\r\nCase 2: Malware\r\nIn January 2017, a domain \"IranianUkNews[.]com\" was created with registration information that matched\r\npreviously identified Rocket Kitten domains and was hosted on an IP address adjacent to a Rocket Kitten\r\ncredential theft site. 
The domain was noteworthy since it bore a resemblance to the independent news site \"Iranian\r\nUK\" (iranianuk.com) that covers Iranian politics. The new domain was not the first case of Iranian UK being\r\nimpersonated. A series of credential theft attempts observed in September 2013 using the domain\r\n\"qooqle.com[.]co\" were hosted and registered alongside a domain \"iraniannuk[.]com\" – a campaign that marked\r\nthe beginning of a new phase in Flying Kitten’s activities.\r\nHaving flagged the domain early, we were privy to the process of the site being set up. From our monitoring of\r\nIranianUkNews, there appeared to be two resources hosted on the suspicious domain:\r\na Persian-language page impersonating Iranian UK that we were not able to directly observe; and,\r\na fake Adobe Flash site containing a malicious Windows executable.\r\nThe Adobe Flash page that was hosted on IranianUkNews bore immediate similarities in content to another\r\nFlying Kitten resource – the \"Plugin-Adobe[.]com\" domain that FireEye documented in Operation Saffron Rose.\r\nIn the case of Operation Saffron Rose, this domain was used to host malware, and we observed another Flying\r\nKitten page that impersonated BBC Persian (domain: \"persian-bbc.co[.]uk\") in order to deceive the visitor into\r\ninstalling malware to supposedly view a video.\r\nThe full path for the Flash site on the new IranianUkNews domain was the following:\r\n iranianuknews.com/adobe/flashplayer/Download/78923582514/index.php?id=7892358\r\nSimilar to the case of the Flying Kitten phishing script, we had a copy of the backend of Plugin-Adobe[.]com.\r\nTimestamps of the Flying Kitten files and logs suggest that site was initially created in August 2013. A\r\ncomparison of the structure and content of the Flying Kitten page and the new site strongly indicates that they are\r\nnearly the same code. 
Minor differences in the CSS and Javascript of the Flash download page suggest that the\r\nattacker made small iterative changes to the original scripts, but used the original source to continue operations\r\n(including references to a version of Flash released in July 2013).\r\nLogging Functions on a Fake BBC Persian Malware Site\r\nThe functionality and behavior of the sites are similar despite the code being undisclosed. Flying Kitten was often\r\nmeticulous about logging, as the phishing script illustrates, and in that spirit their fake Adobe site would maintain\r\nlogs separated out in different files based on campaigns (defined based on URL parameters). Understanding this\r\npredictable behavior, we were able to retrieve the logs from the new Rocket Kitten site. These logs also\r\nresemble the Ishak credential theft logs.\r\nFlying Kitten (2013)\r\n2013-08-07 16:39:21 | user:demo | 81.91.146.232 | plugin-adobe.com/tst.php?id=demo | Mozilla/\r\n2013-08-07 17:24:11 | user:demo | 81.91.146.232 | plugin-adobe.com/tst.php?id=demo | Mozilla/\r\n2013-08-07 17:37:01 | user:demo | 81.91.146.232 | plugin-adobe.com/tst.php?id=demo | Mozilla/\r\nRocket Kitten (2017)\r\n2017-01-04 21:03:33 | id=[78923582514] | 127.0.0.1 | 127.0.0.1/adobe/flashplayer/Download/789\r\n2017-01-24 13:59:09 | id=[78923582514] | 185.81.40.230 | iranianuknews.com/adobe/flashplayer/\r\nThe January 2017 logs demonstrate that an individual had engaged in a fair amount of testing earlier in the month\r\non a local machine prior to staging the site on the Internet. After posting the page on the IranianUkNews domain,\r\nIP addresses associated with the PureVPN service and the Iranian ISP \"Parsdade Advanced Technology\" then\r\nbegan to test the site again. Parsdade has been observed repeatedly within Rocket Kitten operations, and is not a\r\nvery large ISP. 
This demonstrates that the individual staging the new IranianUkNews site both had the original\r\nscripts used by Flying Kitten and was based in Iran, lowering the possibility that the incident was the\r\nresult of a security researcher’s testing.\r\nMalware\r\nThe departure between our observations of Flying Kitten and the Rocket Kitten site begins at the malware\r\ndownloaded by the fake Flash page. Initially, the new IranianUkNews site would download a file with an Android\r\napplication (.APK) extension. In reality, the binary was a mislabelled Windows executable, although changing\r\nURL parameters would prompt the site to offer a .EXE file (the same file). No actual Android malware was\r\nobserved. We never observed Flying Kitten targeting mobile devices, and this aspect appears to be a\r\nnewer enhancement. Rocket Kitten has been observed using Android malware, as we noted last year.\r\nIn Operation Saffron Rose, FireEye documents Flying Kitten’s malware agent, \"Stealer,\" a simple keylogger with\r\nan easy-to-use builder application. The fake Flash installer on the new IranianUkNews is not Stealer, but rather\r\nappears to be a predecessor that is in certain respects better designed than Stealer. The existence of another Flying\r\nKitten malware agent would account for why we found files on their command and control FTP servers in 2013\r\nthat appeared to be malware logs that were not generated by Stealer, including files with the name \"mb_1986.\"\r\nOnce again, Mojtaba. 
Based on static references in the malicious library, we will refer to this version as\r\n\"TKeylogger.\" Given that TKeylogger is extremely old, and has not been observed being actively used in attacks,\r\na writeup of the malware agent is not in scope for this article.\r\nIt is notable that the compile time for the dropper of the TKeylogger sample is \"2009-07-13 23:42\"; which taking\r\ninto account the inclusion of the signed Mozilla binary from 2012, is clearly a fake timestamp. This exact compile\r\ntime also appears in malware samples noted in Saffron Rose, however, FireEye’s samples are confirmed to be\r\nStealer. The mozalloc.dll library itself has a compilation timestamp of \"2013-08-07 07:02,\" a couple of hours prior\r\nto the file modification time and the same day as the logs captured from Flying Kitten’s site.\r\nTKeylogger Beacon\r\nGET /tst.php?id=14258974894 HTTP/1.1\r\nUser-Agent: Mozilla/2.0 (compatible; MSIE 6.0; Windows NT 5.2)\r\nHost: plugin-adobe.com\r\nCache-Control: no-cache\r\nOne behavior not seen in Stealer is an initial beacon upon infection to an HTTP endpoint. Stealer simply\r\nexfiltrated logs over FTP, although FireEye notes unused or incomplete code for HTTP POST, SFTP and SMTP\r\ncommunications. The unchanging value provided as an \"id\" in the beacon appears to be a unix timestamp\r\n(14258974894). The date for this \"timestamp\" would be November 2421, but dropping the final digit puts the\r\ndate at a more reasonable (but unexplained) March 9, 2015. The sample of TKeylogger acquired beacons back to\r\nthe old \"plugin-adobe[.]com,\" which we believe is still sinkholed by researchers, and there are static references in\r\nthe sample to an IP address 5.9.244[.]137 on Hetzner with a username of \"father\" and the password \"AzInjaBoro\"\r\n(\"get out of here\"). 
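As an added example (not code from the original post and not from the malware itself), the Python below parses the beacon request quoted above, evaluates its id as a unix timestamp, and applies the digit-dropping heuristic described in the post. The request text is the one shown above; the plausible-year window of 2009 to 2017, the function names and the indicator wording are assumptions.

```python
# Added example, not code from the original post: parse the TKeylogger beacon
# quoted in the post and sanity-check its id as a unix timestamp. The request
# text is the one shown in the post; the plausible-year window and the
# digit-dropping heuristic are assumptions (the post observes that dropping one
# digit yields March 9, 2015).
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

BEACON = '''GET /tst.php?id=14258974894 HTTP/1.1
User-Agent: Mozilla/2.0 (compatible; MSIE 6.0; Windows NT 5.2)
Host: plugin-adobe.com
Cache-Control: no-cache'''


def parse_beacon(raw):
    # Minimal HTTP/1.1 request-line and header parser for a captured beacon.
    lines = raw.strip().splitlines()
    method, target, version = lines[0].split(' ', 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(':')
        if sep:
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = parse_qs(parts.query)
    return {
        'method': method,
        'path': parts.path,
        'id': params.get('id', [None])[0],
        'host': headers.get('host'),
        'user_agent': headers.get('user-agent'),
    }


def epoch_to_utc(seconds):
    # timedelta arithmetic sidesteps platform limits of fromtimestamp() for
    # far-future values such as the raw beacon id.
    return EPOCH + timedelta(seconds=seconds)


def interpret_id(value, earliest=2009, latest=2017):
    # Try value as a unix timestamp; if the year is implausible, drop trailing
    # digits until it falls inside [earliest, latest]. Returns
    # (digits_dropped, datetime) or None if nothing plausible remains.
    digits = value
    dropped = 0
    while digits.isdigit():
        when = epoch_to_utc(int(digits))
        if earliest <= when.year <= latest:
            return dropped, when
        digits = digits[:-1]
        dropped += 1
    return None


def beacon_indicators(raw):
    # Notes an analyst would attach to this beacon when building a detection:
    # the odd user agent seen in the captured logs, and the timestamp reading.
    beacon = parse_beacon(raw)
    notes = []
    if beacon['user_agent'] and beacon['user_agent'].startswith('Mozilla/2.0'):
        notes.append('user agent Mozilla/2.0 with MSIE 6.0 is the unusual string seen in the captured logs')
    found = interpret_id(beacon['id']) if beacon['id'] else None
    if found:
        dropped, when = found
        notes.append('id reads as unix time %s after dropping %d digit(s)' % (when.date(), dropped))
    return beacon, notes


if __name__ == '__main__':
    beacon, notes = beacon_indicators(BEACON)
    print(beacon)
    for note in notes:
        print('-', note)
```

The raw value resolves to November 2421, which is what makes the id suspicious as a timestamp; the loop drops one digit and lands on 2015-03-09. Because the beacon id never changes, the Host header, the Mozilla/2.0 user agent and the /tst.php?id= path together make a usable proxy-log signature for this sample.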
The Hetzner address also appears to have been used by Flying Kitten for other previously\r\nidentified domains four years ago.\r\nIt is also notable that within our observation of Flying Kitten, much of the activity was conducted from IP\r\naddresses within the small range assigned to \"Jahan Pishro\" (\"World Leading\"). The testing captured\r\nin the old Flying Kitten logs also originated from the Jahan Pishro range (81.91.146[.]232). TKeylogger\r\nsubmits this beacon with the unusual user agent \"Mozilla/2.0 (compatible; MSIE 6.0; Windows NT 5.2)\" – which\r\nagain appears in the old captured logs. This indicates that our old logs reflect the testing of TKeylogger by its\r\ndeveloper, and that our sample is similar to the original malware.\r\nHere as well, disclosure of previously undocumented malware indicates that Rocket Kitten had direct access to\r\nFlying Kitten’s tools.\r\nInfrastructure Overlap\r\nThe registration of IranianUkNews and the credential theft sites follows within a long chain of domains connected\r\nto the Rocket Kitten group based on several different indicators. For example, the registration name Hiram Ryan, a\r\nname that appears to have been taken from the registration of a small aviation company, appears in Google\r\ncredential theft domains. 
The domain also reflects a fingerprint of Rocket Kitten domains present since around the\r\nCheck Point report, which followed a pattern:\r\nRegistrant Name: (First) (Last)\r\nRegistrant Organization: (First or Last).co\r\nExample:\r\nDomain Name: logins-mydrive-useraccount.com\r\nCreation Date: 2015-12-17T04:00:00Z\r\nRegistrant Name: William Morse\r\nRegistrant Organization: William.co\r\nIranianUkNews[.]com Registration:\r\nRegistrant Name: Hiram Ryan\r\nRegistrant Organization: Ryan.co\r\nRegistrant Email: admin@iranianuknews.com\r\nHiram Ryan and Ryan.co further lead to a \"cool.hiram@yandex.com\" with still more domains registered in\r\nJanuary and February 2017:\r\ndisplay-ganavaro-abrashimchi.com\r\niforget-memail-user-account.com\r\nchange-mail-accounting-register-single.com\r\nchange-user-account-mail-permission.com\r\ndisplay-error-runtime.com\r\nThe nature of some of these domains is unclear, but several have been observed in credential theft attempts, and\r\nlikely use the Ishak code.\r\nThese activities are importantly connected to the Telegram-focused credential theft and reconnaissance we\r\ndisclosed in our Black Hat presentation. The Parsdade IP address that logged onto the IranianUkNews site was\r\nalso observed conducting Telegram phishing attempts using the domain telegrem[.]org; a domain that is registered\r\nby tracyreed.cfl@gmail.com, the address involved in the \"shaftool\" and other API scraper domains. 
In fact, the\r\nghalpaq.com domain that was first identified with the Telegram enumeration attempts was originally pointed\r\nto a LeaseWeb host identified by ClearSky in \"Thamar Reservoir.\"\r\nPassive DNS Record: 178.162.203.56\r\n2015-09-23 www.google-verify.com\r\n2015-08-10 profiles-verify.com\r\n2015-06-09 ghalpaq.com\r\n2015-03-17 www.google-setting.com\r\n2015-03-03 google-setting.com\r\n2015-03-03 google-verify.com\r\n2015-03-03 verify-ycervice.com\r\n2015-03-03 verify-yservice.com\r\n2015-03-03 ymail-service.com\r\nConclusion\r\nRocket Kitten has been substantially less active after the successive reports in Fall 2015, often nearly dormant for\r\nmonths. Whereas Rocket Kitten was previously the most prolific group, the spearphishing attempts posed to civil\r\nsociety have shifted to other operators. In the lead up to the February 2016 parliamentary election, the malware\r\n\"Infy\" became the most active threat in our monitoring, with only a few Rocket Kitten attempts. Since then, the\r\nmantle has been taken by Charming Kitten (Newscaster), Oilrig, and others.\r\nUnfortunately, it is not always clear why researchers assert that certain domains are related, imposing hurdles to\r\nscrutinizing claims. Similar targeting is not sufficient toward establishing attribution – Iranian groups generally\r\nmaintain the same focus.\r\nOn the other hand, the efforts that were labeled Rocket Kitten could have been organized in a more nebulous\r\narrangement – and Rocket Kitten was never a uniform operator to begin with. Like Iran’s \"mosaic defense\"\r\nmilitary organizing structure, the hacking efforts are clearly more decentralized and fluid than those of countries with\r\nadvanced cyber warfare operations. This makes tracking and attributing attacks originating from Iran all the more\r\ncomplex. 
These two cases touch on the core of Flying Kitten’s toolkit as we understand it, with code that was either\r\nrepurposed or experimented with by Rocket Kitten.\r\nThe group, whatever we call it, has still engaged in spearphishing campaigns; however, the level of\r\nprofessionalism has declined and the nature of their activities changed. This could indicate that just as Flying\r\nKitten appears to have dispersed, so has Rocket Kitten. Taken together, these differences start to define two\r\npersonalities – both described as \"Rocket Kitten\" – one using the tools tied to an individual named Yaser Balaghi\r\n(Gholee, Woolger, MPK, Oyun) and one connected to Flying Kitten tools (Ishak).\r\nIf our version of Rocket Kitten is not the real Rocket Kitten, then what is? Is it still Flying Kitten?\r\nMoving forward, this also tells a cautionary tale as researchers find fingerprints of multiple Iranian groups\r\ninvolved in attacks such as those targeting Saudi Arabia. The history of Iranian actors has shown that toolkits\r\nmove, and so do people.\r\nContact\r\nEmail\r\nClaudio (nex@amnesty.org)\r\nFingerprint: E063 75E6 B9E2 6745 656C 63DE 8F28 F25B AAA3 9B12\r\nCollin (cda@cda.io)\r\nPGP Key: https://cda.io/key.asc\r\nFingerprint: 510E 8BFC A60E 84B4 40EA 0F32 FAFB F2FA\r\nIndicators of Compromise\r\nMalware\r\nFilename: mozalloc.dll\r\nMD5: 8ad0485fd3509042b0a477f65507f711\r\nCredential Theft from Ishak 
Logs\r\naccount-signin-myaccount-users.ga\r\naol.userfile-need-permission-download-signin.com\r\nchangepassword.userfile-need-permission-download-signin.com\r\ncox.userfile-need-permission-download-signin.com\r\ndrive-sigin-permissionsneed.ml\r\ndrive-useraccount-signin-mail.ga\r\ndrive.signin-account-privacymail.com\r\ndropebox.co\r\ndurham-ac-uk.userfile-need-permission-download-signin.com\r\nhangouting-signin-to-chat.ga\r\nmg5-myfile-available-signin.ga\r\nnetwork.us14-userfile-permission-account-signin.com\r\nonedrive.signin-useraccount-mail.com\r\nsecurity-supportteams-mail-change.ga\r\nsingin-your-drive.ga\r\nuserfile-need-permission-download-signin.com\r\nverify-account-for-secure.ga\r\nverify-google-password.userfile-need-permission-download-signin.com\r\nwww.drive-useraccount-signin-mail.ga\r\nyahoo-drive.signin-useraccount-mail.com\r\nyahoodrive.signin-account-privacymail.com\r\nyour-file-drive-permission-for-download.cf\r\nSource: https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/"
	],
	"report_names": [
		"attribution-flying-rocket-kitten"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8e1bae2f-2a21-4ba8-a6f1-42155f96aec8",
			"created_at": "2022-10-25T16:07:23.645758Z",
			"updated_at": "2026-04-10T02:00:04.700158Z",
			"deleted_at": null,
			"main_name": "Flying Kitten",
			"aliases": [
				"Ajax Security Team",
				"Flying Kitten",
				"G0130",
				"Group 26",
				"Operation Saffron Rose"
			],
			"source_name": "ETDA:Flying Kitten",
			"tools": [
				"Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f763fd1f-f697-40eb-a082-df6fd3d13cb1",
			"created_at": "2023-01-06T13:46:38.561288Z",
			"updated_at": "2026-04-10T02:00:03.024326Z",
			"deleted_at": null,
			"main_name": "Infy",
			"aliases": [
				"Operation Mermaid",
				"Prince of Persia",
				"Foudre"
			],
			"source_name": "MISPGALAXY:Infy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35",
				"APT42",
				"Agent Serpens (Palo Alto)",
				"Charming Kitten",
				"CharmingCypress",
				"Educated Manticore (Check Point)",
				"ITG18",
				"Magic Hound",
				"Mint Sandstorm (sub-group)",
				"NewsBeef",
				"Newscaster",
				"PHOSPHORUS (sub-group)",
				"TA453",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34",
				"CHRYSENE",
				"Crambus",
				"EUROPIUM",
				"Hazel Sandstorm",
				"Helix Kitten",
				"ITG13",
				"OilRig",
				"Yellow Maero"
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f4d7cba1-dbdd-42a9-88c5-4d0c81659ee0",
			"created_at": "2023-01-06T13:46:38.357581Z",
			"updated_at": "2026-04-10T02:00:02.941254Z",
			"deleted_at": null,
			"main_name": "Flying Kitten",
			"aliases": [
				"Saffron Rose",
				"AjaxSecurityTeam",
				"Ajax Security Team",
				"Group 26",
				"Sayad",
				"SaffronRose"
			],
			"source_name": "MISPGALAXY:Flying Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b0261705-df2e-4156-9839-16314250f88a",
			"created_at": "2023-01-06T13:46:38.373617Z",
			"updated_at": "2026-04-10T02:00:02.947842Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Operation Woolen-Goldfish",
				"Thamar Reservoir",
				"Timberworm",
				"TEMP.Beanie",
				"Operation Woolen Goldfish"
			],
			"source_name": "MISPGALAXY:Rocket Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e034b94b-9655-42c4-a72e-a58807dce299",
			"created_at": "2022-10-25T16:07:24.133537Z",
			"updated_at": "2026-04-10T02:00:04.876832Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Group 83",
				"NewsBeef",
				"Newscaster",
				"Operation Newscaster",
				"Operation Woolen-GoldFish",
				"Parastoo",
				"Rocket Kitten"
			],
			"source_name": "ETDA:Rocket Kitten",
			"tools": [
				"CoreImpact (Modified)",
				"FireMalv",
				"Ghole",
				"Gholee"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "59c9f31b-e032-44b9-bf3b-4f2cb3d17e39",
			"created_at": "2022-10-25T16:07:23.734244Z",
			"updated_at": "2026-04-10T02:00:04.731031Z",
			"deleted_at": null,
			"main_name": "Infy",
			"aliases": [
				"APT-C-07",
				"Infy",
				"Operation Mermaid",
				"Prince of Persia"
			],
			"source_name": "ETDA:Infy",
			"tools": [
				"Foudre",
				"Infy",
				"Tonnerre"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfiltrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8faa11f5-2a14-479c-9ea8-3779e6de9749",
			"created_at": "2022-10-25T15:50:23.814205Z",
			"updated_at": "2026-04-10T02:00:05.308465Z",
			"deleted_at": null,
			"main_name": "Ajax Security Team",
			"aliases": [
				"Ajax Security Team",
				"Operation Woolen-Goldfish",
				"AjaxTM",
				"Rocket Kitten",
				"Flying Kitten",
				"Operation Saffron Rose"
			],
			"source_name": "MITRE:Ajax Security Team",
			"tools": [
				"sqlmap",
				"Havij"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439006,
	"ts_updated_at": 1775792275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9438e386c33f672058a0037dcaa0cfffa3532533.pdf",
		"text": "https://archive.orkl.eu/9438e386c33f672058a0037dcaa0cfffa3532533.txt",
		"img": "https://archive.orkl.eu/9438e386c33f672058a0037dcaa0cfffa3532533.jpg"
	}
}
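The indicator list at the end of this record's plain_text is only useful if it is matched correctly against traffic: most of the entries are registered domains under which the group created arbitrary subdomains (the `*.userfile-need-permission-download-signin.com` hosts are one family), so an exact-string comparison misses hits, while a naive `endswith()` produces false positives on unrelated domains that merely share a suffix. The script below is an added example written for this page; it is not code from the report, from the iranthreats authors, or from ORKL. The indicator domains are copied verbatim from the list above (their misspellings are the attackers' lookalike choices and must not be corrected); the proxy and DNS log lines, their formats, and the `query:` resolver-log shape are constructed assumptions for the demonstration.

```python
"""Match the report's phishing domains against proxy and DNS log lines.

Added example for this page, not code from the report or from ORKL.
Indicators are copied from the page; the log lines are constructed.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Indicator domains from the report's IOC list.  "sigin", "singin" and
# "dropebox" are the attackers' own lookalike spellings, not typos to fix.
IOC_DOMAINS = frozenset({
    "account-signin-myaccount-users.ga",
    "aol.userfile-need-permission-download-signin.com",
    "changepassword.userfile-need-permission-download-signin.com",
    "cox.userfile-need-permission-download-signin.com",
    "drive-sigin-permissionsneed.ml",
    "drive-useraccount-signin-mail.ga",
    "drive.signin-account-privacymail.com",
    "dropebox.co",
    "durham-ac-uk.userfile-need-permission-download-signin.com",
    "hangouting-signin-to-chat.ga",
    "mg5-myfile-available-signin.ga",
    "network.us14-userfile-permission-account-signin.com",
    "onedrive.signin-useraccount-mail.com",
    "security-supportteams-mail-change.ga",
    "singin-your-drive.ga",
    "userfile-need-permission-download-signin.com",
    "verify-account-for-secure.ga",
    "verify-google-password.userfile-need-permission-download-signin.com",
    "www.drive-useraccount-signin-mail.ga",
    "yahoo-drive.signin-useraccount-mail.com",
    "yahoodrive.signin-account-privacymail.com",
    "your-file-drive-permission-for-download.cf",
})

# Longest indicator first, so a host under both "aol.userfile-..." and
# "userfile-..." is reported against the more specific entry.
_IOCS_BY_SPECIFICITY = tuple(sorted(IOC_DOMAINS, key=len, reverse=True))

_URL_HOST = re.compile(r"https?://([^/\s:?#]+)", re.IGNORECASE)
# Assumed resolver-log shape ("query: <name> IN A"); adjust for your logs.
_DNS_QUERY = re.compile(r"query:\s+(\S+)", re.IGNORECASE)


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and an explicit :port."""
    host = host.strip().lower().rstrip(".")
    return host.split(":", 1)[0]


def hostname_from_line(line: str) -> Optional[str]:
    """Pull the visited or queried hostname out of a proxy or DNS log line."""
    m = _URL_HOST.search(line) or _DNS_QUERY.search(line)
    return normalize_host(m.group(1)) if m else None


def matching_ioc(host: str) -> Optional[str]:
    """Return the indicator `host` equals or is a subdomain of, else None.

    The label boundary ("." + ioc) matters: plain endswith() would flag
    "evil-dropebox.co", a different registered domain, as "dropebox.co".
    """
    host = normalize_host(host)
    for ioc in _IOCS_BY_SPECIFICITY:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_logs(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (hostname, indicator) for every log line that hits the list."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        host = hostname_from_line(line)
        if host is None:
            continue
        ioc = matching_ioc(host)
        if ioc is not None:
            hits.append((host, ioc))
    return hits


# Constructed sample log lines (not from the report).
SAMPLE_LOGS = [
    "2017-11-02T08:14:22Z proxy user=jdoe GET https://www.drive-useraccount-signin-mail.ga/login?u=jdoe",
    "2017-11-02T08:15:01Z proxy user=jdoe GET https://www.dropbox.com/home",
    "02-Nov-2017 08:16:30.112 queries: client 10.0.0.7#53311: query: mail.userfile-need-permission-download-signin.com IN A +",
    "02-Nov-2017 08:17:02.410 queries: client 10.0.0.9#40121: query: evil-dropebox.co IN A +",
    "2017-11-02T08:18:45Z proxy user=asmith GET http://DROPEBOX.CO:8080/file/share",
]

if __name__ == "__main__":
    for host, ioc in scan_logs(SAMPLE_LOGS):
        print(f"HIT {host} -> {ioc}")
```

Run against the constructed lines, the legitimate `www.dropbox.com` visit and the unrelated `evil-dropebox.co` query produce no hit, while the subdomain `mail.userfile-need-permission-download-signin.com` is reported against its parent indicator and the mixed-case, port-suffixed `DROPEBOX.CO:8080` is normalised and matched. Treat indicators of this age as historical: the report notes the infrastructure was abandoned, so a hit today is more likely a re-registered domain than the original actor.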