Ajax Security Team (G0130): An Iranian Cyber Espionage Group
- Suspected Origin
- Iran
- Motivation
- Espionage, Information Theft, Political Dissent Control
- Aliases
- Operation Woolen-Goldfish, AjaxTM, Rocket Kitten, Flying Kitten, Operation Saffron Rose
- Target Sectors
- Defense Industrial Base, Government, Diplomacy, Academia, Journalism, Human Rights, Technology, Energy, Telecommunications
- Associated Malware
- Stealer, FireMalv, Gholee, CWoolger, MPK, BeEF
Overview
The Ajax Security Team, tracked by MITRE ATT&CK as G0130, is a persistent and resourceful threat actor with a suspected nexus to the Iranian government, and potentially the Islamic Revolutionary Guard Corps (IRGC). Active since at least 2010, the group initially focused on website defacement operations, often under the alias “AjaxTM,” notably on Iranian hacker forums like ashiyane[.]org and shabgard[.]org. However, by 2014, Ajax Security Team, also widely known as Rocket Kitten, Flying Kitten, Operation Woolen-Goldfish, and Operation Saffron Rose, transitioned to more sophisticated malware-based cyber espionage campaigns. This shift marked their evolution into an advanced persistent threat (APT) actor, aligning with Iran’s broader strategic objectives of intelligence collection, controlling political dissent, and enhancing its offensive cyber capabilities.
Their primary motivation is espionage and information theft, driven by ideological objectives aligned with Iranian nation-state intelligence interests. This includes monitoring communications, extracting sensitive information, and acquiring proprietary technologies to further Iran’s defense and technological ambitions, such as its missile and space programs. The group’s targeting priorities reflect these motivations, consistently focusing on entities and individuals perceived as threats or valuable assets to Iranian national interests.
Targets are diverse, spanning multiple regions and sectors. Geographically, they have actively targeted organizations and individuals across the Middle East (including Saudi Arabia, Israel, and even within Iran), Europe (e.g., Germany, Netherlands, UK), and the United States. Key target sectors include the US defense industrial base, government entities, diplomatic missions, and academic institutions. They also heavily target civil society, specifically Iranian users of anti-censorship technologies, Iranian dissidents, political opponents, exiles, human rights activists, journalists, researchers, and scholars. Beyond these, they’ve shown interest in broader areas such as diplomacy, international affairs, security and policy research, and even aspects of the construction, entertainment, manufacturing, and IT sectors. Notable specific targets have included the Saudi royal family, Israeli nuclear scientists, and NATO officials.
Tactics & Techniques
Ajax Security Team’s operational methodology heavily relies on sophisticated social engineering and highly persistent spear phishing campaigns. These campaigns are characterized by their tailored nature, often involving personalized attachments or malicious links embedded in emails designed to lure victims into executing malicious files. They frequently employ fake identities, impersonating public figures, individuals of interest, security researchers, or legitimate entities like Google or prominent engineers to build credibility.
A common tactic involves sending malicious Microsoft Office documents, sometimes with embedded macros, or directing victims to download malicious executables disguised as legitimate files (e.g., “Iran’s Missiles Program.ppt.exe”) hosted on cloud storage services like OneDrive to evade email security filters. The group demonstrates considerable patience, often barraging the same chosen targets repeatedly, sometimes on a daily basis and with evolving cover stories, until a victim inadvertently compromises their system. Beyond email, they leverage various social media channels for spear phishing and engagement.
More advanced tactics include watering hole attacks, where they compromise legitimate websites (often exploiting vulnerabilities in outdated CMS platforms like WordPress, Joomla, or Drupal). These compromised sites are then injected with malicious scripts, such as those from the BeEF (Browser Exploitation Framework), to track visitors, steal browser history, or selectively deliver backdoors to high-value targets. They have also exploited vulnerabilities in communication platforms, notably the Telegram messaging service, by leveraging SMS verification weaknesses to compromise accounts and steal user data from Iranian users. The group is known to adapt its tactics and tools in response to public disclosures by security researchers, making minimal changes to bypass existing detections.
