Threats Feed|Rocket Kitten|Last Updated 24/01/2025|AuthorCertfa Radar|Publish Date19/03/2015

Rocket Kitten’s Operation Woolen-GoldFish Targets Israeli and European Organizations

  • Actor Motivations: Espionage,Exfiltration
  • Attack Vectors: Malicious Macro,Malware,Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: Low Impact/High Probability

Threat Overview

This Trend Micro report details the activities of Rocket Kitten, a cyber threat group targeting Israeli and European organisations. The report focuses on two campaigns: a malware campaign using the GHOLE malware, possibly dating back to 2011, and a suspected state-sponsored operation, 'Operation Woolen-GoldFish', involving spear-phishing attacks. Analysis shows possible links to an individual using the alias "Wool3n.H4t", possibly Iranian, and highlights the group's increasing sophistication despite using relatively simple techniques such as macros. The overall aim is to inform readers of Rocket Kitten's methods and suspected politically motivated objectives, suggesting Iranian involvement.

Reference and Credit: Trend Micro - March 2015

Rocket Kitten Showing Its Claws: Operation Woolen-GoldFish and the GHOLE campaign

Detected Targets

TypeDescriptionConfidence
SectorGovernment Agencies and Services
Verified
SectorUniversity
Verified
RegionGermany
Verified
RegionIsrael
Verified
RegionEuropean Countries
Verified

Extracted IOCs

  • 02b04563ef430797051aa13e48971d3490c80636
  • 0482fc2e332918456b9c97d8a9590781095b2b53
  • 07a77f8b9f0fcc93504dfba2d7d9d26246e5878f
  • 0b0cdf47363fd27bccbfba6d47b842e44a365723
  • 0f4bf1d89d080ed318597754e6d3930f8eec49b0
  • 1a999a131144afe8cb7316ebb842da4f38101ac5
  • 22f6a61aa2d490b6a3bc36e93240d05b1e9b956a
  • 25d3688763e33eac1428622411d6dda1ec13dd43
  • 2627cdc3324375e6f41f93597a352573e45c0f1e
  • 2c3edde41e9386bafef248b71974659543a3d774
  • 37ad0e426f4c423385f1609561422a947a956398
  • 4711f063a0c67fb11c05efdb40424377799efafd
  • 476489f75fed479f19bac02c79ce1befc62a6633
  • 47b1c9caabe3ae681934a33cd6f3a1b311fd7f9f
  • 53340f9a49bc21a9e7267173566f4640376147d9
  • 58045d7a565f174df8efc0de98d6882675fbb07f
  • 5d334e0cb4ff58859e91f9e7f1c451ffdc7544c3
  • 62172eee1a4591bde2658175dd5b8652d5aead2a
  • 6571f2b9a0aea89f45899b256458da78ac51e6bb
  • 6e30d3ef2cd0856ff28adce4cc012853840f6440
  • 729f9ce76f20822f48dac827c37024fe4ab8ff70
  • 788d881f3bb2c82e685a98d8f405f375c0ac2162
  • 7ad0eb113bc575363a058f4bf21dbab8c8f7073a
  • 7fef48e1303e40110798dfec929ad88f1ad4fbd8
  • 8074ed48b99968f5d36a494cdeb9f80685beb0f5
  • 86222ef166474e53f1eb6d7e6701713834e6fee7
  • 9579e65e3ae6f03ff7d362be05f9beca07a8b1b3
  • a42f1ad2360833baedd2d5f59354c4fc3820c475
  • a9245de692c16f90747388c09e9d02c3ee34577e
  • ad6c9b003285e01fc6a02148917e95c780c7d751
  • ae18bb317909e16f765ba2e88c3d72d648db2798
  • c1edf6e3a271cf06030cc46cbd90074488c05564
  • c6db3e7e723f20ed3bcf4c53fc4748e9591f4c40
  • c727b8c43943986a888a0428ae7161ff001bf603
  • cabdfe7e9920aeaa5eaca7f5415d97f564cdec11
  • ce03790d1df81165d092e89a077c495b75a14013
  • d5b2b30fe2d4759c199e3659d561a50f88a7fb2e
  • e2728cabb35c210599e248d0da9791991e38eb41
  • e6964d467bd99e20bfef556d4ad663934407fd7b
  • e8dbcde49c7f760165ebb0cb3452e4f1c24981f5
  • ec692cf82aef16cf61574b5d15e5c5f8135df288
  • ed5615ffb5578f1adee66f571ec65a992c033a50
  • efd1c6a926095d36108177045db9ad21df926a6e
  • f51de6c25ff8e1d9783ed5ac13a53d1c0ea3ef33
  • fa5b587ceb5d17f26fe580aca6c02ff2e20ad3c4
  • fd8793ce4ca23988562794b098b9ed20754f8a90
  • fe3436294f302a93fbac389291dd20b41b038cba
  • ffead364ae7a692afec91740d24649396e0fa981
  • 83[.]170.33.37
  • 83[.]170.33.60
  • 83[.]170.33.80
  • 83[.]170.43.67
  • 84[.]11.146.55
  • 84[.]11.26.230
  • 84[.]11.75.220
download

Tip: 55 related IOCs (7 IP, 0 domain, 0 URL, 0 email, 48 file hash) to this threat have been found.

Overlaps

Rocket KittenThamar Reservoir: Iranian Cyber Campaign Targets Middle East Sectors

Source: ClearSky - June 2015

Detection (two cases): 476489f75fed479f19bac02c79ce1befc62a6633, d5b2b30fe2d4759c199e3659d561a50f88a7fb2e

UnknownGholee Malware Exploits Israel-Gaza Conflict Theme in Targeted Cyberattack

Source: ClearSky - September 2014

Detection (two cases): 83[.]170.33.37, 83[.]170.33.60

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

About Affiliation
Rocket Kitten
View Rocket Kitten's Insights