CopyKittens
Overview
CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.
Targets
Civil society · Government · Private sector
Regions
Germany · Israel · Jordan · Saudi Arabia · United States
Capabilities
- Custom malware/implant development — ATT&CK: 3 attributed custom malware families
TTPs — 8 techniques across 6 tactics
Resource Development
- T1588.002 Obtain Capabilities: Tool
Execution
- T1059.001 Command and Scripting Interpreter: PowerShell
Stealth
- T1218.011 System Binary Proxy Execution: Rundll32
- T1564.003 Hide Artifacts: Hidden Window
Defense Impairment
- T1553.002 Subvert Trust Controls: Code Signing
Collection
- T1560.001 Archive Collected Data: Archive via Utility
- T1560.003 Archive Collected Data: Archive via Custom Method
Command and Control
- T1090 Proxy
Tools & malware (4)
Cobalt Strike · Empire · TDTESS · Matryoshka
Reporting (3)
- Operation Wilted Tulip: Exposing a cyber espionage apparatus — ClearSky Cyber Security and Trend Micro
- Jerusalem Post and other Israeli websites compromised by Iranian threat agent CopyKitten — ClearSky Cyber Security
- CopyKittens Attack Group — Minerva Labs LTD and ClearSky Cyber Security