Cyber Threat Actor: Cobalt Kitten
| Actor Type | Location | Known Incidents |
Nation State
|
Iran
|
0 incidents |
|---|
Profile
Cobalt Kitten, also tracked as TunnelVision, is an Iranian cyber threat actor primarily engaged in cyber espionage operations. Public reporting associates this group with activities aligned with Iranian state interests, though explicit government links remain formally unconfirmed. The actor demonstrates a consistent focus on targets across the Middle East, with emphasis on government entities, telecommunications providers, and technology sectors. Their operations prioritize intelligence gathering, likely supporting broader strategic or geopolitical objectives rather than financial gain or disruptive attacks.
This group employs spear-phishing as a primary initial access vector, crafting tailored lures to compromise target credentials or deploy malware. Cobalt Kitten has utilized PowerShell-based tools for post-exploitation activities, including reconnaissance and data exfiltration. Public reports link the actor to the use of POWERSTATS, a custom backdoor capable of executing commands, file manipulation, and persistence mechanisms. Their operations exhibit deliberate targeting of organizations holding sensitive political or technical information. One notable campaign attributed to Cobalt Kitten involved sustained intrusions into Middle Eastern telecommunications firms, leveraging compromised credentials and the POWERSTATS malware to extract call detail records and network infrastructure data. The group maintains operational security by frequently modifying infrastructure and employing living-off-the-land techniques to blend with legitimate network traffic.
