Threat Actor Profile
High APT
Description

CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.(Citation: ClearSky CopyKittens March 2017)(Citation: ClearSky Wilted Tulip July 2017)(Citation: CopyKittens Nov 2015)

Confidence Score
90%
Known Aliases
CopyKittens
Tags
mitre-attack stix-2.1 intrusion-set
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (8)
T1560.001 - Archive via Utility (Collection)
T1560.003 - Archive via Custom Method (Collection)
T1090 - Proxy (Command and Control)
T1218.011 - Rundll32 (Defense Evasion)
T1553.002 - Code Signing (Defense Evasion)
T1564.003 - Hidden Window (Defense Evasion)
T1059.001 - PowerShell (Execution)
T1588.002 - Tool (Resource Development)
STIX Data
{'aliases': ['CopyKittens'],
 'created': '2018-01-16T16:13:52.465Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[CopyKittens](https://attack.mitre.org/groups/G0052) is an '
                'Iranian cyber espionage group that has been operating since '
                'at least 2013. It has targeted countries including Israel, '
                'Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The '
                'group is responsible for the campaign known as Operation '
                'Wilted Tulip.(Citation: ClearSky CopyKittens March '
                '2017)(Citation: ClearSky Wilted Tulip July 2017)(Citation: '
                'CopyKittens Nov 2015)',
 'external_references': [{'external_id': 'G0052',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0052'},
                         {'description': '(Citation: ClearSky CopyKittens '
                                         'March 2017) (Citation: ClearSky '
                                         'Wilted Tulip July 2017) (Citation: '
                                         'CopyKittens Nov 2015)',
                          'source_name': 'CopyKittens'},
                         {'description': 'ClearSky Cyber Security and Trend '
                                         'Micro. (2017, July). Operation '
                                         'Wilted Tulip: Exposing a cyber '
                                         'espionage apparatus. Retrieved '
                                         'August 21, 2017.',
                          'source_name': 'ClearSky Wilted Tulip July 2017',
                          'url': 'http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf'},
                         {'description': 'ClearSky Cyber Security. (2017, '
                                         'March 30). Jerusalem Post and other '
                                         'Israeli websites compromised by '
                                         'Iranian threat agent CopyKitten. '
                                         'Retrieved August 21, 2017.',
                          'source_name': 'ClearSky CopyKittens March 2017',
                          'url': 'http://www.clearskysec.com/copykitten-jpost/'},
                         {'description': 'Minerva Labs LTD and ClearSky Cyber '
                                         'Security. (2015, November 23). '
                                         'CopyKittens Attack Group. Retrieved '
                                         'November 17, 2024.',
                          'source_name': 'CopyKittens Nov 2015',
                          'url': 'https://cdn2.hubspot.net/hubfs/1903456/Whitepapers/CopyKittens.pdf'}],
 'id': 'intrusion-set--dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a',
 'modified': '2024-11-17T12:44:07.637Z',
 'name': 'CopyKittens',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.6'}