Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Iran-Linked Espionage Group Continues Attacks on Middle East

Despite the fact that its activities have been exposed by security researchers, the Iran-linked threat group dubbed “Rocket Kitten” continues to target individuals and organizations, particularly in the Middle East.

Despite the fact that its activities have been exposed by security researchers, the Iran-linked threat group dubbed “Rocket Kitten” continues to target individuals and organizations, particularly in the Middle East.

The political espionage operations of this state-sponsored advanced persistent threat (APT) actor have been analyzed by several security firms, including Trend Micro, ClearSky, iSIGHT Partners (Newscaster attacks) and FireEye (Operation Saffron Rose by Ajax Security Team).

In a report released in March, Trend Micro detailed a Rocket Kitten operation dubbed “Woolen GoldFish,” which targeted civilian and academic organizations in Israel, German-speaking government organizations, and public and private organizations in other European countries. Other security companies detailed attacks targeting high-profile individuals and organizations in the Middle East and the United States.

In a joint paper released on Tuesday, ClearSky and Trend Micro revealed that the group’s activities have intensified over the past months. ClearSky has identified a total of 550 targets, most of which are located in the Middle East. However, researchers noted that the group appears to be currently focusing on individuals rather than organizations.

Two attacks described in detail in the report have targeted a ClearSky researcher and an Iranian lecturer.

The APT group’s attacks against Dr. Thamar E. Gindin, an expert lecturer in linguistics and pre-Islamic Iranian culture, started in mid-2015 after she made some political statements. The attackers sent Dr. Gindin several spear-phishing emails containing malware and links to phishing pages. They also targeted her Google, Facebook and cloud accounts using brute-force attacks and other hacking methods. On a couple of occasions, the malicious actors even called the expert on the phone in an attempt to obtain details they could leverage for social engineering, researchers said.

In June 2015, Dr. Gindin started assisting researchers at ClearSky with a report on “Thamar Reservoir,” a Rocket Kitten campaign targeting Middle Eastern entities. The attacks aimed at the expert continued even after the report was published.

After Dr. Gindin started collaborating with ClearSky, the APT group started targeting one of the company’s researchers. They first attempted to approach the researcher using a fake Facebook profile. When that failed, they used a fake ClearSky email address in an attempt to trick him into clicking on a link leading to a piece of malware.

Researchers believe the group is unlikely to end its activities any time soon.

“The more information we gather about [Rocket Kitten’s] tactics and methods, the more we are convinced that what we are facing is a group of resourceful and persistent actors. Rocket Kitten doesn’t need sophisticated skills,” reads the report from Trend Micro and ClearSky. “The infection vectors that the group uses are very simple. The malware they use are mostly purchased from third parties. But these shouldn’t fool anyone into thinking they’re less difficult to deal with. Rocket Kitten makes up for their shortcomings by being extremely persistent and agile.”

The complete report, titled “The Spy Kittens are Back: Rocket Kitten 2,” is available online in PDF format.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...