Static Kitten New Malicious Activity


Anomali Threat discovered new malicious activities, attributed to the Iranian cyber espionage organization “Static Kitten” (Seedworm, MERCURY, Temp.Zagros, POWERSTATS, NTSTATS, MuddyWater), which mainly targets the Middle East. The new activities use the same as the previous ones. TTP with consistent “Static Kitten” activities. Based on the data in the malicious samples, we found samples disguised as the Kuwaiti government and the UAE National Assembly.

In mid-2020, the UAE and Israel began to normalize relations. Since then, as reported by many news reports, the situation in the region has escalated to a state of tension. The targeting of Kuwait may be related to many factors, including the public statement issued by the Kuwaiti Ministry of Foreign Affairs, They are willing to lead the mediation between Iran and Saudi Arabia. In addition, in October 2020, the trade figures for a peace agreement between Israel and the UAE include an estimate of the creation of 15,000 jobs and an estimated $2 billion in revenue for both parties. In December, it was reported that Static Kitten conducted “Operation Quicksand”, which targeted well-known Israeli organizations, including the use of OneHub file storage services.


Two decoy ZIP files used by Static Kitten to trick users into downloading files related to so-called reports or scholarships on the relationship between Arab countries and Israel. The URLs distributed by these emails redirect the recipients to the target location on Onehub, Onehub It is a known asset used by Static Kitte.

The purpose of Static Kitten is to direct users to a malicious URL through a email that mimics an EXE. The EXE appears to be a report on the relationship between Arab countries and Israel, but after execution it actually initiates the installation process of ScreenConnect.

The second sample used .docx file, which the user attempts to directed to a malicious URL, you will have the same name in the EXE .ZIP downloaded, the installation will start when executed ScreenConnect Infection chain as shown below.

 static kitten infection chain

Bait Document

Static Kitten distributes at least two malicious URLs that deliver two different ZIP files with topics related to government agency employees. These URLs are distributed through emails with decoys and decoy documents. Examples of decoys are as follows As shown in the figure.

 static kitten docx

The .docx file shown in the image above is directed to recipients of government agencies, while highlighting concerns about recent actions in Iran, the impact of the U.S. election, and government entities’ joint research on the relationship between Arab countries and Israel. Multiple officials are mentioned. Institutions, including the General Secretariat of the Cooperation Council of the Arab States of the Gulf and the UAE National Media Council, may be to increase legitimacy.