Copy Kittens
Copy Kittens, also known as Slayer Kitten, is an Iranian cyberespionage group active since at least 2013. Aligned with Iranian state interests, the group targets government, IT, and media organizations in Israel, the Middle East, the U.S., and Europe. Its best-documented campaign, Operation Wilted Tulip (described by ClearSky and Trend Micro in 2017), shows a consistent focus on information theft and espionage rather than financially motivated crime.
Country of Origin: Iran
Members
Leadership
Copy Kittens TTPs
Tactics
The group primarily focuses on information theft, espionage, and enabling ransomware attacks. Their targets include government entities, IT infrastructure, and media organizations.
Techniques
Copy Kittens exploits vulnerabilities in public-facing applications, runs phishing campaigns, and deploys a mix of custom malware, such as the Matryoshka RAT, and commodity post-exploitation tooling, such as Cobalt Strike (a commercial red-team framework, not malware written by the group).
Procedures
The group relies on social engineering, webshells on compromised servers, and credential harvesting to gain and extend access to a network. For persistence and lateral movement it uses the open-source Empire framework (EmpireProject) alongside its own TDTESS backdoor.
Indicators of Compromise (IoCs)
Known IOCs associated with Copy Kittens include the following. Network indicators of this kind age quickly (hosting IPs are reassigned and domains lapse or are re-registered), so validate them against current threat intelligence before blocking, and treat a match as a lead to investigate rather than a confirmed intrusion.
IPs: 138.68.90.19, 167.99.202.130
Domains: api.gupdate.net, githubapp.net
Malware: Matryoshka RAT, Cobalt Strike
Key Victims
Copy Kittens has targeted organizations in Israel, Saudi Arabia, Turkey, the U.S., and Germany, focusing on defense, education, and government sectors.
Notable Cyberattacks
Operation Wilted Tulip (activity from 2013, publicly reported in 2017)
Jerusalem Post Breach (2017)
Law Enforcement & Arrests
No arrests have been reported. The group continues to operate with impunity, leveraging state-level resources.
How to Defend Against Copy Kittens
Regularly patch vulnerabilities in public-facing applications, and review web-facing servers for webshells after patching, since a patch does not remove an existing foothold.
Monitor DNS, proxy, and firewall logs for the IOCs listed above, matching subdomains as well as exact hostnames, and watch for phishing and credential-harvesting activity against users.
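The following is an added example, not code from the original page or from any vendor, of how the IOC monitoring step above can be checked against log data. It matches the IP addresses and domains listed in the IoC section against constructed sample log lines (DNS, proxy, and firewall formats invented for this example), treating a subdomain of an IOC domain as a hit and avoiding prefix false positives on IP addresses (138.68.90.190 must not match 138.68.90.19). The log formats and the helper names are assumptions for illustration.

```python
"""Match the Copy Kittens IOCs listed on this page against log lines.

Added example: the log formats below are constructed for illustration and
are not real telemetry; the IOCs are taken from the page and should be
re-validated against current threat intelligence before use.
"""
import re
from ipaddress import ip_address
from typing import Iterable, List, Optional, Tuple

# Indicators as listed on this page (low confidence until re-validated).
IOC_IPS = {"138.68.90.19", "167.99.202.130"}
IOC_DOMAINS = {"api.gupdate.net", "githubapp.net"}

# Constructed sample lines (not real logs): two IOC domain lookups, one IOC
# IP connection, and two benign lines, one of which shares a prefix with an
# IOC IP to exercise the no-prefix-match behaviour.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z dns client=10.0.0.12 query=api.gupdate.net type=A",
    "2024-03-01T10:00:02Z proxy client=10.0.0.12 url=https://cdn.githubapp.net/update.bin status=200",
    "2024-03-01T10:00:03Z fw action=allow src=10.0.0.12 dst=167.99.202.130 dport=443",
    "2024-03-01T10:00:04Z dns client=10.0.0.13 query=github.com type=A",
    "2024-03-01T10:00:05Z fw action=allow src=10.0.0.13 dst=138.68.90.190 dport=443",
]

# Dotted-quad candidates; \b keeps 138.68.90.190 from yielding 138.68.90.19.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostname candidates: one or more labels followed by an alphabetic TLD.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def matches_domain(host: str, ioc_domains: Iterable[str]) -> Optional[str]:
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in ioc_domains:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (kind, indicator) pairs for every IOC found in one log line."""
    hits: List[Tuple[str, str]] = []
    for candidate in IP_RE.findall(line):
        try:
            ip_address(candidate)  # discard things like 999.1.1.1
        except ValueError:
            continue
        if candidate in IOC_IPS:
            hits.append(("ip", candidate))
    for candidate in DOMAIN_RE.findall(line):
        matched = matches_domain(candidate, IOC_DOMAINS)
        if matched is not None:
            hits.append(("domain", matched))
    return hits


def scan_logs(lines: Iterable[str]) -> List[dict]:
    """Scan many lines; each alert records line number, kind, IOC and raw text."""
    alerts = []
    for number, line in enumerate(lines, start=1):
        for kind, ioc in scan_line(line):
            alerts.append({"line": number, "kind": kind, "ioc": ioc, "text": line})
    return alerts


if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOGS):
        print(f"line {alert['line']}: {alert['kind']} IOC {alert['ioc']} in: {alert['text']}")
```

Running the module prints three alerts (two domain hits and one IP hit) and nothing for the benign lines. In production the same matching logic would be fed by a SIEM or log pipeline rather than an in-memory list, and hits should be enriched with the asset and user involved before anyone acts on them.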
Huntress solutions help protect organizations by monitoring endpoints, detecting intrusions, and mitigating Copy Kittens threats with enterprise-grade technology.