{
	"id": "54653e0b-45bb-4639-b2f4-12ac8773951a",
	"created_at": "2026-04-06T00:19:00.155638Z",
	"updated_at": "2026-04-10T03:37:55.947115Z",
	"deleted_at": null,
	"sha1_hash": "a308c1caadd0072383777d79d25f140b0c48d2b3",
	"title": "Charming Kitten",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 132378,
	"plain_text": "Charming Kitten\r\nBy Contributors to Wikimedia projects\r\nPublished: 2019-09-10 · Archived: 2026-04-05 21:14:02 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nCharming Kitten\r\nFormation c. 2004–2007[1]\r\nType Advanced persistent threat\r\nPurpose Cyberespionage, cyberwarfare\r\nRegion Middle East\r\nMethods Zero-days, spearphishing, malware, Social Engineering, Watering Hole\r\nMembership At least 5\r\nOfficial language Persian\r\nParent organization IRGC\r\nAffiliations Rocket Kitten APT34 APT33\r\nFormerly called\r\nAPT35\r\nTurk Black Hat\r\nAjax Security Team\r\nPhosphorus\r\nCharming Kitten, also called APT35 (by Mandiant), Phosphorus or Mint Sandstorm (by Microsoft[1]), Ajax\r\nSecurity (by FireEye[2]), and NewsBeef (by Kaspersky[3][4]) is an Iranian government cyberwarfare group,\r\ndescribed by several companies and government officials as an advanced persistent threat (APT).\r\nThe United States Cybersecurity and Infrastructure Security Agency (CISA) has identified Charming Kitten as\r\none of several Iranian state-aligned actors that target civil society organizations, including journalists, academics,\r\nand human rights defenders, in the United States, Europe, and the Middle East, as part of efforts to collect\r\nintelligence, manipulate discourse, and suppress dissent.[5]\r\nhttps://en.wikipedia.org/wiki/Charming_Kitten\r\nPage 1 of 5\n\nThe group is known to conduct phishing campaigns that impersonate legitimate organizations and websites, using\r\nfake accounts and domains to harvest user credentials.[6]\r\nThe entire national mass surveillance \"Kashef\" database software and its domain \" built by the IRGC CYBER\r\nCOM to spy on Iranian public was hacked in 2025 as well real life identities of the entire chain of command from\r\nthe hacker groups, with its CEO main runner of a front corporation \"Amn Afzar company \" being IRGC\r\ncommander Nilofar Bagheri.[7]\r\nNational mass surveillance software used by Unit40, by Iran 
International\r\n https://vimeo.com/1137702960/faabbbf3a4\r\nWitt defection (2013)\r\nIn 2013, former United States Air Force technical sergeant and military intelligence defense contractor Monica\r\nWitt defected to Iran[8] knowing she might incur criminal charges by the United States for doing so.[citation needed]\r\nHer giving of intelligence to the government of Iran later caused Operation Saffron Rose, a cyberwarfare\r\noperation that targeted US military contractors.[citation needed]\r\nHBO cyberattack (2017)\r\nIn 2017, following a cyberattack on HBO, a large-scale joint investigation was launched on the grounds that\r\nconfidential information was being leaked. A conditional statement by a hacker going by the alias Sokoote Vahshat\r\n(Persian: سکوت وحشت, lit. 'Silence of Fear') said that if money was not paid, scripts of television episodes, including\r\nepisodes of Game of Thrones, would be leaked. The hack caused a leak of 1.5 terabytes of data, some of which\r\nwere shows and episodes that had not been broadcast at the time.[9] HBO has since stated that it would take steps to\r\nmake sure that they would not be breached again.[10]\r\nBehzad Mesri was subsequently indicted for the hack. He has since been alleged to be part of the operation unit\r\nthat had leaked confidential information.[11]\r\nAccording to Certfa, Charming Kitten had targeted US officials involved with the 2015 Iran Nuclear Deal. The\r\nIranian government denied any involvement.[12][13]\r\nSecond indictment (2019)\r\nA federal grand jury in the United States District Court for the District of Columbia indicted Witt on espionage\r\ncharges (specifically \"conspiracy to deliver and delivering national defense information to representatives of the\r\nIranian government\"). The indictment was unsealed on February 19, 2019. 
