The favored multi-staged attack tool of the CopyKittens, a mid-level group with suspected ties to the Iranian government. While not a group formed by high-end computer and security experts, their code is carefully picked from public repositories and online forums. They are effective and advanced in a few notable ways:

• Attack methods are stealthy, multi-staged

• Data exfiltration is performed over DNS protocol

• Tools are "homemade"

• Constant development of tools helps evade anti-malware detection

MATRYOSHKA was written as a multi-stage framework, with each part of it built to implement its subsequent step.

Anatomy of an Attack:

1. Spear Phishing

Attacks are initiated by sending an infected document file as an email attachment. The attached Microsoft Word document contains the first link in the attack chain: a maliciously crafted OLE binary object.

2. Deployment of Matryoshka, the three part attack framework:


• Obfuscated code evades anti-malware tools

• Signals to command and control (C2) that the dropper payload was executed

• Launches the loader to execute functions on the compromised system

• Scans compromised system for analysis, forensics and detection tools, reports back to C2

Reflective Loader

• Employs anti-debugging and anti-sandboxing techniques before executing

• Abuses Runtime API Address resolver for code injection

• Covert DLL injection of Remote Access Trojan (RAT) libraries

• Creates a Persistence file on disk

Remote Access Trojan (RAT) component

• Configuration of the Reflective Loader to survive reboots and process exits

• DNS Command and Control communication

• Common RAT functionalities—key logging, credential harvesting, data exfiltration...





Products sold by OpenVault are for entertainment and educational purposes only. Customer’s are purchasing a physical copy of digital artwork (Software box).

Add To Cart