1. Home
  2. Groups
  3. Ajax Security Team

Ajax Security Team

Ajax Security Team is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 Ajax Security Team transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.[1]

ID: G0130
Associated Groups: Operation Woolen-Goldfish, AjaxTM, Rocket Kitten, Flying Kitten, Operation Saffron Rose
Version: 1.0
Created: 14 April 2021
Last Modified: 09 October 2023
Version Permalink

Associated Group Descriptions

Name Description
Operation Woolen-Goldfish

Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between Ajax Security Team and the campaign Operation Woolen-Goldfish.[2][3]
AjaxTM

[1]
Rocket Kitten

Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between Ajax Security Team and Rocket Kitten.[2][4]
Flying Kitten

[5]
Operation Saffron Rose

[1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Ajax Security Team has used FireMalv custom-developed malware, which collected passwords from the Firefox browser storage.[2]
Enterprise T1105 Ingress Tool Transfer

Ajax Security Team has used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system.[2]
Enterprise T1056 .001 Input Capture: Keylogging

Ajax Security Team has used CWoolger and MPK, custom-developed malware, which recorded all keystrokes on an infected system.[2]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Ajax Security Team has used personalized spearphishing attachments.[2]
.003 Phishing: Spearphishing via Service

Ajax Security Team has used various social media channels to spearphish victims.[1]
Enterprise T1204 .002 User Execution: Malicious File

Ajax Security Team has lured victims into executing malicious files.[1]

Software

ID Name References Techniques
S0224 Havij [2] Exploit Public-Facing Application
S0225 sqlmap [2] Exploit Public-Facing Application

References

  1. Villeneuve, N. et al.. (2013). OPERATION SAFFRON ROSE . Retrieved May 28, 2020.
  2. Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.
  3. Cedric Pernet, Kenney Lu. (2015, March 19). Operation Woolen-Goldfish - When Kittens Go phishing. Retrieved April 21, 2021.
  1. Iran Threats . (2017, December 5). Flying Kitten to Rocket Kitten, A Case of Ambiguity and Shared Code. Retrieved May 28, 2020.
  2. Dahl, M.. (2014, May 13). Cat Scratch Fever: CrowdStrike Tracks Newly Reported Iranian Actor as FLYING KITTEN. Retrieved May 27, 2020.