In the same indictment, four Iranian\r\nnationals—Mojtaba Masoumpour, Behzad Mesri, Hossein Parvar and Mohamad Paryar—were charged with\r\nconspiracy, attempting to commit computer intrusion, and aggravated identity theft, for a campaign in 2014 and\r\n2015 that sought to compromise the data of Witt's former co-workers.[14]\r\nIn March 2019, Microsoft took ownership of 99 DNS domains owned by the Iranian government-sponsored\r\nhackers, in a move intended to decrease the risk of spear-phishing and other cyberattacks.[15]\r\nMedia impersonation campaign (2019-2020)\r\nIn 2020, Reuters reported that Charming Kitten targeted critics of the Iranian government, academics, and\r\njournalists, such as Erfan Kasraie and Hassan Sarbakhshian, who received fake interview requests designed to\r\nharvest email credentials. The emails impersonated reporters from outlets like The Wall Street Journal, CNN, and\r\nDeutsche Welle, sometimes asking recipients to enter Google passwords or sign bogus contracts. Cybersecurity\r\nfirms Certfa, ClearSky, and Secureworks attributed the operation to Charming Kitten based on tactics,\r\ninfrastructure, and targeting.[16]\r\n2020 election interference attempts (2019)\r\nAccording to Microsoft, in a 30-day period between August and September 2019, Charming Kitten made 2,700\r\nattempts to gain information regarding targeted email accounts.[17] This resulted in 241 attacks and 4\r\ncompromised accounts. 
Although the initiative was deemed to have been aimed at a United States presidential\r\ncampaign, none of the compromised accounts were related to the election.\r\nMicrosoft did not reveal who specifically was targeted, but a subsequent report by Reuters claimed it was Donald\r\nTrump's re-election campaign.[18] This assertion is corroborated by the fact that only the Trump campaign used\r\nMicrosoft Outlook as an email client.\r\nIran denied any involvement in election meddling, with the Iranian Foreign Minister Mohammad Javad Zarif\r\nstating \"We don’t have a preference in your election [the United States] to intervene in that election,\" and \"We\r\ndon’t interfere in the internal affairs of another country,\" in an interview on NBC's \"Meet The Press\".[19]\r\nCybersecurity experts at Microsoft and third-party firms such as ClearSky Cyber Security maintain that Iran,\r\nspecifically Charming Kitten, was behind the attempted interference, however. In October 2019, ClearSky\r\nreleased a report supporting Microsoft's initial conclusion.[20] In the report, details about the cyberattack were\r\ncompared to those of previous attacks known to originate from Charming Kitten. The following similarities were\r\nfound:\r\nSimilar victim profiles. Those targeted fell into similar categories. They were all people of interest to Iran\r\nin the fields of academia, journalism, human rights activism, and political opposition.\r\nTime overlap. Verified Charming Kitten activity was ramping up within the same timeframe that the\r\nelection interference attempts were made.\r\nConsistent attack vectors. The methods of attack were similar, with the malicious agents relying on spear-phishing via SMS texts.\r\nOperational exposure (2020)\r\nIn 2020, IBM’s X-Force IRIS team uncovered over 40GB of data from Charming Kitten, including training videos\r\nshowing operatives hacking email and social media accounts. 
The footage included access to accounts of US and\r\nHellenic Navy personnel, failed phishing attempts on US officials, and use of tools like Zimbra to manage stolen\r\ncredentials. Researchers described the discovery as a rare insight into the group’s methods and suggested it\r\nshowed limited ability to bypass multi-factor authentication.[21]\r\nHYPERSCRAPE data theft tool (2022)\r\nOn August 23, 2022, a Google Threat Analysis Group (TAG) blog post revealed a new tool developed by\r\nCharming Kitten to steal data from well-known email providers (i.e. Google, Yahoo!, and Microsoft).[22] This tool\r\nneeds the target's credentials to create a session on its behalf. It acts in such a way that using old-style mail\r\nservices looks normal to the server and downloads the victim's emails, and makes some changes to hide its\r\nfingerprint.\r\nPer the report, the tool is developed on the Windows platform but not for the victim's machine. It uses both\r\ncommand line and GUI to enter credentials or other required resources like cookies.\r\nActivist targeting in Europe (2023)\r\nIn September 2023, Germany’s domestic intelligence agency issued a public warning about “concrete spying\r\nattempts” by the Iranian-linked hacker group Charming Kitten, according to The Guardian. The report followed\r\nincidents documented across several European countries in which Iranian activists experienced hacking attempts,\r\ncyberattacks, online harassment, and threats of physical harm. Activists in Germany, France, the UK, and Spain\r\nwere reportedly warned by local authorities about threats allegedly linked to Iranian cyber actors.[23]\r\nSony Pictures hack\r\nMonica Witt\r\n1. ^ \"Microsoft uses court order to shut down APT35 websites\". CyberScoop. March 27, 2019. Archived from\r\nthe original on February 6, 2023. Retrieved September 10, 2019.\r\n2. ^ \"Ajax Security Team lead Iran-based hacking groups\". Security Affairs. May 13, 2014. 
