Ajax Security Team is an Iranian threat actor assessed by FireEye to be based in Iran and linked by multiple firms to Iranian government-backed espionage activity. Known aliases in the provided content include ajaxtm, Flying Kitten, Operation Saffron Rose, Operation Woolen-Goldfish, and Rocket Kitten. The content states that ClearSky, Trend Micro, and FireEye each concluded the Iranian government was likely behind the malware activity rather than unaffiliated individuals, citing the resources and time required to develop the malware. The group’s activity is described as espionage-focused rather than financially motivated or destructive. Reported tradecraft includes targeted spearphishing emails, personalized spearphishing attachments, use of various social media channels for spearphishing, and luring victims into executing malicious files. Follow-on lures included fake Gmail login pages and YouTube pages when initial phishing attempts failed. Once malware was installed, operators remotely accessed and copied victims’ emails, documents, and other communications. Malware and tooling directly associated in the content include Gholee/Wrapper, which downloaded additional malware to infected systems; FireMalv, which collected passwords from Firefox browser storage; and CWoolger and MPK, which recorded keystrokes on infected systems. Trend Micro identified related malware in an Iranian-linked campaign it called Operation Woolen-Goldfish, while FireEye linked the malware to Ajax Security Team.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
25 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
2 malware families attributed to this actor across reporting.
1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.
3 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as a named APT group in the context of prior threat research produced by Gadi Evron; no operational details are provided in the content.
Used lures to induce victims to execute malicious files.
Actor observed using satellite-based Internet links / satellite IP ranges for command-and-control infrastructure.
Named APT group observed using satellite-based Internet links/IP space for command-and-control infrastructure.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.