A long-running espionage operation targeting Iranian dissidents and minority activists abroad was uncovered. Attackers used spyware tools on both computers and phones to collect sensitive information from victims.

Who was behind the attack?

While not formally attributed to a specific group, evidence strongly links the operation to Iranian government-aligned actors based on language, targets, and infrastructure registration details.

What was the goal of the attack?

The goal was surveillance—stealing private communications, passwords, and other personal documents from individuals viewed as threats to the Iranian regime.

Victims included members of opposition movements such as the Mujahedin-e Khalq, Baloch and Azerbaijani minority advocates, and political dissidents residing outside Iran.

How was the attack carried out?

The attackers sent malicious documents or apps disguised as legitimate content. These files deployed spyware that silently collected data and forwarded it to attacker-controlled servers.

Why are these groups being targeted?

They represent political opposition to the Iranian government and are involved in activism or resistance efforts that challenge state authority.

What can individuals or organizations do to protect themselves?

Avoid downloading files or apps from unofficial sources, use antivirus tools, and keep software updated. Activists should use encrypted communications and store passwords in secure environments.

Is this a widespread issue or a targeted one?

It is highly targeted, focused on specific individuals and communities critical of the Iranian regime, but the tools used could potentially impact broader groups if reused.

Threats Feed|Rampant Kitten|Last Updated 21/04/2025|AuthorCertfa Radar|Publish Date18/09/2020

Rampant Kitten: Iranian Cyber Espionage Campaign Exposed

Actor Motivations: Espionage,Exfiltration
Attack Vectors: Backdoor,Downloader,Dropper,Malicious Macro,Spyware,Phishing,Spear Phishing
Attack Complexity: Medium
Threat Risk: Low Impact/High Probability

Threat Overview

Check Point Research uncovered an ongoing Iranian espionage campaign, Rampant Kitten, targeting Iranian expats and dissidents. The attackers used Windows infostealers to steal personal documents and access Telegram and KeePass accounts. They employed Android backdoors to intercept SMS-based 2FA codes and record audio, and also created Telegram phishing pages. The campaign's initial infection vector involved a malicious document exploiting external template loading. Key targets included anti-regime organizations and minority resistance groups such as AFALR and Azerbaijan National Resistance Organization. The malware utilized SOAP for communication and featured sophisticated persistence and data exfiltration techniques.

Reference and Credit: Check Point - September 2020

Rampant Kitten - An Iranian Espionage Campaign

Detected Targets

Type	Description	Confidence
Case	Association of Families of camp Ashraf and Liberty Residents (AFALR) The Association of Families of Camp Ashraf and Liberty Residents (AFALR) is a group comprised of refugees who are family members of the residents of Camp Ashraf and Camp Liberty. Association of Families of camp Ashraf and Liberty Residents (AFALR) has been targeted by Rampant Kitten as the main target.	Verified
Case	Azerbaijan National Resistance Organization Azerbaijan National Resistance Organization (ANRO) (AMDT) was officially founded in 2006. The group defines itself as a part and subset of general National Movement of South Azerbaijan and advocates separatism for the Iranian Azerbaijanis as a result of their Pan-Turkist ideology. Azerbaijan National Resistance Organization has been targeted by Rampant Kitten as the main target.	Verified
Sector	Dissident	Verified
Sector	Political	Verified
Region	Albania	Verified
Region	Azerbaijan	Verified

