Ferocious Kitten APT Uses MarkiRAT for Keystroke and Clipboard Surveillance


Ferocious Kitten, a covert cyber-espionage group active since at least 2015, has emerged as a persistent threat to Persian-speaking dissidents and activists within Iran.

The group, known for its careful targeting and evolving tactics, deploys its custom implant “MarkiRAT” to perform keystroke and clipboard logging, screenshot capture, file collection and credential-store theft, supporting long-term surveillance of its victims while keeping a low profile on the infected host.

Ferocious Kitten’s campaigns are marked by the use of politically charged decoy documents tailored to lure victims.

Figure: macros copying the payload to the startup folder.

Over the years, the group has honed its initial access method: spearphishing emails carrying malicious Microsoft Office files embedded with macros or MSHTML exploits. When opened, these weaponized attachments drop the malware “MarkiRAT” onto victims’ systems.

Key milestones echo the evolution of the group’s tradecraft:

  • 2015-Onward: The earliest confirmed operations involved decoy documents with embedded macros that delivered MarkiRAT to Iranian civil society targets.
  • June 2021: Kaspersky exposed their long-running campaign, detailing the malware’s advanced spyware capabilities and political context.
  • November 2021: Ferocious Kitten was seen exploiting the MSHTML remote code execution vulnerability (CVE-2021-40444) to deploy a PowerShell-based stealer, PowerShortShell, showing how quickly the group adopts new exploits.

Advanced TTPs: How Ferocious Kitten Works

Typical infection begins with an email attachment crafted both linguistically and contextually for Persian-speaking users.

Documents such as همبستگی عاشقانه با عاشقان آزادی2.doc (“Romantic solidarity with the lovers of freedom 2.doc”) combine regime criticism with embedded macros to deliver malware. These lures not only serve as infection vectors but also double as psychological tools against the regime.

Once the macro runs, it decodes the embedded MarkiRAT payload and writes it to the user’s Startup folder, so the implant is relaunched at every logon.

The implant often takes root alongside legitimate applications such as Telegram or Chrome, modifying their shortcuts so the RAT launches whenever the user opens one of these everyday apps. This shortcut hijacking is a stealthy persistence technique that gives the user little reason for suspicion.

Figure: T1197 BITS Jobs.

Beyond simple persistence, Ferocious Kitten employs:

  • Startup Folder Persistence: Copies the RAT to the Startup folder under the name “svehost.exe” (a look-alike of the legitimate svchost.exe) so it runs at every logon.
  • App Directory Hijacking: Disguises itself by matching the icons and install locations of real applications.
  • RTLO Unicode Trick: Uses the right-to-left override character (U+202E) to make .exe files look like harmless .jpg or .mp4 files. Everything after U+202E is drawn reversed, so a file actually named HolidayPic<U+202E>gpj.exe is displayed to the user as “HolidayPicexe.jpg”, while Windows still treats it as an executable.
  • BITS Abuse: Leverages the Windows Background Intelligent Transfer Service (BITS) for low-profile C2 communication and proxy reconnaissance.

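The RTLO masquerade in the list above is easy to spot once you stop trusting how a name is drawn and look at the code points instead. The following Python helper is an added example (not code from the original article or from any Kaspersky or Picus tooling): it reports the bidi-control characters in a filename, reconstructs the name as a GUI would render it, and flags the case where the rendered extension differs from the real one. The sample filenames at the bottom are constructed for the example; only the HolidayPic name mirrors the pattern the article describes.

```python
from pathlib import PurePath

# Unicode bidirectional controls that change how a name is drawn without
# changing the bytes Windows uses to choose the file handler.
# U+202E (RIGHT-TO-LEFT OVERRIDE) is the one used in the masquerade above.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}

# Extensions that Windows will execute when double-clicked (assumption: a
# practical triage list, not an exhaustive one).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".hta", ".lnk"}


def rendered_name(name: str) -> str:
    """Approximate the on-screen rendering of a filename.

    A RIGHT-TO-LEFT OVERRIDE makes a GUI draw everything after it reversed,
    so "HolidayPic\u202egpj.exe" is shown as "HolidayPicexe.jpg". Other bidi
    controls are invisible, so they are simply dropped from the display form.
    """
    if "\u202e" in name:
        head, _, tail = name.partition("\u202e")
        tail = "".join(ch for ch in tail if ch not in BIDI_CONTROLS)
        return head + tail[::-1]
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def classify(name: str) -> dict:
    """Return the real vs. displayed extension and a suspicion verdict."""
    controls = [f"U+{ord(ch):04X} ({BIDI_CONTROLS[ch]})"
                for ch in name if ch in BIDI_CONTROLS]
    real_ext = PurePath(name).suffix.lower()
    shown = rendered_name(name)
    shown_ext = PurePath(shown).suffix.lower()
    # Suspicious when a bidi control is present, the file is really executable,
    # and what the user sees as the extension is something else.
    suspicious = bool(controls) and real_ext in EXECUTABLE_EXTS and shown_ext != real_ext
    return {
        "name": name,
        "displayed_as": shown,
        "real_ext": real_ext,
        "displayed_ext": shown_ext,
        "bidi_controls": controls,
        "suspicious": suspicious,
    }


def scan_names(names):
    """Triage a list of filenames (e.g. a Startup folder listing)."""
    return [classify(n) for n in names if classify(n)["suspicious"]]


# Constructed sample listing for the example; not taken from a real infection.
SAMPLE_LISTING = [
    "HolidayPic\u202egpj.exe",      # RTLO masquerade: shown as HolidayPicexe.jpg
    "Vacation\u202e4pm.scr",        # shown as Vacationmp4.scr -> ends in .mp4? no: ".scr" stays real
    "report.docx",                  # benign
    "notes\u200f.txt",              # invisible mark, but not executable
]

if __name__ == "__main__":
    for hit in scan_names(SAMPLE_LISTING):
        print(f"{hit['name']!r} displayed as {hit['displayed_as']!r}: "
              f"real {hit['real_ext']}, shown {hit['displayed_ext']}, "
              f"controls {hit['bidi_controls']}")
```

The check deliberately keys on the mismatch between the real and displayed extension rather than on the mere presence of U+202E, since right-to-left scripts legitimately use bidi marks; a Persian-language environment such as the one targeted here would otherwise generate constant false positives.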
MarkiRAT checks for security software such as Kaspersky or Bitdefender and reports the result to its C2; observed samples continue operating regardless of what they find. Its use of masquerading and the spread to additional hosts seen in some intrusions show that the operators pay close attention to the environment they land in.

Keystroke and Clipboard Logging

One of MarkiRAT’s primary functions is its keylogger, as suggested by the implant’s internal name “Mark KeyLogGer.” This module records every keystroke and clipboard operation and sends the data to the C2 server over HTTP(S).

The malware forcibly closes password managers like KeePass before activating the logger, ensuring it can capture master password entries immediately upon relaunch.

MarkiRAT uses HTTP and HTTPS requests for C2 communication, relying on GET and POST methods to receive commands and exfiltrate data: everything from screenshots and directory listings to arbitrary files and targeted credential stores (.kdbx KeePass databases, .gpg files, and similar).

The implant can execute received instructions, upload or download files, and harvest sensitive artifacts across a broad spectrum of applications.

Security teams seeking to evaluate and harden their controls against Ferocious Kitten and similar APTs can leverage the Picus Security Validation Platform.

Picus simulates real-world attack scenarios, including Ferocious Kitten’s methods, to support detection and prevention tuning. Comprehensive threat libraries and a 14-day free trial make Picus accessible for immediate defense validation against not only Ferocious Kitten but also other prominent APTs.

Ferocious Kitten continues to adapt, combining reliable social engineering with innovative technical abuse.

Its MarkiRAT implant delivers deep surveillance paired with strong persistence and evasion, and remains an ongoing threat for activists and organizations within Iran’s digital landscape.

Staying ahead of such threats demands vigilant detection, user training, and continuous validation of security controls using robust simulation platforms like Picus.



