Domestic Kitten (aka APT-C-50), an Iran-based threat group, has been conducting widespread surveillance campaigns targeting over 1,200 individuals. At present, four active campaigns have been discovered by experts that target individuals located in Iran, the U.S., Pakistan, and Afghanistan. These campaigns have been active since 2016.
What has been discovered?
This operation had 10 unique campaigns that targeted over 1,200 individuals with more than 600 successful infections. In addition, it included four active campaigns, and the most recent began in November 2020.
- Initially, targeted victims are lured to install a malicious application by various vectors, such as an Iranian blog site, Telegram channels, and an SMS that contains a link to the malicious application.
- So far, the country-wise count of targeted victims is Iran (251), the U.S. (25), Great Britain (3), Pakistan (19), Afghanistan (8), Turkey (1), and Uzbekistan (2).
- In the recent ‘hass’ campaign, attackers mimic a Tehran-based application - Mohsen Restaurant. In another ‘mmh’ campaign, they mimicked ISIS supporters and an infected version of the Exotic Flowers application from Google Play.
At the beginning of these surveillance campaigns, the attackers were observed to be using the FurBall malware. This is spyware that pretends to be a security application or screen wallpapers.
Despite being discovered in 2018, this campaign continued its extensive surveillance operations. The attacks are focused on the mobile phones of targeted individuals.
- According to intelligence experts, such extensive surveillance operations are carried out by Iranian government entities, such as the Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence.
- The outcome of these surveillance programs is often used against individuals and groups that could pose a threat to the stability of the Iranian regime.
The recent campaigns show how Iranian-based hackers have refined their technical proficiency and abilities. Thus, experts suggest using up-to-date antivirus applications in a smartphone, a genuine source for downloading applications, and avoiding opening links arriving via SMS or shared on social media applications.