Operation Saffron Rose

Threat Actor Profile Updated 3 months ago
Operation Saffron Rose was a significant cyber threat operation executed by an Iranian threat actor group known as Flying Kitten. The operation, first systematically described in FireEye's report, focused on the deployment of malware to target and infiltrate the defense sector. These malicious activities were characterized by the use of deceptive tactics, such as impersonating legitimate websites and services to trick users into downloading and installing malware.

The operation relied heavily on spoofed websites bearing striking resemblances to authentic resources. For instance, an Adobe Flash page hosted on IranianUkNews mirrored another resource from Flying Kitten, namely the "Plugin-Adobe[.]com" domain documented in Operation Saffron Rose. Another notable tactic involved the creation of a fake BBC Persian page (domain: "persian-bbc.co[.]uk") designed to deceive visitors into installing malware under the guise of viewing a video.

Central to Operation Saffron Rose was the deployment of a malware agent called "Stealer," a simple keylogger with an easy-to-use builder application. This tool enabled the threat actors to capture keystrokes, providing them with potentially sensitive information. FireEye’s documentation of this operation has been instrumental in understanding the extent and complexity of Iranian intrusion campaigns and recognizing them as persistent threat actors.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Flying Kitten | 1 | Flying Kitten is a threat actor that has been tracked and reported on since mid-January 2014, primarily by CrowdStrike Intelligence. The group first came to prominence in November 2013 with its cyber-attack using the domain xn--facebook-06k.com. It continued its malicious activities in March 2014 th
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Espionage
Malware
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Operation Saffron Rose Threat Actor was read from the documents corpus below.
Source | Created At | Title
MITRE | a year ago | Flying Kitten to Rocket Kitten, A Case of Ambiguity and Shared Code
Unit42 | a year ago | Chinese Playful Taurus Activity in Iran