An Iranian government-linked group, APT-C-50, has been running a large-scale surveillance campaign called Domestic Kitten, targeting individuals seen as threats to the regime using spyware disguised as legitimate Android apps.

Who is behind the attack?

The operation is attributed to APT-C-50, a threat actor linked to the Iranian government, known for targeting dissidents, minorities, and opposition groups.

What was the goal of the attack?

The primary goal was to gather sensitive personal data, including communications, location, and media files, from individuals considered politically or ideologically dangerous to the Iranian regime.

How widespread was the targeting?

More than 1,200 individuals were targeted, with over 600 infections confirmed. Victims were located not only in Iran but also across countries like the United States, the UK, Pakistan, Afghanistan, Turkey, and more.

Who were the targets?

Targets included Iranian opposition forces, internal dissidents, Kurdish minorities, ISIS supporters, and others viewed as destabilizing elements by the Iranian government.

How was the attack carried out?

The attackers tricked victims into installing fake Android apps shared via SMS, blogs, and Telegram channels. These apps secretly installed spyware that monitored and stole data from the infected devices.

Why are these groups attractive targets for the attackers?

The Iranian government views these individuals and groups as political threats. Surveillance helps the regime monitor, control, and potentially neutralize opposition activities.

What should individuals or organizations do to protect themselves?

Avoid downloading apps from unverified sources, remain cautious of links sent via SMS or messaging apps, and use mobile security solutions that can detect spyware.

Is this a widespread issue or a targeted one?

This campaign is targeted, focusing on specific groups and individuals perceived as threats by the Iranian regime rather than the general public.

Threats Feed|Domestic Kitten|Last Updated 22/04/2025|AuthorCertfa Radar|Publish Date08/02/2021

Domestic Kitten: Inside Iran's Surveillance Campaign Against Citizens

Actor Motivations: Espionage,Exfiltration
Attack Vectors: Spyware,Phishing,Smishing
Attack Complexity: Medium
Threat Risk: Low Impact/High Probability

Threat Overview

APT-C-50's Domestic Kitten surveillance operation, linked to the Iranian government, targets over 1,200 Iranian citizens including dissidents, opposition forces, and minorities. Since 2017, ten campaigns delivered the FurBall malware via Iranian blogs, Telegram channels, and SMS links. FurBall collects device data, call logs, SMS messages, and media files, tracking victims' activities. It leverages commercially available parental control software, KidLogger, for its operations. This extensive surveillance continues with four active campaigns as of November 2020.

Reference and Credit: Check Point - February 2021

Domestic Kitten – An Inside Look at the Iranian Surveillance Operations

Detected Targets

Type	Description	Confidence
Sector	Dissident	Verified
Region	Afghanistan	Verified
Region	Iran	Verified
Region	Pakistan	Verified
Region	Turkey	Verified
Region	United Kingdom	Verified
Region	United States	Verified

Extracted IOCs

appsoftupdate[.]com
firmwaresystemupdate[.]com
02d6ca25b2057f181af96d2837486b26231eaa496defdf39785b5222014ef209
039fc34ace1012eff687f864369540b9085b167f0d66023f3b94f280a7fdf8b7
1dc12c6a44852023f1687f9f31a9e58dc7ce96d492a58a3e87dec5aa8f45ba92
290d70472f4b00a1cf01f5c1311aacffaa39057bb1c826c99419999ccef7ae53
3d41830f943c31f69eb6ed7804cc18b289ba2172d258bd118a8503d120318d63
4580980a6fb65ea1501464d36306c24d341189e84500562c5a3ac844f9a79525
48d642c2c77eeabff36249c59ce397a9ee5f3d825d735f839c5c05939499406e
53e00f1e8d2d6aa2d8a0eda2bf2d924fbc6f67db12ac3238d7c4b4520de7fadc
53ed971b48ae0b2ff6bcdd7bf4e8970d6eac3e7cdcd3ae6fa05860b9e5ac58ee
54479fbb2f3c8c16714e526925537e738b1b586310c8d15ce10f33327392e879
5787723b2221464337e6bbe4200aab912f1f711447224e4e6c4c96c451ff41bf
62a48bcb2d2f22017ce67b853654903464c19892a07a3c0ca020048cb049f0cd
68a1452172636b081873b9f7c1ae3794035c4ff50d5538b656caf07016b74d07
7f603216a0a7bae2c8cec65a800608ac22cfff8cd98c699677e44d36267a9798
8324266e25d6a8dbc6e561e035b9e713c3bd339ba9bb5e5b9d4f0821a0262510
88d03e683c01d9979c752844579bd367892edbbdc876b03df8e1d09412f761c5
9156f5bd322306c9038a3bc830e53e7b13c272e121fb70b3b8d7d9968fb97e4f
a3797856766fef6651f8c679febd12378fc3196c5cc74923d90377045107700d
a5b5f6027b463d82fded3c38153086d5accc466df33123070ea541e62124b943
b1df569ad4686e16ec0c661733d56778f59cdb78207a3c2ad66df9b9828c84ab
bd7779e6100e07b3eae67bfcdc53f1f08468651240229e284cca60e2b953496b
ca730b8b355e44919629a958d940e77eb1b4cd0c1bbe2ab94a963222f2723f57
ccef7ca705b899fe337eda462d38216c414c0cfe41052dec102c8f6d8876ad8a
d90168d1f3568b5909d2e14288300ede298f6c663b51e883e7eb5d8d70277423
e069bcd473c83b937db46243dd53e8856b5be6d0ade880c0ec61107054a7e32e
e7a6925f0fe03108b965a3cf9f2fe1204add376ecde68bafd872e9d828d762e9
f1728125f37ca8738b19b418a3fe896e9bdcde5aed6559db3eea55f4e17602c4
188[.]158.60.100
94[.]182.215.98

download

Tip: 31 related IOCs (2 IP, 2 domain, 0 URL, 0 email, 27 file hash) to this threat have been found.

FAQs

Understanding the Domestic Kitten Surveillance Operation

: An Iranian government-linked group, APT-C-50, has been running a large-scale surveillance campaign called Domestic Kitten, targeting individuals seen as threats to the regime using spyware disguised as legitimate Android apps.
: The operation is attributed to APT-C-50, a threat actor linked to the Iranian government, known for targeting dissidents, minorities, and opposition groups.
: The primary goal was to gather sensitive personal data, including communications, location, and media files, from individuals considered politically or ideologically dangerous to the Iranian regime.
: More than 1,200 individuals were targeted, with over 600 infections confirmed. Victims were located not only in Iran but also across countries like the United States, the UK, Pakistan, Afghanistan, Turkey, and more.
: Targets included Iranian opposition forces, internal dissidents, Kurdish minorities, ISIS supporters, and others viewed as destabilizing elements by the Iranian government.
: The attackers tricked victims into installing fake Android apps shared via SMS, blogs, and Telegram channels. These apps secretly installed spyware that monitored and stole data from the infected devices.
: The Iranian government views these individuals and groups as political threats. Surveillance helps the regime monitor, control, and potentially neutralize opposition activities.
: Avoid downloading apps from unverified sources, remain cautious of links sent via SMS or messaging apps, and use mobile security solutions that can detect spyware.
: This campaign is targeted, focusing on specific groups and individuals perceived as threats by the Iranian regime rather than the general public.

About Affiliation

Domestic Kitten

Associate threats

Domestic Kitten: Iranian Surveillance on Citizens Using Malicious Mobile Apps