MITRE ATT&CK® Group

G0130: Ajax Security Team

Ajax Security Team is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 Ajax Security Team transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.[1]

Enterprise | G0130 | Group | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Ajax Security Team matters because ATT&CK links the group to a shift from website defacement toward malware-based cyber espionage, with reported targeting of the US defense industrial base and Iranian users of anti-censorship technologies. For leaders, the practical issue is not the actor's name alone, but whether the organization can withstand phishing-led access, credential theft from users and browsers, keylogging, tool transfer, and use of the SQL injection tooling linked to the group through ATT&CK relationships.

Executive priority

Prioritize this as a validation case for phishing resilience, identity protection, endpoint visibility, web application security, and incident response readiness. The object has no official ATT&CK detection guidance and no group-level platform or tactic fields, so executives should ask whether existing controls produce evidence across the related behaviors: spearphishing attachments or services, malicious file execution, credential collection, ingress tool transfer, and SQL injection tool activity. This is especially relevant where defense industrial base exposure, sensitive user populations, or externally facing web applications are business-critical.

Technical view

SOC and IR teams should use the ATT&CK relationships as the defensive map: T1566.001 and T1566.003 for initial-access phishing paths, T1204.002 for user-driven malicious file execution, T1056.001 and T1555.003 for credential collection, T1105 for inbound tool transfer, and S0224/S0225 for SQL injection tooling context. Because the group object itself provides no official detection text, coverage should be proven through local telemetry, alert logic, and incident playbooks rather than assumed from actor naming. Validate whether detections connect email or service-delivered lures to endpoint execution, credential access attempts, and subsequent file/tool transfers.

Likely telemetry

  • Email security logs for attachments, sender metadata, delivery disposition, and user interaction where available
  • Third-party messaging or collaboration service audit logs relevant to spearphishing via service
  • Endpoint process, file creation, script execution, and child-process telemetry for malicious file execution
  • Browser credential store access indicators and endpoint file access telemetry where collected
  • Keystroke-capture or suspicious input-monitoring indicators from endpoint security tools

Detection direction

  • Do not rely on actor-name detections; build behavior-based coverage around the related ATT&CK techniques and software.
  • Tune phishing detections for both enterprise email and third-party services, since ATT&CK lists spearphishing attachment and spearphishing via service relationships.
  • Correlate user-opened files with endpoint execution and follow-on credential access or network transfer activity to reduce isolated false positives.
  • Validate visibility into browser credential access and keylogging-like behavior, which may be noisy or dependent on endpoint sensor depth.
  • Review web application monitoring for SQL injection tooling such as Havij and sqlmap, while accounting for legitimate penetration testing activity as a false-positive source.
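
As an added illustration of the correlation step above (example code, not from ATT&CK or Glexia): a small Python correlator over constructed, Sysmon-like events that ties a lure process spawned by a mail or collaboration client to the follow-on behaviors this page lists, and suppresses lure-only events. The parent-process-to-delivery-channel mapping, the 600-second window and the sample events are assumptions.

```python
"""Added example (not ATT&CK or Glexia code): chain a user-executed lure (T1204.002)
delivered by mail or a collaboration service (T1566.001 / T1566.003) to follow-on
browser credential-store reads (T1555.003) and payload download (T1105)."""
# Assumed parent-process mapping: mail client => attachment, chat client => service.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SERVICE_CLIENTS = {"teams.exe", "slack.exe", "telegram.exe"}
CRED_STORES = ("logins.json", "key4.db", "login data")  # Firefox / Chromium stores
WINDOW = 600  # seconds: follow-on activity must land within this window

def delivery_technique(parent):
    """Map the spawning client to the page's two spearphishing sub-techniques."""
    if parent in MAIL_CLIENTS:
        return "T1566.001"
    return "T1566.003" if parent in SERVICE_CLIENTS else None

def correlate(events):
    """One alert per (host, pid) whose lure execution has a follow-on step."""
    chains = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["host"], e["pid"])
        if e["type"] == "process_start":
            delivery = delivery_technique(e["parent"])
            if delivery:
                chains[key] = {"host": e["host"], "image": e["image"],
                               "start": e["ts"], "techniques": [delivery, "T1204.002"]}
            continue
        chain = chains.get(key)
        if chain is None or e["ts"] - chain["start"] > WINDOW:
            continue  # not a lure process, or too far from the lure execution
        if e["type"] == "file_read" and e["path"].lower().endswith(CRED_STORES):
            chain["techniques"].append("T1555.003")
        elif e["type"] == "net_download" and e.get("content_type") == "application/x-msdownload":
            chain["techniques"].append("T1105")
    # Delivery + execution alone is lure-only noise; require at least one follow-on.
    return [c for c in chains.values() if len(c["techniques"]) > 2]

SAMPLE = [  # constructed events with Sysmon-like fields, not real telemetry
    {"ts": 10, "host": "ws1", "pid": 410, "type": "process_start", "image": "invoice_q3.exe", "parent": "outlook.exe"},
    {"ts": 45, "host": "ws1", "pid": 410, "type": "file_read", "path": r"C:\Users\a\AppData\Roaming\Mozilla\Firefox\Profiles\x.default\logins.json"},
    {"ts": 90, "host": "ws1", "pid": 410, "type": "net_download", "content_type": "application/x-msdownload", "bytes": 380000},
    {"ts": 12, "host": "ws2", "pid": 520, "type": "process_start", "image": "setup.exe", "parent": "explorer.exe"},
    {"ts": 30, "host": "ws2", "pid": 520, "type": "file_read", "path": r"C:\Users\b\readme.txt"},
    {"ts": 20, "host": "ws3", "pid": 611, "type": "process_start", "image": "photo.scr", "parent": "teams.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert["host"], alert["image"], " -> ".join(alert["techniques"]))
```

Only ws1 produces an alert: ws2's process has no phishing-client parent, and ws3's Teams-spawned screensaver is lure-only with no follow-on step within the window.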

Mitigation priorities

  • Strengthen phishing controls and user reporting workflows for attachments and messages delivered through third-party services.
  • Harden endpoint execution policy and attachment handling to reduce user-driven malicious file execution risk.
  • Protect credentials with least privilege, multi-factor authentication where applicable, and controls that reduce stored browser credential exposure.
  • Ensure endpoint monitoring and response processes can investigate suspected keylogging or credential theft behavior.
  • Control and monitor inbound file/tool transfer paths through proxy, firewall, EDR, and network logging.

Analyst notes and limits

ATT&CK describes Ajax Security Team as active since at least 2010 and believed to operate out of Iran, with a reported transition by 2014 from defacement to malware-based espionage campaigns. Relationships supplied for this object include Havij, sqlmap, keylogging, ingress tool transfer, malicious file execution, browser credential theft, and spearphishing via attachment or service. Several aliases and campaign names are listed, but the external references also indicate ambiguity or potential relationships among naming clusters, so reporting should preserve source context.

The group object provides no official detection text, no group-level platforms, and no group-level tactics. The guidance above is derived only from supplied ATT&CK description, external references, and relationships; it does not establish current activity, customer exposure, attribution certainty, or detection coverage in any environment. Local telemetry, business exposure, and authorized testing records are required to determine relevance and priority.

Official MITRE ATT&CK definition

Ajax Security Team

Ajax Security Team is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 Ajax Security Team transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.[1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1056.001 | Keylogging (Sub-technique)
Ajax Security Team has used CWoolger and MPK, custom-developed malware, which recorded all keystrokes on an infected system. (Citation: Check Point Rocket Kitten)

Enterprise | T1566.003 | Spearphishing via Service (Sub-technique)
Ajax Security Team has used various social media channels to spearphish victims. (Citation: FireEye Operation Saffron Rose 2013)

Enterprise | T1566.001 | Spearphishing Attachment (Sub-technique)
Ajax Security Team has used personalized spearphishing attachments. (Citation: Check Point Rocket Kitten)

Enterprise | T1204.002 | Malicious File (Sub-technique)
Ajax Security Team has lured victims into executing malicious files. (Citation: FireEye Operation Saffron Rose 2013)

Enterprise | T1555.003 | Credentials from Web Browsers (Sub-technique)
Ajax Security Team has used FireMalv custom-developed malware, which collected passwords from the Firefox browser storage. (Citation: Check Point Rocket Kitten)

Enterprise | T1105 | Ingress Tool Transfer
Ajax Security Team has used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system. (Citation: Check Point Rocket Kitten)

Associated objects

Groups, software, and campaigns

Tool Enterprise

S0225: sqlmap

sqlmap is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws. [1]

Tool Enterprise

S0224: Havij

Havij is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries. [1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 33e1685a737a7bd4...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 1.0 Current bundle 33e1685a737a…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] FireEye Operation Saffron Rose 2013
     Villeneuve, N. et al. (2013). OPERATION SAFFRON ROSE. Retrieved May 28, 2020.
  2. [2] AjaxTM
     (Citation: FireEye Operation Saffron Rose 2013)
  3. [3] Check Point Rocket Kitten
     Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.
  4. [4] CrowdStrike Flying Kitten
     Dahl, M. (2014, May 13). Cat Scratch Fever: CrowdStrike Tracks Newly Reported Iranian Actor as FLYING KITTEN. Retrieved May 27, 2020.
  5. [5] Flying Kitten
     (Citation: CrowdStrike Flying Kitten)
  6. [6] IranThreats Kittens Dec 2017
     Iran Threats. (2017, December 5). Flying Kitten to Rocket Kitten, A Case of Ambiguity and Shared Code. Retrieved May 28, 2020.
  7. [7] Operation Saffron Rose
     (Citation: FireEye Operation Saffron Rose 2013)
  8. [8] Operation Woolen-Goldfish
     Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between [Ajax Security Team](https://attack.mitre.org/groups/G0130) and the campaign Operation Woolen-Goldfish. (Citation: Check Point Rocket Kitten)(Citation: TrendMicro Operation Woolen Goldfish March 2015)
  9. [9] Rocket Kitten
     Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between [Ajax Security Team](https://attack.mitre.org/groups/G0130) and Rocket Kitten. (Citation: Check Point Rocket Kitten)(Citation: IranThreats Kittens Dec 2017)
  10. [10] TrendMicro Operation Woolen Goldfish March 2015
     Cedric Pernet, Kenney Lu. (2015, March 19). Operation Woolen-Goldfish - When Kittens Go phishing. Retrieved April 21, 2021.
  11. [11] mitre-attack G0130

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.