MITRE ATT&CK® Group

G0052: CopyKittens

CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.[1][2][3]

Domain: Enterprise. ID: G0052. Type: Group. Object version: 1.6.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

CopyKittens is an ATT&CK-tracked Iranian cyber espionage group reported by MITRE as operating since at least 2013 and targeting multiple countries. The practical value for defenders is not a single indicator or platform, but a behavior profile: use of post-exploitation frameworks, custom backdoors, PowerShell, proxying, signed-code abuse, hidden execution, and data archiving before exfiltration. Security leaders should treat this as a validation case for whether the organization can detect and investigate espionage-style intrusions that blend legitimate tools with malware and stealth techniques.

Executive priority

Prioritize this behavior where espionage, sensitive data access, regulated information, or geopolitical exposure would materially affect business continuity, legal obligations, or incident decision-making. The key executive question is whether SOC, IR, identity, endpoint, and network teams can prove visibility across common post-compromise actions: scripted execution, remote administration tooling, suspicious proxy use, code-signing trust abuse, and staged collection. Because MITRE provides no official detection text for this group object, coverage should be demonstrated through control validation and telemetry review rather than assumed from threat-name matching.

Technical view

For SOC and detection engineering, use the associated ATT&CK relationships as validation scope. Confirm monitoring for PowerShell execution on Windows, rundll32 proxy execution, abnormal archive creation or custom packaging behavior, hidden-window or non-interactive execution patterns, and command-and-control traffic routed through proxies. The related software relationships add focus on Cobalt Strike, Empire, TDTESS, and Matryoshka; defenders should validate detections for post-exploitation frameworks and malware-like behaviors without relying only on tool names. Because the group object itself has no specified platforms or tactics, platform assumptions should be drawn only from the related techniques and software and then mapped to the local environment.

Likely telemetry

  • Endpoint process creation and command-line telemetry, especially PowerShell and rundll32 activity
  • PowerShell script block, module, and operational logs where available
  • Endpoint detection telemetry for post-exploitation framework behavior and suspicious child-process chains
  • Network connection, proxy, DNS, and egress logs to identify indirect command-and-control patterns
  • File creation and modification events for compressed, encrypted, or unusually staged archives

Detection direction

  • Validate behavior-based detections rather than relying solely on the CopyKittens name or static indicators from older reporting.
  • Tune PowerShell detections to distinguish legitimate administration from suspicious encoded, remote, or unusual script execution patterns.
  • Review rundll32 allowlisting and monitoring gaps, since signed Windows binaries can be abused for proxy execution.
  • Correlate archive creation with sensitive file access, unusual staging directories, and outbound network activity.
  • Investigate proxy-like egress behavior, especially unusual intermediaries or network paths that obscure direct external communication.
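
The technical view and the detection direction above describe checks rather than show them. The following is an added example, not code from MITRE or from the original page, that runs those checks over a handful of constructed Sysmon-style events: PowerShell with a hidden window (the `-w hidden` / `-windowstyle hidden` forms from the procedure table), an encoded command, rundll32 loading a module from a user-writable path, and an archive written to a staging directory by a process that then connects out. Event field names, the user-writable path list, the PIDs, paths and the base64 blob are all assumptions for illustration; the one behavior worth noting is that powershell.exe accepts unambiguous switch prefixes, so a rule that only matches the full switch name misses the abbreviated form.

```python
# Added example, not code from MITRE ATT&CK or the original page: behavior checks for the
# procedures listed on this page, run over constructed Sysmon-style events.
import re
from dataclasses import dataclass

@dataclass
class Event:
    """Minimal Sysmon-like record (constructed). event_id uses Sysmon numbering:
    1 process create, 3 network connect, 11 file create."""
    ts: int                    # seconds; used only for ordering and time windows
    event_id: int
    pid: int
    image: str
    command_line: str = ""
    target_filename: str = ""  # event 11 only
    dest_port: int = 0         # event 3 only

@dataclass
class Finding:
    technique: str
    pid: int
    reason: str

def prefix_re(switch: str, min_len: int) -> str:
    """Alternation for every abbreviation of a powershell.exe switch: powershell.exe accepts
    unambiguous prefixes, so -w, -win and -windowstyle are the same switch, and a rule that
    matches only the full name misses the '-w hidden' form quoted in the procedure table."""
    alts = [re.escape(switch[:n]) for n in range(len(switch), min_len - 1, -1)]
    return "(?:" + "|".join(alts) + ")"

PS_IMAGES = {"powershell.exe", "pwsh.exe"}
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)[-/]" + prefix_re("windowstyle", 1) + r"\s+hidden\b")
ENCODED_CMD = re.compile(r"(?i)(?:^|\s)[-/]" + prefix_re("encodedcommand", 1) + r"\s+[A-Za-z0-9+/=]{20,}")
USER_WRITABLE = re.compile(r"(?i)\\(users|programdata|windows\\temp|temp)\\")  # assumed short list
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".cab")

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def argv_rest(command_line: str) -> str:
    """Drop the program token (quoted or bare) from a Windows command line."""
    cl = command_line.lstrip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[end + 1:].strip() if end != -1 else ""
    parts = cl.split(None, 1)
    return parts[1] if len(parts) > 1 else ""

def check_process(ev: Event) -> list:
    """T1564.003 and T1059.001 checks for PowerShell; T1218.011 checks for rundll32."""
    out, img = [], basename(ev.image)
    if img in PS_IMAGES:
        if HIDDEN_WINDOW.search(ev.command_line):
            out.append(Finding("T1564.003", ev.pid, "PowerShell started with a hidden window"))
        if ENCODED_CMD.search(ev.command_line):
            out.append(Finding("T1059.001", ev.pid, "PowerShell started with an encoded command"))
    elif img == "rundll32.exe":
        # rundll32 syntax is <module>,<entrypoint> [args]; the module is what gets loaded.
        module = argv_rest(ev.command_line).split(",")[0].strip().strip('"')
        if not module:
            out.append(Finding("T1218.011", ev.pid, "rundll32 with no module argument"))
        elif USER_WRITABLE.search(module) or not module.lower().endswith(".dll"):
            out.append(Finding("T1218.011", ev.pid, f"rundll32 loading {module}"))
    return out

def check_staging(events: list, window: int = 600) -> list:
    """Archive written to a user-writable path, then an outbound connection from the same
    process within `window` seconds: staged collection on its way out (T1560, then C2/exfil)."""
    out, staged = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        if (ev.event_id == 11 and ev.target_filename.lower().endswith(ARCHIVE_EXT)
                and USER_WRITABLE.search(ev.target_filename)):
            staged[ev.pid] = (ev.ts, ev.target_filename)
        elif ev.event_id == 3 and ev.pid in staged:
            t0, name = staged.pop(ev.pid)
            if ev.ts - t0 <= window:
                out.append(Finding("T1560", ev.pid,
                                   f"{basename(ev.image)} wrote {name} then connected out on port {ev.dest_port}"))
    return out

def evaluate(events: list) -> list:
    findings = [f for ev in events if ev.event_id == 1 for f in check_process(ev)]
    findings.extend(check_staging(events))
    return findings

# Constructed events; paths, PIDs and the base64 blob are placeholders, not real indicators.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RUNDLL = r"C:\Windows\System32\rundll32.exe"
SAMPLE_EVENTS = [
    # PowerShell with a hidden window and an encoded command: should produce two findings.
    Event(100, 1, 4001, PS, "powershell.exe -nop -w hidden -enc QQBCAEMAQQBCAEMAQQBCAEMAQQBCAEMA"),
    # Maintenance script run with a plain -File argument: must not fire.
    Event(110, 1, 4002, PS, r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1"),
    # rundll32 loading a DLL from a user-writable directory: should fire.
    Event(120, 1, 4003, RUNDLL, r"rundll32.exe C:\Users\Public\stage.dll,Start"),
    # Control Panel applet launched through rundll32 from System32: must not fire.
    Event(121, 1, 4004, RUNDLL, r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\shell32.dll",'
          r'Control_RunDLL "C:\Windows\System32\ncpa.cpl"'),
    # A console archiver writes a ZIP into a staging directory, then the same process connects out.
    Event(130, 11, 4005, r"C:\Users\Public\zpp.exe", target_filename=r"C:\Users\Public\docs.zip"),
    Event(190, 3, 4005, r"C:\Users\Public\zpp.exe", dest_port=443),
]
```

Running `evaluate(SAMPLE_EVENTS)` yields four findings (two for the PowerShell process, one for rundll32, one for the archive-then-egress pair) and none for the two benign events. The rundll32 rule is deliberately a heuristic (module path outside System32-style locations, or not a `.dll`); in a real environment it needs an allowlist of the Control Panel and printer-driver invocations that the tuning bullet above refers to.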

Mitigation priorities

  • Establish baseline logging first: endpoint process telemetry, PowerShell logging, network egress visibility, and file/archive monitoring.
  • Constrain and monitor script execution, administrative tooling, and living-off-the-land binaries according to business need.
  • Harden egress controls and proxy monitoring so command-and-control via intermediaries is not invisible.
  • Review code-signing trust decisions and certificate reputation processes; signed code should not be automatically trusted without behavioral context.
  • Limit unnecessary compression, staging, and bulk data movement from sensitive systems through policy, monitoring, and access controls.

Analyst notes and limits

This take is based on the official ATT&CK group description, external references, and listed relationships. CopyKittens is described by MITRE as an Iranian cyber espionage group associated with Operation Wilted Tulip. The most defensible defensive framing comes from the related software and techniques: Cobalt Strike, Empire, TDTESS, Matryoshka, PowerShell, Proxy, Rundll32, Code Signing, Archive via Utility, Archive via Custom Method, Hidden Window, and Tool acquisition.

MITRE provides no official detection guidance, no tactics, and no platforms directly on the CopyKittens group object. Related techniques and software include platform information, but those do not prove every CopyKittens intrusion affects those platforms in a given environment. Local telemetry, business exposure, and current threat intelligence are required before making risk, detection coverage, or incident conclusions.

Official MITRE ATT&CK definition

CopyKittens

CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.[1][2][3]

View the same entry on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain / ID / Name / Relationship or procedure

Enterprise T1560.003 Archive via Custom Method (sub-technique)

CopyKittens encrypts data with a substitute cipher prior to exfiltration. (Citation: CopyKittens Nov 2015)

Enterprise T1560.001 Archive via Utility (sub-technique)

CopyKittens uses ZPP, a .NET console program, to compress files with ZIP. (Citation: ClearSky Wilted Tulip July 2017)

Enterprise T1059.001 PowerShell (sub-technique)

CopyKittens has used PowerShell Empire. (Citation: ClearSky Wilted Tulip July 2017)

Enterprise T1090 Proxy

CopyKittens has used the AirVPN service for operational activity. (Citation: Microsoft POLONIUM June 2022)

Enterprise T1218.011 Rundll32 (sub-technique)

CopyKittens uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, Cobalt Strike, and shellcode. (Citation: ClearSky Wilted Tulip July 2017)

Enterprise T1564.003 Hidden Window (sub-technique)

CopyKittens has used -w hidden and -windowstyle hidden to conceal PowerShell windows. (Citation: ClearSky Wilted Tulip July 2017)

Enterprise T1588.002 Tool (sub-technique)

CopyKittens has used Metasploit, Empire, and AirVPN for post-exploitation activities. (Citation: ClearSky and Trend Micro Operation Wilted Tulip July 2017) (Citation: Microsoft POLONIUM June 2022)

Enterprise T1553.002 Code Signing (sub-technique)

CopyKittens digitally signed an executable with a stolen certificate from legitimate company AI Squared. (Citation: ClearSky Wilted Tulip July 2017)

Associated objects

Groups, software, and campaigns

Malware (Enterprise)

S0154: Cobalt Strike

Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]

Platforms: Linux, macOS, Windows

Tool (Enterprise)

S0363: Empire

Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]

Platforms: Linux, macOS, Windows

Malware (Enterprise)

S0167: Matryoshka

Matryoshka is a malware framework used by CopyKittens that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences. [1] [2]

Platforms: Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.6
Raw hash: 05bdc5a2817020d2...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.6 | | Current bundle | 05bdc5a28170…

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] ClearSky CopyKittens March 2017. ClearSky Cyber Security. (2017, March 30). Jerusalem Post and other Israeli websites compromised by Iranian threat agent CopyKitten. Retrieved August 21, 2017.
  2. [2] ClearSky Wilted Tulip July 2017. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  3. [3] CopyKittens Nov 2015. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved November 17, 2024.
  4. [4] mitre-attack G0052. The CopyKittens group entry (G0052) on attack.mitre.org.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.