Extracted IOCs

afalr-onedrive[.]com
afalr-sharepoint[.]com
alarabiye[.]net
cpuconfig[.]com
developerchrome[.]com
endupload[.]com
firefox-addons[.]com
gradleservice[.]info
mailgoogle[.]info
picfile[.]net
telegrambackups[.]com
telegrambots[.]me
telegramco[.]org
telegramdesktop[.]com
telegramreport[.]me
telegramup[.]com
update-help[.]com
vareangold[.]de
winchecking[.]com
exemplifiable-taps.000webhostapp[.]com
tbackup.000webhostapp[.]com
01e4c30e374bd26a2e5e5cb8ef27b255
092b436347f80cffd74f4caffa75f4d5
0aa07a6bf12a2a87a66202e768146e49
16706dff8db6fcc1fbd6f80cfb2baeb1
1ac4f4f7c5217adb16d83f902e51624a
1bd82146445e2dcb3cafacefe2e913ed
1d6a516c77aaf1bbab1ac4051f86475c
20691b32c1839cb1e106f937dd101e4d
281908f5afa399f725a06df767486837
2c8a7d32667b7b7c410f3b3347087996
2d64174dc0bed8222eea4494a49744a5
2e4e20bb01c9ca4ef5df2a75473c1aee
2e8e25f179172778f8efefac33f2dcb7
2f1120f5089af58315891fd316333161
30973d4a637354cad945ab94205b0323
315e6338bf9c9bcbe3d5af0482f51dfd
326843b42fca324e9fd023058a6c6b7a
3bcddbfd757de15ec350f1b4c9e92926
3ef7daf8cbce7a9aa68ee5c0baef8b28
470175c447f025f4057b4dbacb931e42
48873bf5f51ed996b237ce3495bf6219
4ae3654b7ed172b0273e7c7448b0c23c
5666585faaf4fe77c8354ff76881f29b
5844fe7ffb3333c23d201d70c7419a6d
5b813b679779a60947d4ed6e671394b0
5c4b2cf2bed7db57b7335ec426fe776b
5fcefebf48018774f278f5fa83c664b3
62d8c20b64281b0d934358bf8d0fd2cf
64bd09506365a0cf351a56edb2bb2bdc
661dee790ea438b14553e622052909a5
663f9b47a983c2ebe9f70df74956dcc9
67f523757199203a5e4eae3e17ab00a4
68b84d8057f6e6def9e191ed218da0ee
6f5a36fb82de3aecd847978846be312e
72eb19c60056174b7d5722cabed90ef8
74c3049ae9229675ccce544f0491e2f9
77d9ebb41bf12a96284747cbeeeed889
80c9fc38e7f6d96a09feaa99b7777e7d
83cba14904fdbf0e21d251fc5ab00666
854418d163b0e1269970338916ff6374
86320eb8adb48106b899e21be5d5387d
87866ae8936ec3fc04af3e0783ec36bf
87878f5404083c4c0ebf7a78e386a487
91be9e93c7602202963650103ff8ee50
9238f7a1ec7cbeb3dbb9370f02fde040
975b81ecf54f67e8d091be053ae7fa99
99dab6b39475e1088a4dd33d4cad9896
a05b6a10d7643a2ef059d7e296cb87a6
a0c46b3f8370f2a2a6486d0ac686363c
a314ff2714660be06f9eb49e6024c8c5
a330253626349a1f0a6f16255f05b5f7
a68fcf5b97265d97c6bc5613ae82c093
a763350f2a5b2fdde3216cd1ea2bec5d
a7675a6eee18746705c90a9290168b60
a871124091acc7c865f34e9d4cc6b6ad
aac5bc1f94f32a69d7dcea33f305e6fc
ad33e3d934fef9ed58b1f1c8b0fa0091
b44428524ea196992358148ee3eeddb0
b547b27751022900d9126a82d82a411f
b99abe396772819815eac7728580f41e
b9a888a23af000c6d1c846b9d0fd853c
bb186b0f3f2a1e0ef51d86d3494fd3be
c7041a9de03af5c2c85ec70c3e8daefb
c887fc425351a824a143a015d51ad0a7
c9a28ae2b52d13cc98cdaeaff6d72332
ca154dfd01b578b84c0ec59af059fb62
ca1e45cd176751931c87edbf25aa4469
ca554a866389796b65f0b5eb1576e691
cb93aad2354aea2623a70abdd9ecc87b
cc95e164fc390fa3b75a2c49518edbb7
ccb6f24ff38770ab2efeb8f51de2a123
cf4ed89d96dab84a455a4f52400388cd
d26a8b8d1c6f77dd9ecc02e0edeecbaa
db4c95ea37fed6403546eadd9e691a1e
dd07291265098edef72d39b11c8a1e37
e130f1305948f0f7bd25f9d7101bd98a
e20f58c1afb7d9262e5a15620b172bd4
e7c0e92855a1b7d9b81eeb06cce5ce60
ecb8c2cc5efe580d4ea8f212e39eb9b5
f1598a2901388dc5244931226d300633
f499cabf7c2ddacad965ed2a086b481b
