Rocket Kitten

Threat Actor updated 4 months ago (2024-05-04T19:19:34.001Z)
Rocket Kitten is a recognized threat actor. The group was particularly active in 2016, when it used domains such as yahoo-drive.signin-useraccount-mail.com and yahoo-reset.signin-useraccount-mail.com in its operations. Its modus operandi had significant similarities with that of another threat actor, Flying Kitten, especially in attempts made in August 2014. After these incidents Rocket Kitten became more cautious about its activities, indicating that, like Flying Kitten, it too may have disbanded.

The Iranian cyberspace has several overlapping threat actors, but there are distinctions among them. Security researchers often associate MOIS-linked teams like MuddyWater and APT35 (Mandiant) with Rocket Kitten. On the other hand, groups like APT42 (Mandiant), Charming Kitten, Imperial Kitten, and Mint Sandstorm (Microsoft) are typically linked with the IRGC.

Rocket Kitten has targeted various individuals, including anonymous proxy users, researchers, journalists, and dissidents. It used tools tied to an individual named Yaser Balaghi and others connected to Flying Kitten tools, such as Ishak, which was almost certainly used in attacks attributed to Rocket Kitten.

While Rocket Kitten was once the most prolific group, spearphishing attempts have shifted to other operators over time. The group used to leave a predictable trail across campaigns, reusing certain infrastructure across multiple targets for extended periods. However, after a brief lull in intrusion attempts following the disbandment of Flying Kitten, the group adapted its strategies. Despite public exposure, Rocket Kitten continued its campaigns. The efforts labeled as Rocket Kitten might not have been uniformly organized, suggesting the existence of different factions within the group.
Description last updated: 2024-05-04T18:42:51.476Z
Aliases: We are not currently tracking any aliases.
Source Document References
Information about the Rocket Kitten Threat Actor was read from the documents corpus below.
Source | Created | Title
CERT-EU | 10 months ago | Iran’s role in Israel-Hamas war largely 'opportunistic'
MITRE | 2 years ago | Endpoint Protection - Symantec Enterprise
MITRE | 2 years ago | Flying Kitten to Rocket Kitten, A Case of Ambiguity and Shared Code
CERT-EU | a year ago | Most Weaponized Vulnerabilities of 2022 and 5 Key Risks: Report