Active threat profile
Type: nation-state
Threat level: high
Status: active
Origin: Iran — state-linked
Last updated: 2025-03-27

CopyKittens

Also known as: Slayer Kitten, Operation Wilted Tulip, G0052

An Iran-linked espionage group profiled jointly by ClearSky and Trend Micro, notable for succeeding despite relatively unsophisticated tradecraft. Active since at least 2013, CopyKittens targeted government organizations, academic institutions, defense companies, and NGOs across Israel, Saudi Arabia, Turkey, Jordan, the US, and Germany. Operation Wilted Tulip documented the group's most operationally distinctive technique: gaining access to one email account inside a target organization, then waiting for natural conversation threads to develop before inserting a malicious link into a reply — a trusted-context attack that bypasses conventional suspicion. The group's persistence across multiple access vectors, combined with a willingness to use commercially available offensive tools alongside custom malware, made it consistently effective despite an observable lack of stealth.

Attributed origin: Iran
Suspected sponsor: Iranian state (direct agency link inconclusive; targeting consistent with MOIS/IRGC priorities)
First observed: 2013
Primary motivation: Espionage — bulk document and data theft from government, defense, and academic targets
Primary targets: Government (MFA), defense contractors, academic institutions, large IT firms, UN employees
Known campaigns: 4+ confirmed
MITRE ATT&CK group: G0052
Target regions: Israel, Saudi Arabia, Turkey, US, Jordan, Germany; occasional UN-affiliated targets globally
Threat level: HIGH

Overview

CopyKittens was first publicly documented in November 2015 by ClearSky and Minerva Labs, though the group had been operating since at least 2013. The name derives from the group's operational approach: rather than developing highly sophisticated original tooling, the group assembled its capabilities from existing malware components, modified commercial offensive tools, and publicly available exploitation frameworks — building an effective toolkit through adaptation rather than innovation.

The definitive public account of the group came in July 2017 with Operation Wilted Tulip — a joint report by ClearSky and Trend Micro that documented four years of espionage activity in detail. The report described CopyKittens as "very persistent, despite lacking technological sophistication and operational discipline" — a characterization that captures the group's defining quality. The attackers would often get greedy after achieving initial access, infecting multiple computers across a breached network simultaneously. This noisy behavior frequently triggered defensive systems and incident response, yet the group kept operating across multiple vectors and platforms until it achieved its intelligence objectives, and it sustained operations for years despite repeated public exposure.

The group's infrastructure was primarily hosted in the US, Russia, and the Netherlands, and it used DNS as a command and control channel — a technique implemented both in its custom Matryoshka RAT and in its use of Cobalt Strike, which helped blend C2 traffic with legitimate DNS queries. The objective across all documented operations was consistent: acquiring large volumes of documents, spreadsheets, personal data files, configuration files, and databases from high-value targets aligned with Iranian strategic intelligence interests.

analyst note

CopyKittens is a useful case study in why sophistication is not a reliable predictor of threat impact. The group succeeded for years across multiple countries while exhibiting poor OPSEC and noisy post-compromise behavior — because persistence across multiple access vectors and a willingness to repeatedly retry compromised targets compensated for individual operational failures. Organizations should not deprioritize monitoring for less sophisticated threat actors.

Target Profile

CopyKittens targeted sectors and geographies consistent with Iranian strategic intelligence requirements, with a particular emphasis on diplomatic, defense, and academic organizations.

  • Ministries of Foreign Affairs: A primary target category across multiple countries. A Turkish Republic of Northern Cyprus MFA employee account was compromised in April 2017 and used to send weaponized documents to foreign affairs ministries globally — exploiting the trust inherent in known diplomatic correspondence.
  • Defense contractors and MoD subcontractors: Defense companies and subcontractors of Ministries of Defense across target countries, pursued for classified program data, procurement information, and military technology.
  • Academic institutions: Universities and research organizations targeted for research data, faculty credentials, and as stepping stones to higher-value connected networks.
  • Large IT companies: Major technology firms targeted as a supply chain access vector — compromising an IT provider creates potential downstream access to all of its clients.
  • Municipal authorities: Local and regional government organizations targeted for PII, administrative data, and potential lateral access into national government systems.
  • UN employees and NGOs: United Nations staff and associated international organizations targeted for diplomatic intelligence and policy deliberations.
  • Media organizations: The Jerusalem Post, Maariv news, and IDF Disabled Veterans Organization were among the websites compromised and weaponized as watering hole delivery platforms — both as a means to reach target audiences and as part of information operations against Israeli institutions.

Tactics, Techniques & Procedures

Documented TTPs from the 2015 ClearSky/Minerva Labs report and the 2017 Operation Wilted Tulip joint report by ClearSky and Trend Micro.

  • T1566.001 Spearphishing Attachment: Weaponized Microsoft Office documents delivered as email attachments — including exploitation of CVE-2017-0199 (a zero-day at the time of some campaigns). Documents contain malicious macros prompting the victim to enable content, or embedded executables. Matryoshka RAT is a primary spearphishing payload.
  • T1566.002 Spearphishing Link: Emailed links to attacker-controlled websites hosting known exploits. Facebook profiles (fake personas including "Amanda Morgan," "Erik Brown") used to spread malicious links impersonating Israeli news outlets such as Haaretz — a haarettz.co[.]il typosquatting domain used to build social engineering reach among Israeli targets.
  • T1534 Internal Spearphishing: The group's most operationally distinctive technique. After compromising an email account inside a target organization, CopyKittens waits for natural conversation threads to develop between the compromised account and high-value contacts, then inserts a malicious link into an existing reply — bypassing suspicion because the message arrives from a known contact in an ongoing real conversation. Documented with the Turkish Northern Cyprus MFA account, used to reach foreign affairs ministries globally.
  • T1189 Drive-by Compromise: Watering hole attacks via JavaScript injection into compromised strategic websites — including The Jerusalem Post, Maariv news, and the IDF Disabled Veterans Organization. The BSI (Germany's Federal Office for Information Security) issued a specific alert regarding the Jerusalem Post compromise. JavaScript code performed information gathering and social engineering, asking visitors to install malware or submit credentials.
  • T1190 Exploit Public-Facing Application: Web servers of target organizations scanned and exploited using Havij (SQL injection), sqlmap, and Acunetix. Web-based exploitation used as a parallel initial access pathway alongside spearphishing and watering holes — the group combined all three vectors persistently against the same targets until achieving infection.
  • T1071.004 Application Layer Protocol — DNS: DNS used as the C2 channel for Matryoshka RAT and configured Cobalt Strike deployments. DNS-based C2 and data exfiltration blends malicious traffic with legitimate DNS queries, reducing detection likelihood in environments without DNS traffic inspection. Infrastructure primarily hosted in the US, Russia, and the Netherlands.
  • T1059.001 Command and Scripting Interpreter — PowerShell: Empire post-exploitation framework used for PowerShell-based post-compromise operations including lateral movement, persistence, and data collection. Empire provides an encrypted C2 channel and a broad set of modules for post-exploitation tasks without requiring additional malware deployment.
  • T1021.001 Remote Services — RDP: Vminst lateral movement tool used to move across compromised networks. Combined with RDP and legitimate administrative protocols for internal traversal after initial foothold. The group's non-stealthy lateral movement — infecting multiple systems simultaneously — is the primary behavioral indicator triggering detection.
  • T1003 OS Credential Dumping: Mimikatz deployed post-compromise for credential harvesting. Harvested credentials used for lateral movement to higher-value systems and for accessing additional email accounts — which are then used for further trusted-context spearphishing operations against the compromised organization's contacts.
  • T1560 Archive Collected Data: ZPP (a custom files compression console program) used to archive collected data before exfiltration. The objective across all campaigns was bulk collection of documents, spreadsheets, PII files, configuration files, and databases — ZPP enabled efficient staging of large data volumes for transfer.
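The simultaneous multi-host infection noted under T1021.001 is the group's most reliable behavioral signal. The detector below is an added example, not code from ClearSky, Trend Micro or any tool named on this page; it reads EDR-style alert lines in a constructed format (with constructed sample data) and reports windows in which several hosts raise their first alert within minutes of each other.

```python
from datetime import datetime, timedelta

# Constructed EDR-style alert lines: "<ISO timestamp> <host> <alert>".
# Neither the format nor the hosts are real telemetry; they exist only for this example.
SAMPLE_ALERTS = """\
2017-04-10T09:00:00 ws-017 credential_dump_lsass
2017-04-10T09:00:11 ws-017 suspicious_powershell
2017-04-10T09:01:40 ws-023 suspicious_powershell
2017-04-10T09:02:05 ws-031 new_service_install
2017-04-10T09:02:50 ws-044 suspicious_powershell
2017-04-10T09:03:30 ws-052 credential_dump_lsass
2017-04-10T14:30:00 ws-101 adware_quarantined
2017-04-11T08:15:00 ws-102 adware_quarantined
"""


def parse_alerts(text):
    """Parse alert lines into sorted (timestamp, host, alert) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, alert = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts), host, alert))
    return sorted(events)


def first_seen_per_host(events):
    """Keep only each host's first alert: a burst of newly alerting hosts is the signal,
    not repeated alerts on one already-known host."""
    seen = {}
    for ts, host, alert in events:
        if host not in seen:
            seen[host] = (ts, alert)
    return sorted((ts, host, alert) for host, (ts, alert) in seen.items())


def detect_bursts(events, window=timedelta(minutes=10), min_hosts=4):
    """Slide a window over first-seen host alerts; report each window holding >= min_hosts.

    Returns [(window_start, [hosts...]), ...]; a host belongs to at most one burst.
    """
    firsts = first_seen_per_host(events)
    bursts = []
    i = 0
    while i < len(firsts):
        start = firsts[i][0]
        hosts = [h for ts, h, _ in firsts[i:] if ts <= start + window]
        if len(hosts) >= min_hosts:
            bursts.append((start, hosts))
            i += len(hosts)          # skip past this burst so it is reported once
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    for start, hosts in detect_bursts(parse_alerts(SAMPLE_ALERTS)):
        print(f"{start.isoformat()}: {len(hosts)} hosts first alerted within 10 min: {hosts}")
```

Tune `window` and `min_hosts` to the environment's normal rate of new-host alerts; the two isolated adware events in the sample show why a threshold on distinct hosts, not on alert count, is what separates a lateral-movement burst from background noise.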

Known Campaigns

Confirmed or highly attributed operations linked to CopyKittens across its operational history.

Initial Israeli Targeting Campaign 2013–2015

CopyKittens' founding campaign set, first documented by ClearSky and Minerva Labs in November 2015. The campaigns initially focused on Israeli individuals, including diplomats and researchers, and were delivered via spearphishing carrying Matryoshka v1 RAT payloads. Fake Facebook personas including "Amanda Morgan" and "Erik Brown" were used to spread links to a website impersonating Haaretz news (haarettz.co[.]il) and to build trust networks among Israeli targets. Amanda Morgan remained active as late as the 2017 report, with thousands of followers. ClearSky also detected 550 targets in a concurrent Rocket Kitten/CopyKittens campaign in 2015, most located in the Middle East.

German Bundestag Watering Hole 2017

Members of the German Bundestag were compromised via watering hole attacks embedded in legitimate websites — JavaScript code injected into multiple sites redirected Bundestag members to exploit-hosting pages. The compromise prompted ClearSky to publish a dedicated report in March 2017, and the German Federal Office for Information Security (BSI) issued a public alert specifically citing the Jerusalem Post watering hole as a threat to German users visiting the site.

Turkish MFA Account Hijack — Global MFA Targeting 2017

In April 2017, CopyKittens breached an email account belonging to an employee of the Ministry of Foreign Affairs of the Turkish Republic of Northern Cyprus. Rather than immediately deploying malware, the group waited for natural diplomatic correspondence to develop, then used the compromised account to send weaponized documents to foreign affairs ministries across multiple countries — exploiting the trust inherent in diplomatic email chains from a known sender. A document likely stolen from the Turkish Ministry of Foreign Affairs was also used as a decoy lure in related operations.

Operation Wilted Tulip — Broad Espionage Campaign 2013–2017

The comprehensive designation applied by ClearSky and Trend Micro to CopyKittens' entire four-year operational span, documented in the July 2017 joint report. The campaign encompassed all documented targets across Israel, Saudi Arabia, Turkey, US, Jordan, and Germany, using the full range of the group's tools and access methods. Targets included government MFA offices, defense contractors, MoD subcontractors, universities, municipal authorities, large IT companies, and UN employees. The report introduced previously undocumented custom tools (TDTESS, Vminst, NetSrv, ZPP) and Matryoshka v2 alongside the full infrastructure analysis. C2 infrastructure was primarily based in the US, Russia, and the Netherlands.

Tools & Malware

CopyKittens employed a layered toolkit combining custom-developed malware, modified commercial offensive tools, and publicly available exploitation frameworks. The group's name reflects its approach: assembling capabilities from existing components rather than developing them from scratch.

  • Matryoshka RAT (v1 and v2): CopyKittens' primary custom remote access trojan, named for its multi-stage framework. Uses DNS for C2 communication and data exfiltration — a channel that blends with legitimate traffic and evades HTTP-focused monitoring. Capabilities include password theft, screenshot capture, keylogging, file collection and upload, and Meterpreter shell access. Spread via spearphishing with malicious macro documents or embedded executables. Version 2 introduced updated functionality while maintaining the same general architecture. First analyzed in 2015; observed in the wild through at least January 2017.
  • TDTESS: A custom .NET binary backdoor introduced in Operation Wilted Tulip reporting. Provides persistent backdoor access to compromised systems with C2 communication capabilities. Not publicly reported prior to the 2017 ClearSky/Trend Micro report.
  • Vminst: A custom lateral movement tool used to traverse compromised networks after initial access. Used alongside RDP and other legitimate administrative protocols for internal movement.
  • NetSrv: A custom Cobalt Strike loader. Used to establish Cobalt Strike beacon sessions on compromised hosts — combining the group's custom infrastructure with Cobalt Strike's extensive post-exploitation capability set.
  • ZPP: A custom files compression console program used to archive collected data before exfiltration. Enables efficient staging of large document and database collections for transfer to C2 servers.
  • Cobalt Strike (trial version): CopyKittens used the commercial trial version of Cobalt Strike for adversary simulation and post-exploitation. DNS-based C2 configured in Cobalt Strike matched the group's preference for DNS tunneling as a covert channel.
  • Metasploit: Open-source exploitation framework used for remote exploitation of identified vulnerabilities in target systems.
  • Empire: PowerShell and Python post-exploitation agent used for post-compromise operations including privilege escalation, lateral movement, and data collection via an encrypted C2 channel.
  • Mimikatz: Credential dumping tool deployed post-compromise to harvest account credentials for lateral movement and email account access.
  • Havij, sqlmap, Acunetix: Automated SQL injection and vulnerability scanning tools used to identify and exploit internet-facing web servers of target organizations — providing a web exploitation pathway parallel to spearphishing.

Indicators of Compromise

Behavioral indicators from documented CopyKittens campaigns. Specific infrastructure IOCs from the 2013–2017 operational period are largely burned; the behavioral patterns below are more durable for detection engineering.

warning

CopyKittens' C2 infrastructure was primarily hosted in the US, Russia, and the Netherlands — geographic regions also used by legitimate services. IP-based blocking against this group has high false-positive risk. Focus detection on behavioral indicators, particularly the DNS-based C2 patterns and the noisy lateral movement signature.

Behavioral indicators of compromise
  • Network: High-volume or unusual DNS query patterns from workstations — particularly TXT or CNAME records to non-standard domains (Matryoshka and Cobalt Strike DNS C2)
  • Behavior: Rapid lateral movement immediately after initial compromise — simultaneous infection of multiple systems across the network, triggering multiple concurrent EDR or AV alerts
  • Email: Malicious link or attachment delivered from a known internal sender in reply to an ongoing legitimate email thread — trusted-context internal spearphishing pattern
  • Process: ZPP.exe execution creating large compressed archives in temp or user directories containing documents, spreadsheets, or database files — pre-exfiltration staging
  • Web: Injected JavaScript in legitimate website pages performing credential harvesting or redirecting visitors to exploit-hosting domains (watering hole indicator)
  • Tool: Havij.exe, sqlmap execution, or Acunetix scans originating from internal hosts — web exploitation tooling running from inside the network post-compromise
  • Process: Mimikatz execution or LSASS memory access by non-system processes — credential harvesting activity preceding lateral movement phase
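As an added illustration of the network indicator above (not code from ClearSky, Trend Micro or any CopyKittens tool), this script scores per-client DNS activity for the traits the table describes: query volume, the share of TXT/CNAME lookups, and high-entropy, mostly unique leftmost labels. The log format, thresholds, domain names and sample traffic are constructed assumptions.

```python
# Added example: heuristic DNS C2 scoring over constructed lines "<epoch> <client> <qtype> <qname>".
import math
import random
from collections import defaultdict

def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label; hex-encoded beacon labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_domain(qname):
    """Assumption: registrable domain is the last two labels (no public-suffix list offline)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def score_dns_log(lines, min_queries=20, min_txt_ratio=0.5, min_entropy=3.0):
    """Flag (client, domain) pairs above min_queries whose lookups are mostly TXT/CNAME,
    or whose leftmost labels are high-entropy and mostly unique (the tunnelling signature)."""
    stats = defaultdict(lambda: {"total": 0, "txt_cname": 0, "entropy": 0.0, "names": set()})
    for line in lines:
        if not line.strip():
            continue
        _ts, client, qtype, qname = line.split()
        s = stats[(client, registrable_domain(qname))]
        s["total"] += 1
        if qtype.upper() in ("TXT", "CNAME"):
            s["txt_cname"] += 1
        s["entropy"] += label_entropy(qname.split(".")[0])
        s["names"].add(qname.lower())
    flagged = {}
    for key, s in stats.items():
        if s["total"] < min_queries:
            continue
        txt_ratio = s["txt_cname"] / s["total"]
        mean_entropy = s["entropy"] / s["total"]
        unique_ratio = len(s["names"]) / s["total"]
        if txt_ratio >= min_txt_ratio or (mean_entropy >= min_entropy and unique_ratio >= 0.8):
            flagged[key] = {"total": s["total"], "txt_ratio": round(txt_ratio, 2),
                            "mean_entropy": round(mean_entropy, 2), "unique_ratio": round(unique_ratio, 2)}
    return flagged

def build_sample_log():
    """Constructed sample: ordinary A lookups from three hosts, plus beacon-style TXT queries
    with random 24-hex-character labels from one host (seeded, so the result is reproducible)."""
    rng = random.Random(7)
    t = 1700000000
    lines = [f"{t + i} 10.0.0.{5 + i % 3} A {rng.choice(['www', 'cdn', 'mail', 'api'])}.example.com"
             for i in range(30)]
    for i in range(40):
        label = "".join(rng.choice("0123456789abcdef") for _ in range(24))
        lines.append(f"{t + i} 10.0.0.5 TXT {label}.api.updates-c2.test")
    return lines

if __name__ == "__main__":
    for (client, domain), info in score_dns_log(build_sample_log()).items():
        print(f"{client} -> {domain}: {info}")
```

Thresholds need a baseline from the environment first: CDNs, anti-spam lookups and some EDR agents also produce many unique subdomains, so the volume floor and the unique-label test are what keep the false-positive rate workable.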

Mitigation & Defense

Recommended defensive measures for organizations in CopyKittens' target profile — primarily government, defense, and academic institutions in regions of Iranian strategic interest.

  • Enforce MFA on all webmail and email access: CopyKittens' trusted-context internal spearphishing technique relies on compromising a single email account and using it as a launch point. MFA on all webmail (OWA, Google Workspace, and similar) significantly raises the cost of that initial account compromise. Phishing-resistant MFA is preferable — the group uses social engineering lures that could defeat push-based MFA.
  • Implement DNS traffic inspection and filtering: Matryoshka RAT and Cobalt Strike DNS C2 both use DNS as the exfiltration and command channel. DNS traffic inspection at the network boundary — alerting on unusual TXT record queries, high-volume DNS to unfamiliar domains, and non-standard query patterns from workstations — is the most targeted detection control for this group's C2 methodology.
  • Alert on reply-chain email anomalies: The Turkish MFA trusted-context attack is particularly difficult to detect with content-based filtering. Implement behavioral email analysis that flags messages from internal accounts that contain links or attachments not seen in prior correspondence from that sender, or that arrive at unusual times relative to the account's normal usage patterns. User training on internal spearphishing is also essential — employees should be conditioned to verify unexpected attachments even from known contacts.
  • Patch internet-facing applications promptly: CopyKittens used Havij, sqlmap, and Acunetix for web exploitation alongside spearphishing — maintaining a parallel non-email entry path. Regular vulnerability scanning of externally accessible applications and prompt patching (particularly for CVEs with available public exploit code) removes this vector.
  • Monitor lateral movement tooling: CopyKittens' noisy simultaneous infection of multiple hosts after initial compromise is a reliable detection signal. Alert on Empire, Mimikatz, and ZPP execution; monitor for unusual RDP connections between workstations; and establish baseline behavior for administrative tools to detect abnormal use.
  • Implement web content integrity monitoring: Watering hole attacks via JavaScript injection into legitimate news and government sites are difficult to prevent at the organizational level, but can be mitigated by monitoring for JavaScript changes on frequently visited third-party sites using Content Security Policy (CSP) reporting and browser-based integrity checks. Organizations can also implement proxy-based filtering that alerts on redirects from known legitimate sites to unfamiliar domains.
  • Protect webmail credentials specifically: The group targeted OWA and webmail credentials through phishing pages built to mimic organizational login portals. Enforce MFA, implement DMARC/DKIM/SPF to reduce spoofed email effectiveness, and train users to verify login page URLs before entering credentials.
  • Audit and restrict Office macro execution: Matryoshka RAT and other payloads were delivered via malicious macros in Office documents. Disable macros by default for documents received from external sources, and require digital signatures for macro execution. Microsoft's Attack Surface Reduction rules provide policy-based macro restriction options.

note

CopyKittens' persistence across multiple simultaneous access vectors — spearphishing, watering holes, and web exploitation running concurrently against the same targets — means that patching one vector or training users on one delivery method is insufficient. Effective defense requires controls at all three layers: email, web browsing, and internet-facing application security.

Sources & Further Reading

Attribution and references used to build this profile.
