Threat Actor Profile
Copy Kittens
Copy Kittens, also known as Slayer Kitten, is an Iranian cyberespionage group active since at least 2013. Affiliated with Iranian state interests, the group employs advanced tactics, techniques, and procedures (TTPs) to target governments, IT, and media sectors globally. Their campaigns, such as Operation Wilted Tulip, highlight their focus on information theft and espionage.
Country of Origin
Copy Kittens is attributed to Iran, with strong evidence linking their operations to Iranian state-sponsored activities.
Members
The exact size and composition of Copy Kittens are unclear. The group is tracked under aliases and identifiers such as Slayer Kitten and G0052 (its MITRE ATT&CK group ID), indicating a flexible and covert structure.
Leadership
The leadership of Copy Kittens remains unknown. However, their operations suggest a well-organized structure with state-level backing.
Copy Kittens TTPs
Tactics
The group primarily focuses on information theft, espionage, and enabling ransomware attacks. Their targets include government entities, IT infrastructure, and media organizations.
Techniques
Copy Kittens exploits vulnerabilities in public-facing applications, uses phishing campaigns, and deploys custom malware like Matryoshka RAT and Cobalt Strike.
Procedures
The group employs social engineering, webshells, and credential harvesting to infiltrate networks. They also leverage tools like EmpireProject and TDTESS for persistence and lateral movement.
Notable Cyberattacks
Operation Wilted Tulip (2013)
A large-scale espionage campaign targeting multiple countries.
Jerusalem Post Breach (2017)
Compromise of Israeli media and government websites.
Law Enforcement & Arrests
No arrests have been reported. The group continues to operate with impunity, leveraging state-level resources.
How to Defend Against Copy Kittens
Regularly patch vulnerabilities in public-facing applications.
Monitor for IOCs like suspicious IPs and domains.
Huntress solutions help protect organizations by monitoring endpoints, detecting intrusions, and mitigating threats such as Copy Kittens with enterprise-grade technology.