Ferocious Kitten: Persistent Iranian Cyberespionage
- Suspected Origin
- Iran
- Motivation
- Espionage, Information Theft, Cyber-surveillance
- Aliases
- None documented
- Target Sectors
- Persian-speaking individuals, Dissidents, Activists
- Associated Malware
- MarkiRAT, PowerShortShell, Psiphon
Overview
Ferocious Kitten, tracked by MITRE ATT&CK as G0137, is a sophisticated and persistent advanced persistent threat (APT) group that has been actively conducting cyberespionage operations since at least 2015. This group primarily targets Persian-speaking individuals within Iran, focusing on intelligence gathering, information theft, and domestic cyber-surveillance. For many years, Ferocious Kitten operated largely under the radar, with its activities only coming to broader public attention around 2021 when researchers began to publish findings on its long-running campaigns.
Attribution efforts consistently point to an Iranian origin for Ferocious Kitten, with strong indications of ties to state-aligned intelligence or domestic security apparatuses. Their victimology, which often includes dissidents, activists, and other politically sensitive individuals, further supports this assessment. Analysis of Ferocious Kitten’s tactics, techniques, and procedures (TTPs), as well as their choice of targets, reveals similarities with other Iranian threat groups such as Domestic Kitten and Rampant Kitten. This suggests that Ferocious Kitten operates within a broader ecosystem of surveillance campaigns orchestrated from Iran.
Tactics & Techniques
Ferocious Kitten employs a range of social engineering tactics and technical procedures to compromise its targets. Initial access often begins with highly tailored spear-phishing campaigns. These campaigns typically involve weaponized documents containing malicious macros, often disguised as politically themed content such as images or videos depicting protests against the Iranian regime or footage from resistance camps. The group craftily attempts to convince victims to enable malicious content within these documents, a crucial step for payload delivery.
For defense evasion, Ferocious Kitten has been observed using clever tricks, including the right-to-left override (RTLO) character. This technique reverses portions of executable filenames, making them appear to have benign extensions like .jpg or .mp4 instead of their true .exe type, thereby tricking users into executing them. They have also registered domains imitating legitimate popular services in Iran to appear credible, which aids in command and control (C2) and phishing efforts.
Persistence is a key focus for Ferocious Kitten. They achieve this by hijacking the execution flow of legitimate applications, most notably Telegram and Google Chrome. This involves modifying application shortcuts or the execution process to launch their malware whenever the legitimate application is started. Malicious files are also sometimes placed in publicly accessible folders, such as C:\Users\Public\, to facilitate re-execution by any user on the compromised system.
Their command and control infrastructure often reuses the same C2 domains over long periods, sometimes exhibiting consistent URL patterns. Investigations have shown that Ferocious Kitten utilizes Iranian hosting services for parts of its C2 infrastructure. Once a system is compromised, the group’s primary objective is data collection. Their malware is designed for comprehensive surveillance, including keystroke logging, capturing clipboard content, and facilitating arbitrary command execution and file transfer capabilities. They have also reportedly attempted to extract information from password managers like KeePass. In a demonstration of evolving capabilities, Ferocious Kitten exploited the Microsoft MSHTML remote code execution vulnerability (CVE-2021-40444) via spear-phishing documents in late 2021.
Notable Campaigns
Ferocious Kitten’s operations have been characterized by their longevity and covert nature. The group maintained a low profile for approximately six years, conducting cyberespionage campaigns against Iranian targets without significant public disclosure. It was only in March 2021, when a suspicious lure document was uploaded to VirusTotal, that security researchers, particularly Kaspersky, began to extensively investigate and expose the group’s activities.
The campaigns consistently leverage politically charged decoy content to ensnare targets, often dissidents or individuals involved in protest movements within Iran. This strategic use of social engineering against a specific demographic highlights a calculated approach to victim selection. While primarily focused on Windows-based systems, there has been evidence suggesting the group has also developed malicious implants for Android devices, although specific samples for analysis have not been publicly obtained.
A significant campaign observed in November 2021 involved Ferocious Kitten exploiting CVE-2021-40444. This was a notable shift, indicating their adoption of new vulnerabilities for initial access and payload delivery. This campaign delivered a PowerShell stealer named PowerShortShell, showcasing their adaptability in toolsets.
Associated Malware & Tools
Ferocious Kitten relies on a combination of custom-developed malware and legitimate or open-source tools to achieve its objectives:
-
MarkiRAT: This is Ferocious Kitten’s primary custom remote access Trojan (RAT). MarkiRAT is highly capable, designed to record keystrokes, capture clipboard content, facilitate arbitrary command execution on infected machines, and enable file upload and download capabilities. Notably, variants of MarkiRAT have been specifically engineered to achieve persistence by hijacking the execution of popular applications like Telegram and Google Chrome.
-
PowerShortShell: Discovered in late 2021, PowerShortShell is a PowerShell-based stealer used by Ferocious Kitten, particularly in campaigns leveraging the CVE-2021-40444 vulnerability. This indicates the group’s willingness to diversify its toolset for specific exploitation opportunities.
-
Open-source Tools: Ferocious Kitten has incorporated legitimate open-source tools into its operational toolkit. These include
JsonCPP, a C++ library for JSON manipulation, andPsiphon, an open-source VPN tool often used to bypass internet censorship. The abuse of Psiphon, a tool intended for privacy and freedom, is particularly cynical given the group’s surveillance objectives against individuals likely seeking similar freedoms.
Current Status
Ferocious Kitten remains an active and persistent threat actor. Despite their long history of covert operations, public reporting in 2021 confirmed their continued activity, with researchers from Kaspersky noting that the group was “still very much active” and potentially in the process of modifying their tactics, techniques, and procedures. The observed exploitation of CVE-2021-40444 in November 2021 further validates their ongoing operations and adaptation following increased scrutiny.
The group’s operational model—long periods of covert activity, consistent targeting of specific demographics, and the ability to evolve their TTPs and toolsets—suggests that Ferocious Kitten will likely continue its cyberespionage and surveillance efforts against Persian-speaking individuals in Iran. Organizations and individuals operating within or connected to Iran should maintain vigilance against spear-phishing attempts and be aware of the TTPs associated with Ferocious Kitten and similar Iranian threat actors.
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call