
G0130 Ajax Security Team

Ajax Security Team is a group that has been active since at least 2010 and is believed to be operating out of Iran. By 2014 Ajax Security Team had transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.[1]

| Item | Value |
|---|---|
| ID | G0130 |
| Associated Names | Operation Woolen-Goldfish, AjaxTM, Rocket Kitten, Flying Kitten, Operation Saffron Rose |
| Version | 1.0 |
| Created | 14 April 2021 |
| Last Modified | 17 December 2021 |

Associated Group Descriptions

| Name | Description |
|---|---|
| Operation Woolen-Goldfish | Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between Ajax Security Team and the campaign Operation Woolen-Goldfish.[2][3] |
| AjaxTM | [1] |
| Rocket Kitten | Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between Ajax Security Team and Rocket Kitten.[2][4] |
| Flying Kitten | [5] |
| Operation Saffron Rose | [1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | Ajax Security Team has used FireMalv custom-developed malware, which collected passwords from the Firefox browser storage.[2] |
| enterprise | T1105 | Ingress Tool Transfer | Ajax Security Team has used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system.[2] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | Ajax Security Team has used CWoolger and MPK, custom-developed malware, which recorded all keystrokes on an infected system.[2] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | Ajax Security Team has used personalized spearphishing attachments.[2] |
| enterprise | T1566.003 | Spearphishing via Service | Ajax Security Team has used various social media channels to spearphish victims.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | Ajax Security Team has lured victims into executing malicious files.[1] |

Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0224 | Havij | [2] | Exploit Public-Facing Application |
| S0225 | sqlmap | [2] | Exploit Public-Facing Application |

References