Ajax Security Team

Ajax Security Team is a group that has been active since at least 2010 and is believed to be operating out of Iran. By 2014 Ajax Security Team had transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.[1]

ID: G0130
Associated Groups: Operation Woolen-Goldfish, AjaxTM, Rocket Kitten, Flying Kitten, Operation Saffron Rose
Version: 1.0
Created: 14 April 2021
Last Modified: 17 December 2021

Associated Group Descriptions

Operation Woolen-Goldfish: Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between Ajax Security Team and the campaign Operation Woolen-Goldfish.[2][3]

AjaxTM [1]

Rocket Kitten: Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between Ajax Security Team and Rocket Kitten.[2][4]

Flying Kitten [5]

Operation Saffron Rose [1]

Techniques Used

Enterprise T1555.003 Credentials from Password Stores: Credentials from Web Browsers
Ajax Security Team has used FireMalv, custom-developed malware, which collected passwords from the Firefox browser storage.[2]

Enterprise T1105 Ingress Tool Transfer
Ajax Security Team has used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system.[2]

Enterprise T1056.001 Input Capture: Keylogging
Ajax Security Team has used CWoolger and MPK, custom-developed malware, which recorded all keystrokes on an infected system.[2]

Enterprise T1566.001 Phishing: Spearphishing Attachment
Ajax Security Team has used personalized spearphishing attachments.[2]

Enterprise T1566.003 Phishing: Spearphishing via Service
Ajax Security Team has used various social media channels to spearphish victims.[1]

Enterprise T1204.002 User Execution: Malicious File
Ajax Security Team has lured victims into executing malicious files.[1]
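Two of the behaviours in the table above leave host telemetry that can be hunted for: a process other than Firefox reading the Firefox credential store (T1555.003), and an Office application launching an executable dropped in a user-writable directory (T1204.002 following a spearphishing attachment, T1566.001). The following Python hunting check is an added example; it is not part of the ATT&CK page and not code from any of the cited reports, and it says nothing about how FireMalv itself works. The file names logins.json, key4.db, key3.db and signons.sqlite are the standard Firefox password-store files. The event schema (kind, host, user, process, target, parent) is an assumption standing in for whatever your telemetry provides, for instance Windows Security event 4663 with an audit SACL on the Firefox profile directory for file reads and Sysmon event 1 for process creation; the sample events are constructed, not real logs.

```python
import ntpath
import re
from dataclasses import dataclass

# Firefox keeps saved logins in logins.json, encrypted with a key held in
# key4.db (key3.db on older versions); signons.sqlite is the legacy store.
FIREFOX_CRED_FILES = {"logins.json", "key4.db", "key3.db", "signons.sqlite"}
FIREFOX_PROFILE_RE = re.compile(r"\\Mozilla\\Firefox\\Profiles\\", re.IGNORECASE)
FIREFOX_PROCS = {"firefox.exe"}

# Office applications that would open a spearphishing attachment.
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# User-writable locations where a dropped payload typically lands.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads|Users\\Public)\\",
    re.IGNORECASE,
)


@dataclass
class Event:
    # Assumed schema: "file_access" or "process_create".
    kind: str
    host: str
    user: str
    process: str        # image path of the reading process / child process
    target: str = ""    # file path for file_access events
    parent: str = ""    # parent image path for process_create events


@dataclass
class Alert:
    technique: str
    host: str
    detail: str


def basename(path):
    # ntpath handles Windows separators regardless of the analysis host OS.
    return ntpath.basename(path).lower()


def check_firefox_store_access(ev):
    """T1555.003: a non-Firefox process reading a Firefox credential store file."""
    if ev.kind != "file_access":
        return None
    if basename(ev.target) not in FIREFOX_CRED_FILES:
        return None
    if not FIREFOX_PROFILE_RE.search(ev.target):
        return None
    if basename(ev.process) in FIREFOX_PROCS:
        return None
    return Alert("T1555.003", ev.host, f"{ev.process} read {ev.target} as {ev.user}")


def check_office_child(ev):
    """T1204.002: an Office process launching an executable from a user-writable path."""
    if ev.kind != "process_create":
        return None
    if basename(ev.parent) not in OFFICE_PROCS:
        return None
    if not USER_WRITABLE_RE.search(ev.process):
        return None
    return Alert("T1204.002", ev.host, f"{ev.parent} launched {ev.process} as {ev.user}")


RULES = (check_firefox_store_access, check_office_child)


def hunt(events):
    """Run every rule over every event; return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            alert = rule(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry for one workstation (not from any real incident).
PROFILE = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default"
DROPPED = r"C:\Users\alice\AppData\Local\Temp\update.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    # Firefox itself reading its own store: benign.
    Event("file_access", "ws01", "alice", r"C:\Program Files\Mozilla Firefox\firefox.exe",
          target=PROFILE + r"\logins.json"),
    # Dropped binary reading the encrypted logins and the key database.
    Event("file_access", "ws01", "alice", DROPPED, target=PROFILE + r"\logins.json"),
    Event("file_access", "ws01", "alice", DROPPED, target=PROFILE + r"\key4.db"),
    # Same binary reading an unrelated file: not a credential-store access.
    Event("file_access", "ws01", "alice", DROPPED, target=r"C:\Users\alice\Documents\notes.txt"),
    # Word launching the dropped binary from %TEMP%.
    Event("process_create", "ws01", "alice", DROPPED, parent=WINWORD),
    # Word launching a system print helper: benign.
    Event("process_create", "ws01", "alice", r"C:\Windows\System32\splwow64.exe", parent=WINWORD),
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(a.technique, a.host, a.detail)
```

Over the constructed events this yields two T1555.003 alerts (logins.json and key4.db read by the dropped binary) and one T1204.002 alert (Word launching that binary from %TEMP%); the benign Firefox read and the splwow64.exe child produce nothing. In a real deployment, expect to add backup agents and legitimate password managers to the Firefox allow-list, and remember that 4663 only fires for reads if the profile directory actually carries an audit SACL.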

Software

S0224 Havij (automated SQL injection tool) [2]: Exploit Public-Facing Application
S0225 sqlmap (open-source SQL injection tool) [2]: Exploit Public-Facing Application

References