Ajax Security Team is a group that has been active since at least 2010 and is believed to be operating out of Iran. By 2014 Ajax Security Team had transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies. Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between Ajax Security Team and both the campaign Operation Woolen-Goldfish and the threat group Rocket Kitten.
| Associated Group |
| --- |
| Operation Saffron Rose |
| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Ajax Security Team has used FireMalv custom-developed malware, which collected passwords from the Firefox browser storage. |
| Enterprise | T1105 | Ingress Tool Transfer | Ajax Security Team has used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system. |
| Enterprise | T1056.001 | Input Capture: Keylogging | Ajax Security Team has used CWoolger and MPK, custom-developed malware, which recorded all keystrokes on an infected system. |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Ajax Security Team has used personalized spearphishing attachments. |
| Enterprise | T1566.003 | Phishing: Spearphishing via Service | Ajax Security Team has used various social media channels to spearphish victims. |
| Enterprise | T1204.002 | User Execution: Malicious File | Ajax Security Team has lured victims into executing malicious files. |
| ID | Name | Techniques |
| --- | --- | --- |
| S0224 | Havij | Exploit Public-Facing Application |
| S0225 | sqlmap | Exploit Public-Facing Application |