Group: CopyKittens

From enterprise
Jump to: navigation, search
ID G0052
Aliases CopyKittens

CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.123

Alias Descriptions

  • CopyKittens - 123

Techniques Used

  • Code Signing - CopyKittens digitally signed an executable with a stolen certificate from legitimate company AI Squared.2
  • Rundll32 - CopyKittens uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, Cobalt Strike, and shellcode.2
  • Data Compressed - CopyKittens uses ZPP, a .NET console program, to compress files with ZIP.2
  • Data Encrypted - CopyKittens encrypts data with a substitute cipher prior to exfiltration.3