{
	"id": "7516f322-6545-48eb-8146-b2acac892122",
	"created_at": "2026-04-06T00:17:56.107038Z",
	"updated_at": "2026-04-10T13:11:29.940882Z",
	"deleted_at": null,
	"sha1_hash": "f052fd8f9e4cdd9eadc993a4b172f84e085b7fee",
	"title": "CopyKittens, Slayer Kitten - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63263,
	"plain_text": "CopyKittens, Slayer Kitten - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 14:45:12 UTC\r\n APT group: CopyKittens, Slayer Kitten\r\nNames\r\nCopyKittens (Trend Micro)\r\nSlayer Kitten (CrowdStrike)\r\nG0052 (MITRE)\r\nCountry Iran\r\nMotivation Information theft and espionage\r\nFirst seen 2013\r\nDescription\r\nCopyKittens is an Iranian cyberespionage group that has been operating since at least\r\n2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S.,\r\nJordan, and Germany. The group is responsible for the campaign known as Operation\r\nWilted Tulip.\r\nObserved\r\nSectors: Defense, Education, Government, IT, Media.\r\nCountries: Germany, Israel, Jordan, Saudi Arabia, Turkey, USA.\r\nTools used Cobalt Strike, EmpireProject, Matryoshka RAT, TDTESS, Vminst, ZPP.\r\nOperations performed\r\n2013\r\nOperation “Wilted Tulip”\r\nIn this report, Trend Micro and ClearSky expose a vast espionage\r\napparatus spanning the entire time the group has been active. It includes\r\nrecent incidents as well as older ones that have not been publicly\r\nreported; new malware; exploitation, delivery and command and control\r\ninfrastructure; and the group’s modus operandi. We dubbed this activity\r\nOperation Wilted Tulip.\r\n\u003chttps://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf\u003e\r\n2015 CopyKittens has conducted at least three waves of cyber-attacks in the\r\npast year. 
In each of the attacks the infection method was almost identical\r\nand included an extraordinary number of stages used to avoid detection.\r\nAs with other common threat actors, the group relies on social\r\nengineering methods to deceive its targets prior to infection.\nJan 2017\nBreach of the Israeli newspaper Jerusalem Post\nAs part of our monitoring of Iranian threat agents activities, we have\ndetected that since October 2016 and until the end of January 2017, the\nJerusalem Post, as well as multiple other Israeli websites and one website\nin the Palestinian Authority were compromised by Iranian threat agent\nCopyKittens.\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a674fc23-26e8-4f6e-ba55-1a6ef4029878",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a674fc23-26e8-4f6e-ba55-1a6ef4029878"
	],
	"report_names": [
		"showcard.cgi?u=a674fc23-26e8-4f6e-ba55-1a6ef4029878"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9fb19abe-4035-4f22-a595-641b7f3443a9",
			"created_at": "2022-10-25T15:50:23.748944Z",
			"updated_at": "2026-04-10T02:00:05.395401Z",
			"deleted_at": null,
			"main_name": "CopyKittens",
			"aliases": [
				"CopyKittens"
			],
			"source_name": "MITRE:CopyKittens",
			"tools": [
				"Cobalt Strike",
				"TDTESS",
				"Matryoshka"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f4557ed9-2455-44c5-a768-dfb80ccae259",
			"created_at": "2023-01-06T13:46:38.652329Z",
			"updated_at": "2026-04-10T02:00:03.055638Z",
			"deleted_at": null,
			"main_name": "CopyKittens",
			"aliases": [
				"Slayer Kitten",
				"G0052"
			],
			"source_name": "MISPGALAXY:CopyKittens",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "467c5e72-55a6-40a9-9b73-bb764889c0a5",
			"created_at": "2022-10-25T16:07:23.486532Z",
			"updated_at": "2026-04-10T02:00:04.628477Z",
			"deleted_at": null,
			"main_name": "CopyKittens",
			"aliases": [
				"CopyKittens",
				"G0052",
				"Operation Wilted Tulip",
				"Slayer Kitten"
			],
			"source_name": "ETDA:CopyKittens",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"EmPyre",
				"EmpireProject",
				"Matryoshka",
				"Matryoshka RAT",
				"PowerShell Empire",
				"TDTESS",
				"Vminst",
				"ZPP",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434676,
	"ts_updated_at": 1775826689,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f052fd8f9e4cdd9eadc993a4b172f84e085b7fee.pdf",
		"text": "https://archive.orkl.eu/f052fd8f9e4cdd9eadc993a4b172f84e085b7fee.txt",
		"img": "https://archive.orkl.eu/f052fd8f9e4cdd9eadc993a4b172f84e085b7fee.jpg"
	}
}