Notable Campaigns
The group’s history includes several significant campaigns:
- Operation Saffron Rose (2013): This early operation saw the Ajax Security Team conducting cyber espionage against US defense industrial base companies and Iranian users of anti-censorship tools. This campaign marked a pivotal transition for the group from web defacement to malware-based espionage.
- Operation Woolen-Goldfish (Active mid-2014 to at least early 2015): Identified by Trend Micro and ClearSky, this campaign specifically targeted Israeli and European organizations, including entities in the defense industry, IT sector, government, and academia. It initially involved the distribution of GHOLE malware and later transitioned to the CWoolger keylogger, often delivered via malicious files hosted on OneDrive.
- Targeting US Defense Firms (2014 onwards): The group has consistently focused on US defense companies, particularly those in the aerospace industry, aiming to steal information valuable to Iran’s missile and space programs. One instance involved impersonating the IEEE Aerospace conference with a fake registration website (aeroconf2014[.]org) to trick victims into installing malware.
- Oyun Incident (November 2015): During this period, security errors by Rocket Kitten allowed Check Point researchers to gain password-less root access to “Oyun,” the group’s back-end database, providing rare insight into their operations and a list of over 1,600 targets.
- Telegram Hack (August 2016): Rocket Kitten was implicated in exploiting Telegram’s reliance on SMS verification to compromise over a dozen accounts and extract user IDs and telephone numbers of 15 million Iranians, including opposition activists.
Associated Malware & Tools
Ajax Security Team employs a mix of custom-developed malware and repurposed legitimate tools:
- Stealer: This is a custom-developed spyware designed for data exfiltration, keystroke logging, and taking screenshots. It has been observed collecting credentials from Firefox browser storage, Outlook Web Access (OWA), and VPN logins.
- FireMalv: A custom-.NET-based credential stealer used to pilfer credentials from various storage locations on infected systems.
- Wrapper/Gholee: This custom malware is primarily used to download additional malicious payloads to compromised systems. Notably, Gholee is identified as a modified version of Core Impact, a legitimate penetration testing tool.
- CWoolger (and MPK): These are custom-developed keyloggers, with CWoolger specifically attributed to a developer alias “Wool3n.H4t,” who is believed to be a key member of the group.
- BeEF (Browser Exploitation Framework): The group has incorporated BeEF into its watering hole attacks, using it for tracking, browser identification, and potentially to pop up spoofed login fields for credential theft.
- Oyun and Ishak scripts: “Oyun” refers to a back-end database or possibly a phishing toolkit used by the group, which was compromised in 2015. “Ishak scripts” are rudimentary PHP scripts used in their spear-phishing campaigns, providing access to an archive of source code and operational materials.
Current Status
The Ajax Security Team, under its various aliases like Rocket Kitten (G0130), remains an active and evolving threat. While specific public reporting on new campaigns explicitly named “Rocket Kitten” or “Ajax Security Team” may have decreased in recent years, their persistent tracking by major threat intelligence vendors, with updates as recent as 2025, indicates ongoing activity. MITRE ATT&CK lists them as active since 2010, with their transition to malware-based cyber espionage solidified by 2014.
Security researchers have consistently highlighted their resourcefulness and persistence, noting that despite exposures, the group often makes minimal changes to their tools and infrastructure to continue operations. This adaptability, coupled with their state-sponsored motivations, suggests they continue to pursue Iranian intelligence objectives. It is plausible that, like many established APT groups, they may operate under new, undisclosed aliases or have integrated into broader Iranian cyber operations, making direct attribution to “Ajax Security Team” or “Rocket Kitten” less frequent in recent open-source reporting. Organizations in their typical target sectors and regions should maintain a heightened state of alert for the tactics and techniques associated with this sophisticated and persistent Iranian threat actor.
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call