{
	"id": "05699804-9f3c-497a-8908-791d26390885",
	"created_at": "2026-04-06T00:22:02.72214Z",
	"updated_at": "2026-04-10T03:34:16.41923Z",
	"deleted_at": null,
	"sha1_hash": "e63e00a32cc778edafc814020c9e74bea23dddf5",
	"title": "Domestic Kitten: An Iranian Surveillance Operation - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 113124,
	"plain_text": "Domestic Kitten: An Iranian Surveillance Operation - Check Point Research\r\nBy deugenio\r\nPublished: 2018-09-07 · Archived: 2026-04-05 20:02:22 UTC\r\nChinese strategist Sun Tzu, Italian political philosopher Machiavelli and English philosopher Thomas Hobbes all justified deceit in war as a legitimate form of warfare. Preceding them all, however, were some in the Middle East who had already internalized and implemented this strategy to great effect, and continue to do so today.\r\nRecent investigations by Check Point researchers reveal an extensive and targeted attack that has been taking place since 2016 and, until now, has remained under the radar due to the artful deception of its attackers towards their targets. Through the use of mobile applications, those behind the attack use fake decoy content to entice their victims to download such applications, which are in fact loaded with spyware, to then collect sensitive information about them. Interestingly, these targets include Kurdish and Turkish natives and ISIS supporters. Most interesting of all, though, is that all these targets are actually Iranian citizens.\r\nWhat Information is Collected?\r\nConsidering the nature of the targets, the data collected about these groups provides those behind the campaign with highly valuable information that will no doubt be leveraged in further future action against them. Indeed, the malware collects data including contact lists stored on the victim’s mobile device, phone call records, SMS messages, browser history and bookmarks, the victim’s geo-location, photos, surrounding voice recordings and more.\r\nWho is Behind the Attack?\r\nWhile the exact identity of the actor behind the attack remains unconfirmed, current observations of those targeted, the nature of the apps and the attack infrastructure involved lead us to believe this operation is of Iranian origin. In fact, according to our discussions with intelligence experts familiar with the political discourse in this part of the world, Iranian government entities, such as the Islamic Revolutionary Guard Corps (IRGC), Ministry of Intelligence, Ministry of Interior and others, frequently conduct extensive surveillance of these groups.\r\nIndeed, these surveillance programs are used against individuals and groups that could pose a threat to the stability of the Iranian regime. These could include internal dissidents and opposition forces, as well as ISIS advocates and the Kurdish minority settled mainly in Western Iran.\r\nWhile our investigation is still in progress, the research below reveals the full extent of these targeted attacks, their infrastructure and victims, and the possible political story behind them. In the meantime, we have dubbed this operation ‘Domestic Kitten’ in line with the naming of other Iranian APT attacks.\r\nData Collection via Mobile Applications\r\nVictims are first lured into downloading applications believed to be of interest to them. The applications our researchers discovered included an ISIS-branded wallpaper changer, “updates” from the ANF Kurdistan news agency and a fake version of the messaging app Vidogram.\r\nRegarding the ISIS-themed application, its main functionality is setting wallpapers of ISIS pictures, and it therefore seems to be targeting the terror organization’s advocates. Curiously, its Arabic name is grammatically incorrect (“دولة خلافة الاسلامیة”, which should instead be “دولة الخلافة الاسلامیة”).\r\nFigure 1: The application offering ISIS-related wallpapers.\r\nFigure 2: ANF News Agency website, on which the decoy app is based.\r\nWith regards to the ANF News Agency app, while ANF is a legitimate Kurdish news website, its app has been fabricated by the attackers to pose as the legitimate app in order to deceive their targets.\r\nGiven the names and content offered by the above-mentioned applications, then, we are led to believe that specific political groups and users, mainly ISIS supporters and the Kurdish ethnic group, are targeted by the operation.\r\nHowever, the fact that most of the victims are actually Iranian citizens raises more pertinent questions about who may be behind the attack. Due to the attack infrastructure, reviewed below, and its consistency with previous investigations of state-sponsored Iranian operations covered by Check Point researchers, we were led to believe that Iranian government agencies may well be behind the campaign.\r\nTechnical Analysis\r\nA closer look at each of the applications used in the campaign shows them to share the same certificate, which was issued in 2016. This certificate is associated with the e-mail address ‘telecom2016@yahoo[.]com’, as seen below.\r\nFigure 3: The attack applications’ certificate uses the same email address ‘telecom2016@yahoo[.]com’.\r\nUnfortunately not much is known about this e-mail address, as it was not used to register any domain names or to launch attacks in the past.\r\nAnother unique characteristic of the applications used, though, is that all of the samples analyzed have several classes under a misspelled package name, “andriod.browser”.\r\nFigure 4: The malicious applications’ classes.\r\nThese classes are in charge of data exfiltration, collecting sensitive information from the victim’s device. Such information includes:\r\nSMS/MMS messages\r\nPhone call records\r\nContacts list\r\nBrowser history and bookmarks\r\nExternal storage\r\nApplication list\r\nClipboard content\r\nGeo-location and camera photos\r\nInterestingly, they also collect surrounding voice recordings.