{
	"id": "534bcde2-df30-408f-bcc5-c42e655f654a",
	"created_at": "2026-04-06T00:06:29.390571Z",
	"updated_at": "2026-04-10T03:35:28.906032Z",
	"deleted_at": null,
	"sha1_hash": "9e10c53bcb169107a22b8eef9ea6162a753ce736",
	"title": "Domestic Kitten APT Operates in Silence Since 2016",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1322490,
	"plain_text": "Domestic Kitten APT Operates in Silence Since 2016\r\nBy Ionut Ilascu\r\nPublished: 2018-09-07 · Archived: 2026-04-05 15:56:40 UTC\r\nAn extensive surveillance operation targets specific groups of individuals with malicious mobile apps that collect sensitive\r\ninformation on the device along with surrounding voice recordings.\r\nResearchers with CheckPoint discovered the attack and named it Domestic Kitten. The targets are Kurdish and Turkish\r\nnatives, and ISIS supporters, all Iranian citizens.\r\nThe data collected by Domestic Kitten from compromised phones includes a wealth of information, as detailed below:\r\ncontact lists\r\ncall records\r\ntext and multimedia messages\r\nbrowser history and bookmarks\r\ngeographical location\r\nphotos\r\nrecordings of nearby conversations\r\nlist of installed apps\r\nclipboard content\r\ndata on external storage\r\nMalicious code steals clipboard content\r\nThe operation may be active since 2016\r\nThe threat actor uses three mobile applications that are of interest to the potential victims: a wallpaper changer, an app\r\npurporting to offer news updates from ANF (a legitimate Kurdish news website), and a fake version of the Vidogram\r\nmessaging app.\r\nThe wallpaper changer is designed to lure victims by offering them ISIS-related pictures to set as the screen background.\r\nWallpaper changer app\r\nThe certificate used for signing all three apps, a requirement for installing them on an Android device, was issued in 2016. 
This\r\nsuggests that the campaign escaped detection for two years.\r\nTo exfiltrate data from a compromised device the apps use HTTP POST requests to the command and control (C2) server\r\navailable at newly registered domains.\r\nOne of the apps also contacts a website (firmwaresystemupdate[.]com) that resolved to an Iranian IP address initially but\r\nchanged to a Russian address.\r\nAll data delivered to the C2 is encrypted with the AES algorithm and can be decrypted with a device ID the attacker creates\r\nfor each victim.\r\nDomestic Kitten Makes Thousands of Collateral Victims\r\nCheckPoint's analysis shows that 240 users have fallen victim to operation Domestic Kitten. More than 97% of them are\r\nIranians, the rest being victims in Afghanistan, Iraq and Great Britain.\r\nHowever, due to the comprehensive nature of the surveillance of the campaign, private information of thousands of\r\nindividuals has been compromised.\r\nThey are not necessarily the object of the surveillance, but collateral victims whose details were leaked from contact lists or\r\nconversations with the targets.\r\nClues point to state-backed Iranian APT\r\nIn a report shared with BleepingComputer, the researchers say that the operator of Domestic Kitten remains unconfirmed,\r\nbut based on the political conditions in the region they believe Iranian government entities are behind it.\r\n\"Indeed, these surveillance programs are used against individuals and groups that could pose a threat to the stability of the\r\nIranian regime. 
These could include internal dissidents and opposition forces, as well as ISIS advocates and the Kurdish\r\nminority settled mainly in Western Iran,\" CheckPoint explains.\r\nThey say that the nature of the targets, the apps and the attack infrastructure are clues that support the theory of an Iranian\r\norigin.\r\nSource: https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/"
	],
	"report_names": [
		"domestic-kitten-apt-operates-in-silence-since-2016"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "44d5df14-6a25-41d6-a54c-7c7ebac358cf",
			"created_at": "2023-01-06T13:46:38.817312Z",
			"updated_at": "2026-04-10T02:00:03.111227Z",
			"deleted_at": null,
			"main_name": "Domestic Kitten",
			"aliases": [
				"Bouncing Golf",
				"APT-C-50"
			],
			"source_name": "MISPGALAXY:Domestic Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "30f6ddb3-f5aa-4b78-a1a5-e37c42b2c560",
			"created_at": "2022-10-25T16:07:23.544297Z",
			"updated_at": "2026-04-10T02:00:04.64999Z",
			"deleted_at": null,
			"main_name": "Domestic Kitten",
			"aliases": [
				"APT-C-50",
				"Bouncing Golf",
				"G0097"
			],
			"source_name": "ETDA:Domestic Kitten",
			"tools": [
				"FurBall",
				"GolfSpy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433989,
	"ts_updated_at": 1775792128,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9e10c53bcb169107a22b8eef9ea6162a753ce736.pdf",
		"text": "https://archive.orkl.eu/9e10c53bcb169107a22b8eef9ea6162a753ce736.txt",
		"img": "https://archive.orkl.eu/9e10c53bcb169107a22b8eef9ea6162a753ce736.jpg"
	}
}