Archived from the\r\noriginal on December 2, 2022. Retrieved September 10, 2019.\r\n3. ^ \"Freezer Paper around Free Meat\". securelist.com. April 27, 2016. Archived from the original on\r\nJanuary 28, 2023. Retrieved September 10, 2019.\r\n4. ^ Bass, Dina. \"Microsoft Takes on Another Hacking Group, This One With Links to Iran\".\r\nnews.bloomberglaw.com. Archived from the original on December 2, 2022. Retrieved September 10, 2019.\r\n5. ^ \"Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society\" (PDF). U.S.\r\nCybersecurity and Infrastructure Security Agency (CISA). May 14, 2024. Retrieved April 25, 2025.\r\n6. ^ \"Iranian Charming Kitten ATP group poses as Israeli cybersecurity firm in phishing campaign\". Security\r\nAffairs. July 3, 2018. Archived from the original on December 4, 2022. Retrieved September 10, 2019.\r\n7. ^ \"افشای هویت مدیران «اداره ۴۰» اطلاعات سپاه؛ بزرگترین بانک اطلاعاتی جاسوسی تهران\". content.iranintl.com.\r\nRetrieved December 5, 2025.\r\n8. ^ Blinder, Alan; Turkewitz, Julie; Goldman, Adam (February 16, 2019). \"Isolated and Adrift, an American\r\nWoman Turned Toward Iran\". The New York Times. ISSN 0362-4331. Archived from the original on\r\nFebruary 17, 2019. Retrieved April 23, 2022.\r\n9. ^ \"The HBO hack: what we know (and what we don't) - Vox\". August 5, 2017. Archived from the original\r\non April 23, 2019. Retrieved September 10, 2019.\r\n10. ^ Petski, Denise (July 31, 2017). \"HBO Confirms It Was Hit By Cyber Attack\".\r\n11. ^ \"HBO Hacker Was Part of Iran's \"Charming Kitten\" Elite Cyber-Espionage Unit\". BleepingComputer.\r\n12. ^ \"Iranian Hackers Target Nuclear Experts, US Officials\". Dark Reading. December 15, 2018.\r\n13. ^ Satter, Raphael (December 13, 2018). \"AP Exclusive: Iran hackers hunt nuclear workers, US targets\".\r\nAP NEWS.\r\n14. ^ \"Former U.S. 
