Threat Actor Linked to Iran Targets Organizations in Israel, Europe

A threat actor dubbed “Rocket Kitten” has breached the systems of several organizations in Israel and Europe. Evidence uncovered by researchers suggests that the group might have ties to Iran.

Rocket Kitten’s activities were brought to light last year at the 31st Chaos Communication Congress (31C3), where researchers Tillmann Werner and Gadi Evron detailed the advanced persistent threat (APT) actor’s activities.

According to Trend Micro, Rocket Kitten has conducted two campaigns. One of them, the one described by Werner and Evron, involved spear-phishing emails designed to distribute a piece of malware called GHOLE. The threat, which is a modified version of a legitimate penetration testing tool from Core Security, gives attackers remote access to the infected machine and the target’s corporate network.

A second campaign, which Trend Micro has been following closely, is far more sophisticated. The operation, dubbed “Woolen-GoldFish,” is most likely a state-sponsored campaign, the security firm said.

The threat group seems to be particularly interested in the defense industry, government entities, the IT sector, and academic organizations. Based on the contents of the files attached to the spear-phishing emails, researchers believe the attackers have targeted civilian and academic organizations in Israel, German-speaking government organizations, and public and private organizations in Europe.

In the first campaign, Rocket Kitten distributed the GHOLE malware using macros embedded in Microsoft Office documents. This technique has a built-in weakness that may have limited its effectiveness: the malware is dropped only if the victim chooses to enable macros.

At the end of 2014, the group started changing tactics and launched what researchers have called Operation Woolen-GoldFish.

A spear-phishing email sent to an Israeli organization in February contained a PDF document with a link to a file hosted on Microsoft’s OneDrive cloud service. The file, whose name referenced Iran’s missile program, was an executable that used a PowerPoint icon to avoid raising suspicion.

When executed, the file opened a legitimate PowerPoint presentation as a decoy while silently dropping a keylogger called CWoolger (TSPY_WOOLERG.A). Once installed, CWoolger logs keystrokes to a .DAT file. Experts have pointed out that the malware is not as sophisticated as other modern keyloggers.
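Both delivery methods described above (macro-laden Office documents in the first campaign, and an executable wearing a PowerPoint icon in the second) defeat a user who trusts file names and icons, but neither survives a look at the bytes. The following triage helper is an added example, not code from the original article or from Trend Micro: it identifies the real container from magic bytes, flags PE executables regardless of name, flags double extensions such as `.pptx.exe`, and flags Office documents that carry a VBA project (the `vbaProject.bin` part in OOXML, or a `_VBA_PROJECT` stream name in legacy OLE files; the latter is a heuristic byte scan, not a full OLE parse). All sample files are constructed in memory; the file names are invented for illustration.

```python
"""Triage helper: identify executables masquerading as Office documents
and Office documents carrying VBA macros, by inspecting file bytes
rather than trusting the extension or icon.

Added example for illustration; not from the original article or from
Trend Micro. All sample files below are constructed in memory.
"""
import io
import os
import zipfile

# File-format signatures (first bytes of the file)
PE_MAGIC = b"MZ"                                   # Windows executable
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.xlsx/.pptx

OFFICE_EXTENSIONS = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm",
                     ".ppt", ".pptx", ".pptm"}

# OLE directory entry names are stored as UTF-16LE; macro-bearing legacy
# documents contain a stream/storage named _VBA_PROJECT (heuristic check).
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def detect_container(data: bytes) -> str:
    """Classify the real container from leading bytes: pe, ole, zip or unknown."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def ooxml_has_macros(data: bytes) -> bool:
    """OOXML files are zip archives; VBA code lives in a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(filename: str, data: bytes) -> list:
    """Return a list of findings for one file; an empty list means nothing suspicious."""
    findings = []
    root, ext = os.path.splitext(filename.lower())
    inner_ext = os.path.splitext(root)[1]      # e.g. ".pptx" in "x.pptx.exe"
    container = detect_container(data)

    # Windows executes by the LAST extension; a document extension before it is a lure.
    if inner_ext in OFFICE_EXTENSIONS and ext not in OFFICE_EXTENSIONS:
        findings.append(f"double extension {inner_ext}{ext}")

    if container == "pe":
        findings.append("PE executable (icon and name are untrusted)")
        if ext in OFFICE_EXTENSIONS:
            findings.append("executable carries a document extension")
    elif container == "zip" and ooxml_has_macros(data):
        findings.append("OOXML document contains VBA project")
    elif container == "ole" and OLE_VBA_MARKER in data:
        findings.append("legacy OLE document references a VBA project (heuristic)")
    elif container == "unknown" and ext in OFFICE_EXTENSIONS:
        findings.append("document extension but unrecognised container")
    return findings


def _build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style zip, optionally with a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/presentation.xml", "<presentation/>")
        if with_macro:
            zf.writestr("ppt/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed samples with invented names (not the campaign's real file names).
SAMPLES = {
    "decoy_briefing.exe": PE_MAGIC + b"\x90" * 62,      # executable, any icon
    "briefing.pptx.exe": PE_MAGIC + b"\x90" * 62,       # double extension lure
    "agenda.pptx": _build_ooxml(with_macro=False),      # clean OOXML
    "agenda_macro.pptx": _build_ooxml(with_macro=True), # OOXML with VBA
    "notes.doc": OLE_MAGIC + b"\x00" * 64 + OLE_VBA_MARKER + b"\x00" * 64,
}


def triage_all(samples=SAMPLES) -> dict:
    """Run triage over every sample and map file name to its findings."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"{name}: {', '.join(findings) or 'clean'}")
```

The point of checking the container first is that the icon, the name and even the extension are attacker-controlled, while the first bytes are dictated by what the file actually is; a mail gateway or endpoint tool that applies the same ordering catches the PowerPoint-iconed executable without knowing anything about this particular campaign.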

Trend Micro has found several clues that suggest a link between Rocket Kitten and Iran. Metadata from the malicious files shows that several individuals have contributed to the development of the malware, but the main author seems to be using the online moniker “Wool3n.h4t.”

According to researchers, Wool3n.h4t is the name used to register a blog hosted by a free service in Iran. The blog, which is currently inactive, hosted posts published by a user named “Masoud_pk,” which could be part of Wool3n.h4t’s real identity. If Wool3n.h4t is indeed named Masoud, he could be Iranian, since Masoud is among the 50 most common names in the country.

Experts also uncovered a connection to Iran while analyzing the command and control (C&C) servers used by the GHOLE malware. The IP addresses the malware communicates with are hosted by a German company. The IP address ranges appear to belong to an individual named Mehdi Mahdavi who, according to registration data, is based in Iran.

This Mehdi Mahdavi also seems to be linked to a now-defunct e-business solutions provider named Joinebiz. The domain is currently for sale, but when the website was active it claimed that the company had offices in several locations around the world, including Iran.

“This campaign, like the first one the group launched, shows that the targeted entities do have a particular interest for the Islamic Republic of Iran. While motives behind targeted attack campaigns may differ, the end results are one and the same—shift in power control, either economically or politically,” Trend Micro researchers said.

The security firm says Operation Woolen-GoldFish is still active.

“From a technical point of view, the threat actors involved in this campaign are less mature in terms of technical capacity and tactic sophistication compared with other targeted attack groups we are monitoring, yet they are improving and gaining traction,” researchers noted.

The complete research paper, Operation Woolen-GoldFish: When Kittens Go Phishing, is available online.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
