Threats Feed | Helix Kitten | Last Updated: 04/07/2025 | Author: Certfa Radar | Publish Date: 27/11/2018

HELIX KITTEN: Expanding Cyber Threat to Telecommunications and Middle Eastern Targets

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Malicious Macro, RAT, Trojan, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: Low Impact/High Probability

Threat Overview

The adversary group, HELIX KITTEN, is employing spear-phishing attacks and using custom PowerShell implants (Helminth and ISMDoor) to target entities in the aerospace, energy, financial, government, hospitality, and telecommunications sectors. With a special focus on the Middle East, specifically Bahrain and Kuwait, the group manipulates DNS AAAA records for command and control, and exfiltrates data, captures screenshots, and executes arbitrary commands on victims' machines. Furthermore, HELIX KITTEN has begun targeting the telecommunications industry, possibly for bulk data collection and rerouting communications for future intelligence activities.

Detected Targets

Type   | Description                                                                 | Confidence
Sector | Information Technology                                                      | Verified
Sector | Telecommunication                                                           | Verified
Region | Bahrain (the countries targeted by the attack include Bahrain and Kuwait)   | Verified
Region | Kuwait                                                                      | Verified

FAQs

Understanding the HELIX KITTEN Campaign

An Iran-based hacking group known as HELIX KITTEN has been conducting targeted attacks against a range of industries using sophisticated phishing and custom malware implants.

HELIX KITTEN, also called OilRig or APT34, is a threat actor assessed to operate from Iran. They are known for state-aligned cyber-espionage campaigns.

The attackers aimed to steal sensitive information and gain long-term access to victims’ systems, with possible objectives including espionage and data collection.

Organizations in aerospace, energy, finance, government, hospitality, and most recently telecommunications were targeted.

They used convincing phishing emails containing malicious Office documents that installed malware when opened by recipients.

Controlling telecommunications infrastructure can give attackers access to large volumes of communication data and enable rerouting or monitoring of traffic.

Organizations should strengthen email defenses, disable risky macro functionality, monitor for suspicious network activity (especially DNS anomalies), and train employees to spot phishing attempts.
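The DNS anomaly the overview describes (AAAA lookups used as a command channel) can be surfaced from ordinary resolver logs. The following is an added detection example, not code from this page or from Certfa Radar; it uses constructed log lines, a placeholder .test domain, a simplistic two-label parent-domain split and assumed thresholds.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log lines (not from the page or any real capture):
# "<timestamp> <client_ip> <qname> <qtype>". The .test domain is a placeholder.
SAMPLE_LOG = """\
2018-11-27T09:00:01 10.0.0.5 www.example.net A
2018-11-27T09:00:02 10.0.0.5 mail.example.net AAAA
2018-11-27T09:00:05 10.0.0.8 7a3f9c1e2b.c2-placeholder.test AAAA
2018-11-27T09:00:06 10.0.0.8 4d8e0b6a91.c2-placeholder.test AAAA
2018-11-27T09:00:07 10.0.0.8 e19c72f3b5.c2-placeholder.test AAAA
2018-11-27T09:00:08 10.0.0.8 0b5d6e8a2c.c2-placeholder.test AAAA
2018-11-27T09:00:09 10.0.0.8 93fa1c4e7d.c2-placeholder.test AAAA
"""

def shannon_entropy(s):
    """Bits per character; random-looking (encoded) labels score near log2(alphabet size)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_qname(qname):
    """Crude split into (subdomain, parent): parent = last two labels.
    A real deployment would consult the Public Suffix List here (assumption)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_aaaa_tunnels(log_text, min_unique=5, min_entropy=3.0):
    """Group AAAA queries by (client, parent domain) and flag groups where one client
    asked for many distinct, high-entropy subdomains: the shape of a host encoding
    data into query names and receiving instructions in the AAAA answers."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "AAAA":
            continue  # malformed line or not an AAAA lookup
        sub, parent = split_qname(parts[2])
        if sub:
            groups[(parts[1], parent)].add(sub)
    alerts = []
    for (client, parent), subs in groups.items():
        if len(subs) < min_unique:
            continue
        avg_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        if avg_entropy >= min_entropy:
            alerts.append({"client": client, "domain": parent,
                           "unique_subdomains": len(subs),
                           "avg_entropy": round(avg_entropy, 2)})
    return alerts
```

Running find_aaaa_tunnels(SAMPLE_LOG) flags only the 10.0.0.8 host; the single benign AAAA lookup for mail.example.net stays below the unique-subdomain threshold.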

This campaign is highly targeted, focusing on organizations with strategic value, rather than broad indiscriminate attacks.

About Affiliation
Helix Kitten