Rocket Kitten

Threat Actor Profile Updated 3 months ago
Rocket Kitten is a recognized threat actor known for its malicious activities. The group was particularly active in 2016, using domains such as yahoo-drive.signin-useraccount-mail.com and yahoo-reset.signin-useraccount-mail.com in its operations. Its modus operandi showed significant similarities with another threat actor, Flying Kitten, especially in attempts made in August 2014. After these incidents, however, Rocket Kitten became more cautious about its activities, suggesting that, like Flying Kitten, it too may have disbanded.

Iranian cyberspace contains several overlapping threat actors, but there are distinctions among them. Security researchers often associate MOIS-linked teams such as MuddyWater and APT35 (Mandiant) with Rocket Kitten, whereas groups such as APT42 (Mandiant), Charming Kitten, Imperial Kitten, and Mint Sandstorm (Microsoft) are typically linked with the IRGC.

Rocket Kitten has targeted a range of individuals, including anonymous proxy users, researchers, journalists, and dissidents. It used tools tied to an individual named Yaser Balaghi and others connected to Flying Kitten tooling, such as Ishak, which was almost certainly used in attacks attributed to Rocket Kitten. While Rocket Kitten was once the most prolific group, spearphishing attempts have shifted to other operators over time. The group used to leave a predictable trail across campaigns, reusing the same infrastructure against multiple targets for extended periods. After a brief lull in intrusion attempts following the disbandment of Flying Kitten, however, the group adapted its strategies. Despite public exposure, Rocket Kitten continued its campaigns, demonstrating its resilience. Notably, the efforts labeled as Rocket Kitten may not have been uniformly organized, suggesting that different factions existed within the group.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Flying Kitten | 1 | Flying Kitten is a threat actor that has been tracked and reported on since mid-January 2014, primarily by CrowdStrike Intelligence. The group first came to prominence in November 2013 with its cyber-attack using the domain xn--facebook-06k.com. It continued its malicious activities in March 2014 th
Ishak | 1 | Ishak is a threat actor that has been used in cyberattacks attributed to the group known as Rocket Kitten. This relationship became apparent around Fall 2015 when Rocket Kitten was the subject of multiple publications, and a shift in behavior was observed. The preference for Ishak scripts over anoth
Oyun | 1 | Oyun is identified as a threat actor, a term used in cybersecurity to denote an entity that executes actions with malicious intent. This entity has been linked to a set of tools and scripts named after an individual called Yaser Balaghi, including Gholee, Woolger, MPK, and Oyun itself. The shift in
APT42 | 1 | APT42, also known as Charming Kitten, CharmingCypress, Mint Sandstorm, and TA453, is a threat actor associated with Iran. The group has been linked to the Islamic Revolutionary Guard Corps (IRGC) and is recognized for its use of sophisticated tactics, techniques, and procedures (TTPs), such as enhan
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Qualys
Ransomware
Android
Phishing
Malware
Proxy
Spearphishing
Espionage
Microsoft
Associated Malware
ID | Type | Votes | Profile Description
Clop | Unspecified | 1 | Clop is a notorious malware, short for malicious software, known for its disruptive and damaging effects on computer systems. It primarily infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Clop can steal personal information, disrupt o
Associated Threat Actors
ID | Type | Votes | Profile Description
MuddyWater | Unspecified | 1 | MuddyWater is an advanced persistent threat (APT) group, also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros. This threat actor has been linked to the Iranian Ministry of Intelligence and Security (MOIS) according to a joint advisory from cybersecurity firms. The group empl
APT35 | Unspecified | 1 | APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage group. The group focuses on long-term, resource-intensive operations to collect strategic intelligence. They primarily target sectors in the U.S., Western Europe, and the
Charming Kitten | Unspecified | 1 | Charming Kitten, an Iranian Advanced Persistent Threat (APT) group, also known as ITG18, Phosphorous, and TA453, is a significant cybersecurity threat. This threat actor has been associated with numerous malicious activities, exhibiting advanced and sophisticated social-engineering efforts. The grou
Imperial Kitten | Unspecified | 1 | Imperial Kitten, also known as Tortoiseshell and UNC1549, is a significant threat actor identified by cybersecurity firms CrowdStrike and Mandiant. The group has been associated with various malicious activities, including the distribution of malware through SWC, and the use of IMAPLoader and other
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Rocket Kitten threat actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 8 months ago | Iran’s role in Israel-Hamas war largely 'opportunistic'
MITRE | a year ago | Endpoint Protection - Symantec Enterprise
MITRE | a year ago | Flying Kitten to Rocket Kitten, A Case of Ambiguity and Shared Code
CERT-EU | a year ago | Most Weaponized Vulnerabilities of 2022 and 5 Key Risks: Report