Ferocious Kitten
Ferocious Kitten is a covert cyber-espionage threat actor active since at least 2015 that has focused on Persian-speaking targets inside Iran. The group has conducted spearphishing campaigns using malicious documents, typically Microsoft Office files, to lure victims into opening attachments and enabling malicious content. Reported tradecraft includes use of odd decoy messages to persuade victims to enable content, exploitation of CVE-2021-40444, delivery of PowerShortShell, and deployment of a custom implant known as MarkiRAT. Ferocious Kitten has also acquired domains imitating legitimate sites, named malicious files update.exe, and placed them in the victim host's Public folder. The actor has obtained and used open-source tools including JsonCPP and Psiphon. The provided content also associates Ferocious Kitten with UDL-file-based spearphishing attachment activity and with malicious file execution. No additional aliases or sub-groups are identified in the provided content.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Tradecraft
18 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
2 malware families attributed to this actor across reporting.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.
This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.
"...later in 2021, the actor was observed exploiting the MSHTML RCE vulnerability CVE-2021-40444 to deliver a PowerShell-based stealer called PowerShortShell..."
Observables
3 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Listed in the detection annotations as a threat actor associated with EFI volume mounting / installation-related behavior.
Referenced as a threat actor associated with spearphishing attachment activity involving malicious file execution and potential credential capture via UDL files.
Listed as a threat actor associated with the observed use of QEMU and the -nographic flag to install a rogue Linux virtual machine for persistence and initial access.
Listed as a threat actor associated with the malicious file execution technique detected by this analytic.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.