{ "id": "8c250b80-0e21-4d8f-ad14-25c2192c53ab", "created_at": "2026-04-06T01:30:37.840047Z", "updated_at": "2026-04-10T03:34:15.522229Z", "deleted_at": null, "sha1_hash": "e3edfb34dfbcda99fa00625e2696f09dc368d8fe", "title": "Jerusalem Post and other Israeli websites compromised by Iranian threat agent CopyKitten – ClearSky Cyber Security", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 70125, "plain_text": "Jerusalem Post and other Israeli websites compromised by Iranian\r\nthreat agent CopyKitten – ClearSky Cyber Security\r\nPublished: 2017-03-30 · Archived: 2026-04-06 00:46:31 UTC\r\nOn 29 March 2017 the German Federal Office for Information Security (BSI) said in a statement that the website\r\nof Israeli newspaper Jerusalem Post was manipulated and linked to a harmful third party. Below is a Google\r\ntranslation of the statement:\r\n“After the cyber attack on the German Bundestag in 2015, some protective functions that the BSI has established\r\nfor government networks have also been adopted by the German Bundestag for its own networks. Since the\r\nbeginning of January 2017, the BSI, as the national cyber security agency, has been in close contact with the\r\nGerman Bundestag, due to the network traffic of the German Bundestag. At the request of the German\r\nBundestag the BSI analyzed these problems in network traffic. The technical analyzes have been completed.\r\nThe website of the Jerusalem Post was manipulated and linked to a harmful third party. Within the framework\r\nof the analyzes, however, the BSI has not discovered any malicious software; infections are also not known to the\r\nBSI.”\r\nAs part of our monitoring of Iranian threat agents activities, we have detected that since October 2016 and until\r\nthe end of January 2017, the Jerusalem Post, as well as multiple other Israeli websites and one website in the\r\nPalestinian Authority were compromised by Iranian threat agent CopyKittens.  Based on the time-frame and\r\nnature of the compromises, we estimate with high certainty that the statement by German Federal Office for\r\nInformation Security refers to the same incidents.\r\nWatering hole attacks\r\nIn each of the compromised websites, the attackers inserted a single line of Javascript code into an existing\r\nJavascript library (a local library, loaded from the server hosting the compromised website). This code loaded\r\nfurther Javascript from a malicious domain owned by the attackers:\r\njguery[.]net\r\nSpecifically from this URL: https://js.jguery[.]net/jquery.min.js\r\nNote that the domain is intentionally impersonating jquery.com, a legitimate and unrelated domain used by Jquery,\r\none of the most prevalent Javascript libraries.\r\nBelow are screenshots of infected website’s source code showing jguery[.]net being loaded (click images to\r\nenlarge).\r\nJerusalem post website (www.jpost.com):\r\nhttps://www.clearskysec.com/copykitten-jpost/\r\nPage 1 of 5\n\nMaariv – website of a national daily newspaper published in Israel (www.maariv.co.il)\r\nThe Israeli Defense Force Disabled Veterans Organization website (inz.org.il)\r\nhttps://www.clearskysec.com/copykitten-jpost/\r\nPage 2 of 5\n\nThe Palestinian Ministry of Health (www.moh.gov.ps)\r\n(loaded a from a similar malicious domain – jguery[.]online):\r\nThe student personal info log-in page of Tel Aviv University (www.ims.tau.ac.il)\r\nThis was captured by PassiveTotal as can be seen in the screenshot below or in the following analysis page:\r\nhttps://passivetotal.org/search/jguery.net.\r\nhttps://www.clearskysec.com/copykitten-jpost/\r\nPage 3 of 5\n\nBy the time we examined the website the malicious code was removed.\r\nJavascript payload\r\nAs can be seen in this public analysis, the malicious Javascript payload loaded from jguery[.]net and\r\njguery[.]online was BeEF, The Browser Exploitation Framework Project, an open source “penetration testing tool\r\nthat focuses on the web browser”.