{
	"id": "d0066042-f2a7-47f2-87de-356eda3ce596",
	"created_at": "2026-04-06T00:14:09.435205Z",
	"updated_at": "2026-04-10T03:37:37.15665Z",
	"deleted_at": null,
	"sha1_hash": "c677172c90e33587938c53b2c89f74120446be1d",
	"title": "Helix Kitten | Threat Actor Profile | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64818,
	"plain_text": "Helix Kitten | Threat Actor Profile | CrowdStrike\r\nBy AdamM\r\nArchived: 2026-04-05 18:39:30 UTC\r\nHELIX KITTEN is likely an Iran-based adversary group, active since at least late 2015, targeting organizations in the aerospace, energy, financial, government, hospitality and telecommunications verticals. This adversary group is most commonly associated with a custom PowerShell implant identified as Helminth. The Helminth implant is routinely delivered through macro-enabled Microsoft Office documents that require user interaction to execute an obfuscated Visual Basic script. Additionally, HELIX KITTEN actors have shown an affinity for creating thoroughly researched and well-structured spear-phishing messages relevant to the interests of the targeted personnel. In some instances, spear-phishing messages have been sent from compromised accounts at organizations related to the target to further enhance credibility. Information technology (IT) and corporate infrastructure are a common theme of HELIX KITTEN spear-phishing messages.\r\nIn addition to Helminth, the ISMDoor implant is likely used by the Iran-based adversary to attack targets, particularly those in the Middle East region. There are several infrastructure overlaps between ISMDoor and ISMAgent, a tool used exclusively by HELIX KITTEN, and the DNS-based transport is implemented very similarly in both. ISMDoor is able to exfiltrate data, take screenshots, and execute arbitrary commands on the victim’s machine. Command and control (C2) is performed through a covert channel based on DNS AAAA records. The actor uses dedicated domains to host its C2 infrastructure, as the C2 protocol requires full control over the authoritative DNS server to work. Because the channel rides on ordinary recursive resolution, the queries pass through the victim organization’s own resolvers, which is where they can be logged and inspected.\r\nDuring the summer of 2018, HELIX KITTEN actors were observed targeting entities in the Middle East; of note, targets appeared to be located in Bahrain and Kuwait. These incidents involved spear-phishing attacks which, characteristic of HELIX KITTEN, used emails carrying macro-enabled documents whose malicious PowerShell connects to known C2 infrastructure.\r\nIn early November 2018, CrowdStrike® Falcon OverWatch™ observed activity from the HELIX KITTEN adversary at a customer in the telecommunications vertical. While the adversary leveraged known tooling as well as tactics, techniques, and procedures (TTPs), this activity represented a shift in targeting that could allow HELIX KITTEN to support multiple objectives. Operations against organizations in the telecommunications industry could allow this adversary to conduct bulk collection of communications data that could later be leveraged in additional intelligence activities. Targeting telecommunications can also allow the adversary to reroute communications to adversary-controlled infrastructure for data collection or malware delivery. The ultimate objective of this activity remains unclear at the time of this writing, but the addition of the telecommunications sector to HELIX KITTEN’s target scope is a notable development.\r\nOilRig, Helminth, Clayslide, APT34 and IRN2 are community or industry names associated with this actor.\r\nOther Iranian-based Adversaries\r\nClever Kitten\r\n
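The profile above describes the ISMDoor/ISMAgent command channel only at a high level: C2 rides on DNS AAAA records, and the actor must control the authoritative server for a dedicated zone. What follows is an added detection example, not code from CrowdStrike or from the actor’s tooling: it scans constructed resolver log lines for a client that sends many AAAA queries for unique, high-entropy hostnames under a single zone, the traffic shape such a channel produces regardless of how the payload is encoded. The log format, the thresholds, the zone names c2-zone.example and other-zone.example, and the two-label approximation of the registered domain are all assumptions for illustration.

```python
# Added example, not from the CrowdStrike profile or the actor's tooling: a heuristic for the
# traffic shape of a DNS AAAA-record covert channel. The log format, thresholds and sample
# records are constructed assumptions; the real Helminth/ISMAgent encoding is not reproduced.
import math
from collections import defaultdict

# Constructed resolver log lines (assumed format): '<timestamp> <client_ip> <qtype> <qname>'.
# 10.0.0.5 sends ten AAAA queries with unique 16-hex-digit labels under one zone (tunnel-like);
# 10.0.0.9 repeats benign AAAA lookups; 10.0.0.7 sends too few queries to judge.
SAMPLE_LOG = '''
2018-11-02T09:00:01Z 10.0.0.5 A www.example.org
2018-11-02T09:00:02Z 10.0.0.5 AAAA 4fa2c1e9b0d73865.c2-zone.example
2018-11-02T09:00:03Z 10.0.0.5 AAAA 9b3e7d1a5c0f2486.c2-zone.example
2018-11-02T09:00:04Z 10.0.0.5 AAAA e1c4a8f0b6d23795.c2-zone.example
2018-11-02T09:00:05Z 10.0.0.5 AAAA 7d0f3b9e1c5a2684.c2-zone.example
2018-11-02T09:00:06Z 10.0.0.5 AAAA 2a6e0c8f4b1d9375.c2-zone.example
2018-11-02T09:00:07Z 10.0.0.5 AAAA b5f1d8a3e7c06924.c2-zone.example
2018-11-02T09:00:08Z 10.0.0.5 AAAA c8e2b6f9a1d30475.c2-zone.example
2018-11-02T09:00:09Z 10.0.0.5 AAAA 3f7b1e9d5a0c2864.c2-zone.example
2018-11-02T09:00:10Z 10.0.0.5 AAAA d4a0c6e8b2f19375.c2-zone.example
2018-11-02T09:00:11Z 10.0.0.5 AAAA 6e9c3a1f7b5d0248.c2-zone.example
2018-11-02T09:00:12Z 10.0.0.9 AAAA www.example.org
2018-11-02T09:00:13Z 10.0.0.9 AAAA www.example.org
2018-11-02T09:00:14Z 10.0.0.9 AAAA www.example.org
2018-11-02T09:00:15Z 10.0.0.9 AAAA www.example.org
2018-11-02T09:00:16Z 10.0.0.9 AAAA www.example.org
2018-11-02T09:00:17Z 10.0.0.9 AAAA www.example.org
2018-11-02T09:00:18Z 10.0.0.9 AAAA mail.example.org
2018-11-02T09:00:19Z 10.0.0.9 AAAA mail.example.org
2018-11-02T09:00:20Z 10.0.0.9 AAAA mail.example.org
2018-11-02T09:00:21Z 10.0.0.9 AAAA mail.example.org
2018-11-02T09:00:22Z 10.0.0.7 AAAA a1b2c3d4e5f60789.other-zone.example
2018-11-02T09:00:23Z 10.0.0.7 AAAA f0e1d2c3b4a59687.other-zone.example
2018-11-02T09:00:24Z 10.0.0.7 AAAA 0f1e2d3c4b5a6978.other-zone.example
'''


def shannon_entropy(s):
    # Bits per character over the label; an encoded payload scores far higher than a word.
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    # Assumption: the last two labels approximate the zone the actor controls.
    # A real deployment should use the Public Suffix List instead.
    labels = qname.rstrip('.').lower().split('.')
    return '.'.join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def parse_log(text):
    # Returns (timestamp, client, qtype, qname) tuples; malformed lines are skipped.
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append((ts, client, qtype.upper(), qname.lower()))
    return records


def detect_aaaa_tunnel(text, min_queries=8, min_unique_ratio=0.8, min_entropy=3.0):
    # Group AAAA queries per (client, zone); alert when the client asks for many hostnames
    # that are almost all distinct and whose leftmost label looks like encoded data.
    groups = defaultdict(list)
    for ts, client, qtype, qname in parse_log(text):
        if qtype != 'AAAA':
            continue
        groups[(client, registered_domain(qname))].append(qname)
    alerts = []
    for (client, zone), qnames in groups.items():
        if len(qnames) < min_queries:
            continue
        unique = set(qnames)
        ratio = len(unique) / len(qnames)
        ent = sum(shannon_entropy(q.split('.')[0]) for q in unique) / len(unique)
        if ratio >= min_unique_ratio and ent >= min_entropy:
            alerts.append({'client': client, 'zone': zone, 'queries': len(qnames),
                           'unique_ratio': round(ratio, 2), 'avg_entropy': round(ent, 2)})
    return sorted(alerts, key=lambda a: a['queries'], reverse=True)


if __name__ == '__main__':
    for alert in detect_aaaa_tunnel(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log it reports only 10.0.0.5 against c2-zone.example; the repeated lookups from 10.0.0.9 fail the uniqueness test and the three queries from 10.0.0.7 never reach the query-count floor. Tune min_queries and the entropy floor against a baseline of your own resolver logs, since CDNs and some anti-spam services also generate many unique-looking hostnames, and pair the heuristic with checks on the zone itself (age, registrar, whether any other host in the estate resolves it) before treating a hit as a C2 indicator.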
Source: https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/"
	],
	"report_names": [
		"meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "60c270f9-5aa8-41d5-850c-6003135c5815",
			"created_at": "2023-01-06T13:46:38.687298Z",
			"updated_at": "2026-04-10T02:00:03.068415Z",
			"deleted_at": null,
			"main_name": "Clever Kitten",
			"aliases": [
				"Group 41"
			],
			"source_name": "MISPGALAXY:Clever Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "25bd25be-762c-404c-be9e-b11f074b34dd",
			"created_at": "2022-10-25T16:07:23.470771Z",
			"updated_at": "2026-04-10T02:00:04.621239Z",
			"deleted_at": null,
			"main_name": "Clever Kitten",
			"aliases": [
				"Group 41"
			],
			"source_name": "ETDA:Clever Kitten",
			"tools": [
				"Acunetix Web Vulnerability Scanner",
				"RC SHELL"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34",
				"Cold River",
				"DNSpionage"
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34",
				"CHRYSENE",
				"Crambus",
				"EUROPIUM",
				"Hazel Sandstorm",
				"Helix Kitten",
				"ITG13",
				"OilRig",
				"Yellow Maero"
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434449,
	"ts_updated_at": 1775792257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c677172c90e33587938c53b2c89f74120446be1d.pdf",
		"text": "https://archive.orkl.eu/c677172c90e33587938c53b2c89f74120446be1d.txt",
		"img": "https://archive.orkl.eu/c677172c90e33587938c53b2c89f74120446be1d.jpg"
	}
}