Domestic Kitten – An Inside Look at the Iranian Surveillance Operations

February 8, 2021


Despite the reveal of “Domestic Kitten” by Check Point in 2018, APT-C-50 has not stopped conducting extensive surveillance operations against Iranian citizens that could pose a threat to the stability of the Iranian regime, including internal dissidents, opposition forces, ISIS advocates, the Kurdish minority in Iran, and more.
In this paper, Check Point Research reveals the extent of the operations, the multiple campaigns executed by APT-C-50, their delivery methods, and an analysis of the targeted individuals. In addition, we provide a technical analysis of the FurBall malware used since the beginning of the operation, its origin, and observed covers used to conceal the malware’s true nature.


Check Point researchers recently uncovered the full extent of Domestic Kitten’s  extensive surveillance operation against Iranian citizens that could pose a threat to the stability of the Iranian regime. The operation itself is linked to the Iranian government, and executed by APT-C-50.
Starting in 2017, this operation, consisting of 10 unique campaigns, targeted over 1,200 individuals with more than 600 successful infections.  It includes 4 currently active campaigns, the most recent of which began in November 2020.
In these campaigns, victims are lured to install a malicious application by multiple vectors, including an Iranian blog site, Telegram channels, and even by SMS with a link to the malicious application.
The capabilities of the Domestic Kitten malware (which we are calling FurBall), include: collecting device identifiers, grabbing SMS messages and call logs, surround recording with the device microphone, call recording, stealing media files (such as videos and photos), obtaining a list of installed applications, tracking the device location, stealing files from the external storage, and more. For a full list of commands, see the Technical Analysis section.

Campaigns & Victims

Almost all of the campaigns we observed use the same infrastructure that Domestic Kitten used back in 2018, the C&C hXXp://www[.]firmwaresystemupdate[.]com. We differentiate between campaigns by the URI segment of the C&C server. For example, in the most recent campaign the full C&C address is hXXp://www[.]firmwaresystemupdate[.]com/hass (which we call the ‘hass’ campaign for obvious reasons).


Start End
hass November 2020 Currently active
or May 2020 June 2020
mat December 2019 July 2020
hj May 2019 April 2020
oth June 2018 Currently active
hr October 2017 November 2017
maj October 2017 June 2019
mmh July 2017 Currently active
msd June 2017 Currently active


June 2017

September 2019

Figure 1 – Domestic Kitten Campaign list


FurBall uses a large variety of covers to mask its malicious intentions. A few prominent covers include:

  • VIPRE Mobile Security – A fake mobile security application.
  • ISIS Amaq – A news outlet for the Amaq news agency.
  • Exotic Flowers – A repackaged version of a game from Google Play.
  • MyKet – An Android application store.
  • Iranian Woman Ninja – A wallpaper application.

In the newest ‘hass’ campaign, APT-C-50 mimics an application for the restaurant “Mohsen Restaurant” which is located in Tehran. Covers of the ‘mmh’ campaign include an ISIS supporter application and a repackaged version of ‘Exotic Flowers’ from Google Play.

Figure 2 – FurBall Mohsen ;hass’



Figure 3 – FurBall Repacked ‘Exotic Flowers’ cover, and an ISIS supported cover

A full list of the covers is provided in Appendix 1 – FurBall Covers.

The methods used to deliver FurBall applications to victims also varies from one campaign to another. In some campaigns, we observed SMS messages with a link to download the malware, while in others an Iranian blog site hosted the payload.  In another campaign, we assume that the application was shared in a Telegram channel.

Figure 4 – The Iranian blog hosting FurBall

We were able to identify victims of the Domestic Kitten operation from various places around the globe, including Iran, the United States, Great Britain, Pakistan, Afghanistan, Turkey, and more.


Figure 5 – Victims distribution by Country

Figure 6 – Successful attacks by date and campaign

We traced 2 unique IPs that connected to the malware’s C&C server. We assume that those IPs are used to send instructions to the server: and According to, both IPs reside in Iran, the first in Tehran, and the second in Karaj.

Figure 7 – IP2Location’s output

FurBall – Technical Analysis

Upon execution, the first thing Furball does is to allow execution of the application on the device startup. To achieve this, FurBall starts its code on a receiver that listens for the BOOT_COMPLETED event, which in turn calls to the ‘startService’ method to initiate everything that is needed for the malware’s functionality.

Figure 8 – BOOT_COMPLETED receiver


Figure 9 – The startService method

In addition, this piece of code also initializes a ‘settings’ object, which contains the configuration for FurBall: which C&C to connect to, another back-up C&C address, flags to allow functionality, frequency for C&C pulling commands, and more.

Figure 10 – FurBall configuration

After initialization, FurBall creates 3 threads.

The first periodically sends media files such as videos, photos, and call records to the server, with a default frequency of every 20 seconds. The remaining 2 threads are keep-alive threads that communicate with <C&C Address>/<campaign>/answer.php. We assume this allows the threat actors to see which devices are currently active.