f4e7111f9a5cd4451d422bc009844ec5
f55277807457e2a3e9ad4b6de64b549f
f6a1a831d77cc6f2a2c636f7c17fd499
f78855f488ce965a6a4c60820df2e696
f9b9b9e2c87f9f4b5fbb89e5a1ac05eb
fb063ebd13296eef1fd556ebb4d843a3
02fe03f6f2914551e7096b7938ff1b6d7dce17e1
0dc484e36b62cf4f2512e1b634dbfe60260c8447
107b5afd843a53715ca89dc9b180a0f761a87f90
142f7bd57d3623fd44f5d7406bc9dc8b0fba0bd8
16335373c2b9438002fbe3a648a0709d8c111a6b
1af2cb91b45f684d5fd30187643d9d2d51474be7
1c1d7bc97c49b046c5040c9a74aa803111b8b487
1e6a569979dd3cac95d9d1c481ebf9bb1e0b1f12
22a3855c9c9c05e1789d45d40ba325d9406a1f3b
2747b43c07845feb832115f992c3ff08f2ac220b
295f01317d14e1548ecdfad1342cfae844f5dd8d
2c13c0ef28485320634c235a097d62017bed36d6
2c55956f5422a5fd08e11042d49e6fa478b9cc2e
2d69897eccff1efe908c69c2d0af81f9fc7a57aa
311a4fdb018baf924ff1301dd489b822b40f6c51
31922929229c7b49c626ecdaf2e3927683fbe0cc
31c85366409d5b5ae5f87da2b60f8f116b4bec99
3275c02dbcb2b3467b55bb6927e2d80aeab43357
3da61604ca8c6da190906ff122d56e1cb9836f4c
4511d3627b2432e18c02271ac9ef67a373d2dc4a
4807035760bd758cfe05adf81da2618914928a62
4e4570200d81ab296f29dcbc56c8371484114077
4e4a8dce1192769ac447ffc41a39df543420e1dd
5a60267edb2021e30cbf3540226562701232e512
5b15fb002162591bab0067a5c15c7e5c1726dc24
5d09311a4b0c18572dede3bbf5620268baf39318
6537f6ea9f0a3edb5469c7235d70571e5a46c3e1
67a328fc2362253fd7cc9163d7da6d8688d76d1f
694ddbd3d19ac153f29d52f350faccb257fec841
6a37014e9ff0df749f58c74f787608d66b039a43
6e97334921c15cc27ccfb1e147a74d69f873ff64
735f761462443deff23dde5b76746b7ab0ceaf71
749a8aaf2f9f96a914e3dfff76ff9c9fa43c5bf2
767c02bbaf80745dfb0a6438c21927beb2123962
7ba64923c79cb2742393ff1ad9cb9fd3f6660024
7bbfb347a762da6be65484a2d721669269099af1
7fae11c9f144912eef2557b21f44b112857f2bee
817835661f1e3be4ff13ed1762054475cc8e1223
86d5a8450b80627ddc900bc13d970a9917cf1586
87376e4522a673d5326a456dc6cc11e5c8349dbf
8963a67f5001a3ee5459a8ebe1e8fa3059df786b
8a7f8d1dcbb9c5d4766f49e41ad17c00776bdb50
8b00d62a5c03efa76dfca8bd8c95c969167f83ee
8c59a117faed95777e15fefe0a2ed34d492e3205
93b3a4d118131981fff5f65da2f8642947f2e43a
94f9ee0dbd13014b19f42c2fa125f3f9e73b98a3
96af18c2f4afbcde3854a53c1a3bbb964296b241
9ae405cbb9c6e959e4f680e2a73952e89c81ab4a
9d694ca2a311eafc409f128e1044162ddea5687c
a0bffcd0d9ab5651476375b1e0edef18b81c2d90
a1c8b69ca2f6f8763e65bdb148c9f9422130fced
a208ecaa6ef313abedb3d07d168655af0de0287f
a3b8eb53d595e3a272942e98eac24f3c38cfb2e4
a6e1f60d5e3651d1e029293fba7da72749282ca1
a778f565bbf851efe50a46476fe0e9f8b0e1c830
a8548208fd950a8215e8ae0fac0d00db2592ccf0
a9480fa19e90e46f9fd4a3c96e5ad08c11ef3822
a9de74562a373fae1e02b6f290c3c4189f9f52c5
abb636cbab0bc591ba94203f41635fff009304b6
ad0a4e312d21e513a3fec0bc7bf27afdde4bcde6
b110923d4ec5cf737bfff3904b1527b041ecfe58
b136739bf5c161684433a94a80ccaa9db029bac8
b14804d46febfe811cf5634c8059666bf5c6fc55
b1755edc051acc27c04ae9f05a07db47cb816f57
b7397af85faee45c3d9e0f2e7c0e1b248f064317
b8738bbe9c35181ea4261b81b6c9fc58d8bb593d
ba4b04a8b20cff6ba27ccf7e79f4bcc8134e1c2c
bbb38fa43bbb8c984cb70b155c230539f6ff6e51
c66b1ac78b55661cfbf14c330c2b9615d6c15125
c8d2b9ff069c7e3977e988cebba273bd320abfcc
cb765cc4028a1c2e6930aca826567bc8253d8479
cbdf5c9ada304b73cebda7753bd14bcb5cedab2e
