{
	"id": "10c79c0f-7349-47e7-ba05-69c4962ef7b9",
	"created_at": "2026-04-06T00:12:49.586837Z",
	"updated_at": "2026-04-10T03:37:55.854768Z",
	"deleted_at": null,
	"sha1_hash": "a4acd5e3eb25d169cf25b70c626b6ed2d94f6b7c",
	"title": "Thamar Reservoir – An Iranian cyber-attack campaign against targets in the Middle East – ClearSky Cyber Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38463,
	"plain_text": "Thamar Reservoir – An Iranian cyber-attack campaign against\r\ntargets in the Middle East – ClearSky Cyber Security\r\nPublished: 2015-06-03 · Archived: 2026-04-05 16:07:26 UTC\r\nThis report reviews an ongoing cyber-attack campaign dating back to mid-2014. Additional sources indicate\r\nit may date as far back as 2011. We call this campaign Thamar Reservoir, named after one of the targets, Thamar\r\nE. Gindin, who exposed new information about the attack and is currently assisting with the investigation.\r\nThe campaign includes several different attacks with the aim of taking over the target’s computer or gaining access to\r\ntheir email account. We estimate that this access is used for espionage or other nation-state interests, and not for\r\nmonetary gain or hacktivism. In some cases, the victim is not the final target; the attackers use the infected\r\ncomputer, email, or stolen credentials as a platform to further attack their intended target.\r\nThe attackers are extremely persistent in their attempts to breach their targets. These attempts include:\r\nBreaching trusted websites to set up fake pages\r\nMulti-stage malware\r\nMultiple spear phishing emails based on reconnaissance and information gathering.\r\nPhone calls to the target.\r\nMessages on social networks.\r\nWhile very successful in their attacks – the attackers are clearly not technically sophisticated. They are not new to\r\nhacking, but do make various mistakes – such as grammatical errors, exposure of attack infrastructure, easy to\r\nbypass anti-analysis techniques, lack of code obfuscation, and more.\r\nThese mistakes enabled us to learn about their infrastructure and methods. More importantly, we have learned of\r\n550 targets, most of them in the Middle East, from various fields: research about diplomacy, Middle East and\r\nIran, international relations, and other fields; Defense and security; Journalism and human rights; and more.\r\nBelow is the target distribution by country (click the image for full size):\r\nCountry distribution\r\nVarious characteristics of the attacks and their targets bring us to the conclusion that the threat actors are Iranian.\r\nIn addition, we note that these attacks share characteristics with previously documented activities:\r\nAttacks conducted using the Gholee malware, which we discovered.\r\nAttacks reported by Trend Micro in Operation Woolen-Goldfish.\r\nAttacks conducted by the Ajax Security Team as documented by FireEye.\r\nAttacks seen during Newscaster as documented by iSight.\r\nRead the full report: Thamar Reservoir – An Iranian cyber-attack campaign against targets in the Middle\r\nEast\r\nhttps://www.clearskysec.com/thamar-reservoir/\r\nPage 1 of 2\n\nSource: https://www.clearskysec.com/thamar-reservoir/\r\nhttps://www.clearskysec.com/thamar-reservoir/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.clearskysec.com/thamar-reservoir/"
	],
	"report_names": [
		"thamar-reservoir"
	],
	"threat_actors": [
		{
			"id": "8e1bae2f-2a21-4ba8-a6f1-42155f96aec8",
			"created_at": "2022-10-25T16:07:23.645758Z",
			"updated_at": "2026-04-10T02:00:04.700158Z",
			"deleted_at": null,
			"main_name": "Flying Kitten",
			"aliases": [
				"Ajax Security Team",
				"Flying Kitten",
				"G0130",
				"Group 26",
				"Operation Saffron Rose"
			],
			"source_name": "ETDA:Flying Kitten",
			"tools": [
				"Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35",
				"APT42",
				"Agent Serpens Palo Alto",
				"Charming Kitten",
				"CharmingCypress",
				"Educated Manticore Checkpoint",
				"ITG18",
				"Magic Hound",
				"Mint Sandstorm sub-group",
				"NewsBeef",
				"Newscaster",
				"PHOSPHORUS sub-group",
				"TA453",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f4d7cba1-dbdd-42a9-88c5-4d0c81659ee0",
			"created_at": "2023-01-06T13:46:38.357581Z",
			"updated_at": "2026-04-10T02:00:02.941254Z",
			"deleted_at": null,
			"main_name": "Flying Kitten",
			"aliases": [
				"Saffron Rose",
				"AjaxSecurityTeam",
				"Ajax Security Team",
				"Group 26",
				"Sayad",
				"SaffronRose"
			],
			"source_name": "MISPGALAXY:Flying Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b0261705-df2e-4156-9839-16314250f88a",
			"created_at": "2023-01-06T13:46:38.373617Z",
			"updated_at": "2026-04-10T02:00:02.947842Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Operation Woolen-Goldfish",
				"Thamar Reservoir",
				"Timberworm",
				"TEMP.Beanie",
				"Operation Woolen Goldfish"
			],
			"source_name": "MISPGALAXY:Rocket Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e034b94b-9655-42c4-a72e-a58807dce299",
			"created_at": "2022-10-25T16:07:24.133537Z",
			"updated_at": "2026-04-10T02:00:04.876832Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Group 83",
				"NewsBeef",
				"Newscaster",
				"Operation Newscaster",
				"Operation Woolen-GoldFish",
				"Parastoo",
				"Rocket Kitten"
			],
			"source_name": "ETDA:Rocket Kitten",
			"tools": [
				"CoreImpact (Modified)",
				"FireMalv",
				"Ghole",
				"Gholee"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8faa11f5-2a14-479c-9ea8-3779e6de9749",
			"created_at": "2022-10-25T15:50:23.814205Z",
			"updated_at": "2026-04-10T02:00:05.308465Z",
			"deleted_at": null,
			"main_name": "Ajax Security Team",
			"aliases": [
				"Ajax Security Team",
				"Operation Woolen-Goldfish",
				"AjaxTM",
				"Rocket Kitten",
				"Flying Kitten",
				"Operation Saffron Rose"
			],
			"source_name": "MITRE:Ajax Security Team",
			"tools": [
				"sqlmap",
				"Havij"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434369,
	"ts_updated_at": 1775792275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a4acd5e3eb25d169cf25b70c626b6ed2d94f6b7c.pdf",
		"text": "https://archive.orkl.eu/a4acd5e3eb25d169cf25b70c626b6ed2d94f6b7c.txt",
		"img": "https://archive.orkl.eu/a4acd5e3eb25d169cf25b70c626b6ed2d94f6b7c.jpg"
	}
}