Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Iran-Linked Espionage Group Continues Attacks on Middle East

Despite the fact that its activities have been exposed by security researchers, the Iran-linked threat group dubbed “Rocket Kitten” continues to target individuals and organizations, particularly in the Middle East.

Despite the fact that its activities have been exposed by security researchers, the Iran-linked threat group dubbed “Rocket Kitten” continues to target individuals and organizations, particularly in the Middle East.

The political espionage operations of this state-sponsored advanced persistent threat (APT) actor have been analyzed by several security firms, including Trend Micro, ClearSky, iSIGHT Partners (Newscaster attacks) and FireEye (Operation Saffron Rose by Ajax Security Team).

In a report released in March, Trend Micro detailed a Rocket Kitten operation dubbed “Woolen GoldFish,” which targeted civilian and academic organizations in Israel, German-speaking government organizations, and public and private organizations in other European countries. Other security companies detailed attacks targeting high-profile individuals and organizations in the Middle East and the United States.

In a joint paper released on Tuesday, ClearSky and Trend Micro revealed that the group’s activities have intensified over the past months. ClearSky has identified a total of 550 targets, most of which are located in the Middle East. However, researchers noted that the group appears to be currently focusing on individuals rather than organizations.

Two attacks described in detail in the report have targeted a ClearSky researcher and an Iranian lecturer.

The APT group’s attacks against Dr. Thamar E. Gindin, an expert lecturer in linguistics and pre-Islamic Iranian culture, started in mid-2015 after she made some political statements. The attackers sent Dr. Gindin several spear-phishing emails containing malware and links to phishing pages. They also targeted her Google, Facebook and cloud accounts using brute-force attacks and other hacking methods. On a couple of occasions, the malicious actors even called the expert on the phone in an attempt to obtain details they could leverage for social engineering, researchers said.

In June 2015, Dr. Gindin started assisting researchers at ClearSky with a report on “Thamar Reservoir,” a Rocket Kitten campaign targeting Middle Eastern entities. The attacks aimed at the expert continued even after the report was published.

After Dr. Gindin started collaborating with ClearSky, the APT group started targeting one of the company’s researchers. They first attempted to approach the researcher using a fake Facebook profile. When that failed, they used a fake ClearSky email address in an attempt to trick him into clicking on a link leading to a piece of malware.

Researchers believe the group is unlikely to end its activities any time soon.

“The more information we gather about [Rocket Kitten’s] tactics and methods, the more we are convinced that what we are facing is a group of resourceful and persistent actors. Rocket Kitten doesn’t need sophisticated skills,” reads the report from Trend Micro and ClearSky. “The infection vectors that the group uses are very simple. The malware they use are mostly purchased from third parties. But these shouldn’t fool anyone into thinking they’re less difficult to deal with. Rocket Kitten makes up for their shortcomings by being extremely persistent and agile.”

The complete report, titled “The Spy Kittens are Back: Rocket Kitten 2,” is available online in PDF format.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.