Threat Group Cards: A Threat Actor Encyclopedia

APT group: Magic Kitten

Names	Magic Kitten (CrowdStrike) VOYEUR (NSA)
Country	Iran
Sponsor	State-sponsored
Motivation	Information theft and espionage
First seen	2007
Description	(CEIP) In January 2015, the German news outlet Der Spiegel released previously unpublished documents on cyber espionage conducted by American intelligence agencies.50 One of them revealed an NSA tactic labeled “fourth party collection,” which is the practice of breaking into the command and control infrastructure of foreign-state-sponsored hackers to look over their shoulders. The presentation describes a real-life example of acquiring intelligence and stealing victims from a group code-named VOYEUR by the NSA, otherwise known as Magic Kitten. Magic Kitten appears to be among the oldest and most elaborate threat actors originating in Iran. It is also distinct from other groups because of its apparent relationship with the Iranian Ministry of Intelligence rather than the IRGC. However, Magic Kitten’s activities mirror those of other groups, with the primary targets being Iranians inside Iran and Tehran’s regional rivals. The earliest observed samples of Magic Kitten’s custom malware agent dates to 2007, well before other known malware apparently originated, and the threat actor continues to be active.
Observed	Countries: Germany, India, Indonesia, Iraq, Lebanon, Netherlands, Pakistan, Qatar, Sweden, Switzerland, Thailand, UAE.
Tools used
Information	<https://carnegieendowment.org/2018/01/04/iran-s-cyber-ecosystem-who-are-threat-actors-pub-75140> <https://irancybernews.org/magic-kitten-the-oldest-kitten/>

Last change to this card: 31 December 2022

Download this actor card in PDF or JSON format

Previous: Subgroup: DEV-0270, Nemesis Kitten
Next: MalKamak