Pulse Detail — Threat Intelligence

PULSE NAME

Ajax Security Team | MITRE ATT&CK Group ID: G0130

WHITE Ajax Security Team eric.ford 2022-09-15 Modified: 2022-10-15

330

IOCs

HIGH VOLUME

Ajax Security Team is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 Ajax Security Team transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.

actor/ajaxsecurityteam

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1574 T1003 T1071 T1070 T1027 T1056 T1080 T1102 T1105 T1204 T1547 T1553 T1555 T1566

MALWARE FAMILIES

Flying Kitten Ishak GHOLE TSPY_WOOLERG.A. BKDR_GHOLE.B. Detected Gholee Hoffman Rocket Kitten GHolE

Indicators of Compromise (69 / 330 total)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain email hostname CIDR YARA

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-SHA1	02b04563ef430797051aa13e48971d3490c80636	—	2022-09-15
FileHash-SHA1	0482fc2e332918456b9c97d8a9590781095b2b53	—	2022-09-15
FileHash-SHA1	07a77f8b9f0fcc93504dfba2d7d9d26246e5878f	—	2022-09-15
FileHash-SHA1	0b0cdf47363fd27bccbfba6d47b842e44a365723	—	2022-09-15
FileHash-SHA1	0b880fb3414374dbbf582217ee0288a76c904e9b	—	2022-09-15
FileHash-SHA1	0f4bf1d89d080ed318597754e6d3930f8eec49b0	—	2022-09-15
FileHash-SHA1	1a999a131144afe8cb7316ebb842da4f38101ac5	—	2022-09-15
FileHash-SHA1	22f6a61aa2d490b6a3bc36e93240d05b1e9b956a	—	2022-09-15
FileHash-SHA1	25d3688763e33eac1428622411d6dda1ec13dd43	—	2022-09-15
FileHash-SHA1	2627cdc3324375e6f41f93597a352573e45c0f1e	—	2022-09-15
FileHash-SHA1	29968b0c4157f226761073333ff2e82b588ddf8e	—	2022-09-15
FileHash-SHA1	29d93b156bcfbcecf79c5ba389094796a1ba76ee	—	2022-09-15
FileHash-SHA1	2c3edde41e9386bafef248b71974659543a3d774	—	2022-09-15
FileHash-SHA1	37ad0e426f4c423385f1609561422a947a956398	—	2022-09-15
FileHash-SHA1	46a995df8d9918ca0793404110904479b6adcb9f	—	2022-09-15
FileHash-SHA1	4711f063a0c67fb11c05efdb40424377799efafd	—	2022-09-15
FileHash-SHA1	476489f75fed479f19bac02c79ce1befc62a6633	—	2022-09-15
FileHash-SHA1	47b1c9caabe3ae681934a33cd6f3a1b311fd7f9f	—	2022-09-15
FileHash-SHA1	53340f9a49bc21a9e7267173566f4640376147d9	—	2022-09-15
FileHash-SHA1	58045d7a565f174df8efc0de98d6882675fbb07f	—	2022-09-15
FileHash-SHA1	5d334e0cb4ff58859e91f9e7f1c451ffdc7544c3	—	2022-09-15
FileHash-SHA1	62172eee1a4591bde2658175dd5b8652d5aead2a	—	2022-09-15
FileHash-SHA1	64ba130e627dd85c85d6534e769d239080e068dd	—	2022-09-15
FileHash-SHA1	6571f2b9a0aea89f45899b256458da78ac51e6bb	—	2022-09-15
FileHash-SHA1	694c6a7e76be72a38d240479f7c51177c43ef901	SHA1 of aeb9d12ecbe73bfa91616ebacf24831b	2022-09-15
FileHash-SHA1	6e30d3ef2cd0856ff28adce4cc012853840f6440	—	2022-09-15
FileHash-SHA1	729f9ce76f20822f48dac827c37024fe4ab8ff70	—	2022-09-15
FileHash-SHA1	788d881f3bb2c82e685a98d8f405f375c0ac2162	—	2022-09-15
FileHash-SHA1	7ad0eb113bc575363a058f4bf21dbab8c8f7073a	—	2022-09-15
FileHash-SHA1	7fef48e1303e40110798dfec929ad88f1ad4fbd8	—	2022-09-15
FileHash-SHA1	8074ed48b99968f5d36a494cdeb9f80685beb0f5	—	2022-09-15