\r\nThe Javascript payload was not served to each and every visitor of the infected websites. Based on our\r\nanalysis and other indications, we estimate that the attackers used whitelisting, likely based on source IP.  This\r\nmeans that only specific targets would be effected and potentially compromised. However, because we did not\r\nhave access to the servers hosting the malicious Javascript payload, we do not know what was the exact logic for\r\nit being served.\r\nSource of the compromise?\r\nWhile monitoring online hacking communities, we identified that in October 2016 an actor sold access to the\r\nmanagement panel of a server belonging to an Israeli hosting company. This server hosted the Jerusalem Post and\r\nMaariv, among other websites.\r\nWe estimate with medium certainty, that the attackers bought  access to the server in order to deploy the malicious\r\ncode.\r\nIndicators of compromise\r\nIndicators file:  copykittens-indicators-March-2017.csv (also available on PassiveTotal).\r\nOther parts of this campaign were revealed recently by Domaintools.\r\nDomains in use by CopyKittens:\r\nhttps://www.clearskysec.com/copykitten-jpost/\r\nPage 4 of 5\n\n1e100[.]tech\r\n1m100[.]tech\r\nads-youtube[.]online\r\nakamaitechnology[.]com\r\nalkamaihd[.]net\r\nazurewebsites[.]tech\r\nbroadcast-microsoft[.]tech\r\nchromeupdates[.]online\r\ncloudmicrosoft[.]net\r\ndnsserv[.]host\r\nelasticbeanstalk[.]tech\r\nfdgdsg[.]xyz\r\njguery[.]net\r\njguery[.]online\r\njs[.]jguery[.]online\r\nmicrosoft-ds[.]com\r\nmicrosoft-security[.]host\r\nnameserver[.]win\r\nnewsfeeds-microsoft[.]press\r\nowa-microsoft[.]online\r\nprimeminister-goverment-techcenter[.]tech\r\nqoldenlines[.]net\r\nsharepoint-microsoft[.]co\r\nssl-gstatic[.]online\r\nstatic[.]primeminister-goverment-techcenter[.]tech\r\ntrendmicro[.]tech\r\nSource: https://www.clearskysec.com/copykitten-jpost/\r\nhttps://www.clearskysec.com/copykitten-jpost/\r\nPage 5 of 5\n\n https://www.clearskysec.com/copykitten-jpost/ \nMaariv-website of a national daily newspaper published in Israel (www.maariv.co.il)\nThe Israeli Defense Force Disabled Veterans Organization website (inz.org.il)\n Page 2 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.clearskysec.com/copykitten-jpost/" ], "report_names": [ "copykitten-jpost" ], "threat_actors": [ { "id": "9fb19abe-4035-4f22-a595-641b7f3443a9", "created_at": "2022-10-25T15:50:23.748944Z", "updated_at": "2026-04-10T02:00:05.395401Z", "deleted_at": null, "main_name": "CopyKittens", "aliases": [ "CopyKittens" ], "source_name": "MITRE:CopyKittens", "tools": [ "Cobalt Strike", "TDTESS", "Matryoshka" ], "source_id": "MITRE", "reports": null }, { "id": "f4557ed9-2455-44c5-a768-dfb80ccae259", "created_at": "2023-01-06T13:46:38.652329Z", "updated_at": "2026-04-10T02:00:03.055638Z", "deleted_at": null, "main_name": "CopyKittens", "aliases": [ "Slayer Kitten", "G0052" ], "source_name": "MISPGALAXY:CopyKittens", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "467c5e72-55a6-40a9-9b73-bb764889c0a5", "created_at": "2022-10-25T16:07:23.486532Z", "updated_at": "2026-04-10T02:00:04.628477Z", "deleted_at": null, "main_name": "CopyKittens", "aliases": [ "CopyKittens", "G0052", "Operation Wilted Tulip", "Slayer Kitten" ], "source_name": "ETDA:CopyKittens", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "EmPyre", "EmpireProject", "Matryoshka", "Matryoshka RAT", "PowerShell Empire", "TDTESS", "Vminst", "ZPP", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775439037, "ts_updated_at": 1775792055, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e3edfb34dfbcda99fa00625e2696f09dc368d8fe.pdf", "text": "https://archive.orkl.eu/e3edfb34dfbcda99fa00625e2696f09dc368d8fe.txt", "img": "https://archive.orkl.eu/e3edfb34dfbcda99fa00625e2696f09dc368d8fe.jpg" } }