{
	"id": "88d45593-93d8-4b12-8ebf-168c59c9b207",
	"created_at": "2026-04-06T00:06:07.903662Z",
	"updated_at": "2026-04-10T03:37:55.903565Z",
	"deleted_at": null,
	"sha1_hash": "d98d2a6fac85b932d560d7a7c1351fa2336dab2e",
	"title": "Rocket Kitten, Newscaster, NewsBeef - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72807,
	"plain_text": "Rocket Kitten, Newscaster, NewsBeef - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:30:08 UTC\nAPT group: Rocket Kitten, Newscaster, NewsBeef\nNames\nRocket Kitten (CrowdStrike)\nNewscaster (Symantec)\nNewsBeef (Kaspersky)\nGroup 83 (Talos)\nParastoo (Flashpoint)\nCountry: Iran\nSponsor: State-sponsored\nMotivation: Information theft and espionage\nFirst seen: 2011\nDescription (Kaspersky): Newsbeef/Newscaster will find a way to compromise a web site, usually the vulnerability appears to be CMS related, in an outdated WordPress plugin, Joomla version, or Drupal version. Attackers usually perform one of two things, Newsbeef has been performing the first of the two:\n- inject a src or iframe link into web pages or css sheets\n- inject the content of an entire BeEF web page into one of the internally linked javascript helpers\nThe injected link will redirect visitors’ browsers to a BeEF server. Usually, the attackers deliver some of the tracking and system/browser identification and evercookie capabilities. Sometimes, it appears that they deliver the metasploit integration to exploit and deliver backdoors (we haven’t identified that exploitation activity in our ksn data related to this group just yet). Sometimes, it is used to pop up spoofed login input fields to steal social networking site credentials. We also haven’t detected that in ksn, but some partners have privately reported it about various incidents. But we have identified that attackers will redirect specific targets to laced Adobe Flash and other installers from websites that they operate.\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=5fea3af9-45a6-4cfd-b1dd-1411f19f34c3\nPage 1 of 3\nSo, the watering hole activity isn’t always and usually isn’t delivering backdoors. Most of the time, the watering hole injections are used to identify and track visitors or steal their browser history. Then, they deliver the backdoors to the right targets.\nThere is some infrastructure overlap with Magic Hound, APT 35, Cobalt Illusion, Charming Kitten and ITG18.\nObserved\nSectors: Construction, Defense, Education, Embassies, Entertainment, Government, Manufacturing, Media.\nCountries: Algeria, Brazil, China, Germany, India, Israel, Japan, Kazakhstan, Romania, Russia, Turkey, UK, Ukraine, USA.\nTools used: BeEF, FireMalv, Ghole.\nOperations performed\n2011\nOperation “Newscaster”\nThe research firm iSight dubbed the operation Newscaster and said hackers used social-media sites like Twitter, Facebook and LinkedIn to draw their targets and then lure them to check out a bogus news site, NewsOnAir.org, filled with foreign policy and defense articles, The Post reported.\nThe overall aim is that the social-media platform would give the hackers connections with those at the top of public policy — and position them to tap into that information network.\nFeb 2015\nOperation “Woolen-GoldFish”\nFeb 2016\nIn late February 2016, a University website in Iran stood out for thoroughly vetting its current and potential students and staff. The University’s web site served repackaged content from the Browser Exploitation Framework (BeEF) with embedded JavaScript content.\n2017\nFake news website BritishNews to infect visitors\nOn the same note, we identified a fake-news agency “established” by the attackers, called “The British news agency” or “Britishnews” (inspired by BBC). Its website domain is britishnews.com[.]co and two other domains, broadcastbritishnews[.]com and britishnews[.]org, redirected to it.\n2017\nBlackmailing BBC reporter with ‘naked photo’ threats\nIranian agents blackmailed a BBC Persian journalist by threatening to publish revealing photos of her as part of a wider campaign against the British media outlet, staff at the broadcaster told Arab News.\nNew details emerged on Saturday about alleged harassment of BBC Persian reporters’ family members and loved ones at the hands of the Iranian security services.\nInformation\nLast change to this card: 13 September 2022\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=5fea3af9-45a6-4cfd-b1dd-1411f19f34c3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=5fea3af9-45a6-4cfd-b1dd-1411f19f34c3"
	],
	"report_names": [
		"showcard.cgi?u=5fea3af9-45a6-4cfd-b1dd-1411f19f34c3"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "82f54603-89e0-4f5a-8df9-eae0c3a90d70",
			"created_at": "2022-10-25T16:07:23.745406Z",
			"updated_at": "2026-04-10T02:00:04.734764Z",
			"deleted_at": null,
			"main_name": "ITG18",
			"aliases": [],
			"source_name": "ETDA:ITG18",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b0261705-df2e-4156-9839-16314250f88a",
			"created_at": "2023-01-06T13:46:38.373617Z",
			"updated_at": "2026-04-10T02:00:02.947842Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Operation Woolen-Goldfish",
				"Thamar Reservoir",
				"Timberworm",
				"TEMP.Beanie",
				"Operation Woolen Goldfish"
			],
			"source_name": "MISPGALAXY:Rocket Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e034b94b-9655-42c4-a72e-a58807dce299",
			"created_at": "2022-10-25T16:07:24.133537Z",
			"updated_at": "2026-04-10T02:00:04.876832Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Group 83",
				"NewsBeef",
				"Newscaster",
				"Operation Newscaster",
				"Operation Woolen-GoldFish",
				"Parastoo",
				"Rocket Kitten"
			],
			"source_name": "ETDA:Rocket Kitten",
			"tools": [
				"CoreImpact (Modified)",
				"FireMalv",
				"Ghole",
				"Gholee"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8faa11f5-2a14-479c-9ea8-3779e6de9749",
			"created_at": "2022-10-25T15:50:23.814205Z",
			"updated_at": "2026-04-10T02:00:05.308465Z",
			"deleted_at": null,
			"main_name": "Ajax Security Team",
			"aliases": [
				"Ajax Security Team",
				"Operation Woolen-Goldfish",
				"AjaxTM",
				"Rocket Kitten",
				"Flying Kitten",
				"Operation Saffron Rose"
			],
			"source_name": "MITRE:Ajax Security Team",
			"tools": [
				"sqlmap",
				"Havij"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433967,
	"ts_updated_at": 1775792275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d98d2a6fac85b932d560d7a7c1351fa2336dab2e.pdf",
		"text": "https://archive.orkl.eu/d98d2a6fac85b932d560d7a7c1351fa2336dab2e.txt",
		"img": "https://archive.orkl.eu/d98d2a6fac85b932d560d7a7c1351fa2336dab2e.jpg"
	}
}