Domestic Kitten – An Inside Look at the Iranian Surveillance Operations

By Check Point Team

February 9, 2021

Despite the reveal of “Domestic Kitten” by Check Point in 2018, APT-C-50 has not stopped conducting extensive surveillance operations against Iranian citizens that could pose a threat to the stability of the Iranian regime, including internal dissidents, opposition forces, ISIS advocates, the Kurdish minority in Iran, and more.
In this paper, Check Point Research reveals the extent of the operations, the multiple campaigns executed by APT-C-50, their delivery methods, and an analysis of the targeted individuals. In addition, we provide a technical analysis of the FurBall malware used since the beginning of the operation, its origin, and observed covers used to conceal the malware’s true nature.


Check Point researchers recently uncovered the full extent of Domestic Kitten’s  extensive surveillance operation against Iranian citizens that could pose a threat to the stability of the Iranian regime. The operation itself is linked to the Iranian government, and executed by APT-C-50.

Starting in 2017, this operation, consisting of 10 unique campaigns, targeted over 1,200 individuals with more than 600 successful infections.  It includes 4 currently active campaigns, the most recent of which began in November 2020.

In these campaigns, victims are lured to install a malicious application by multiple vectors, including an Iranian blog site, Telegram channels, and even by SMS with a link to the malicious application.

The capabilities of the Domestic Kitten malware (which we are calling FurBall), include: collecting device identifiers, grabbing SMS messages and call logs, surround recording with the device microphone, call recording, stealing media files (such as videos and photos), obtaining a list of installed applications, tracking the device location, stealing files from the external storage, and more. For a full list of commands, see the Technical Analysis section.

Campaigns & Victims

Almost all of the campaigns we observed use the same infrastructure that Domestic Kitten used back in 2018, the C&C hXXp://www[.]firmwaresystemupdate[.]com. We differentiate between campaigns by the URI segment of the C&C server. For example, in the most recent campaign the full C&C address is hXXp://www[.]firmwaresystemupdate[.]com/hass (which we call the ‘hass’ campaign for obvious reasons).


Start End
hass November 2020 Currently active
or May 2020 June 2020
mat December 2019 July 2020
hj May 2019 April 2020
oth June 2018 Currently active
hr October 2017 November 2017
maj October 2017 June 2019
mmh July 2017 Currently active
msd June 2017 Currently active


June 2017

September 2019

Figure 1 – Domestic Kitten Campaign list 

FurBall uses a large variety of covers to mask its malicious intentions. A few prominent covers include:

  • VIPRE Mobile Security – A fake mobile security application.
  • ISIS Amaq – A news outlet for the Amaq news agency.
  • Exotic Flowers – A repackaged version of a game from Google Play.
  • MyKet – An Android application store.
  • Iranian Woman Ninja – A wallpaper application.

In the newest ‘hass’ campaign, APT-C-50 mimics an application for the restaurant “Mohsen Restaurant” which is located in Tehran. Covers of the ‘mmh’ campaign include an ISIS supporter application and a repackaged version of ‘Exotic Flowers’ from Google Play.

Figure 2 – FurBall Mohsen ;hass’



Figure 3 – FurBall Repacked ‘Exotic Flowers’ cover, and an ISIS supported cover

A full list of the covers is provided in Appendix 1 – FurBall Covers.

The methods used to deliver FurBall applications to victims also varies from one campaign to another. In some campaigns, we observed SMS messages with a link to download the malware, while in others an Iranian blog site hosted the payload.  In another campaign, we assume that the application was shared in a Telegram channel.

Figure 4 – The Iranian blog hosting FurBall

We were able to identify victims of the Domestic Kitten operation from various places around the globe, including Iran, the United States, Great Britain, Pakistan, Afghanistan, Turkey, and more.


Figure 5 – Victims distribution by Country

Figure 6 – Successful attacks by date and campaign

We traced 2 unique IPs that connected to the malware’s C&C server. We assume that those IPs are used to send instructions to the server: and According to, both IPs reside in Iran, the first in Tehran, and the second in Karaj.

Figure 7 – IP2Location’s output

Terms of Use | Copyright © 2002 - 2021 CONSTITUENTWORKS SM  CORPORATION. All rights reserved. | Privacy Statement