{
	"id": "c7ac4163-3785-4ba9-ae97-ffd516a79fda",
	"created_at": "2026-04-06T00:18:12.172144Z",
	"updated_at": "2026-04-10T03:37:55.861997Z",
	"deleted_at": null,
	"sha1_hash": "953add6328491010089ef09b1dc9bf7fb255fe45",
	"title": "Rocket Kitten Showing Its Claws: Operation Woolen-GoldFish and the GHOLE campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 256262,
	"plain_text": "Rocket Kitten Showing Its Claws: Operation Woolen-GoldFish and the GHOLE campaign\r\nArchived: 2026-04-05 13:54:05 UTC\r\nRocket Kitten refers to a cyber threat group that has been hitting different public and private Israeli and European organizations. It has launched two campaigns so far: a malware campaign that exclusively makes use of GHOLE malware, and a targeted attack dubbed “Operation Woolen-GoldFish” that is possibly state-sponsored.\r\nGHOLE is a malware family that was discussed at the 31st Chaos Communication Congress of the Chaos Computer Club (31C3), during a lecture that covered its ongoing involvement in targeted attacks. Based on the compilation date of its oldest samples, the malware is believed to have been active since 2011, and it has been used by Rocket Kitten in their targeted attacks.\r\nOperation Woolen-GoldFish, on the other hand, is a cyber attack campaign that we suspect to be state-sponsored, or at the very least politically motivated. It has been attacking the following targets:\r\nCivilian organizations in Israel\r\nAcademic organizations in Israel\r\nGerman-speaking government organizations\r\nEuropean government organizations\r\nEuropean private companies\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing\r\nPage 1 of 4\r\nBackground, Analysis, Findings\r\nGHOLE Malware Campaign:\r\nIn February 2015, we received an alert that involved an infected Excel file that, upon analysis, proved to be part of the GHOLE malware campaign, one of Rocket Kitten’s campaigns.\r\nThe GHOLE malware campaign involves victims being sent spear-phishing emails with malicious attachments. The attachment is usually an Excel file that contains a malicious macro.\r\nWhen opened, the Excel file drops a .DLL file that is then executed by the malicious macro embedded in the Excel file.\r\nThe Excel file is tailored to trick the user into running the macro. If the user does not enable the macro content, the .DLL file will not be executed.\r\nGHOLE is a malware family derived from a modified Core Impact product. Core Impact is a penetration-testing product made by Core Security, a legitimate company.\r\nFurther analysis revealed that the GHOLE variants involved in the operation connect to C\u0026C servers hosted mainly in Germany. The servers are registered under one customer by the name of Mehdi Mavadi. We are hesitant to attribute the attack to this identity, as the name itself is quite common and the customer’s servers may simply be compromised and used as a proxy rather than actually providing infrastructure for the Rocket Kitten group.\r\nOperation Woolen-GoldFish:\r\nSimilar to the GHOLE malware campaign, Operation Woolen-GoldFish involves spear-phishing emails embedded with a malicious link that leads to a OneDrive link. The link goes directly to a malicious file download.\r\nThe malware payload was initially found to be a variant of GHOLE, but further samples led to the discovery of a new payload: a variant of a keylogger known as the CWoolger keylogger. It is detected as TSPY_WOOLERG.A.\r\nPossible Attribution\r\nBy analyzing the Microsoft Office metadata of the malicious documents in the spear-phishing emails, we narrowed down the suspects to one “Wool3n.H4t”, whose name appears in most of the document samples found as the last known modifier. His other accomplices include entities who go by the names “aikido1” and “Hoffman”.\r\nWe looked deeper into the identity of Wool3n.H4t and discovered the following:\r\nHe may have been running an underground hacking blog under the same nickname, with the only two entries signed by “Masoud_pk”.\r\n“Masoud_pk” may possibly be the true identity of Wool3n.H4t. “Masoud” is among the top 500 most commonly used first names in Iran.\r\nA debug string found in the CWoolger keylogger code shows that the compiler is identified as Wool3n.H4T.\r\nConclusion\r\nThis report explores Rocket Kitten by analyzing the tools used in its malicious activities. From our findings we can definitely say that the threat actor team is alive and active, and while the tracks they left behind—as well as their use of macros—might make them seem a bit inexperienced, they are slowly improving and gaining traction.\r\nWe are also able to confirm that Wool3n.H4T is not only responsible for most of the infecting Office documents used, but also capable of developing malware.\r\nWith all the evidence, Rocket Kitten’s attacks can be construed as politically motivated, as the targeted entities do share a particular interest in the Islamic Republic of Iran. While motives behind targeted attack campaigns differ, the end results are one and the same: a shift in power, either economic or political.\r\nRead the research paper Operation Woolen-GoldFish: When Kittens Go Phishing for a full, detailed look into the activities and methods of Rocket Kitten.\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing"
	],
	"report_names": [
		"operation-woolen-goldfish-when-kittens-go-phishing"
	],
	"threat_actors": [
		{
			"id": "b0261705-df2e-4156-9839-16314250f88a",
			"created_at": "2023-01-06T13:46:38.373617Z",
			"updated_at": "2026-04-10T02:00:02.947842Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Operation Woolen-Goldfish",
				"Thamar Reservoir",
				"Timberworm",
				"TEMP.Beanie",
				"Operation Woolen Goldfish"
			],
			"source_name": "MISPGALAXY:Rocket Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e034b94b-9655-42c4-a72e-a58807dce299",
			"created_at": "2022-10-25T16:07:24.133537Z",
			"updated_at": "2026-04-10T02:00:04.876832Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Group 83",
				"NewsBeef",
				"Newscaster",
				"Operation Newscaster",
				"Operation Woolen-GoldFish",
				"Parastoo",
				"Rocket Kitten"
			],
			"source_name": "ETDA:Rocket Kitten",
			"tools": [
				"CoreImpact (Modified)",
				"FireMalv",
				"Ghole",
				"Gholee"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8faa11f5-2a14-479c-9ea8-3779e6de9749",
			"created_at": "2022-10-25T15:50:23.814205Z",
			"updated_at": "2026-04-10T02:00:05.308465Z",
			"deleted_at": null,
			"main_name": "Ajax Security Team",
			"aliases": [
				"Ajax Security Team",
				"Operation Woolen-Goldfish",
				"AjaxTM",
				"Rocket Kitten",
				"Flying Kitten",
				"Operation Saffron Rose"
			],
			"source_name": "MITRE:Ajax Security Team",
			"tools": [
				"sqlmap",
				"Havij"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434692,
	"ts_updated_at": 1775792275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/953add6328491010089ef09b1dc9bf7fb255fe45.pdf",
		"text": "https://archive.orkl.eu/953add6328491010089ef09b1dc9bf7fb255fe45.txt",
		"img": "https://archive.orkl.eu/953add6328491010089ef09b1dc9bf7fb255fe45.jpg"
	}
}