Operation Saffron Rose

Threat Actor updated 4 months ago (2024-05-04T19:07:49.324Z)
Operation Saffron Rose was a significant cyber threat operation executed by an Iranian threat actor group known as Flying Kitten. The operation, first systematically described in FireEye's report, focused on the deployment of malware to target and infiltrate the defense sector. These malicious activities were characterized by the use of deceptive tactics, such as impersonating legitimate websites and services to trick users into downloading and installing malware.

The operation relied heavily on spoofed websites bearing striking resemblances to authentic resources. For instance, an Adobe Flash page hosted on IranianUkNews mirrored another resource from Flying Kitten, namely the "Plugin-Adobe[.]com" domain documented in Operation Saffron Rose. Another notable tactic involved the creation of a fake BBC Persian page (domain: "persian-bbc.co[.]uk") designed to deceive visitors into installing malware under the guise of viewing a video.

Central to Operation Saffron Rose was the deployment of a malware agent called "Stealer," a simple keylogger with an easy-to-use builder application. This tool enabled the threat actors to capture keystrokes, providing them with potentially sensitive information. FireEye's documentation of this operation has been instrumental in understanding the extent and complexity of Iranian intrusion campaigns and recognizing them as persistent threat actors.
Description last updated: 2023-10-10T18:19:28.303Z
Aliases: We are not currently tracking any aliases.
Source Document References
Information about the Operation Saffron Rose Threat Actor was read from the documents corpus below.
Source | Created | Title
MITRE | 2 years ago | Flying Kitten to Rocket Kitten, A Case of Ambiguity and Shared Code
Unit42 | 2 years ago | Chinese Playful Taurus Activity in Iran