Threats Feed | Flying Kitten | Last Updated: 21/05/2025 | Author: Certfa Radar | Publish Date: 12/02/2018

Espionage Operations by Flying Kitten Impact US, Israel, and Academia

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Defacement, Security Misconfiguration, Keylogger, Spyware, Phishing, Pretexting, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: Low Impact/High Probability

Threat Overview

The Flying Kitten group conducted extensive espionage and surveillance campaigns from 2013 to 2014. Utilizing spearphishing, social engineering, and the "Stealer" malware, they targeted high-profile individuals, security researchers, and various sectors. The campaigns involved compromised social media accounts and phishing domains to gather credentials and sensitive information. The malware recorded keystrokes, took screenshots, and collected system data, focusing on credential harvesting rather than file exfiltration. This activity impacted targets in the United States, Israel, and global academia and business sectors.

Detected Targets

Type | Description | Confidence
Case | Babak Zanjani: Babak Zanjani is an Iranian billionaire and business magnate. He was the managing director of the UAE-based Sorinet Group, one of Iran's largest business conglomerates. Babak Zanjani has been targeted by Flying Kitten as the main target. | Verified
Case | Columbia University: Columbia University, officially Columbia University in the City of New York, is a private, Ivy League, research university in New York City. Columbia University has been targeted by Flying Kitten as the main target. | Verified
Case | Mohammad Javad Zarif: Mohammad Javad Zarif Khansari is an Iranian career diplomat and academic. He was the foreign minister of Iran from 2013 until 2021 in the government of Hassan Rouhani. Mohammad Javad Zarif has been targeted by Flying Kitten as the main target. | Verified
Sector | University | Verified
Region | Iran | Verified
Region | Israel | Verified
Region | United States | Verified

Extracted IOCs


Tip: 51 IOCs related to this threat have been found (11 IP, 31 domain, 0 URL, 9 email, 0 file hash).

FAQs

Understanding the Flying Kitten Threat

A group known as Flying Kitten carried out espionage campaigns using fake online identities, phishing emails, and malware to spy on a wide range of individuals and organizations.

The attacks were conducted by individuals linked to a former Iranian hacking group called Ajax Security Team, some of whom had ties to legitimate businesses in Iran. Their work appears aligned with Iranian state interests.

The group aimed to gather intelligence, monitor communications, and compromise opponents of the Iranian government, as well as foreign defense-related targets.

Targets included Iranian activists, foreign defense firms, political dissidents, cultural figures, and even people within Iran’s own political system.

The attackers used fake personas and convincing emails to trick victims into clicking links or opening files that installed spying software on their devices.

Many were seen as critics or threats to the Iranian regime, while others were involved in regional conflicts or had valuable commercial or defense-related information.

Use strong passwords and two-factor authentication, be cautious of unexpected emails or messages, and keep systems and software up to date. Training on recognizing social engineering is essential.

While the campaign was targeted, its scope was broad—reaching both high-profile individuals and ordinary users—suggesting a systematic and state-aligned strategy rather than random attacks.