Counterintelligence Agent Charged With Espionage on Behalf of Iran; Four Iranians\r\nCharged With a Cyber Campaign Targeting Her Former Colleagues\" (Press release). United States\r\nDepartment of Justice, Office of Public Affairs. February 13, 2019.\r\n15. ^ \"Microsoft seizes 99 domains owned by Iranian state hackers\". News @ WebHosting.info. March 28,\r\n2019. Archived from the original on January 19, 2021. Retrieved September 10, 2019.\r\n16. ^ \"Exclusive: Iran-linked hackers pose as journalists in email scam\". Reuters. February 5, 2020. Retrieved\r\nApril 25, 2025.\r\n17. ^ \"Recent cyberattacks require us all to be vigilant\". Microsoft On the Issues. October 4, 2019. Archived\r\nfrom the original on October 4, 2019. Retrieved December 10, 2020.\r\n18. ^ Bing, Christopher; Satter, Raphael (October 4, 2019). \"Exclusive: Trump campaign targeted by Iran-linked hackers - sources\". Reuters.\r\n19. ^ AP. \"Iran denies US election meddling, claims it has no preference\". The Times of Israel. ISSN 0040-7909.\r\nRetrieved December 10, 2020.\r\n20. ^ \"The Kittens Are Back in Town 2\" (PDF). ClearSky Cyber Security. October 2019. Archived (PDF) from\r\nthe original on September 9, 2024. Retrieved September 9, 2024.\r\n21. ^ \"Iranian state hackers caught with their pants down in intercepted videos\". Ars Technica. July 17, 2020.\r\nRetrieved April 25, 2025.\r\n22. ^ Bash, Ajax (August 23, 2022). \"New Iranian APT data extraction tool\". Threat Analysis Group (TAG).\r\nArchived from the original on September 9, 2024. Retrieved September 9, 2024.\r\n23. ^ \"Iranian activists across Europe are targets of threats and harassment\". The Guardian. September 22,\r\n2023. Retrieved April 25, 2025.\r\nSource: https://en.wikipedia.org/wiki/Charming_Kitten",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Charming_Kitten"
	],
	"report_names": [
		"Charming_Kitten"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8e1bae2f-2a21-4ba8-a6f1-42155f96aec8",
			"created_at": "2022-10-25T16:07:23.645758Z",
			"updated_at": "2026-04-10T02:00:04.700158Z",
			"deleted_at": null,
			"main_name": "Flying Kitten",
			"aliases": [
				"Ajax Security Team",
				"Flying Kitten",
				"G0130",
				"Group 26",
				"Operation Saffron Rose"
			],
			"source_name": "ETDA:Flying Kitten",
			"tools": [
				"Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f4d7cba1-dbdd-42a9-88c5-4d0c81659ee0",
			"created_at": "2023-01-06T13:46:38.357581Z",
			"updated_at": "2026-04-10T02:00:02.941254Z",
			"deleted_at": null,
			"main_name": "Flying Kitten",
			"aliases": [
				"Saffron Rose",
				"AjaxSecurityTeam",
				"Ajax Security Team",
				"Group 26",
				"Sayad",
				"SaffronRose"
			],
			"source_name": "MISPGALAXY:Flying Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b0261705-df2e-4156-9839-16314250f88a",
			"created_at": "2023-01-06T13:46:38.373617Z",
			"updated_at": "2026-04-10T02:00:02.947842Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Operation Woolen-Goldfish",
				"Thamar Reservoir",
				"Timberworm",
				"TEMP.Beanie",
				"Operation Woolen Goldfish"
			],
			"source_name": "MISPGALAXY:Rocket Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e034b94b-9655-42c4-a72e-a58807dce299",
			"created_at": "2022-10-25T16:07:24.133537Z",
			"updated_at": "2026-04-10T02:00:04.876832Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Group 83",
				"NewsBeef",
				"Newscaster",
				"Operation Newscaster",
				"Operation Woolen-GoldFish",
				"Parastoo",
				"Rocket Kitten"
			],
			"source_name": "ETDA:Rocket Kitten",
			"tools": [
				"CoreImpact (Modified)",
				"FireMalv",
				"Ghole",
				"Gholee"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8faa11f5-2a14-479c-9ea8-3779e6de9749",
			"created_at": "2022-10-25T15:50:23.814205Z",
			"updated_at": "2026-04-10T02:00:05.308465Z",
			"deleted_at": null,
			"main_name": "Ajax Security Team",
			"aliases": [
				"Ajax Security Team",
				"Operation Woolen-Goldfish",
				"AjaxTM",
				"Rocket Kitten",
				"Flying Kitten",
				"Operation Saffron Rose"
			],
			"source_name": "MITRE:Ajax Security Team",
			"tools": [
				"sqlmap",
				"Havij"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434740,
	"ts_updated_at": 1775792275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a308c1caadd0072383777d79d25f140b0c48d2b3.pdf",
		"text": "https://archive.orkl.eu/a308c1caadd0072383777d79d25f140b0c48d2b3.txt",
		"img": "https://archive.orkl.eu/a308c1caadd0072383777d79d25f140b0c48d2b3.jpg"
	}
}