🇮🇷

Magic Kitten

APT Group Information theft and espionage 4 zero-day CVEs ETDA ✓

Also Known As 2 names

Group 42 VOYEUR

Target Countries 12

Countries highlighted in red

Switzerland Germany Indonesia Israel India Iraq Lebanon Netherlands Pakistan Qatar Sweden Thailand

Sectors Targeted

Grantmaking and Giving Services 8132

Details

Origin 🇮🇷 IR

Last Updated 01 Jun 2022

MITRE ATT&CK 118

T1003 T1003.001 T1005 - Data from Local System T1016 T1016.001 T1016.002 T1018 T1021 T1021.001 T1021.004 - SSH T1027 - Obfuscated Files or Information T1027.010 T1027.013 T1033 T1036 T1036.004 T1036.005 T1036.010 T1046 T1047 T1049 T1053 T1053.005 T1056 T1056.001 - Keylogging T1057 T1059 T1059.001 T1059.003 T1059.005 T1070 T1070.003 T1070.004 T1071 T1071.001 - Web Protocols T1074.002 - Remote Data Staging T1078 T1078.001 T1078.002 T1082 - System Information Discovery T1083 - File and Directory Discovery T1087 T1087.003 T1090 T1090.003 - Multi-hop Proxy T1098 T1098.002 T1098.007 T1102 T1102.002 T1105 - Ingress Tool Transfer T1112 T1113 T1114 T1114.001 T1114.002 T1136 T1136.001 T1189 T1190 - Exploit Public-Facing Application T1204 T1204.001 T1204.002 T1218 T1218.011 T1482 T1485 - Data Destruction T1486 T1498 - Network Denial of Service T1505 T1505.003 - Web Shell T1543.003 - Windows Service T1547 T1547.001 T1555.003 - Credentials from Web Browsers T1560 T1560.001 T1562 T1562.001 T1562.002 T1562.004 T1564 T1564.003 T1565.001 - Stored Data Manipulation T1566 T1566.001 T1566.002 T1566.003 T1567 T1570 T1571 T1572 T1573 T1583 T1583.001 T1583.006 T1584 T1584.001 T1585 T1585.001 T1585.002 T1586 T1586.002 T1588 T1588.002 T1589 T1589.001 T1589.002 T1590 T1590.005 T1591 T1591.001 T1592 T1592.002 T1595 T1595.002 T1598 T1598.003

Related Zero-Days 4

CVE-2021-26855 CVE-2021-44228 CVE-2024-21887 CVE-2026-21509

Known Names 2 entries

Magic Kitten CrowdStrike

VOYEUR NSA

Observed Target Countries 12

Based on ETDA data — countries highlighted in red

Germany India Indonesia Iraq Lebanon Netherlands Pakistan Qatar Sweden Switzerland Thailand UAE

Description

(CEIP) In January 2015, the German news outlet Der Spiegel released previously unpublished documents on cyber espionage conducted by American intelligence agencies.50 One of them revealed an NSA tactic labeled “fourth party collection,” which is the practice of breaking into the command and control infrastructure of foreign-state-sponsored hackers to look over their shoulders. The presentation describes a real-life example of acquiring intelligence and stealing victims from a group code-named VOYEUR by the NSA, otherwise known as Magic Kitten. Magic Kitten appears to be among the oldest and most elaborate threat actors originating in Iran. It is also distinct from other groups because of its apparent relationship with the Iranian Ministry of Intelligence rather than the IRGC. However, Magic Kitten’s activities mirror those of other groups, with the primary targets being Iranians inside Iran and Tehran’s regional rivals. The earliest observed samples of Magic Kitten’s custom malware agent dates to 2007, well before other known malware apparently originated, and the threat actor continues to be active.

Reports & References 2

https://carnegieendowment.org/2018/01/04/iran-s-cyber-ecosystem-who-are-threat-actors-pub-75140 https://irancybernews.org/magic-kitten-the-oldest-kitten/

ETDA Profile

Magic Kitten

Origin

Iran

First Seen 2007

Sponsor State-sponsored

Motivation

Information theft and espionage

View on ETDA APT Groups ↗