ETDA: Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Magic Kitten

Names: Magic Kitten (CrowdStrike)
Country: Iran
Motivation: Information theft and espionage
First seen: 2007
Description: (CEIP) In January 2015, the German news outlet Der Spiegel released previously unpublished documents on cyber espionage conducted by American intelligence agencies. One of them revealed an NSA tactic labeled “fourth party collection,” which is the practice of breaking into the command and control infrastructure of foreign-state-sponsored hackers to look over their shoulders. The presentation describes a real-life example of acquiring intelligence and stealing victims from a group code-named VOYEUR by the NSA, otherwise known as Magic Kitten.

Magic Kitten appears to be among the oldest and most elaborate threat actors originating in Iran. It is also distinct from other groups because of its apparent relationship with the Iranian Ministry of Intelligence rather than the IRGC. However, Magic Kitten’s activities mirror those of other groups, with the primary targets being Iranians inside Iran and Tehran’s regional rivals. The earliest observed samples of Magic Kitten’s custom malware agent date to 2007, well before other known malware apparently originated, and the threat actor continues to be active.

Observed: Countries: Germany, India, Indonesia, Iraq, Lebanon, Netherlands, Pakistan, Qatar, Sweden, Switzerland, Thailand, UAE.
Tools used

Last change to this card: 31 December 2022