Flying Kitten to Rocket Kitten: Persistent Phishing Threats from Iran
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Keylogger, Malware, Spear Phishing
- Attack Complexity: Medium
- Threat Risk: Low Impact / High Probability
Threat Overview
The Iranian cyber groups Flying Kitten and Rocket Kitten exhibited overlapping tactics in credential theft and spear phishing, targeting entities in sectors such as media, education, and technology across the UK, US, and Iran. Using domains that mimicked legitimate services such as Google and Microsoft, they ran phishing campaigns to harvest user credentials. Their operations involved shared phishing toolkits and malware, including a keylogger, with infrastructure that traced back to Iran. Although Flying Kitten activity ceased after 2014, its tools and tactics were revived by Rocket Kitten, which shows the persistent threat these actors pose.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Case | Asharq Al-Awsat: an Arabic international newspaper headquartered in London. A pioneer of the "off-shore" model in the Arabic press, the paper is often noted for its distinctive green-tinted pages. Asharq Al-Awsat was a main target of Flying Kitten. | Verified |
| Case | GEM TV: an Iranian group of entertainment satellite channels headquartered in Istanbul, Turkey. The group has also launched channels in Arabic, Kurdish and Persian to expand its audience. GEM TV was a main target of Flying Kitten. | Verified |
| Sector | Human Rights | Verified |
| Sector | Journalists | Verified |
| Sector | Medical | Verified |
| Sector | Media | Verified |
| Sector | University | Verified |
| Region | Iran | Verified |
| Region | Turkey | Medium |
| Region | United Kingdom | Verified |
| Region | United States | Verified |
Extracted IOCs
47 related IOCs (3 IP addresses, 43 domains, 0 URLs, 0 email addresses, 1 file hash) have been associated with this threat.
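The lookalike domains described above follow a few recognisable patterns: a brand name glued to lure words (google-verify, yahoo-drive.signin-...), near-miss spellings of a brand (qooqle, dropebox, telegrem), free TLDs such as .ga/.ml/.cf, and a fake ".com" label tucked inside another TLD (qooqle.com.co). The following Python triage heuristic is an added example, not code from the original report or from any vendor: the brand list, lure vocabulary, allowlist and threshold are assumptions, and the sample hostnames are five defanged entries from the page's indicator list plus two constructed benign names.

```python
# Services the page says were impersonated (Google, Microsoft) plus others named in its indicators.
BRANDS = ["google", "microsoft", "onedrive", "hangouts", "dropbox", "telegram", "yahoo", "drive"]
# Lure vocabulary typical of credential-harvesting hosts, including misspellings seen in the IOCs.
LURE_WORDS = ["signin", "sigin", "singin", "verify", "password", "permission", "account", "security"]
CHEAP_TLDS = {"ga", "ml", "cf", "gq", "tk"}  # free TLDs popular for throwaway phishing hosts
ALLOWLIST = {"google.com", "microsoft.com", "yahoo.com", "dropbox.com", "telegram.org"}  # constructed
# Sample input: five defanged hostnames from the page's IOC list plus two constructed benign ones.
SAMPLE_DOMAINS = ["qooqle.com[.]co", "dropebox[.]co", "telegrem[.]org",
                  "verify-your-password-for-secure-your-account[.]cf",
                  "yahoo-drive.signin-useraccount-mail[.]com", "mail.google.com", "accounts.example.org"]

def refang(domain):
    """Turn a defanged indicator such as 'qooqle.com[.]co' back into a plain lowercase hostname."""
    return domain.strip().lower().replace("[.]", ".")

def levenshtein(a, b):
    """Plain edit distance; inputs are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_domain(domain):
    """Return (score, reasons). Three points or more is worth an analyst's look; this is triage, not proof."""
    labels = refang(domain).split(".")
    if ".".join(labels[-2:]) in ALLOWLIST:  # naive registered-domain check (no public-suffix list)
        return 0, ["allowlisted registered domain"]
    host_labels, tld = labels[:-1], labels[-1]
    found = []  # (points, reason) pairs
    # 1. A real brand name embedded in a hostname label, e.g. google-verify.com, yahoo-drive.signin-...
    found += [(2, f"brand keyword '{b}'") for b in BRANDS if any(b in lab for lab in host_labels)]
    # 2. Near-miss spellings of a brand such as qooqle, dropebox, telegrem (edit distance <= 2).
    for part in ".".join(host_labels).replace("-", ".").split("."):
        if len(part) >= 6 and not any(b in part for b in BRANDS):
            found += [(3, f"'{part}' resembles '{b}'") for b in BRANDS if len(b) >= 6 and levenshtein(part, b) <= 2]
    # 3. Lure vocabulary, free TLDs, and the '.com.co' trick that hides a fake .com inside another TLD.
    hits = [w for w in LURE_WORDS if w in ".".join(labels)]
    if hits:
        found.append((len(hits), "lure words: " + ", ".join(hits)))
    if tld in CHEAP_TLDS:
        found.append((1, f"free TLD .{tld}"))
    if "com" in host_labels:
        found.append((2, "'.com' label inside another TLD"))
    return sum(p for p, _ in found), [why for _, why in found]

def flag_domains(domains, threshold=3):
    return {d: score_domain(d) for d in domains if score_domain(d)[0] >= threshold}  # hostname -> (score, reasons)
```

Running `flag_domains(SAMPLE_DOMAINS)` flags the five page-derived hostnames and passes both benign names; in production, replace the two-label registered-domain check with a public-suffix list and feed the allowlist from your own asset inventory.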