{
	"id": "75f9bc72-aa6c-4a75-87e3-410ba3b36d44",
	"created_at": "2026-04-06T00:07:26.171128Z",
	"updated_at": "2026-04-10T03:34:16.422352Z",
	"deleted_at": null,
	"sha1_hash": "b3a2d495f4aa295790b967320667d1a3ebe7f7ba",
	"title": "Domestic Kitten – An Inside Look at the Iranian Surveillance Operations - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 98006,
	"plain_text": "Domestic Kitten – An Inside Look at the Iranian Surveillance\r\nOperations - Check Point Research\r\nBy etal\r\nPublished: 2021-02-08 · Archived: 2026-04-05 13:19:46 UTC\r\nOverview\r\nDespite the reveal of “Domestic Kitten” by Check Point in 2018, APT-C-50 has not stopped conducting extensive\r\nsurveillance operations against Iranian citizens that could pose a threat to the stability of the Iranian regime,\r\nincluding internal dissidents, opposition forces, ISIS advocates, the Kurdish minority in Iran, and more.\r\nIn this paper, Check Point Research reveals the extent of the operations, the multiple campaigns executed by APT-C-50, their delivery methods, and an analysis of the targeted individuals. In addition, we provide a technical\r\nanalysis of the FurBall malware used since the beginning of the operation, its origin, and observed covers used to\r\nconceal the malware’s true nature.\r\nGeneral\r\nCheck Point researchers recently uncovered the full extent of Domestic Kitten’s  extensive surveillance operation\r\nagainst Iranian citizens that could pose a threat to the stability of the Iranian regime. The operation itself is linked\r\nto the Iranian government, and executed by APT-C-50.\r\nStarting in 2017, this operation, consisting of 10 unique campaigns, targeted over 1,200 individuals with more\r\nthan 600 successful infections.  
It includes 4 currently active campaigns, the most recent of which began in\r\nNovember 2020.\r\nIn these campaigns, victims are lured to install a malicious application by multiple vectors, including an Iranian\r\nblog site, Telegram channels, and even by SMS with a link to the malicious application.\r\nThe capabilities of the Domestic Kitten malware (which we are calling FurBall), include: collecting device\r\nidentifiers, grabbing SMS messages and call logs, surround recording with the device microphone, call recording,\r\nstealing media files (such as videos and photos), obtaining a list of installed applications, tracking the device\r\nlocation, stealing files from the external storage, and more. For a full list of commands, see the Technical Analysis\r\nsection.\r\nCampaigns \u0026 Victims\r\nAlmost all of the campaigns we observed use the same infrastructure that Domestic Kitten used back in 2018, the\r\nC\u0026C hXXp://www[.]firmwaresystemupdate[.]com. We differentiate between campaigns by the URI segment of\r\nthe C\u0026C server. For example, in the most recent campaign the full C\u0026C address is\r\nhXXp://www[.]firmwaresystemupdate[.]com/hass (which we call the ‘hass’ campaign for obvious reasons).\r\nhttps://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/\r\nPage 1 of 17\n\nCampaign Start End\r\nhass November 2020 Currently active\r\nor May 2020 June 2020\r\nmat December 2019 July 2020\r\nhj May 2019 April 2020\r\noth June 2018 Currently active\r\nhr October 2017 November 2017\r\nmaj October 2017 June 2019\r\nmmh July 2017 Currently active\r\nmsd June 2017 Currently active\r\ngrt June 2017 September 2019\r\nFigure 1 – Domestic Kitten Campaign list\r\nFurBall uses a large variety of covers to mask its malicious intentions. 
A few prominent covers include:\r\nVIPRE Mobile Security – A fake mobile security application.\r\nISIS Amaq – A news outlet for the Amaq news agency.\r\nExotic Flowers – A repackaged version of a game from Google Play.\r\nMyKet – An Android application store.\r\nIranian Woman Ninja – A wallpaper application.\r\nIn the newest ‘hass’ campaign, APT-C-50 mimics an application for the restaurant “Mohsen Restaurant” which is\r\nlocated in Tehran. Covers of the ‘mmh’ campaign include an ISIS supporter application and a repackaged version\r\nof ‘Exotic Flowers’ from Google Play.\r\nFigure 2 – FurBall Mohsen ‘hass’\r\nFigure 3 – FurBall Repacked ‘Exotic Flowers’ cover, and an ISIS supported cover\r\nA full list of the covers is provided in Appendix 1 – FurBall Covers.\r\nThe methods used to deliver FurBall applications to victims also vary from one campaign to another. In some\r\ncampaigns, we observed SMS messages with a link to download the malware, while in others an Iranian blog site\r\nhosted the payload.  