cc8f8ae46807c1b6b56a1877628d2140f0158b85
d7d58a818649eae5116ab26351993436fc1255ee
db88c16dc592d5b11445fa0f437016651706bfaf
dbd60bf24dc0099a4b45b2610be91b5cd75be31a
ddb494f286c36c4216b3e325b8e8e4e61f1c7906
e036dbf4b0e6b36526f8b4f180ac624cfdc8f756
e541372d93e4e26fe75fb44eb8aa009e1fc48b38
e642c9898b8d18238ca525e74db22e6dfe431e2f
ee96340d3b0845fcaad0ee328c49095302cee6e9
eea85b2b8fbb5724f58424c1878ac10fd343a155
f3a4feedd4f62702c65b037a91bd8332d9518c08
f42195c131e1bab859aa61f52edf37c587288eaf
f5b3dc229f00e4c726a9e6e990ad4983ede0f073
ff4af69cdc3c24a7f10efa23c9b1431751c1f0f0
013edd19a9e796d54b82dc34a400a0981c5e17fd65a235dd45231e7ef06ee53b
023151cf0fb47d758946fa85a952a2b6758fbbfb762083a01bb70c5a6d96c781
07247bb81cca445e0df110d73ea6bf7eb327cc99b614b99dfbcb5632025c99a0
083fe2c0feca89a6011ea2749123e216e0a53b573ebef2f25d856412cee7f99c
085a42cf3705bade9cd970f003f82158563aba06e9152e00928778bc0bd9585e
08b61faed24b35224a505dd9cbf39cd59776627de7991161d376134a854c3227
09f953c4abfa799e2137887db5e90ddb993f76d20ce22a5ca290e43ae07074b7
0af51a0ffb5798fb90a14070809fa9909195068ad1b91c1cadf5633b521e5132
0da88a1645f39b41e8cdfe14eaee40b8845bf92b446ddc646fddc85389b78495
0e4a8eb2fe861c45071626da24147e922b167efb543e37ace7466c74c1e98be6
0f7082926241659fbebd229cdc41abe358be49110a80729b9ee891f2f7dcdf16
13e924700a346234eaf2376c61ef0a36c86d94847b232a4ad772e35e0b9a6e87
1b8cd7c93dce63878dadae0cf77482ae367477841a4604c6a842158466790737
1ffd162d377b84ddb91766f43c0a7a0ba92f358fa2146a33726ed1e08529a691
21118e91cc1537c849a382d87cb113568c5e6d6ce204e8f4592c26f74f713f79
233ee2ea02322d3da68217ab4b51722a4a3aa833667a45377dfd4742d5979c4c
24e5b2967437dbc1866df3ac1bf776a4960a5a56676b48bb9a143e62849a43d2
2c4156bb1d1e3f0abafd5d03fad277f6aab705cb917bc07e05de3170fd80854f
2d161588e7314ed268144b14bf00ff02b4b875f140d5ff8ba51ed50318e4b603
2e656ea0b05ffa6cd945848176d1c9fb6174a6253b2a42891487d120358f0bec
3010d9eddb0b97b7f61025d05b543f572c7900170240b56bd9568efb79799f11
30c71764ff80f82a190fc7d2212f0b7eebde4de46327f34e3326acbfd87f268d
3310c0b2fd8a8d96288eb241f6948cfa0f15b39d2e6ca6687aab45dc6fccf9fc
35e3f08ae93a7b4cd3e77a6438e318cd3c3b41efa5def52e5ebd182347e94fd9
37f40214d2f150597c52cb868c1e2f723d9c2d3155ab18ab2f1279eaf09bdf71
3cedd91bb4c7a5874a3ad286addb0860c33931ceb09d2c18385b7d6cab6953e0
3ff1864e5fe1ebcce0a60c9594c9ac9f2eedd94367680dc3d77ca39a0b0e3d06
409da7a4f191e37d3d3aa8f36e8c3789fc998b63241a5f05c6816e54ed7dcd3a
41629c54b2f3dd68897c04a8ed10f7c78534ba67a048da75885a857f68b37624
41d3378e99a410756170056e4941e86325826c45389ae18172114be535a73355
4415e6240b037f4ac693c7e4a88f5ab2567b68dddbaa8fbfb0b40d37748fa8ba
4c0c33fff8d4929f7a0d742f1d251b61794b185538b8ceb4939283d1b3d73795
4ea4671ef8678197dbc82a584832d0dd23d67b0427873ac610bb266d0678f305
4ffbf798a68aa5bcc5a52efd64456483172be892125085d2c82e2f351a48342a
509ab695001be527b6c32f2d200067f2d433169e86724336579e08ea44799dd6
512e28afe8d32008cd8a9e95c938d2551689098ea93f75ba2a23c246248d7124
51a9a7e764a509b979dd438719840369718a320acbba32abbf51d4926e7d3486
525e99feb0a32a96aaf6e34be899e6a68c7abb6a8542f30e3822d07fe4e8d278
54a20f35d302499c925e5855f782bacb6bdd0a345f57c9e80772ef29fb81f465
