CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.   

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1116 | Code Signing | CopyKittens digitally signed an executable with a certificate stolen from the legitimate company AI Squared. |
| Enterprise | T1002 | Data Compressed | CopyKittens uses ZPP, a .NET console program, to compress files with ZIP. |
| Enterprise | T1022 | Data Encrypted | CopyKittens encrypts data with a substitution cipher prior to exfiltration. |
| Enterprise | T1086 | PowerShell | CopyKittens has used PowerShell Empire. |
| Enterprise | T1085 | Rundll32 | CopyKittens uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, Cobalt Strike, and shellcode. |

- ClearSky Cyber Security. (2017, March 30). Jerusalem Post and other Israeli websites compromised by Iranian threat agent CopyKitten. Retrieved August 21, 2017.
- ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.