Threat Actor Characterization

CopyKittens

ID: 34d1c9cfc3e408f1e8ccf910c74e794480795
Cybercrime State-Sponsored
Threat types: Intrusion, Espionage, Watering Hole
Iran UNKNOWN
Updated: 2026-01-13
Created: 2025-10-21
Progress: 35% Completeness: 28% Freshness: 50%
Operation zone: UNKNOWN
Aliases: No aliases registered.
MITRE ATT&CK®

CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip. Ref: https://attack.mitre.org/groups/G0052/


| Technique | Technique name | Tactics | Evidence |
|---|---|---|---|
| T1059.001 | PowerShell | TA0002 | Command and Scripting Interpreter: PowerShell - CopyKittens has used PowerShell Empire. |
| T1218.011 | Rundll32 | TA0005 | System Binary Proxy Execution: Rundll32 - CopyKittens uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, Cobalt Strike, and shellcode. |
| T1553.002 | Code Signing | TA0005 | Subvert Trust Controls: Code Signing - CopyKittens digitally signed an executable with a stolen certificate from legitimate company AI Squared. |
| T1560.001 | Archive via Utility | TA0009 | Archive Collected Data: Archive via Utility - CopyKittens uses ZPP, a .NET console program, to compress files with ZIP. |
| T1560.003 | Archive via Custom Method | TA0009 | Archive Collected Data: Archive via Custom Method - CopyKittens encrypts data with a substitute cipher prior to exfiltration. |
| T1564.003 | Hidden Window | TA0005 | Hide Artifacts: Hidden Window - CopyKittens has used -w hidden and -windowstyle hidden to conceal PowerShell windows. |
| T1588.002 | Tool | TA0042 | Obtain Capabilities: Tool - CopyKittens has used Metasploit, Empire, and AirVPN for post-exploitation activities. |