\r\nFigure 5: Examples of the malicious code.\r\nAll of the stolen data is then sent back to C\u0026C servers using HTTP POST requests.\r\nAdditionally, one of the applications contacts firmwaresystemupdate[.]com, a newly registered website that was seen to resolve to an Iranian IP address at first, but then switched to a Russian address.\r\nFigure 6: One of the decoy applications contacts firmwaresystemupdate[.]com.\r\nThe rest of the applications contact IP addresses directly; unlike the previous domain, these addresses are stored base64-encoded and XORed:\r\nFigure 7: The C\u0026C decoding.\r\nAlthough these IP addresses are contacted directly, newly registered domains resolve to each of them, and they all follow the same first name-surname naming convention:\r\nStevenwentz[.]com\r\nRonaldlubbers[.]site\r\nGeorgethompson[.]space\r\nEach victim then receives a unique device UUID (the UUID is the encoded value of the device’s android_id), which appears at the beginning of each log that is sent back to the attacker, with the title of each log having the same structure: UUID_LogDate_LogTime.log.\r\nWhen a log is created for a victim, some basic information is first collected and documented prior to the logging of phone call details. In addition, all the logs use a unique delimiter, “~~~”, to separate the fields of the stolen data:\r\nFigure 8: SMS log example.\r\nThe different classes then collect the relevant data and add it to such a log, which is then zipped. Afterwards, the archive is encrypted using AES, with the device UUID as the encryption key, as seen in the code below:\r\nFigure 9: The application’s encryption method.\r\nThis information is collected and sent back to C\u0026C servers when the corresponding command is received from the attacker. These commands follow the same structure as the log, as they use the same delimiter, and can include things such as “Get File”, “Set Server”, “Get Contacts” and more:\r\nFigure 10: Example of commands sent from the server.\r\nThis glance into the inner workings of the attack infrastructure therefore allowed us to form a precise idea of how wide this attack is and of the victims targeted.\r\nVictim Distribution\r\nHaving analyzed the full extent of the operation, as well as some extensive information about the attacked devices and the log files collected, we understood that around 240 users have so far fallen victim to this surveillance campaign.\r\nIn addition, thanks to the careful documentation of the campaign by its creators, we were able to learn that over 97% of its victims are Iranian, consistent with our estimation that this campaign is of Iranian origin.\r\nIn addition to the Iranian targets discovered, we also found victims from Afghanistan, Iraq and Great Britain.\r\nInterestingly, the log documentation includes the name of the malicious application used to intercept the victims’ data, as well as an Application Code Name field.\r\nThis field includes a short description of the app, which leads us to believe that it is used by the attackers to instantly recognize the application used by the victim. Observed code names include ‘Daesh4’ (ISIS4), ‘Military News’, ‘Weapon2’ and ‘Poetry Kurdish’.\r\nBelow is a visualization of the attacked devices and mobile vendors that were documented in the logs:\r\nFigure 11: A breakdown of attacked devices and mobile vendors.\r\nWhile the number of victims and their characteristics are detailed above, the number of people affected by this operation is actually much higher. This is because the full contact list stored on each victim’s mobile device, including full names and at least one phone number per contact, was also harvested by the attackers.\r\nIn addition, because phone call and SMS details, as well as the actual SMS messages, were also recorded by the attackers, the private information of thousands of totally unrelated users has also been compromised.\r\n————————————————————————————————————————-\r\nCheck Point’s Mobile solutions can protect against this type of attack. For enterprises, read more about Check Point’s SandBlast Mobile, and for consumers Check Point’s ZoneAlarm Mobile, to learn how you can protect your device from malicious and invasive mobile malware.\r\nWe wish to thank Dr. Raz Zimmt, an expert on Iran at the Institute for National Security Studies (INSS), for his illuminating insights.\r\nIndicators of Compromise\r\nSource: https://research.checkpoint.com/domestic-kitten-an-iranian-surveillance-operation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://research.checkpoint.com/domestic-kitten-an-iranian-surveillance-operation/"
	],
	"report_names": [
		"domestic-kitten-an-iranian-surveillance-operation"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "44d5df14-6a25-41d6-a54c-7c7ebac358cf",
			"created_at": "2023-01-06T13:46:38.817312Z",
			"updated_at": "2026-04-10T02:00:03.111227Z",
			"deleted_at": null,
			"main_name": "Domestic Kitten",
			"aliases": [
				"Bouncing Golf",
				"APT-C-50"
			],
			"source_name": "MISPGALAXY:Domestic Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "30f6ddb3-f5aa-4b78-a1a5-e37c42b2c560",
			"created_at": "2022-10-25T16:07:23.544297Z",
			"updated_at": "2026-04-10T02:00:04.64999Z",
			"deleted_at": null,
			"main_name": "Domestic Kitten",
			"aliases": [
				"APT-C-50",
				"Bouncing Golf",
				"G0097"
			],
			"source_name": "ETDA:Domestic Kitten",
			"tools": [
				"FurBall",
				"GolfSpy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434922,
	"ts_updated_at": 1775792056,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e63e00a32cc778edafc814020c9e74bea23dddf5.pdf",
		"text": "https://archive.orkl.eu/e63e00a32cc778edafc814020c9e74bea23dddf5.txt",
		"img": "https://archive.orkl.eu/e63e00a32cc778edafc814020c9e74bea23dddf5.jpg"
	}
}