FileHash-SHA1	86222ef166474e53f1eb6d7e6701713834e6fee7	—	2022-09-15
FileHash-SHA1	8e1bd64acd8bbe819ac60650eb1fa4f501d330ec	—	2022-09-15
FileHash-SHA1	9579e65e3ae6f03ff7d362be05f9beca07a8b1b3	—	2022-09-15
FileHash-SHA1	a42f1ad2360833baedd2d5f59354c4fc3820c475	—	2022-09-15
FileHash-SHA1	a65b39d3919f15649106a039469013479a31ba4b	—	2022-09-15
FileHash-SHA1	a9245de692c16f90747388c09e9d02c3ee34577e	—	2022-09-15
FileHash-SHA1	ad6c9b003285e01fc6a02148917e95c780c7d751	—	2022-09-15
FileHash-SHA1	ae18bb317909e16f765ba2e88c3d72d648db2798	—	2022-09-15
FileHash-SHA1	b67572a18282e79974dc61fffb8ca3d0f4fca1b0	—	2022-09-15
FileHash-SHA1	b9842058c88170cc45183aaaae4206c74e6c7351	—	2022-09-15
FileHash-SHA1	bacaa8f4de9179dd6591efba1062c88b75d15ba4	SHA1 of 1ceca1757cb652ba7e5b0d45f2038955	2022-09-15
FileHash-SHA1	c1edf6e3a271cf06030cc46cbd90074488c05564	—	2022-09-15
FileHash-SHA1	c485b0d59b28d37a1ac80380b0d7774bdb9d8248	—	2022-09-15
FileHash-SHA1	c6db3e7e723f20ed3bcf4c53fc4748e9591f4c40	—	2022-09-15
FileHash-SHA1	c727b8c43943986a888a0428ae7161ff001bf603	—	2022-09-15
FileHash-SHA1	c8096078f0f6c3fbb6d82c5b00211802168f9cba	—	2022-09-15
FileHash-SHA1	cabdfe7e9920aeaa5eaca7f5415d97f564cdec11	—	2022-09-15
FileHash-SHA1	ce03790d1df81165d092e89a077c495b75a14013	—	2022-09-15
FileHash-SHA1	d3e47da32cc7dd1cb68c938732fdd40084f0f2bf	SHA1 of 54ee31eb1eed79d4ddffd1423d5f5e28	2022-09-15
FileHash-SHA1	d5b2b30fe2d4759c199e3659d561a50f88a7fb2e	—	2022-09-15
FileHash-SHA1	db2b8f49b4e76c2f538a3a6b222c35547c802cef	—	2022-09-15
FileHash-SHA1	e2728cabb35c210599e248d0da9791991e38eb41	—	2022-09-15
FileHash-SHA1	e6964d467bd99e20bfef556d4ad663934407fd7b	—	2022-09-15
FileHash-SHA1	e8dbcde49c7f760165ebb0cb3452e4f1c24981f5	—	2022-09-15
FileHash-SHA1	eb6a21585899e702fc23b290d449af846123845f	—	2022-09-15
FileHash-SHA1	ec692cf82aef16cf61574b5d15e5c5f8135df288	—	2022-09-15
FileHash-SHA1	ed5615ffb5578f1adee66f571ec65a992c033a50	—	2022-09-15
FileHash-SHA1	eeb67e663b2fa980c6b228fc2e04304c8992401d	—	2022-09-15
FileHash-SHA1	efd1c6a926095d36108177045db9ad21df926a6e	—	2022-09-15
FileHash-SHA1	f2ed8cd0154ae4d6ecf52a0bcf5fa80c7095dcd2	—	2022-09-15
FileHash-SHA1	f51de6c25ff8e1d9783ed5ac13a53d1c0ea3ef33	—	2022-09-15
FileHash-SHA1	f710bd9ea40fd94c06d704c00e16a5941544378f	—	2022-09-15
FileHash-SHA1	f7f69c5ed94a03f6d57e9afd33c2627ff69205f2	—	2022-09-15
FileHash-SHA1	fa5b587ceb5d17f26fe580aca6c02ff2e20ad3c4	—	2022-09-15
FileHash-SHA1	faf0fe422259d36494a0b2c9ccefe40dee978f31	—	2022-09-15
FileHash-SHA1	fd8793ce4ca23988562794b098b9ed20754f8a90	—	2022-09-15
FileHash-SHA1	fe3436294f302a93fbac389291dd20b41b038cba	—	2022-09-15
FileHash-SHA1	ffead364ae7a692afec91740d24649396e0fa981	—	2022-09-15

References (4)

↗ https://attack.mitre.org/groups/G0130/ ↗ https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs ↗ https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/ ↗ https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/