{
	"id": "88ee4a64-1a0d-4209-8a03-8f1736e57bba",
	"created_at": "2026-04-06T00:08:21.272229Z",
	"updated_at": "2026-04-10T03:37:55.871361Z",
	"deleted_at": null,
	"sha1_hash": "a82b849af1d187d87dc4d868bbe9c231a50b945e",
	"title": "Rocket Kitten",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78737,
	"plain_text": "Rocket Kitten\r\nBy Contributors to Wikimedia projects\r\nPublished: 2016-12-26 · Archived: 2026-04-02 10:34:54 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nRocket Kitten or the Rocket Kitten Group is a hacker group thought to be linked to the Iranian government.[1]\r\nThe threat actor group has targeted a variety of organizations and individuals, particularly in the Middle East,\r\nincluding Israel, Saudi Arabia, Iran, the United States, and the Netherlands.\r\nCybersecurity firm FireEye first identified the group as Ajax Security Team,[2] writing that the group appears to\r\nhave been formed in 2010 by the hacker personas \"Cair3x\" and \"HUrr!c4nE!\". By 2012, the threat actor group\r\nturned their focus to Iran's political opponents.[3] Their targeted attack campaigns, dubbed \"Rocket Kitten\", have\r\nbeen known since mid-2014.[4] By 2013 or 2014, Rocket Kitten had shifted its focus to malware-based\r\ncyberespionage.[3]\r\nSecurity firm Check Point describes Rocket Kitten as an \"attacker group of Iranian origin.\"[1]\r\nRocket Kitten's code uses Persian language references. The group's targets are involved in defense, diplomacy,\r\ninternational affairs, security, policy research, human rights, and journalism. According to Check Point, the group\r\nhas targeted Iranian dissidents, the Saudi royal family, Israeli nuclear scientists and NATO officials. 
Security\r\nresearchers found that they carried out a \"common pattern of spearphishing campaigns reflecting the interests and\r\nactivities of the Iranian security apparatus.\"[4] Other researchers determined that Rocket Kitten's attacks bore a\r\nsimilarity to those attributed to Iran's Revolutionary Guards.[4] Intelligence officials from the Middle East and\r\nEurope linked Rocket Kitten to the Iranian military establishment.[2] Rocket Kitten favours a Remote Access\r\nTrojan,[5] and by 2015, researchers found it was using customised malware.[2]\r\nOperation Saffron Rose\r\nCybersecurity firm FireEye released a report in 2013 finding that Rocket Kitten had conducted several\r\ncyberespionage operations against United States defense industrial base companies. The report also detailed the\r\ntargeting of Iranian citizens who use anti-censorship tools to bypass Iran's Internet filters.[3]\r\nOperation Woolen-Goldfish\r\nTrend Micro identified the Operation Woolen-Goldfish campaign in a March 2015 paper. The campaign included\r\nimproved spearphishing content.[1]\r\nIn November 2015, security errors by Rocket Kitten allowed the firm Check Point to gain password-less root\r\naccess to \"Oyun\", the hackers' back-end database. 
