Description
[CopyKittens](https://attack.mitre.org/groups/G0052) is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.(Citation: ClearSky CopyKittens March 2017)(Citation: ClearSky Wilted Tulip July 2017)(Citation: CopyKittens Nov 2015)
Techniques Used (TTPs)
- T1560.003 — Archive via Custom Method (collection)
- T1560.001 — Archive via Utility (collection)
- T1059.001 — PowerShell (execution)
- T1090 — Proxy (command-and-control)
- T1218.011 — Rundll32 (defense-evasion)
- T1564.003 — Hidden Window (defense-evasion)
- T1588.002 — Tool (resource-development)
- T1553.002 — Code Signing (defense-evasion)
Total TTPs: 8
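The execution, defense-evasion and collection techniques listed above (T1059.001, T1564.003, T1218.011, T1560.001) all leave traces in process-creation telemetry, so a practitioner's first question is usually how to triage such events. The following is an added example, not code from the ATT&CK page and not CopyKittens tooling: it applies generic detection heuristics for those four technique IDs to a handful of constructed process-creation records. The field names (`id`, `image`, `command_line`), the trusted DLL directories, the archiver names and every sample command line are assumptions made for illustration; none of the sample commands are attributed to the group.

```python
"""Added example: map constructed process-creation events to ATT&CK technique IDs.

Not from the ATT&CK page or from CopyKittens tooling. Field names, trusted paths,
archiver names and all sample command lines are assumptions for illustration.
"""
import re

# Assumption: directories from which rundll32 normally loads legitimate DLLs.
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Assumption: archiver binaries worth watching for T1560.001.
ARCHIVE_UTILS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _tokenize(cmdline):
    # Split on whitespace but keep quoted Windows paths together; drop the quotes.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _under_trusted(directory):
    # Exact match or a subdirectory; a plain prefix test would accept
    # c:\windows\system32evil as trusted.
    return any(directory == d or directory.startswith(d + "\\") for d in TRUSTED_DLL_DIRS)


def _check_powershell(lowered):
    hits = [("T1059.001", "PowerShell interpreter launched")]
    for i, tok in enumerate(lowered[:-1]):
        # PowerShell accepts any unambiguous prefix of -WindowStyle (-w, -wi, ...).
        if tok.startswith("-w") and "windowstyle".startswith(tok[1:]) and lowered[i + 1] == "hidden":
            hits.append(("T1564.003", "PowerShell started with -WindowStyle Hidden"))
            break
    return hits


def _check_rundll32(args):
    if len(args) < 2:
        return []
    # rundll32 syntax is <dll>[,<entrypoint>] [args]; inspect only the DLL part.
    target = args[1].split(",", 1)[0].replace("/", "\\").lower()
    directory, _, filename = target.rpartition("\\")
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    if ext != "dll":
        return [("T1218.011", f"rundll32 target '{target}' is not a .dll")]
    if directory and not _under_trusted(directory):
        return [("T1218.011", f"rundll32 loading DLL from untrusted path '{directory}'")]
    return []


def _check_archiver(lowered):
    # 'a' adds files to an archive; -p<pwd> (7z/rar) and -hp<pwd> (rar) set a
    # password, the pattern that matters for staged, encrypted collections.
    if "a" in lowered and any(t.startswith(("-p", "-hp")) for t in lowered):
        return [("T1560.001", "archive utility creating a password-protected archive")]
    return []


def triage_event(event):
    """Return [(technique_id, reason), ...] for one process-creation record."""
    image = _basename(event["image"])
    args = _tokenize(event["command_line"])
    lowered = [a.lower() for a in args]
    if image in POWERSHELL:
        return _check_powershell(lowered)
    if image == "rundll32.exe":
        return _check_rundll32(args)
    if image in ARCHIVE_UTILS:
        return _check_archiver(lowered)
    return []


def triage_events(events):
    """Map each event id to the sorted, de-duplicated technique IDs it matched."""
    return {e["id"]: sorted({tid for tid, _ in triage_event(e)}) for e in events}


# Constructed sample events (not real telemetry); ids, paths and file names are invented.
SAMPLE_EVENTS = [
    {"id": "evt-1", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"id": "evt-2", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoP -W Hidden -Exec Bypass -File C:\Users\alice\AppData\Local\Temp\update.ps1"},
    {"id": "evt-3", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\alice\AppData\Roaming\winupd.dll,Start"},
    {"id": "evt-4", "image": r"C:\Program Files\WinRAR\Rar.exe",
     "command_line": r'"C:\Program Files\WinRAR\Rar.exe" a -r -hpS3cret C:\Users\alice\AppData\Local\Temp\out.rar C:\Users\alice\Documents'},
]

if __name__ == "__main__":
    for eid, techniques in triage_events(SAMPLE_EVENTS).items():
        print(eid, techniques or "clean")
```

These heuristics are deliberately narrow: the rundll32 check only flags a DLL when a directory is given and it lies outside the trusted list, so bare names such as `shell32.dll` resolved through the search path are left to other rules, and the PowerShell check looks for the hidden-window switch rather than treating every interpreter launch as hostile. T1090 (Proxy), T1553.002 (Code Signing) and T1588.002 (Tool) are not covered because they are not visible in a single process-creation record.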
Malware & Tools
Malware: Cobalt Strike, Matryoshka, TDTESS
Tools: Empire