CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip. [1] [2] [3]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
CopyKittens uses ZPP, a .NET console program, to compress files with ZIP.[2] |
.003 | Archive Collected Data: Archive via Custom Method |
CopyKittens encrypts data with a substitute cipher prior to exfiltration.[3] |
||
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
CopyKittens has used PowerShell Empire.[2] |
Enterprise | T1564 | .003 | Hide Artifacts: Hidden Window |
CopyKittens has used |
Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
CopyKittens has used Metasploit and Empire for post-exploitation activities.[4] |
Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
CopyKittens digitally signed an executable with a stolen certificate from legitimate company AI Squared.[2] |
Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 |
CopyKittens uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, Cobalt Strike, and shellcode.[2] |