Mallory / Iran

Nemesis Kitten

Also known as: nemesis_kitten

Nemesis Kitten is an Iranian threat actor / intrusion set associated with the APT35 cluster. The content states it is operated by the private companies Afkar System and Najee Technologies, which the U.S. Treasury assessed were contracted by the IRGC-IO, making it an Iranian nation-state-linked actor. The actor is also referred to in the content as TunnelVision and Cobalt Mirage, and one report describes TunnelVision as an Iranian-aligned cluster with attribution overlap or confusion involving Charming Kitten and Nemesis Kitten. The content also notes a late-2022 report describing Nemesis Kitten as an Iranian nation-state sub-cluster that used GitHub to deliver a backdoor called Drokbk. Across the provided material, Nemesis Kitten is linked to exploitation of widely known vulnerabilities and to ransomware- and espionage-related activity. One strategic report states Nemesis Kitten has been linked to lucrative cyber operations including ransomware and crypto-mining. Another mention describes Nemesis Kitten as engaging in ransomware attacks disguised as hacktivism, including exfiltrating data before encryption and leaking stolen data. The content also places Nemesis Kitten among Iranian intrusion sets that target sectors such as energy, telecommunications, maritime transportation, critical infrastructure, and individuals in NGOs, think tanks, and academia, although the content does not provide a Nemesis-Kitten-specific victimology breakdown beyond those broader Iran-nexus trends. The content further associates overlapping or related activity with use of GitHub and other public services, and with exploitation of 1-day vulnerabilities. 
In the TunnelVision reporting, the cluster operated in the Middle East and the U.S., exploited Fortinet FortiOS CVE-2018-13379, Microsoft Exchange ProxyShell, Log4Shell, and VMware Horizon Log4j vulnerabilities, and used PowerShell, reverse shells, credential harvesting, lateral movement, backdoors, backdoor-user creation, and tunneling tools such as FRPC, Plink, and Ngrok. TunnelVision also used legitimate services including transfer.sh, pastebin.com, webhook.site, ufile.io, raw.githubusercontent.com, and a GitHub repository to support operations. However, the content explicitly frames TunnelVision as a separate tracking name used because of attribution overlap with Microsoft Phosphorus and vendor naming overlap involving Charming Kitten and Nemesis Kitten. The content also states Nemesis Kitten was among the more commonly observed threat actors exploiting top routinely exploited vulnerabilities in 2022, and that its TTPs overlap with other established Iranian APTs such as Tortoiseshell and Charming Kitten.
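A defender-side triage helper for the tradecraft described above (an added example, not Mallory's code): it scans endpoint network events for the tunneling tools and the legitimate services named in the TunnelVision reporting, and surfaces hosts that show both, since traffic to those services alone is common and benign. The event format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Tunneling tools and legitimate services named in the TunnelVision reporting above.
TUNNEL_TOOLS = {"frpc", "plink", "ngrok"}
ABUSED_SERVICES = {"transfer.sh", "pastebin.com", "webhook.site", "ufile.io",
                   "raw.githubusercontent.com"}

# Constructed event format (assumption): "<ts> host=<name> proc=<image> dst=<host>[:<port>]"
EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+proc=(?P<proc>\S+)\s+dst=(?P<dst>\S+)$")

# Constructed sample telemetry; 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    "2022-03-01T09:14:02Z host=WS-17 proc=C:\\Windows\\System32\\svchost.exe dst=update.microsoft.com:443",
    "2022-03-01T09:20:41Z host=WS-17 proc=C:\\Users\\Public\\frpc.exe dst=203.0.113.10:7000",
    "2022-03-01T09:21:05Z host=WS-17 proc=powershell.exe dst=raw.githubusercontent.com:443",
    "2022-03-01T10:02:13Z host=DEV-03 proc=chrome.exe dst=raw.githubusercontent.com:443",
    "2022-03-01T10:05:00Z host=SRV-02 proc=C:\\Temp\\plink.exe dst=203.0.113.22:22",
    "not an event line",
]

def _match_service(dst: str) -> str:
    """Return the abused service that dst equals or is a subdomain of, else ''."""
    name = dst.lower().split(":", 1)[0]          # drop an optional :port
    return next((d for d in ABUSED_SERVICES if name == d or name.endswith("." + d)), "")

def triage(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One finding per indicator hit; unparseable lines are skipped, never matched."""
    findings = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        image = ev["proc"].rsplit("\\", 1)[-1].lower().removesuffix(".exe")
        if image in TUNNEL_TOOLS:   # T1090.003 Multi-hop Proxy in the table below
            findings.append({**ev, "category": "tunneling_tool", "match": image})
        if svc := _match_service(ev["dst"]):
            findings.append({**ev, "category": "abused_service", "match": svc})
    return findings

def prioritize(findings: List[Dict[str, str]]) -> List[str]:
    """Hosts with both a tunneling tool and an abused-service contact, sorted."""
    cats = defaultdict(set)
    for f in findings:
        cats[f["host"]].add(f["category"])
    return sorted(h for h, c in cats.items() if c >= {"tunneling_tool", "abused_service"})

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['ts']} {f['host']:7} {f['category']:15} {f['match']}")
    print("review first:", prioritize(hits))
```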


MITRE ATT&CK

Tradecraft

8 distinct techniques observed across reporting, grouped by tactic. 7 of 15 tactics, 9 techniques (×N = number of intelligence reports citing this technique).

TA0043 Reconnaissance (1 technique)
  T1595      Active Scanning
TA0001 Initial Access (2 techniques)
  T1133      External Remote Services
  T1190 ×2   Exploit Public-Facing Application
TA0002 Execution (1 technique)
  T1203      Exploitation for Client Execution
TA0003 Persistence (1 technique)
  T1133      External Remote Services
TA0011 Command and Control (1 technique)
  T1090      Proxy
  T1090.003  Multi-hop Proxy
TA0010 Exfiltration (1 technique)
  T1041      Exfiltration Over C2 Channel
TA0040 Impact (1 technique)
  T1486 ×2   Data Encrypted for Impact