CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip. [1] [2] [3]

ID: G0052
Aliases: CopyKittens
Version: 1.0

Alias Descriptions

CopyKittens[1] [2] [3]

Techniques Used

EnterpriseT1116Code SigningCopyKittens digitally signed an executable with a stolen certificate from legitimate company AI Squared.[2]
EnterpriseT1002Data CompressedCopyKittens uses ZPP, a .NET console program, to compress files with ZIP.[2]
EnterpriseT1022Data EncryptedCopyKittens encrypts data with a substitute cipher prior to exfiltration.[3]
EnterpriseT1086PowerShellCopyKittens has used PowerShell Empire.[2]
EnterpriseT1085Rundll32CopyKittens uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, Cobalt Strike, and shellcode.[2]


S0154Cobalt StrikeAccess Token Manipulation, BITS Jobs, Bypass User Account Control, Command-Line Interface, Commonly Used Port, Connection Proxy, Credential Dumping, Custom Command and Control Protocol, Data from Local System, Distributed Component Object Model, Execution through API, Exploitation for Privilege Escalation, Indicator Removal from Tools, Input Capture, Man in the Browser, Multiband Communication, Network Service Scanning, Network Share Discovery, New Service, Pass the Hash, PowerShell, Process Discovery, Process Hollowing, Process Injection, Remote Desktop Protocol, Remote Services, Remote System Discovery, Scheduled Transfer, Screen Capture, Scripting, Service Execution, Standard Application Layer Protocol, Timestomp, Valid Accounts, Windows Admin Shares, Windows Management Instrumentation, Windows Remote Management
S0164TDTESSCommand-Line Interface, File Deletion, New Service, Remote File Copy, Timestomp