Ajax Security Team
A textbook example of the Iranian hacktivist-to-APT pipeline: Ajax Security Team began as a publicly active defacement crew before being recruited into targeted espionage around 2014. Operating as Rocket Kitten, the group conducted campaigns against US defense contractors, Israeli institutions, Iranian dissidents, and users of anti-censorship tools — deploying custom Stealer malware via spearphishing and trojanized software. The group's public-facing members were identified by researchers through OPSEC failures including re-used email addresses in domain registration records. Currently assessed as dormant under this tracking designation, with some overlapping activity absorbed into broader Iranian cluster reporting.
Overview
Ajax Security Team's origins lie in Iran's hacktivist forum culture. The group's founding members — publicly identified as Keyvan Fayaz (handle: HUrr!c4nE) and Ali Alipur (handle: Cair3x) — cut their teeth on website defacements beginning around 2010, operating on Iranian forums including Ashiyane and Shabgard. These forums served as breeding grounds for nationalist hacktivism, where members built reputations through OpIsrael and OpUSA campaigns. The transition pattern is well-documented in Iranian cyber history: public hacktivist activity attracts the attention of government bodies, who then recruit capable operators for more targeted work.
By 2014 the transition was complete. FireEye's Operation Saffron Rose report, published in May 2014, documented Ajax Security Team's pivot to malware-based espionage targeting US defense industrial base organizations and Iranian citizens using anti-censorship tools such as Proxifier and Psiphon. The dual targeting is operationally significant: DIB espionage serves Iranian state intelligence requirements, while targeting anti-censorship tool users serves domestic repression objectives — monitoring and identifying Iranians who circumvent state internet controls.
As Rocket Kitten, the group expanded its scope considerably. A November 2015 OPSEC failure gave Check Point password-less root access to the group's back-end database, Oyun — an application generating personalized phishing pages with a target list of over 1,842 individuals spanning from June 2014 to June 2015. The geographic distribution of those targets — 18% Saudi Arabia, 17% US, 16% Iran, 8% Netherlands, 5% Israel — reflects a targeting profile consistent with Iranian strategic interests across government, defense, diplomacy, journalism, and human rights sectors. The group is currently assessed as dormant under the Ajax Security Team / Rocket Kitten tracking designation, though code and infrastructure overlaps with other Iranian clusters complicate a definitive cessation assessment.
Some vendors list Ajax Security Team as an alias for APT35 / Charming Kitten. MITRE ATT&CK tracks Ajax Security Team as a distinct group (G0130), separate from APT35 (G0059), based on differences in tooling, targeting, and operational profile. This profile follows the MITRE tracking. Analysts should verify which tracking methodology their vendor intelligence uses when correlating alerts.
Target Profile
Ajax Security Team's targeting served two parallel objectives: external espionage aligned with Iranian state intelligence requirements, and internal suppression of dissent and anti-censorship tool use.
- US defense industrial base: Companies in the aerospace and defense sectors, specifically those involved with US military programs. Initial access lures impersonated the IEEE Aerospace Conference — a real event relevant to the targets' professional contexts — with a fake registration domain (aeroconf2014.org) delivering Stealer malware via a malicious proxy software download prompt.
- Israeli institutions: Government, military, and research organizations. Targeting consistent with Iranian geopolitical priorities. Israeli nuclear scientists were documented among Rocket Kitten's confirmed targets.
- Iranian dissidents inside and outside Iran: Individuals using Proxifier, Psiphon, and other anti-censorship tools to bypass Iran's national internet filters. Malware was disguised as legitimate versions of these tools and distributed to users seeking to evade surveillance. 77 victims were identified from a single C2 server analyzed during the FireEye investigation.
- Saudi Arabia, Netherlands, and broader regional targets: The Rocket Kitten target list recovered from the Oyun database showed concentration in Saudi Arabia (18%) alongside the US, Iran, Netherlands, and Israel — consistent with MOIS or IRGC intelligence collection requirements against regional rivals and diaspora communities.
- NATO officials and diplomatic targets: Check Point's Rocket Kitten research documented targeting of NATO officials and diplomats, expanding the scope beyond the narrower Saffron Rose targeting profile.
- Telegram users (2016): In August 2016, the exploitation of Telegram's SMS-based verification to compromise accounts and harvest the user IDs and phone numbers of approximately 15 million Iranian Telegram users was attributed to Rocket Kitten — a domestic surveillance operation at scale.
Tactics, Techniques & Procedures
Documented TTPs from FireEye's Operation Saffron Rose report (2014), Check Point's Rocket Kitten report (2015), and Trend Micro's Operation Woolen-Goldfish analysis (2015).
| MITRE ID | Technique | Description |
|---|---|---|
| T1566.002 | Spearphishing Link | Targets received spearphishing emails and social media messages linking to attacker-controlled domains impersonating legitimate services. Links directed to fake login pages (OWA, VPN portals, conference registration sites) or to pages prompting a malicious software download disguised as a browser update or proxy tool. |
| T1598.003 | Phishing for Information — Spearphishing Link | Credential harvesting via spoofed Outlook Web Access and VPN login pages. Domains registered to closely mimic legitimate organizational login portals. Harvested credentials used for follow-on access to email and corporate systems — in some cases the credential phishing page then redirected the victim to a malware download, combining both objectives in a single interaction. |
| T1204.002 | User Execution — Malicious File | Stealer malware delivered as a CAB archive requiring manual execution. The CAB extractor drops IntelRS.exe, which installs the backdoor. Anti-censorship tool users targeted with trojanized versions of Proxifier and Psiphon — legitimate software bundled with Stealer, exploiting the targets' trust in tools they actively sought out to bypass censorship. |
| T1056.001 | Input Capture — Keylogging | Stealer / IntelRS.exe logs all keystrokes on infected systems, capturing credentials, communications, and other typed content. Keylogger output encrypted and stored temporarily on the victim machine before exfiltration. |
| T1113 | Screen Capture | Stealer captures periodic screenshots of the compromised system, providing the operator with visual context on victim activity beyond what keylogging alone captures. |
| T1071.002 | Application Layer Protocol — File Transfer Protocols | Stealer exfiltrates collected data to attacker-controlled C2 servers via FTP — a less common C2 channel that may evade HTTP-focused network monitoring. Data is encrypted before transfer. |
| T1539 | Steal Web Session Cookie | Stealer harvests browser history, bookmarks, and session data from installed browsers. Combined with keylogging, this provides comprehensive credential and session token coverage across victim web activity. |
| T1583.001 | Acquire Infrastructure — Domains | Ajax Security Team registered domains closely mimicking legitimate targets — IEEE conference registrations, organizational VPN portals, and OWA login pages. Infrastructure registration initially used personal email addresses linked to public hacktivist forum accounts — OPSEC failures that allowed researchers to identify the group's founding members by name. |
| T1036.005 | Masquerading — Match Legitimate Name or Location | Malware deployed as IntelRS.exe — a name chosen to suggest legitimate Intel software. Anti-censorship tool trojans presented as functional, legitimate versions of Proxifier and Psiphon. Conference lure domain aeroconf2014.org registered to mimic the legitimate IEEE Aerospace Conference domain. |
Known Campaigns
Confirmed or highly attributed operations linked to Ajax Security Team and its Rocket Kitten persona.
Operation Saffron Rose (2014)
The campaign that publicly named Ajax Security Team as a threat actor, documented by FireEye in May 2014. The group targeted US defense industrial base organizations using a fake IEEE Aerospace Conference registration page (aeroconf2014.org) to deliver Stealer malware. Simultaneously, the group targeted Iranian citizens using anti-censorship tools (Proxifier, Psiphon) with trojanized versions of those tools — 77 victims identified from a single analyzed C2 server. Credential phishing via spoofed OWA and VPN portals ran in parallel. OPSEC failures in domain registration — using personal email addresses traceable to hacktivist forum accounts — allowed researchers to identify founding members Keyvan Fayaz (HUrr!c4nE) and Ali Alipur (Cair3x) by name.
Operation Woolen-Goldfish (2015)
Documented by Trend Micro in March 2015 as a continuation and evolution of the Saffron Rose activity cluster under the Rocket Kitten designation. The campaign featured improved spearphishing content quality over earlier operations, targeting individuals across government, academia, and human rights organizations. The combination of credential phishing and malware delivery — sometimes in a single interaction where the credential harvest page redirected to a malware download — represented a capability improvement over Saffron Rose's simpler approach.
Rocket Kitten back-end exposure (2015)
Check Point's November 2015 report documented Rocket Kitten operations spanning over a year, including a critical OPSEC failure: security errors by the group allowed Check Point to gain password-less root access to Oyun, the group's back-end phishing infrastructure database. The database revealed a personalized phishing page generator and a list of over 1,842 individual targets from June 2014 to June 2015. Confirmed targets included Iranian dissidents, the Saudi royal family, Israeli nuclear scientists, and NATO officials. Geographic breakdown: 18% Saudi Arabia, 17% US, 16% Iran, 8% Netherlands, 5% Israel.
Telegram account harvesting (2016)
In August 2016, the exploitation of Telegram's reliance on SMS-based verification to compromise accounts at scale was attributed to Rocket Kitten. The operation harvested user IDs and phone numbers of approximately 15 million Iranian Telegram users — a domestic surveillance operation providing MOIS with a database of Telegram account holders inside Iran for potential monitoring, identification, and targeting of dissidents and political opponents.
Tools & Malware
Ajax Security Team's toolset was custom-developed and not observed in use by other threat groups at the time of FireEye's disclosure, though the underlying components were not especially sophisticated.
- Stealer: The group's primary malware family. Delivered as a CAB archive. Capabilities include system information collection (running processes, IP addresses), keylogging, screenshot capture, browser data harvesting (history, bookmarks, session cookies), instant messaging account data collection, and email account harvesting. All collected data is encrypted and temporarily stored on the victim machine before FTP exfiltration to C2 servers. Not publicly available at the time of initial disclosure — custom-developed for Ajax Security Team operations.
- IntelRS.exe: The backdoor component dropped by the Stealer CAB extractor. Named to suggest legitimate Intel software. Establishes the FTP-based C2 channel and hosts the keylogger and screenshot-grabbing components. Provides persistent access to the compromised system.
- Trojanized anti-censorship tools: Legitimate copies of Proxifier and Psiphon bundled with Stealer malware. Distributed to Iranian dissidents and censorship circumvention tool users — exploiting the inherent trust these users place in tools they actively sought out. Allowed the group to reach targets who might not respond to conventional spearphishing.
- Oyun: The group's back-end phishing infrastructure — a web application generating personalized phishing pages for individual targets. Discovered during Check Point's accidental access following a Rocket Kitten OPSEC failure in November 2015. Contained a target database of over 1,842 individuals.
- Spoofed login pages: Custom phishing pages mimicking Microsoft OWA, VPN portals, and conference registration sites. Some pages served dual purpose — harvesting credentials on entry, then redirecting to malware download prompts. Hosted on attacker-registered lookalike domains.
Indicators of Compromise
Historical indicators from documented Ajax Security Team / Rocket Kitten campaigns. These are primarily of archival and threat hunting reference value given the group's dormant status — infrastructure has long since been burned or recycled.
Infrastructure IOCs from the 2014–2016 campaign period are entirely burned and should not be used for active blocking. The behavioral patterns documented in the TTPs and Mitigation & Defense sections are more relevant for historical hunting and for understanding the group's methodology in case of reactivation.
Mitigation & Defense
Defensive recommendations based on Ajax Security Team's documented methodology. Given the group's dormant status, these apply primarily if reactivation is observed or for organizations reviewing historical exposure.
- Train users to verify conference and event registration domains: The IEEE Aerospace Conference lure worked because legitimate-seeming domains were plausible to the target audience. Train employees — especially those in defense, aerospace, and government — to verify conference registration URLs against official event communications before downloading any software or submitting credentials.
- Block FTP-based exfiltration: Stealer's use of FTP for C2 is atypical. Restrict outbound FTP connections to explicitly approved destinations and alert on FTP traffic originating from workstations rather than dedicated file transfer systems.
- Enforce MFA on OWA and VPN portals: Credential harvesting via spoofed OWA and VPN login pages was a core Ajax Security Team tactic. MFA on all externally facing authentication portals significantly reduces the value of phished credentials. Phishing-resistant MFA (FIDO2) is preferable.
- Alert on CAB file execution: Stealer was delivered as a CAB archive requiring execution. CAB file execution outside of software deployment contexts is uncommon and worth alerting on, particularly if followed by new process creation.
- Warn users about trojanized software risk: Iranian dissidents and users of anti-censorship tools remain at risk from trojanized versions of circumvention tools distributed through unofficial channels. Organizations supporting Iranian civil society or working with Iranian diaspora communities should specifically warn users to obtain Proxifier, Psiphon, and similar tools only from official verified sources.
- Monitor for lookalike domain registrations: Ajax Security Team registered domains impersonating organizational login portals and legitimate professional conferences. Monitor for newly registered domains typosquatting your organization's login infrastructure or impersonating industry events relevant to your employees.
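The FTP, CAB-execution and lookalike-domain recommendations above can be turned into concrete hunting logic. The Python below is an added example written for this profile, not code from the cited reports or from any vendor product. The workstation subnet, the approved FTP server, the deployment-agent name (ccmexec.exe), the organization's portal label example-corp, and every sample flow, process event and domain are constructed assumptions; only the Stealer behaviours being modelled (FTP exfiltration, a CAB extractor dropping IntelRS.exe, lookalike portal domains) come from the profile.

```python
"""Detection logic for three of the recommendations above: outbound FTP from
workstations, CAB extraction followed by a process launch from a user-writable
path, and newly registered lookalike domains. Environment constants and all
sample telemetry are constructed for this example, not taken from the reports."""
import ipaddress
import ntpath
from datetime import datetime, timedelta

# Assumptions about the monitored environment (hypothetical, not from the profile).
WORKSTATION_NETS = [ipaddress.ip_network("10.10.0.0/16")]  # user endpoint subnet
APPROVED_FTP_DESTS = {"203.0.113.10"}                       # sanctioned file-transfer server
DEPLOYMENT_PARENTS = {"ccmexec.exe"}                        # deployment agent allowed to unpack CABs
CAB_EXTRACTORS = {"expand.exe", "extrac32.exe"}             # built-in Windows CAB extractors
ORG_BASE = "example-corp"                                   # registrable label of the org's OWA/VPN portals
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")    # markers for user-writable paths


def _ts(value):
    return datetime.fromisoformat(value)


def flag_workstation_ftp(flows):
    """Return FTP control connections (tcp/21) from a workstation subnet to a
    destination not on the approved list; Stealer exfiltrated to its C2 over FTP."""
    hits = []
    for flow in flows:
        src = ipaddress.ip_address(flow["src"])
        from_workstation = any(src in net for net in WORKSTATION_NETS)
        if flow["dport"] == 21 and from_workstation and flow["dst"] not in APPROVED_FTP_DESTS:
            hits.append(flow)
    return hits


def flag_cab_then_process(events, window_seconds=120):
    """Pair each CAB extraction not launched by a deployment agent with a process
    that starts on the same host, within the window, from a user-writable path
    (the Stealer CAB dropping IntelRS.exe is the pattern this models)."""
    events = sorted(events, key=lambda e: _ts(e["ts"]))
    pairs = []
    for i, event in enumerate(events):
        image = ntpath.basename(event["image"]).lower()
        if image not in CAB_EXTRACTORS or event["parent"].lower() in DEPLOYMENT_PARENTS:
            continue
        deadline = _ts(event["ts"]) + timedelta(seconds=window_seconds)
        for later in events[i + 1:]:
            if later["host"] != event["host"] or _ts(later["ts"]) > deadline:
                continue
            if any(marker in later["image"].lower() for marker in USER_WRITABLE):
                pairs.append((event, later))
    return pairs


def _levenshtein(a, b):
    """Plain dynamic-programming edit distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_lookalike_domains(new_domains, max_distance=2):
    """Flag registrations that contain every brand token of the org's portal label
    (owa-example-corp.com) or sit within a small edit distance of it
    (examp1e-corp.com). The org's own domain and its subdomains are skipped."""
    brand = set(ORG_BASE.split("-"))
    hits = []
    for domain in new_domains:
        base = ".".join(domain.lower().split(".")[:-1])  # strip the TLD label
        if base == ORG_BASE or base.endswith("." + ORG_BASE):
            continue
        tokens = set(base.replace(".", "-").split("-"))
        if brand <= tokens:
            hits.append((domain, "contains brand tokens"))
        elif _levenshtein(base, ORG_BASE) <= max_distance:
            hits.append((domain, "near-miss spelling"))
    return hits


# Constructed sample telemetry (TEST-NET addresses; hostnames and paths are invented).
FLOWS = [
    {"ts": "2015-06-01T09:00:00", "src": "10.10.4.23", "dst": "198.51.100.7", "dport": 21},
    {"ts": "2015-06-01T09:05:00", "src": "10.10.4.23", "dst": "203.0.113.10", "dport": 21},
    {"ts": "2015-06-01T09:06:00", "src": "10.20.1.5", "dst": "198.51.100.7", "dport": 21},
    {"ts": "2015-06-01T09:07:00", "src": "10.10.4.23", "dst": "198.51.100.7", "dport": 443},
]
PROCESS_EVENTS = [
    {"ts": "2015-06-01T09:01:00", "host": "WS-0423", "image": r"C:\Windows\System32\expand.exe", "parent": "explorer.exe"},
    {"ts": "2015-06-01T09:01:30", "host": "WS-0423", "image": r"C:\Users\alice\AppData\Local\Temp\IntelRS.exe", "parent": "expand.exe"},
    {"ts": "2015-06-01T09:01:45", "host": "WS-0911", "image": r"C:\Windows\System32\expand.exe", "parent": "ccmexec.exe"},
    {"ts": "2015-06-01T09:02:00", "host": "WS-0911", "image": r"C:\Users\bob\AppData\Local\Temp\update.exe", "parent": "expand.exe"},
    {"ts": "2015-06-01T09:30:00", "host": "WS-0423", "image": r"C:\Users\alice\Downloads\notes.exe", "parent": "explorer.exe"},
]
NEW_DOMAINS = ["owa-example-corp.com", "example-corp-vpn.net", "examp1e-corp.com",
               "shop-unrelated.com", "vpn.example-corp.com"]

if __name__ == "__main__":
    for flow in flag_workstation_ftp(FLOWS):
        print("workstation FTP to unapproved host:", flow["src"], "->", flow["dst"])
    for cab, child in flag_cab_then_process(PROCESS_EVENTS):
        print("CAB extraction followed by launch:", cab["host"], child["image"])
    for domain, reason in flag_lookalike_domains(NEW_DOMAINS):
        print("lookalike registration:", domain, "-", reason)
```

On the sample data only the first flow, the WS-0423 expand.exe → IntelRS.exe pair, and the first three domains are flagged: the approved FTP server, the server-subnet source, the deployment-agent CAB extraction and the org's own vpn subdomain are all suppressed by the allow-lists, which is where most of the tuning effort goes when this is run against real telemetry.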
Ajax Security Team's public OPSEC failures — real email addresses in domain WHOIS records traceable to Iranian hacktivist forum accounts, and accidental exposure of the Oyun phishing database — make this one of the better-documented cases of Iranian hacktivist-to-APT recruitment. The founding members Keyvan Fayaz and Ali Alipur were publicly named by researchers. The group's evolution from OpIsrael defacements to defense contractor espionage illustrates a recruitment and tasking pattern that has been observed repeatedly across the Iranian threat ecosystem.
Sources & Further Reading
Attribution and references used to build this profile.
- MITRE ATT&CK — Ajax Security Team Group G0130
- FireEye — Operation Saffron Rose (2014)
- Check Point — Rocket Kitten: A Campaign with 9 Lives (2015)
- Trend Micro — Operation Woolen-Goldfish: When Kittens Go Phishing (2015)
- Dark Reading — On The Trail of an Iranian Hacking Operation (2014)
- Wikipedia — Rocket Kitten