ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > Domestic Kitten

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Domestic Kitten

NamesDomestic Kitten (Check Point)
APT-C-50 (Check Point)
Bouncing Golf (Trend Micro)
CountryIran Iran
SponsorState-sponsored
MotivationInformation theft and espionage
First seen2016
Description(Check Point) Recent investigations by Check Point researchers reveal an extensive and targeted attack that has been taking place since 2016 and, until now, has remained under the radar due to the artful deception of its attackers towards their targets. Through the use of mobile applications, those behind the attack use fake decoy content to entice their victims to download such applications, which are in fact loaded with spyware, to then collect sensitive information about them. Interestingly, these targets include Kurdish and Turkish natives and ISIS supporters. Most interesting of all, though, is that all these targets are actually Iranians citizens.

Considering the nature of the target, the data collected about these groups provides those behind the campaign with highly valuable information that will no doubt be leveraged in further future action against them. Indeed, the malware collects data including contact lists stored on the victim’s mobile device, phone call records, SMS messages, browser history and bookmarks, geo-location of the victim, photos, surrounding voice recordings and more.

The targets are Kurdish and Turkish natives and ISIS supporters.
ObservedCountries: Afghanistan, Iran, Iraq, Pakistan, Turkey, UK, USA, Uzbekistan.
Tools usedFurBall, GolfSpy.
Operations performedJun 2019Mobile Campaign ‘Bouncing Golf’ Affects Middle East
<https://www.trendmicro.com/en_us/research/19/f/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.html>
Nov 2020This operation consists of 10 unique campaigns, which have targeted over 1,200 individuals with more than 600 successful infections. It includes 4 currently active campaigns, the most recent of which began in November 2020.
<https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/>
Oct 2022Domestic Kitten campaign spying on Iranian citizens with new FurBall malware
<https://www.welivesecurity.com/2022/10/20/domestic-kitten-campaign-spying-iranian-citizens-furball-malware/>
Information<https://research.checkpoint.com/domestic-kitten-an-iranian-surveillance-operation/>
MITRE ATT&CK<https://attack.mitre.org/groups/G0097/>

Last change to this card: 31 December 2022

Download this actor card in PDF or JSON format

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]