Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ Ajax Security Team

🌐Ajax Security Team

🌐 Ajax Security Team is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 6 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0130) ↗
14Use cases
0Articles
6Techniques
0IOCs

About this actor (MITRE)

[Ajax Security Team](https://attack.mitre.org/groups/G0130) is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 [Ajax Security Team](https://attack.mitre.org/groups/G0130) transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.(Citation: FireEye Operation Saffron Rose 2013)

Known aliases

Ajax Security TeamOperation Woolen-GoldfishAjaxTMRocket KittenFlying KittenOperation Saffron Rose

Top techniques

T1056.001 · KeyloggingT1105 · Ingress Tool TransferT1204.002 · Malicious File

All other tracked techniques

T1555.003 · Credentials from Web BrowsersT1566.001 · Spearphishing AttachmentT1566.003 · Spearphishing via Service

Detection use cases (14)

Ajax Security Team / Rocket Kitten — Saffron Rose macro-doc to LOLBin ingress chain AI · profile SΣ Ajax 'Stealer' browser-credential database exfiltration by non-browser process AI · profile SΣ Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match Package manager lifecycle hook spawns network-fetching shell or runtime MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match