{
	"id": "929ad053-4c28-4756-a7c3-9771ad16aa85",
	"created_at": "2026-04-06T00:07:31.616426Z",
	"updated_at": "2026-04-10T03:37:55.884855Z",
	"deleted_at": null,
	"sha1_hash": "cf3341fee4a3a2c2d4cd379fd6f0fd2217ee13bb",
	"title": "CrowdStrike Tracks Reported Iranian Actor as FLYING KITTEN",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1046414,
	"plain_text": "CrowdStrike Tracks Reported Iranian Actor as FLYING KITTEN\r\nBy mattdahl\r\nArchived: 2026-04-05 13:12:43 UTC\r\nToday, our friends at FireEye released a report on an Iran-based adversary they are calling Saffron Rose.\r\nCrowdStrike Intelligence has also been tracking and reporting internally on this threat group since mid-January\r\n2014 under the name FLYING KITTEN, and since that time has seen targeting of multiple U.S.-based defense\r\ncontractors as well as political dissidents. Flying Kitten Targeted Intrusion FireEye’s report notes that this\r\nadversary’s targeted intrusion activity consists of credential theft and malware delivery individually. The FLYING\r\nKITTEN campaigns investigated by CrowdStrike Intelligence showed that the actor actually combines the two.\r\nFor example, the adversary will register a domain that spoofs the name of the targeted organization and then host a\r\nspoofed login page on that site.\r\n The page is used to steal\r\nlegitimate credentials, but once users enter the credentials, they are often redirected to a new page that prompts\r\nthem to download a “Browser Patch” or other similar type of file. The downloaded file is actually the Stealer\r\nmalware that exfiltrates stolen data to an FTP server. In addition to the aerospace/defense and dissident targeting,\r\nit also appears that FLYING KITTEN is also engaged in broader targeting via the website parmanpower\u003c.\u003ecom.\r\nThis website is registered via the same registrant email (info\u003c@\u003eusa.gov.us) and other Whois information as some\r\nof the other domains related to the activity discussed above. 
It purports to be the website of a business engaged in\r\nrecruiting, training, and development in Erbil, Iraq.\r\nNo malicious activity has been linked to this domain; however, given that it was registered under the same\r\nregistrant email at the same time as other FLYING KITTEN domains linked to malicious activity, it is likely that\r\nthe adversary is using this site for malicious purposes as well. The website does not appear to deliver any\r\nmalware, so its most likely purpose is to act as a credential-collection mechanism much like the spoofed Institute\r\nof Electrical and Electronics Engineers (IEEE) Aerospace Conference website (aeroconf2014\u003c.\u003eorg) the\r\nadversary used earlier this year. This spoofed recruiting company website could be used to target entities across a\r\nwide range of sectors.\r\nAttribution\r\nAttribution in this case is interesting, as the adversary appears to have made a\r\nmistake when registering its malicious domains. The registrant email that currently appears in the Whois records\r\nof some of the FLYING KITTEN domains is info\u003c@\u003eusa.gov.us; however, historical records show that the\r\ndomains were originally registered under the email address keyvan.ajaxtm\u003c@\u003egmail.com.\r\nAs FireEye’s report notes, the keyvan.ajaxtm@gmail.com email address ties back to an Iran-based entity called\r\nAjax Security Team. Earlier this year, Ajax Security had an easily identifiable presence on the Internet with its\r\nown website and related Facebook pages.\r\nThis Internet presence has decreased significantly since early 2014, likely due to a desire to keep a lower profile\r\nnow that the group is engaged in targeted intrusion activity. 
