Currently viewing ATT&CK v14.1, which was live between October 31, 2023 and April 22, 2024.

Ajax Security Team

Ajax Security Team is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 Ajax Security Team transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.[1]

ID: G0130
Associated Groups: Operation Woolen-Goldfish, AjaxTM, Rocket Kitten, Flying Kitten, Operation Saffron Rose
Version: 1.0
Created: 14 April 2021
Last Modified: 09 October 2023

Associated Group Descriptions

Name: Operation Woolen-Goldfish
Description: Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between Ajax Security Team and the campaign Operation Woolen-Goldfish.[2][3]

Name: AjaxTM
Description: (no description given; citation only)[1]

Name: Rocket Kitten
Description: Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between Ajax Security Team and Rocket Kitten.[2][4]

Name: Flying Kitten
Description: (no description given; citation only)[5]

Name: Operation Saffron Rose
Description: (no description given; citation only)[1]

Techniques Used

Domain: Enterprise | ID: T1555.003 | Name: Credentials from Password Stores: Credentials from Web Browsers
Use: Ajax Security Team has used FireMalv, custom-developed malware, which collected passwords from the Firefox browser storage.[2]

Domain: Enterprise | ID: T1105 | Name: Ingress Tool Transfer
Use: Ajax Security Team has used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system.[2]

Domain: Enterprise | ID: T1056.001 | Name: Input Capture: Keylogging
Use: Ajax Security Team has used CWoolger and MPK, custom-developed malware, which recorded all keystrokes on an infected system.[2]

Domain: Enterprise | ID: T1566.001 | Name: Phishing: Spearphishing Attachment
Use: Ajax Security Team has used personalized spearphishing attachments.[2]

Domain: Enterprise | ID: T1566.003 | Name: Phishing: Spearphishing via Service
Use: Ajax Security Team has used various social media channels to spearphish victims.[1]

Domain: Enterprise | ID: T1204.002 | Name: User Execution: Malicious File
Use: Ajax Security Team has lured victims into executing malicious files.[1]

Software

References