In another campaign, we assume that the application was shared in a Telegram channel.\r\nFigure 4 – The Iranian blog hosting FurBall\r\nWe were able to identify victims of the Domestic Kitten operation from various places around the globe, including\r\nIran, the United States, Great Britain, Pakistan, Afghanistan, Turkey, and more.\r\nFigure 5 – Victims distribution by Country\r\nFigure 6 – Successful attacks by date and campaign\r\nWe traced 2 unique IPs that connected to the malware’s C\u0026C server. We assume that those IPs are used to send\r\ninstructions to the server: 94.182.215.98 and 188.158.60.100. According to ip2location.com, both IPs reside in\r\nIran, the first in Tehran, and the second in Karaj.\r\nFigure 7 – IP2Location’s output\r\nFurBall – Technical Analysis\r\nUpon execution, the first thing FurBall does is arrange for the application to run at device startup. 
To\r\nachieve this, FurBall starts its code on a receiver that listens for the BOOT_COMPLETED event, which in turn\r\ncalls the ‘startService’ method to initiate everything that is needed for the malware’s functionality.\r\nFigure 8 – BOOT_COMPLETED receiver\r\nFigure 9 – The startService method\r\nIn addition, this piece of code also initializes a ‘settings’ object, which contains the configuration for FurBall:\r\nwhich C\u0026C to connect to, another back-up C\u0026C address, flags to allow functionality, the frequency at which commands\r\nare pulled from the C\u0026C, and more.\r\nFigure 10 – FurBall configuration\r\nAfter initialization, FurBall creates 3 threads.\r\nThe first periodically sends media files such as videos, photos, and call records to the server, with a default\r\nfrequency of every 20 seconds. The remaining 2 threads are keep-alive threads that communicate with\r\n\u003cC\u0026C Address\u003e/\u003ccampaign\u003e/answer.php. We assume this allows the threat actors to see which devices are currently\r\nactive.\r\nThe next step for FurBall is to initialize the Command Manager. This component pulls commands from the C\u0026C\r\nby requesting \u003cC\u0026C\u003e/\u003ccampaign\u003e/get-function.php and awaits commands. Each command is delimited by\r\nthe “===” string, and the arguments are delimited by the “~~~” string.\r\nCommand Action\r\nNoCommand No command.\r\nTime Gets device local time.\r\nSet Sets a configuration parameter given as the first argument, to a specific value given as the second argument.\r\nGet Gets data given as an argument from the infected device. 
The list below includes all possible Get arguments.\r\nGet~~~AllLog Gets log files.\r\nGet~~~AllNotif Gets all notifications.\r\nGet~~~AllContact Gets all contacts.\r\nGet~~~AllFile Gets the names of all files on the device from the SD card root.\r\nGet~~~AllSms Gets all SMS.\r\nGet~~~AllCall Gets call logs.\r\nGet~~~AllApp Gets a list of all installed applications on the device.\r\nGet~~~AllBrowser Gets all browsing history.\r\nGet~~~AllAccount Gets a list of all user accounts stored on the device.\r\nGet~~~AllSettings Gets the settings for FurBall.\r\nGet~~~Location Gets the current location of the device.\r\nGet~~~HardwareInfo Gets hardware information on the device.\r\nGet~~~File Gets a specific file and uploads it to \u003cC\u0026C\u003e/\u003ccampaign\u003e/upload-file.php\r\nTake Allows the actor to perform actions on the device itself. The list below shows all possible arguments for the Take command.\r\nTake~~~Audio Starts audio recording with the microphone for a given amount of time.\r\nTake~~~Video Starts a video recording using camera ID specified as a parameter for a given amount of time.\r\nTake~~RecordCall Starts recording calls from this point on.\r\nDelete~~~SMS Deletes all SMS from the “HiddenNumber” parameter in the configuration.\r\nDelete~~~Call Deletes all calls from the “HiddenNumber” parameter in the configuration.\r\nDelete~~~File Deletes files from provided paths.\r\nReset~~~AllCommand Deletes all logs and media files, resets to a “default” configuration.\r\nFigure 11 – FurBall possible commands\r\nFigure 12 – the Command Manager listening for commands\r\nFigure 13 – Command Manager parsing commands\r\nAfter all initializations, it’s time to start collecting the initial data on 
the device. FurBall collects the following\r\ndata on startup:\r\nHardware Information\r\nContacts\r\nCall logs\r\nAccounts\r\nBrowser history\r\nFile list on the SD card\r\nFigure 14 – the sendStartup method\r\nAfter collecting initial data on the device, FurBall initializes two other components. The first one is a clipboard\r\nmonitor which monitors the clipboard content (where data is stored when it’s “copied”), and the other collects info\r\nabout the top-most application’s activity.\r\nFigure 15 – Clipboard monitor\r\nFigure 16 – Top-most application monitor\r\nThe last significant component that is used by FurBall is the Notification Observer Service, a service that is based\r\non the NotificationListenerService and allows FurBall to access all notifications received by the device.\r\nFigure 17 – NotificationObserverService\r\nWhile investigating the new version of Domestic Kitten’s FurBall, we noticed that FurBall is actually based on a\r\ncommercially available parental control software called KidLogger. 