58018aac8beb89271ef88d0fd4ada64079e1af09fad441e7b39a2463f95602f4
5a8f53f7c65af0cb3f269f8653405cd7bd98fae5c256e6264e5ebc5f75ea6c08
5eb4c94c9927e90426b6227754ae97fca06d468d5512d15773c48817ea082dbf
63a655fde88ea26c73cea1e1764305e44203db771f64155b3b3e3d805203f65a
65a3dec040bddf615bd2ce8c9f08ff074442fb521ac97b869e51d35a417719e9
69cbda8c2ea92eace49d678cc660432d0ad0c44bd79c3a02dd841066f80bc51b
71085b661fea6cf040586b462b07ce8e0471fb9208c4f69cfd168e168beab6fe
75972d15f3b2e97d52b9f8a6f42ea85976ed5bb9d609c3bf93ee98d6f4f4a648
79baf679e84b02a660e03602ff7aa4c9c86a92e0885b1a298c672db842be258d
815a89091ed15779071bbd6d7ad207a0041a199a562f105595278258880f1e03
845a0e5720a6288794a6452adb8d3e7c22f5e6e6b9d4f7481fbd30e3efba4f28
881ab44385541ac7cd0f3279ba4fb8519df07d529456c9e34074787ebb33f658
986a9bd00d5b22431ab949916828aa25542afae4875b5cee00f703424b5ffb34
9c75a6957a0294d929787b6e8217e4127b77cc2702c19ddb8e0b6319dc3b5127
a4fcc308e9a364d29057cc76dbe6a8c32ce24a1dbae5c0b6306471f61cbefb29
a60f5b41251d0bf126fc3c2b836de7d59aa608fd6d37726d71960dd408575512
a713a2749e9791243a89471a2603bf1f32ec11c9179771ca46fb5583b8412cb0
af31cc534aa49f02e6c18a8cf3fd4c9cf366d462ee7caaf8c2a461405382073f
b26b024fa7be56d2b2e3815d8e97434f95b30bf25cda4259d3e20c14a92bd8ec
b5e571eb492eaee853abdf8b6202f7e543f09d8343a85f467cd4806f8e19a14f
b65676321e2138affd5c38a1f2b882f19ac1ca9bf414b6f3d44e35c43c36ae78
b743c9b4968b65577d60d0f3a3c4ae6dd6beedf08a02625836d598f8600a1321
b7730f9a05be8a0f25a3979b2f8d2fed791340a32385a9fd37d0e8b81119627d
b778ab921e7268334efdc8aa371909c4bbd0f1621e39ab9d7e37167fe448581e
baad0de1026a3a807c4e4170b9291548afa900614a1dfdc00cf4f63d1946d555
baf779a4a3c9d901eff32a46a004bbb258551cac57d63f0a878d882d2ebbdcf3
bfb2a7f8e7396f8edee131eca9715ab8b2fc957478b7cf0d58840a707b718e09
c004fa7111c5ea0d902a7f9863b525fb26a3be086926f39246f0dbcb7804f2b5
cec533ecd881f014efa7416867d6e3c6b4362741e97c1609860c6223935dec8d
d148562a49a09333b2b02d13e12b183d4c3fcf23fbb024d4e0b440631a3a3663
d3bb736d8a8b500c75ad853392afac37fd8cd519b274db4cba9451d2f1899059
d52a5ece34828b4201df630a7bc07449289f0c15833ee13f93f105c510a8282e
d8395183c234836b9138d0ade196b8ab60aae6add8c84e004df049a27afe5ffa
dc627b6419366cdf50eccfa3d1995c111b71112e5abb725b6096b9e0026af395
de339d3fe5acf83a0df5991bcce02574e1f2c4749b6d0e8f9edc563ef4f91d79
dff78dc100c1efd116de1a1d9e0b9169380801a1e7e864d63dc81a263f8929e8
e444a49b260e815c7d2f3e309f7c7b62226d4f0658fc756ec0aed5effb5226a8
e4e210aedf8120a4c765bd340bd78b4a84f7ee486314132a8364fd417f4fa128
e7782cedc67fe36d2fb9005c5bb165c75db9587f3de57b408acb20f6757c7f56
e7eeb7781f521ddc5481626a2410ed8cc871809c36d8d8f74af9dd3f8c42505d
e8f785efb62fbdf31a12012d38798301329e5262090991152e94342ef6dfa276
e9bf479de992e8a7cfff4d5d528ec85614e9ad0892feb5f588047dd78decf069
ee295bd3669ddaebcd9be020debd1853c6eb7029c8017734e44c8cdce5e15241
f211a92c2e215c2691006407bc919a892dd998120d83d333f2295059cd3c1c60
f9f4aaba897b15f8c77c46f2efb0672b044b7cb79dfd84eac4a41e2f1cee1344
fdfcf1790faf4dc97ea7c5d84c76b7abbdb080ab931777a6259b09ae0166fcae
fe15c79508885b5288c5cf93708d5b40eab05877cb9b1d954ab7e814a20c7978
137[.]74.153.98
144[.]76.177.244
148[.]251.224.29
148[.]251.97.102
176[.]31.4.14

