VINETHORN
VINETHORN is malware associated with the Iranian threat actor APT42, also referred to in the source material as Imperial Kitten. The malware was staged on APT42-controlled infrastructure and masqueraded as a VPN application, indicating delivery through social engineering and fake or impersonating software. The source material also states that Imperial Kitten uses spear-phishing with malicious links to deliver VINETHORN and other malware, exploits Android vulnerabilities, and employs cloud-based command-and-control servers. High-confidence context ties VINETHORN to APT42 espionage activity targeting entities of interest to that actor, including US, Israeli, and dissident targets. The source material does not include specific technical details on VINETHORN's internal functionality, persistence mechanisms, or indicators of compromise beyond its staging on actor infrastructure and its disguise as a VPN app.
Groups observed using it
2 distinct threat actors attributed by public researchers.
APT42 has used its infrastructure for C2 and for staging the VINETHORN payload, which masqueraded as a VPN application.
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
Reference procedure examples quoted for this tactic: "APT32 has hosted malicious payloads in Dropbox, Amazon S3, and Google Drive for use during targeting." / "FIN7 has staged legitimate software, that was trojanized...on Amazon S3." / "TeamTNT has uploaded backdoored Docker images to Docker Hub."
APT42 has used its infrastructure for C2 and for staging the VINETHORN payload, which masqueraded as a VPN application.
Initial Access
1 technique
Multiple Iran-nexus APT groups are described as using spear-phishing: e.g., Charming Kitten uses "spear-phishing with fake personas and compromised emails... phishing via benign PDFs for credential harvesting"; several others use "spear-phishing with malicious documents/attachments/links."
Stealth
2 techniques
Reference procedure example quoted for this tactic: during the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
APT42 has masqueraded the VINETHORN payload as a VPN application.
Command and Control
1 technique
Imperial Kitten is described as "using cloud-based C2 servers"; Tortoiseshell as "leveraging cloud infrastructure like Azure for C2."
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Malware used in spear-phishing-led espionage and dissident monitoring operations.
Malware delivered via spear-phishing by Imperial Kitten (APT42) for espionage and surveillance.
A payload staged by APT42 that masquerades as a VPN application and is supported by actor infrastructure used for command-and-control (C2).
A staged payload used by APT42 that masquerades as a VPN application; delivered via actor-controlled infrastructure and used in C2-related activity.