A new platform known as the “kitten” project has emerged as a coordination hub for hacktivist campaigns targeting Israel, operating at the intersection of cyber activism and state-aligned influence.
While the operators publicly deny direct ties to Iran, technical evidence and infrastructure traces indicate a close relationship with an Iranian cybersecurity ecosystem and pro-Iranian hacktivist groups.
The “kitten” project functions as a semi‑private environment where select hacktivist actors can upload files, enter private chat rooms, and organize information operations.
For now, access and amplification appear limited to three main hacktivist groups: the well‑known “Handala Hacking Group” and the lesser‑known but operationally important “KilledByIsrael” and “CyberIsnaadFront”.
Together, these groups have been involved in doxing operations, the exposure of personal data of Israeli soldiers and civilians, and attempts to compromise industrial systems, including ICS and PLC environments.
Operation Kitten
Publicly, the operators behind “kitten” insist they are not based in Iran and downplay any direct Iranian affiliation, framing themselves instead as independent actors supporting offensive operations against Israel.
However, this narrative begins to unravel when the project’s early technical footprint is examined.
Before acquiring the public domain thekitten[.]group, a “demo” instance of the platform was hosted on a subdomain of the Iranian portal zagrosguard.ir, exposing a development path that runs through clearly Iranian infrastructure.

A legitimate Iranian IP address associated with this subdomain links the project to a broader Iranian cybersecurity network.
That network appears to be fronted by “Zagros”, a service that markets itself in Farsi as a domestic product enabling unrestricted access to “authorized or sensitive” systems via Iranian IP addresses.
According to its own description, Zagros is designed for programmers, gamers, students and professionals who need to access financial markets and other sensitive platforms without using foreign VPNs, ostensibly to reduce data leakage from services that require Iranian IP addresses.
Yet, despite presenting itself as a substantial commercial platform, Zagros shows no verifiable corporate registrations or typical indicators of a mature technology company.
Investigators describe it instead as a landing page crafted to impersonate a legitimate service while quietly enabling activity that “violates Iranian sanctions”.
Hacktivist Groups Involved
From this starting point, the hacktivist dimension becomes clearer: the same infrastructure that promises secure Iranian IP‑based access is also being used to incubate and deploy politically motivated cyber operations.
A closer review of the HTML code behind the early “kitten” instances confirms that the platform was fully pre‑developed within a Zagros subdomain before being migrated to its current domain.
Contact details embedded in the code lead to phone numbers later traced to a Turkish virtual operator, suggesting an effort to mask the actual location of the operators while maintaining regional proximity.
When one of the listed numbers was checked against Telegram, it resolved to a channel associated with the organization, reinforcing the link between the public front and the operational back end.
Additional traces show recruitment‑style postings in Farsi seeking programmers, security testers and related profiles, indicating that the organization is actively building technical capacity.

At the same time, an examination of an exposed backup of the “admin” panel, including .htaccess rules and an API‑driven backend, revealed a structured architecture for managing media, projects and content.
PHP scripts such as image.php, list.php and media.php handle controlled access to images and videos stored in directories tellingly named “pro_iran_projects”, further underscoring the ideological and geopolitical orientation of the platform.
Taken together, these elements portray the “kitten” project not as a spontaneous grassroots hacktivist space, but as a technically sophisticated, Iran‑linked infrastructure node.
It provides coordination, operational security and narrative amplification for hacktivist collectives engaged in sustained campaigns against Israeli targets, blurring the lines between patriotic hacking, deniable proxy activity and state‑aligned cyber operations.