As FurBall shares a lot of infrastructure code\r\nwith KidLogger, it seems that the developers used the KidLogger source code available on GitHub.\r\nA few noticeable differences between KidLogger and FurBall:\r\nFurBall has a configuration update mechanism that is not present in KidLogger.\r\nFurBall is based on plain threads, while KidLogger is based on services.\r\nFigure 18 – Code similarity between FurBall and KidLogger\r\nDemo\r\nWe were able to mimic the command and control server’s behavior and provide a potential use-case against a\r\nfictional target.\r\nhttps://www.youtube.com/watch?v=lpsS3g0xZIU\u0026feature=youtu.be\r\nHow to protect yourself\r\nCheck Point SandBlast Mobile is the market-leading Mobile Threat Defense (MTD) solution, providing the widest\r\nrange of capabilities to help you secure your mobile workforce.\r\nSandBlast Mobile provides protection for all mobile vectors of attack, including the download of malicious\r\napplications and applications with malware embedded in them.\r\nAppendix 1 – FurBall Covers:\r\nPackage name Cover\r\ncom.intense.pub1.sbgs Islamic Caliphate\r\ncom.clem.isisnews ISIS News Watch\r\ncom.majorityapps.exoticflowers Repacked “Exotic Flowers” from Google Play.\r\ncom.ssd.vipre Fake security product\r\ncom.apps.amaq Amaq News Agency Application\r\nair.com.arsnetworks.poems.moshiri Persian poems\r\nair.com.arsnetworks.poems.sohrab Persian poems\r\ncom.nidayehaq Religious application\r\ncom.ramadan.kareem.app Ramadan Pictures\r\nir.hukmi.moanzalalloh “Judgment by what Alla has revealed”\r\norg.microemu.android.ir.mjface.toolkit.Midlet “Omar Farouq”\r\ncom.hamgaam.shahnamef “The Book of Kings”\r\nir.korosh.kabir “Cyrus the Great”\r\nir.hawijapp.myhafez 
Persian poems\r\ncom.kabood.koroshkabir “Cyrus the Great”\r\ncom.andriod.browser Fake “mobile secured browser”\r\nir.mservices.market Application market for Android\r\ncom.mohsen Mohsen restaurant mimic\r\nAppendix 2 – IOCs:\r\nfirmwaresystemupdate[.]com\r\nappsoftupdate[.]com\r\nSource: https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/"
	],
	"report_names": [
		"domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations"
	],
	"threat_actors": [
		{
			"id": "44d5df14-6a25-41d6-a54c-7c7ebac358cf",
			"created_at": "2023-01-06T13:46:38.817312Z",
			"updated_at": "2026-04-10T02:00:03.111227Z",
			"deleted_at": null,
			"main_name": "Domestic Kitten",
			"aliases": [
				"Bouncing Golf",
				"APT-C-50"
			],
			"source_name": "MISPGALAXY:Domestic Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "30f6ddb3-f5aa-4b78-a1a5-e37c42b2c560",
			"created_at": "2022-10-25T16:07:23.544297Z",
			"updated_at": "2026-04-10T02:00:04.64999Z",
			"deleted_at": null,
			"main_name": "Domestic Kitten",
			"aliases": [
				"APT-C-50",
				"Bouncing Golf",
				"G0097"
			],
			"source_name": "ETDA:Domestic Kitten",
			"tools": [
				"FurBall",
				"GolfSpy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434046,
	"ts_updated_at": 1775792056,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3a2d495f4aa295790b967320667d1a3ebe7f7ba.pdf",
		"text": "https://archive.orkl.eu/b3a2d495f4aa295790b967320667d1a3ebe7f7ba.txt",
		"img": "https://archive.orkl.eu/b3a2d495f4aa295790b967320667d1a3ebe7f7ba.jpg"
	}
}