Names | Domestic Kitten (Check Point) APT-C-50 (Check Point) Bouncing Golf (Trend Micro) | |
Country | Iran | |
Sponsor | State-sponsored | |
Motivation | Information theft and espionage | |
First seen | 2016 | |
Description | (Check Point) Recent investigations by Check Point researchers reveal an extensive and targeted attack that has been taking place since 2016 and, until now, has remained under the radar due to the artful deception of its attackers towards their targets. Through the use of mobile applications, those behind the attack use fake decoy content to entice their victims to download such applications, which are in fact loaded with spyware, to then collect sensitive information about them. Interestingly, these targets include Kurdish and Turkish natives and ISIS supporters. Most interesting of all, though, is that all these targets are actually Iranians citizens. Considering the nature of the target, the data collected about these groups provides those behind the campaign with highly valuable information that will no doubt be leveraged in further future action against them. Indeed, the malware collects data including contact lists stored on the victim’s mobile device, phone call records, SMS messages, browser history and bookmarks, geo-location of the victim, photos, surrounding voice recordings and more. The targets are Kurdish and Turkish natives and ISIS supporters. | |
Observed | Countries: Afghanistan, Iran, Iraq, Pakistan, Turkey, UK, USA, Uzbekistan. | |
Tools used | FurBall, GolfSpy. | |
Operations performed | Jun 2019 | Mobile Campaign ‘Bouncing Golf’ Affects Middle East <https://www.trendmicro.com/en_us/research/19/f/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.html> |
Nov 2020 | This operation consists of 10 unique campaigns, which have targeted over 1,200 individuals with more than 600 successful infections. It includes 4 currently active campaigns, the most recent of which began in November 2020. <https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/> | |
Oct 2022 | Domestic Kitten campaign spying on Iranian citizens with new FurBall malware <https://www.welivesecurity.com/2022/10/20/domestic-kitten-campaign-spying-iranian-citizens-furball-malware/> | |
Information | <https://research.checkpoint.com/domestic-kitten-an-iranian-surveillance-operation/> | |
MITRE ATT&CK | <https://attack.mitre.org/groups/G0097/> |
Last change to this card: 31 December 2022
Download this actor card in PDF or JSON format
Previous: DNSpionage
Next: Donot Team
Digital Service Security Center Follow us on |
Report incidents |
|
+66 (0)2-123-1227 | ||
[email protected] |