Menu
Browse

Cyber Threat Actor: Cobalt Kitten

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Nation State
Iran
0 incidents
Profile

Cobalt Kitten, also tracked as TunnelVision, is an Iranian cyber threat actor primarily engaged in cyber espionage operations. Public reporting associates this group with activities aligned with Iranian state interests, though explicit government links remain formally unconfirmed. The actor demonstrates a consistent focus on targets across the Middle East, with emphasis on government entities, telecommunications providers, and technology sectors. Their operations prioritize intelligence gathering, likely supporting broader strategic or geopolitical objectives rather than financial gain or disruptive attacks.

This group employs spear-phishing as a primary initial access vector, crafting tailored lures to compromise target credentials or deploy malware. Cobalt Kitten has utilized PowerShell-based tools for post-exploitation activities, including reconnaissance and data exfiltration. Public reports link the actor to the use of POWERSTATS, a custom backdoor capable of executing commands, file manipulation, and persistence mechanisms. Their operations exhibit deliberate targeting of organizations holding sensitive political or technical information. One notable campaign attributed to Cobalt Kitten involved sustained intrusions into Middle Eastern telecommunications firms, leveraging compromised credentials and the POWERSTATS malware to extract call detail records and network infrastructure data. The group maintains operational security by frequently modifying infrastructure and employing living-off-the-land techniques to blend with legitimate network traffic.

Incidents
Attributed incidents available to members
0 incidents
Sources
Sources available to members
0 sources