The next step for FurBall is to initialize the Command Manager. This component pulls commands from the C&C by requesting the <C&C>/<campaign>/get-function.php and awaits commands. Each command is delimited by the “===”string, and the arguments are delimited by the “~~~” string.

Command Action
NoCommand No command.
Time Gets device local time.
Set Sets a configuration parameter given as the first argument, to a specific value given as the second argument.
Get Gets data given as an argument from the infected device. The list below includes all possible Get arguments.
Get~~~AllLog Gets log files
Get~~~AllNotif Gets all notifications
Get~~~AllContact Gets all contacts.
Get~~~AllFile Gets the names of all files on the device from the SD card root.
Get~~~AllSms Gets all SMS.
Get~~~AllCall Gets call logs.
Get~~~AllApp Gets a list of all installed applications on the device.
Get~~~AllBrowser Gest all browsing history.
Get~~~AllAccount Gest a list of all user accounts stored on the device.
Get~~~AllSettings Gets the settings for FurBall.
Get~~~Location Gets the current location of the device.
Get~~~HardwareInfo Gets hardware information on the device.
Get~~~File Gets a specific file and upload it to <C&C>/<campaign>/upload-file.php
Take Allows the actor to perform actions on the device itself. The list below shows all possible arguments for the Take command.
Take~~~Audio Starts audio recording with the microphone for a given amount of time.
Take~~~Video Starts a video recording using camera ID specified as a parameter for a given amount of time.
Take~~RecordCall Starts recording calls from this point on.
Delete~~~SMS Deletes all SMS from the “HiddenNumber” parameter in the configuration.
Delete~~~Call Deletes all calls from the “HiddenNumber” parameter in the configuration.
Delete~~~File Deletes files from provided paths.
Reset~~~AllCommand Deletes all logs and media files, resets to a “default” configuration.

Figure 11 – FurBall possible commands

Figure 12 – the Command Manager listening for commands

Figure 13 – Command Manager parsing commands

After all initializations, it’s time to start collecting the initial data on the device. FurBall collects the following data on startup:

  • Hardware Information
  • Contacts
  • Call logs
  • Accounts
  • Browser history
  • File list on the SD card



Figure 14 – the sendStartup method


After collecting initial data on the device, FurBall initialize two other components. The first one is a clipboard monitor which monitors the clipboard content (where data is stored when it’s “copied”), and the other collects info about the top-most application’s activity.

Figure 15 – Clipboard monitor

Figure 16 – Top-most application monitor

The last significant component that is used by FurBall is the Notification Observer Service, a service that is based on the NotificationListenerService and allows FurBall to access all notifications received by the device.

Figure 17 – NotificationObserverService

While investigating the new version of Domestic Kitten’s FurBall, we noticed that FurBall is actually based on a commercially available parental control software called KidLogger . As FurBall shares a lot of infrastructure code with KidLogger, it seems that the developers used the KidLogger source-code available on github.

A few noticeable differences between KidLogger and FurBall:

  • FurBall has a configuration update mechanism that is not present in KidLogger.
  • FurBall is based on plain threads, while KidLogger is based on services.

Figure 18 – Code similarity between FurBall and KidLogger


We were able to mimic the command and control server’s behavior and provide a potential use-case against a fictional target.


How to protect yourself

Check Point SandBlast Mobile is the market-leading Mobile Threat Defense (MTD) solution, providing the widest range of capabilities to help you secure your mobile workforce.
SandBlast Mobile provides protection for all mobile vectors of attack, including the download of malicious applications and applications with malware embedded in them.
Learn more.


Appendix 1 – FurBall Covers:

Package name Cover
com.intense.pub1.sbgs Islamic Caliphate
com.clem.isisnews ISIS News Watch
com.majorityapps.exoticflowers Repacked “Exotic Flowers” from Google Play.
com.ssd.vipre Fake security product
com.apps.amaq Amaq News Agency Application Persian poems Persian poems
com.nidayehaq Religious application Ramadan Pictures
ir.hukmi.moanzalalloh “Judgment by what Alla has revealed” “Omar Farouq”
com.hamgaam.shahnamef “The Book of Kings”
ir.korosh.kabir “Cyrus the Great”
ir.hawijapp.myhafez Persian poems
com.kabood.koroshkabir “Cyrus the Great”
com.andriod.browser Fake “mobile secured browser” Application market for Android
com.mohsen Mohsen restaurant mimic

Appendix 2 – IOCs:








  • Check Point Research Publications
  • Global Cyber Attack Reports
  • Threat Research
February 17, 2020

“The Turkish Rat” Evolved Adwind in a Massive Ongoing Phishing Campaign

  • Check Point Research Publications
August 11, 2017

“The Next WannaCry” Vulnerability is Here

  • Check Point Research Publications
January 11, 2018

‘RubyMiner’ Cryptominer Affects 30% of WW Networks