Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Iran2 malware familiesExploits CVEs in the wild

Ferocious Kitten

Also known asFerocious Kitten

Ferocious Kitten is a covert cyber-espionage threat actor active since at least 2015 that has focused on Persian-speaking targets inside Iran. The group has conducted spearphishing campaigns using malicious documents, typically Microsoft Office files, to lure victims into opening attachments and enabling malicious content. Reported tradecraft includes use of odd decoy messages to persuade victims to enable content, exploitation of CVE-2021-40444, delivery of PowerShortShell, and deployment of a custom implant known as MarkiRAT. Ferocious Kitten has also acquired domains imitating legitimate sites, named malicious files update.exe, and placed them in the victim host's Public folder. The actor has obtained and used open-source tools including JsonCPP and Psiphon. The provided content also associates Ferocious Kitten with UDL-file-based spearphishing attachment activity and with malicious file execution. No additional aliases or sub-groups are identified in the provided content.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

MITRE ATT&CK

Tradecraft

18 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

6 of 15 tactics24 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
1 technique
T1595
Active Scanning
TA0042
Resource Development
2 techniques
T1583
Acquire Infrastructure
T1583.001×2
Domains
T1588
Obtain Capabilities
T1588.002×5
Tool
TA0001
Initial Access
1 technique
T1566
Phishing
T1566.001×28
Spearphishing Attachment
T1566.002×4
Spearphishing Link
TA0002
Execution
2 techniques
T1059
Command and Scripting Interpreter
T1059.001×2
PowerShell
T1059.007
JavaScript
T1204
User Execution
T1204.001
Malicious Link
T1204.002×12
Malicious File
TA0005
Stealth
3 techniques
T1036×2
Masquerading
T1036.002×3
Right-to-Left Override
T1036.005×3
Match Legitimate Resource Name or Location
T1036.008
Masquerade File Type
T1218
System Binary Proxy Execution
T1218.011
Rundll32
T1564
Hide Artifacts
T1564.006
Run Virtual Instance
TA0007
Discovery
1 technique
T1087
Account Discovery
T1087.002
Domain Account
IOCS

Observables

3 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping18

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs2

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables3

Domains, IPs, and hashes tied to this actor, refreshed continuously.