CopyKittens: Persistent Iranian Cyber Espionage Group
- Suspected Origin
- Iran
- Motivation
- Espionage, Information Theft, Political Motivation
- Aliases
- None documented
- Target Sectors
- Government, Academic, Defense, IT, Media, Municipal Authorities
- Associated Malware
- Matryoshka RAT, TDTESS, Vminst, NetSrv, ZPP, Cobalt Strike, Metasploit, Mimikatz, PowerShell Empire
Overview
CopyKittens, also tracked as G0052 by MITRE ATT&CK and sometimes referred to as Rocket Kittens or Slayer Kitten, is a persistent and highly motivated Iranian cyber espionage group. Active since at least 2013, this threat actor is strongly attributed to Iranian state interests, operating with a primary motivation of information theft and espionage to support geopolitical objectives. Their operations are politically motivated, focusing on intelligence gathering from strategic adversaries and targets.
The group has consistently targeted countries perceived as adversaries or of strategic interest to Iran, including Israel, Saudi Arabia, Turkey, the United States, Jordan, and Germany. Their victimology extends across critical sectors such as government institutions (specifically ministries of foreign affairs and defense contractors), academic organizations, defense companies, large IT firms, and even municipal authorities. Notably, UN employees have also fallen victim to their operations. CopyKittens often exhibits a “greedy” approach once inside a network, indiscriminately exfiltrating significant volumes of documents, spreadsheets, personal data, configuration files, and databases.
Tactics & Techniques
CopyKittens employs a varied and adaptive set of tactics, techniques, and procedures (TTPs) for initial access, persistence, and data exfiltration, frequently blending custom tools with readily available commercial and open-source hacking utilities.
Their initial access methods are primarily focused on social engineering and exploiting vulnerable public-facing assets. Spear phishing remains a prevalent technique, often leveraging malicious attachments or links that direct victims to attacker-controlled websites hosting exploits. Watering hole attacks are another favored tactic, where the group compromises legitimate and strategically chosen websites—such as reputable news outlets like The Jerusalem Post and Maariv news—to inject malicious JavaScript or redirect unsuspecting visitors to exploit kits. They have also been observed exploiting vulnerabilities in public-facing applications and weaponizing Microsoft Office documents, including leveraging flaws like CVE-2017-0199, embedded OLE objects, or malicious macros, to gain initial footholds. Fake social media profiles, particularly on platforms like Facebook, are instrumental for social engineering, building trust with targets, and disseminating malicious links.
Once initial access is achieved, CopyKittens focuses on execution, persistence, and privilege escalation. They utilize PowerShell Empire for post-exploitation activities and have been known to execute tools via rundll32. Persistence is often maintained through webshells and leveraging frameworks like EmpireProject. For defense evasion, the group employs techniques such as concealing PowerShell windows with -w hidden or -windowstyle hidden commands and has even used stolen digital certificates from legitimate companies, like AI Squared, to sign their executables. Their use of commercial penetration testing tools like Cobalt Strike and Metasploit also helps them blend in with legitimate network traffic, making detection challenging.
Credential access is a key objective, achieved through techniques like credential harvesting and the use of tools such as Mimikatz for dumping credentials. For reconnaissance and discovery, they scan for vulnerabilities in internet-facing web servers using tools like Havij, Acunetix, and sqlmap. Lateral movement within compromised networks is facilitated by custom tools like Vminst and commonly available ones like Cobalt Strike and Metasploit.
Command and Control (C2) communication often relies on DNS tunneling, and they establish C2 channels using tools like Cobalt Strike and Empire. Their infrastructure has included domains impersonating major technology companies such as Microsoft, Google, Amazon, Facebook, and Oracle to host malicious sites and maintain C2. For data exfiltration, CopyKittens is known to indiscriminately collect vast amounts of sensitive data. They compress files using their custom ZPP (.NET console program) and encrypt data with a substitute cipher before exfiltration, often leveraging DNS for data egress.
Notable Campaigns
The most extensively documented operation attributed to CopyKittens is Operation Wilted Tulip. This large-scale cyber espionage campaign, first publicly detailed in 2017 by ClearSky and Trend Micro, encompassed a wide range of activities stretching back to at least 2013. The campaign’s scope involved targeting government, academic, defense, and IT organizations across multiple countries.
As part of Operation Wilted Tulip, CopyKittens was responsible for the compromise of The Jerusalem Post and other Israeli media and organizational websites between October 2016 and January 2017. These sites were weaponized as watering holes to deliver malware to visitors, including, in one instance, members of the German Bundestag. Another notable incident involved the breach of an IT company, which CopyKittens then leveraged to gain VPN access to the client organizations of that company, enabling further network intrusions.
The operations demonstrate the group’s persistent targeting and willingness to use multiple infection vectors until a beachhead is established, often pivoting to higher-value targets within a compromised network.
Associated Malware & Tools
CopyKittens relies on a mix of self-developed malware and commonly available penetration testing tools to conduct its operations:
Custom Malware:
- Matryoshka RAT (v1 and v2): A self-developed remote access trojan that uses DNS for command and control, capable of stealing passwords, capturing screenshots, logging keystrokes, and exfiltrating files.
- TDTESS Backdoor: A .NET binary backdoor used for persistent communication with command and control servers.
- Vminst: A lateral movement tool.
- NetSrv: A loader specifically designed for Cobalt Strike.
- ZPP: A .NET console program used for compressing collected files into ZIP archives prior to exfiltration.
Commercial/Public Tools:
- Cobalt Strike: Frequently used, often the trial version, for adversary simulations, red team operations, and post-exploitation activities, including lateral movement and C2.
- Metasploit: A well-known framework for developing and executing exploit code, used for post-exploitation.
- Mimikatz: A post-exploitation tool primarily used for credential dumping.
- PowerShell Empire: A PowerShell and Python-based post-exploitation agent.
- Web Vulnerability Scanners/SQLi Tools: Including Havij, Acunetix, and sqlmap, used for detecting and exploiting internet-facing web servers.
- AirVPN: Used for operational activity to obscure their origin.
Current Status
As of mid-2026, the specific current activity status of CopyKittens (G0052) in public reporting is ambiguous. While the group has been consistently tracked as an Iranian cyber espionage entity since at least 2013, the most comprehensive public reporting on their specific campaigns, such as Operation Wilted Tulip, largely dates back to 2017.
A Proofpoint report from early 2020 mentioned CopyKittens as an Iranian group that “since 2013 has been targeting users” in several of their usual target countries, indicating they were still considered an active threat actor at that time. However, there is a lack of detailed, publicly reported campaigns or incidents specifically attributed to CopyKittens since 2020. This does not necessarily mean the group has disbanded or ceased operations, as state-sponsored threat actors often rebrand, adopt new tactics, or reduce their public footprint. Without explicit recent intelligence, their current operational tempo and specific targets beyond 2020 remain publicly unknown. Their established capabilities and historical persistence suggest that the underlying threat from this group, or its evolution, likely continues.
Related content
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call