Ferocious Kitten APT Deploying MarkiRAT to Capture Keystroke and Clipboard Logging

Ferocious Kitten has emerged as a significant cyber-espionage threat targeting Persian-speaking individuals within Iran since at least 2015.

The Iranian-linked advanced persistent threat group operates with a highly focused objective, utilizing politically themed decoy documents to manipulate victims into executing weaponized files.

Over the years, the group developed a sophisticated custom implant known as MarkiRAT, which provides extensive data collection capabilities including keystroke logging, clipboard data capture, screenshot functionality, and credential harvesting with staged data exfiltration through HTTP and HTTPS protocols.

The group’s attack methodology relies on spearphishing campaigns delivering malicious Microsoft Office documents embedded with Visual Basic for Applications macros.

These crafted emails target dissidents, activists, and individuals perceived as threats to the Iranian regime. Once a victim opens a weaponized document, the embedded macros execute with user-level privileges, establishing a system foothold.

The social engineering proves remarkably effective, as the bait documents contain anti-regime propaganda that reinforces their perceived legitimacy in the eyes of the intended targets.

Following initial execution, the malware deploys multiple persistence mechanisms.

Picus Security’s analysts identified that MarkiRAT variants employ hijacking techniques that implant the malware alongside legitimate applications.

Certain variants search for Telegram or Chrome installations, copy themselves into application directories, and modify shortcuts to execute the malware before launching the legitimate application.

This technique remains effective because the legitimate application still launches after the malware runs, so users perceive it as functioning normally.

Defense Evasion and Collection Mechanisms

The malware employs several evasion tactics to circumvent detection and security controls. One technique involves the Right-to-Left Override (RTLO) Unicode trick, which manipulates filename display within file explorers.

By inserting the Unicode character U+202E into executable filenames, attackers make malicious files appear as harmless media files such as images or videos.

A file named “MyVideo\u202E4pm.exe” displays as “MyVideoexe.mp4” to users, dramatically increasing the probability of execution among non-technical victims.
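As an added defensive example (not code from the article or from Picus Security), the following Python checker flags filenames that use bidirectional override characters to hide an executable extension. It approximates the rendered name by reversing everything after the first U+202E; the sample filenames are constructed for the demonstration.

```python
from pathlib import PureWindowsPath

# Unicode bidi control characters that can alter how a filename is displayed.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Extensions that Windows will execute directly (assumed list for the example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".lnk"}


def strip_controls(name: str) -> str:
    """Return the name with all bidi control characters removed (the real name on disk)."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def rendered_name(name: str) -> str:
    """Approximate the name as a file explorer shows it.

    Simplification: the text after the first RLO (U+202E) is drawn reversed;
    other control characters are invisible and simply dropped.
    """
    head, sep, tail = name.partition("\u202e")
    if not sep:
        return strip_controls(name)
    return strip_controls(head) + strip_controls(tail)[::-1]


def inspect_filename(name: str) -> dict:
    """Compare the true extension with the displayed one and flag a mismatch."""
    actual = strip_controls(name)
    displayed = rendered_name(name)
    true_ext = PureWindowsPath(actual).suffix.lower()
    shown_ext = PureWindowsPath(displayed).suffix.lower()
    controls = [BIDI_CONTROLS[ch] for ch in name if ch in BIDI_CONTROLS]
    suspicious = bool(controls) and true_ext in EXECUTABLE_EXTS and shown_ext != true_ext
    return {"actual": actual, "displayed": displayed, "true_ext": true_ext,
            "controls": controls, "suspicious": suspicious}


def scan(names):
    """Return the inspection records for every suspicious name in the list."""
    return [rec for rec in map(inspect_filename, names) if rec["suspicious"]]


# Constructed sample filenames for the demonstration (not real indicators).
SAMPLE_NAMES = [
    "MyVideo\u202e4pm.exe",          # displays as MyVideoexe.mp4
    "protest_photo\u202egnp.scr",    # displays as protest_photorcs.png
    "statement.docx",
    "notes.txt",
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_NAMES):
        print(f"{rec['actual']!r} shown as {rec['displayed']!r} ({rec['true_ext']})")
```

The same check can be run over a mail gateway's attachment names or a directory listing, and any hit on an executable extension deserves quarantine rather than a warning.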

MarkiRAT’s collection capabilities represent its core functionality. The implant maintains persistent beaconing threads communicating with command-and-control servers using HTTP POST and GET requests.

The malware systematically records user keystrokes and clipboard contents, then exfiltrates this intelligence to remote servers.

Critically, Picus Security researchers noted that MarkiRAT targets specific credential storage formats including KeePass databases (.kdbx) and PGP key files (.gpg).

The malware terminates KeePass processes before keystroke logging begins, forcing users to re-enter master passwords, thereby capturing authentication credentials.

The group demonstrates adaptive operational security by checking for installed security software such as Kaspersky and Bitdefender.

Ferocious Kitten’s collection-focused methodology and sustained targeting reveal an organization prioritizing intelligence gathering, establishing this group as a persistent and evolving threat to Persian-speaking populations globally.
