Threats Feed | Domestic Kitten | Last Updated: 12/05/2025 | Author: Certfa Radar | Publish Date: 07/09/2018

Domestic Kitten: Iranian Surveillance on Citizens Using Malicious Mobile Apps

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Spyware
  • Attack Complexity: Low
  • Threat Risk: Low Impact/Low Probability

Threat Overview

The Domestic Kitten campaign, an Iranian surveillance operation active since 2016, targets Iranian citizens, including Kurdish and Turkish natives and ISIS supporters, using malicious mobile apps. These apps, disguised as legitimate ones, collect sensitive information such as contact lists, call records, SMS messages, browser history, geo-location, photos, and recordings of surrounding audio. The stolen data is encrypted and exfiltrated to C&C servers whose IP addresses are linked to Iranian origins. The operation's infrastructure suggests involvement by Iranian government entities like the IRGC and Ministry of Intelligence.

Detected Targets

Type | Description | Confidence
Case | Firat News Agency (ANF): The Firat News Agency is a Kurdish news agency that gathers and broadcasts news from the Middle East, broadly concerning Kurdish matters. The news agency has offices in Amsterdam and journalists around the world. It has been variously described as pro-Kurdish, pro-PKK, or PKK-affiliated. Firat News Agency (ANF) has been targeted by Domestic Kitten for abusive purposes. | Verified
Sector | Dissident | High
Region | Iran | Verified

Extracted IOCs


Tip: 12 IOCs related to this threat have been found (4 IP, 4 domain, 0 URL, 0 email, 4 file hash).

FAQs

Understanding the Domestic Kitten Surveillance Operation

Researchers uncovered a long-running surveillance campaign using fake mobile apps to spy on users and collect sensitive personal data.

The operation is believed to be linked to Iranian government entities, including security and intelligence agencies.

The goal was to monitor and collect intelligence on individuals considered threats to the regime, including ethnic minorities, internal dissidents, and ISIS supporters.

Although the apps appear to target Kurdish and ISIS-affiliated users, the vast majority of victims were Iranian citizens. Some users from Afghanistan, Iraq, and the UK were also affected.

Victims were tricked into installing fake apps that appeared legitimate but secretly recorded calls, messages, locations, and even surrounding audio.

The Iranian regime is known to monitor groups it considers politically sensitive or destabilizing. This campaign aligns with known internal surveillance strategies.

Avoid installing unofficial or politically themed apps from unknown sources, keep devices updated, and use mobile antivirus or security tools.

The campaign is highly targeted, but due to the nature of mobile spyware, it also compromised the data of many secondary contacts—making its impact much broader.