The following Yara rules will provide detection for the\r\nadversary remote access toolkit and exfiltration tool:\r\nrule CrowdStrike_FlyingKitten : rat\r\n{\r\n    meta:\r\n        copyright = \"CrowdStrike, Inc\"\r\n        description = \"Flying Kitten RAT\"\r\n        version = \"1.0\"\r\n        actor = \"FLYING KITTEN\"\r\n        in_the_wild = true\r\n    strings:\r\n        $classpath = \"Stealer.Properties.Resources.resources\"\r\n        $pdbstr = \"\\\\Stealer\\\\obj\\\\x86\\\\Release\\\\Stealer.pdb\"\r\n    condition:\r\n        all of them and\r\n        // MZ header and PE signature\r\n        uint16(0) == 0x5A4D and uint32(uint32(0x3c)) == 0x4550 and\r\n        // Characteristics: IMAGE_FILE_DLL not set (executable, not a DLL)\r\n        uint16(uint32(0x3C) + 0x16) \u0026 0x2000 == 0 and\r\n        // CLR runtime header present (.NET), for PE32 (0x010b) or PE32+ (0x020b)\r\n        ((uint16(uint32(0x3c)+24) == 0x010b and uint32(uint32(0x3c)+232) \u003e 0) or\r\n         (uint16(uint32(0x3c)+24) == 0x020b and uint32(uint32(0x3c)+248) \u003e 0))\r\n}\r\nrule CrowdStrike_CSIT_14003_03 : installer\r\n{\r\n    meta:\r\n        copyright = \"CrowdStrike, Inc\"\r\n        description = \"Flying Kitten Installer\"\r\n        version = \"1.0\"\r\n        actor = \"FLYING KITTEN\"\r\n        in_the_wild = true\r\n    strings:\r\n        $exename = \"IntelRapidStart.exe\"\r\n        $confname = \"IntelRapidStart.exe.config\"\r\n        // Microsoft Cabinet header: \"MSCF\" followed by four reserved zero bytes\r\n        $cabhdr = { 4d 53 43 46 00 00 00 00 }\r\n    condition:\r\n        all of them\r\n}\r\nYou can use this rule with CrowdStrike's free CrowdResponse tool to easily scan your systems for presence of\r\nFLYING KITTEN. Interested in learning about other threat actors? Visit our threat actor center for details on\r\nnation-state and eCrime adversaries. If you have any questions about these signatures or want to hear more about\r\nFlying Kitten and their tradecraft, please contact: intelligence@crowdstrike.com and inquire about Falcon\r\nIntelligence, our Cyber Threat Intelligence subscription.\r\nSource: https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/"
	],
	"report_names": [
		"cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten"
	],
	"threat_actors": [
		{
			"id": "8e1bae2f-2a21-4ba8-a6f1-42155f96aec8",
			"created_at": "2022-10-25T16:07:23.645758Z",
			"updated_at": "2026-04-10T02:00:04.700158Z",
			"deleted_at": null,
			"main_name": "Flying Kitten",
			"aliases": [
				"Ajax Security Team",
				"Flying Kitten",
				"G0130",
				"Group 26",
				"Operation Saffron Rose"
			],
			"source_name": "ETDA:Flying Kitten",
			"tools": [
				"Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4d7cba1-dbdd-42a9-88c5-4d0c81659ee0",
			"created_at": "2023-01-06T13:46:38.357581Z",
			"updated_at": "2026-04-10T02:00:02.941254Z",
			"deleted_at": null,
			"main_name": "Flying Kitten",
			"aliases": [
				"Saffron Rose",
				"AjaxSecurityTeam",
				"Ajax Security Team",
				"Group 26",
				"Sayad",
				"SaffronRose"
			],
			"source_name": "MISPGALAXY:Flying Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8faa11f5-2a14-479c-9ea8-3779e6de9749",
			"created_at": "2022-10-25T15:50:23.814205Z",
			"updated_at": "2026-04-10T02:00:05.308465Z",
			"deleted_at": null,
			"main_name": "Ajax Security Team",
			"aliases": [
				"Ajax Security Team",
				"Operation Woolen-Goldfish",
				"AjaxTM",
				"Rocket Kitten",
				"Flying Kitten",
				"Operation Saffron Rose"
			],
			"source_name": "MITRE:Ajax Security Team",
			"tools": [
				"sqlmap",
				"Havij"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434051,
	"ts_updated_at": 1775792275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cf3341fee4a3a2c2d4cd379fd6f0fd2217ee13bb.pdf",
		"text": "https://archive.orkl.eu/cf3341fee4a3a2c2d4cd379fd6f0fd2217ee13bb.txt",
		"img": "https://archive.orkl.eu/cf3341fee4a3a2c2d4cd379fd6f0fd2217ee13bb.jpg"
	}
}