They discovered an application that was able to generate\r\npersonalized phishing pages and contained a list of over 1,842 individual targets.[2][6] Among Rocket Kitten's\r\nspearphishing targets from June 2014 to June 2015, 18% were from Saudi Arabia, 17% were from the United\r\nStates, 16% were from Iran, 8% were from the Netherlands, and 5% were from Israel.[2] Analysts used credentials\r\nto access key logs of the group's victims and found that Rocket Kitten had apparently tested their malware on their\r\nown workstations and failed to erase the logs from the data files.[6] Check Point identified an individual named\r\nYaser Balaghi, going by Wool3n.H4t, as a ringleader of the operation.[5]\r\nIn August 2016, researchers identified Rocket Kitten as being behind a hack of Telegram, a cloud-based instant\r\nmessaging service. The hackers exploited Telegram's reliance on SMS verification, compromising over a dozen\r\naccounts and stealing the user IDs and telephone numbers of 15 million Iranians who use the software. Opposition\r\norganizations and reformist political activists were among the victims.[4]\r\n1. \"Rocket Kitten: A Campaign With 9 Lives\" (PDF). Check Point. 2015.\r\n2. Jones, Sam (April 26, 2016). \"Cyber warfare: Iran opens a new front\". Financial Times.\r\n3. \"Operation Saffron Rose\" (PDF). FireEye. 2013. Retrieved 26 December 2016.\r\n4. Menn, Joseph; Torbati, Yeganeh (2 August 2016). \"Exclusive: Hackers accessed Telegram messaging accounts in Iran - researchers\". Reuters.\r\n5. Carman, Ashley (9 November 2015). \"Supposed mastermind behind 'Rocket Kitten' APT identified in research paper\". SC Magazine US.\r\n6. Muncaster, Phil (10 November 2015). \"Opsec Blunders Expose Rocket Kitten Masterminds\". Infosecurity Magazine.\r\nThe Spy Kittens Are Back: Rocket Kitten 2, Trend Micro.\r\nSource: https://en.wikipedia.org/wiki/Rocket_Kitten",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Rocket_Kitten"
	],
	"report_names": [
		"Rocket_Kitten"
	],
	"threat_actors": [
		{
			"id": "8e1bae2f-2a21-4ba8-a6f1-42155f96aec8",
			"created_at": "2022-10-25T16:07:23.645758Z",
			"updated_at": "2026-04-10T02:00:04.700158Z",
			"deleted_at": null,
			"main_name": "Flying Kitten",
			"aliases": [
				"Ajax Security Team",
				"Flying Kitten",
				"G0130",
				"Group 26",
				"Operation Saffron Rose"
			],
			"source_name": "ETDA:Flying Kitten",
			"tools": [
				"Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4d7cba1-dbdd-42a9-88c5-4d0c81659ee0",
			"created_at": "2023-01-06T13:46:38.357581Z",
			"updated_at": "2026-04-10T02:00:02.941254Z",
			"deleted_at": null,
			"main_name": "Flying Kitten",
			"aliases": [
				"Saffron Rose",
				"AjaxSecurityTeam",
				"Ajax Security Team",
				"Group 26",
				"Sayad",
				"SaffronRose"
			],
			"source_name": "MISPGALAXY:Flying Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b0261705-df2e-4156-9839-16314250f88a",
			"created_at": "2023-01-06T13:46:38.373617Z",
			"updated_at": "2026-04-10T02:00:02.947842Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Operation Woolen-Goldfish",
				"Thamar Reservoir",
				"Timberworm",
				"TEMP.Beanie",
				"Operation Woolen Goldfish"
			],
			"source_name": "MISPGALAXY:Rocket Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e034b94b-9655-42c4-a72e-a58807dce299",
			"created_at": "2022-10-25T16:07:24.133537Z",
			"updated_at": "2026-04-10T02:00:04.876832Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Group 83",
				"NewsBeef",
				"Newscaster",
				"Operation Newscaster",
				"Operation Woolen-GoldFish",
				"Parastoo",
				"Rocket Kitten"
			],
			"source_name": "ETDA:Rocket Kitten",
			"tools": [
				"CoreImpact (Modified)",
				"FireMalv",
				"Ghole",
				"Gholee"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8faa11f5-2a14-479c-9ea8-3779e6de9749",
			"created_at": "2022-10-25T15:50:23.814205Z",
			"updated_at": "2026-04-10T02:00:05.308465Z",
			"deleted_at": null,
			"main_name": "Ajax Security Team",
			"aliases": [
				"Ajax Security Team",
				"Operation Woolen-Goldfish",
				"AjaxTM",
				"Rocket Kitten",
				"Flying Kitten",
				"Operation Saffron Rose"
			],
			"source_name": "MITRE:Ajax Security Team",
			"tools": [
				"sqlmap",
				"Havij"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434101,
	"ts_updated_at": 1775792275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a82b849af1d187d87dc4d868bbe9c231a50b945e.pdf",
		"text": "https://archive.orkl.eu/a82b849af1d187d87dc4d868bbe9c231a50b945e.txt",
		"img": "https://archive.orkl.eu/a82b849af1d187d87dc4d868bbe9c231a50b945e.jpg"
	}
}