download

Tip: 285 related IOCs (5 IP, 21 domain, 0 URL, 0 email, 259 file hash) to this threat have been found.

FAQs

Understanding the “Rampant Kitten” Espionage Campaign

: A long-running espionage operation targeting Iranian dissidents and minority activists abroad was uncovered. Attackers used spyware tools on both computers and phones to collect sensitive information from victims.
: While not formally attributed to a specific group, evidence strongly links the operation to Iranian government-aligned actors based on language, targets, and infrastructure registration details.
: The goal was surveillance—stealing private communications, passwords, and other personal documents from individuals viewed as threats to the Iranian regime.
: Victims included members of opposition movements such as the Mujahedin-e Khalq, Baloch and Azerbaijani minority advocates, and political dissidents residing outside Iran.
: The attackers sent malicious documents or apps disguised as legitimate content. These files deployed spyware that silently collected data and forwarded it to attacker-controlled servers.
: They represent political opposition to the Iranian government and are involved in activism or resistance efforts that challenge state authority.
: Avoid downloading files or apps from unofficial sources, use antivirus tools, and keep software updated. Activists should use encrypted communications and store passwords in secure environments.
: It is highly targeted, focused on specific individuals and communities critical of the Iranian regime, but the tools used could potentially impact broader groups if reused.

About Affiliation

Rampant Kitten