The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

PolySwarm 2022 Recap - Threat Actor Activity Highlights: Iran

Dec 19, 2022 2:03:57 PM / by PolySwarm Tech Team

Threat Bulletin -

Executive Summary

This Threat Bulletin is part of PolySwarm’s 2022 Recap series. This report highlights activity perpetrated by Iran-based threat actors in 2022.

Key Takeaways

  • This report provides highlights of activity perpetrated by Iran-based threat actors in 2022.
  • Threat actors featured in this report include Static Kitten, Charming Kitten, Siamese Kitten, Fox Kitten, Helix Kitten, Nemesis Kitten, Refined Kitten, Moses Staff, Cobalt Mirage, and APT42. 
  • PolySwarm tracked malware associated with multiple Iran nexus threat actors in 2022. 
2022 Iran Nexus Threat Actor Activity

Static Kitten

Static Kitten, also known as MuddyWater, is an Iran nexus threat actor group. The group has historically targeted entities in the Middle East but has been known to target other regions as well. Muddy Water primarily conducts espionage campaigns but has also been known to engage in intellectual property theft and ransomware attacks. US Cyber Command has linked the group’s activities to Iran’s Ministry of Intelligence and Security (MOIS). Static Kitten has been very active in 2022.

  • In January, a Static Kitten campaign targeted Turkish entities using maldocs and executable-based infection chains. 
  • In February, CISA warned of a Static Kitten campaign targeting government and commercial networks worldwide. 
  • In late 2022, Static Kitten was observed using new TTPs to target entities in Armenia, Azerbaijan, Egypt, Iraq, Jordan, Israel, Oman, Qatar, Tajikistan, and UAE. Verticals targeted in this campaign included technology, hospitality, and others. In this campaign, Static Kitten used a new RAT named Syncro.
Charming Kitten

Charming Kitten, also known as APT35, Phosphorus, Newscaster, TA453, Cobalt Illusion, Magic Hound, and ITG18, is an Iran nexus state-sponsored threat actor group tentatively linked to the Islamic Revolutionary Guard Corps (IRGC). Charming Kitten has previously targeted government and military personnel, academics, journalists, and the World Health Organization. The group’s targets have primarily been the US and the Middle East. Charming Kitten has been active since at least 2014.

  • In August, industry researchers reported on a Charming Kitten campaign using a data extraction tool called Hyperscrape. The campaign, active since 2020, targeted user data from Gmail, Yahoo, and Outlook accounts using previously harvested credentials.
Siamese Kitten

Siamese Kitten, also known as Hexane, Lyceum, and Spirlin, is an Iran nexus threat actor group active since at least 2017. The group typically targets energy and telecommunications organizations in the Middle East and Africa.

  •  In June, a campaign was observed using a .NET DNS backdoor known as DNS System. Industry researchers attributed the activity to Siamese Kitten. The .NET DNS backdoor is delivered via a macro-enabled malicious Word document masquerading as a news report on military affairs.
Fox Kitten

Fox Kitten, also known as Parisite, Pioneer Kitten, Rubidium, and UNC757, has been active since at least 2017. The group is likely state-sponsored and focuses on espionage and targeting the energy sector. Industry researchers noted operational overlap with several other Iran nexus APT groups, including OilRig, Elfin, and Chafer.

  • Fox Kitten remained a threat to the energy sector in 2022.
Helix Kitten

Helix Kitten, also known as Chrysene, Greenbug, OilRig, and APT34, has been active in its current form since 2017. The group played a role in the 2012 Shamoon attack. Helix Kitten specializes in gaining initial access to a target and passing the victim to another group for further operations. Helix Kitten is also known to target government organizations in Lebanon.

  • In April, Helix Kitten was observed using a new backdoor dubbed Saitama in a campaign targeting a Jordanian government official.
Nemesis Kitten

Nemesis Kitten, also known as Phosphorus, Bentonite, and UNC2448, is an Iran nexus threat actor group active since at least 2020. Nemesis Kitten is known for conducting ransomware attacks leveraging BitLocker and DiskCryptor. The group has also engaged in espionage activity. Nemesis Kitten is known to target multiple sectors, including the energy sector. They have specifically targeted nuclear energy entities as well.

  • The US Treasury sanctioned Iranian threat actors linked to Nemesis Kitten earlier this year. 
  • In mid-2022, Nemesis Kitten was observed abusing the BitLocker feature in Windows to encrypt victim machines.
Refined Kitten

Refined Kitten, also known as APT33, Elfin, Magnalium, and Holmium, is an Iran nexus threat actor group with potential ties to the IRGC. The group has been active since at least 2013. Refined Kitten activity is focused on gathering intelligence. They typically target the aerospace, defense, energy, and ONG entities in Saudi Arabia, the US, and UAE.

  • Refined Kitten continued to be a threat to the energy sector in 2022.
Moses Staff

Moses Staff, an Iran nexus threat actor group, primarily targets entities located in Israel. The group appears to be politically motivated. It is unclear whether they are state-sponsored or merely a hacktivist group. To date, most of their activity has focused on data leaks and espionage. In the past, they have used ransomware primarily for disruption rather than financial gain.

  • In 2022, Moses Staff targeted the Israel electric sector, leaking data stolen from three organizations. These organizations are Dorad, a large power plant operator; Israel Electric Corporation (IEC), Israel’s largest electrical power provider; and Reali Technologies, a commercial vendor of cloud-based SCADA systems.
Cobalt Mirage

Cobalt Mirage is an Iran nexus threat actor group that typically conducts espionage campaigns and financially motivated attacks.

  • In mid 2022, Cobalt Mirage launched a campaign using ransomware to target US companies. Later in the year, Cobalt Mirage was observed exploiting ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207). The threat actors deployed multiple webshells and TunnelFish. They also enabled the DefaultAccount with a password known to be used by the group and launched BitLocker to encrypt servers.

Iran nexus threat actor group APT42 is an IRGC-linked entity.

  • APT42 was recently observed targeting activists, journalists, and political entities in the Middle East. The group targeted at least 20 individuals in this campaign, compromising victim email, cloud storage, calendars, contacts, and other sensitive data. Targets included a correspondent for a US newspaper, a women’s rights advocate, and an advocate for Refugees International. APT42 used social engineering tactics to contact the victims via WhatsApp, pretending to invite them to a conference and tricking them into clicking a URL for a phishing page that harvested their credentials. The phishing page also had adversary in the middle capabilities, making it possible for the threat actors to obtain the victim’s 2FA codes. The campaign lasted from mid-September to late November.
Tracking Iran Nexus Threat Actor Activity With PolySwarm

PolySwarm tracked malware associated with the following Iran nexus threat actors in 2022:
  • Siamese Kitten
  • Charming Kitten
  • Fox Kitten
  • Static Kitten
  • Nemesis Kitten
  • Refined Kitten

 Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at for more information and IOCs of related samples in our data set.| Check out our blog | Subscribe to our reports

Topics: Threat Bulletin, Middle East, Iran, 2022 Recap, MENA

PolySwarm Tech Team

Written by PolySwarm Tech Team

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts