Supposed mastermind behind ‘Rocket Kitten’ APT identified in research paper

More than a year after first being spotted, the cyberespionage group Rocket Kitten and its primary malware creator are being unmasked.

Check Point Software Technologies published the findings of its independent investigation into the group on Monday and claims it's identified the man behind the entire scheme.

Also of particular note, said Shahar Tal, malware and vulnerability researcher at Check Point, in an interview, is the unearthing of Rocket Kitten's entire target list. At least 1,600 people and entities have been targeted over the past two years, Tal said.

Tal and others accessed the database after conducting a web probe by making scripted GET requests, going off prior research from other groups. This ultimately yielded password-less root access to the group's apparent server.

Check Point researchers' hunt yielded a supposed experimental messaging system, template codes for phishing pages, and, ultimately, a “projects” table, which appears to document the group's efforts, both successful and unsuccessful.

“When we started looking through the database, we were really shocked to find [what] malware researchers dream of finding one day, and this was every single victim including successful victims, passwords that people have entered, [and] including a lot of data that was stolen,” Tal said. “Once we realized we were in possession of that, we realized we were on to something big. We started looking into more technical evidence, which we actually found.”

The researchers uncovered more thorough indicators of compromise, along with new malware strains, including a Remote Access Trojan (RAT) the group apparently favored.

Further down the Rocket Kitten rabbit hole, the researchers appeared to identify the mastermind behind the operation, who goes by “Wool3n.H4t,” as Yaser Balaghi.

The company found references to his alias and real name on various developer forums, within the server itself, and eventually, in an online tutorial he posted on SQL injection.

Additionally, a reported resume for Balaghi has listed “designing a phishing system” as ordered by a “cyber-organization.”

While saying that technical evidence can be forged, or information planted, Tal said he backs his company's findings because of “overwhelming evidence.”

“All evidence fits the same story and same narrative,” he said. “The probability that this is a false lead is extremely nonexistent in my opinion.”

Given that Balaghi resides in Iran, there will likely not be any repercussions or extradition. However, Tal said the findings have been passed along to European and U.S. search bodies, as well as service providers who hosted the malicious servers.

Most infrastructure has been taken down since then, Tal said, and continued, “don't expect to see them attacking any time soon.”
