Mallory
Malware | Used by 1 actor | Exploits 1 CVE

Kitty

KiTTY is a malware name that the available reporting applies to two distinct things. First, KiTTY is a weaponized PuTTY fork developed and used by the Lazarus group as part of its BLINDINGCAN infection chain. This activity is associated with DPRK-linked operations in 2022, in which Lazarus targeted cryptocurrency, fintech, aerospace, defense, and related organizations, primarily via spearphishing and social engineering on platforms such as LinkedIn, WhatsApp, and Slack. The reporting states that Lazarus developed or deployed KiTTY alongside MagicRAT, used BYOVD techniques to deploy BLINDINGCAN, and exploited CVE-2022-0609 against cryptocurrency and fintech targets. Second, separate reporting from XLab in October 2024 describes a botnet variant named "kitty", an updated form of the AISURU botnet that later reappeared as AIRASHI. In that context, kitty was used for large-scale DDoS activity, spread via N-day vulnerabilities, TELNET weak passwords, and reportedly a cnPilot router 0-day, and supported SOCKS5 proxying, with 250 proxies and 55 C2 addresses encoded in its string table. XLab reported the credentials this variant used for SOCKS5 proxy authentication: username "jjktkegl" and password "2bd463maabw5." A U.S. government alert also associates CVE-2018-7600 with Kitty, but provides no further behavioral detail for that reference. Because the available reporting conflates multiple malware/botnet usages of the same name, attribution and functionality should be interpreted carefully by context.


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2018-7600 (Drupalgeddon2), exploited in the wild

CVE-2018-7600. Vulnerable Products: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1. Associated Malware: Kitty. Mitigation: Upgrade to the most recent version of Drupal 7 or 8 core.

Source: CISA advisories (cisa.gov)
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Lazarus

Lazarus' recent development of KiTTY, a weaponized PuTTY fork, as part of its BLINDINGCAN infection chain

Source: Sekoia blog (blog.sekoia.io)
MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (evidence: 2)

Malicious cyber actors are increasingly targeting unpatched Virtual Private Network vulnerabilities. An arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781, has been detected in exploits in the wild. An arbitrary file reading vulnerability in Pulse Secure VPN servers, known as CVE-2019-11510, continues to be an attractive target for malicious actors.

CVE-2017-5638 Vulnerable Products: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 Associated Malware: JexBoss ... CVE-2019-0604 Vulnerable Products: Microsoft SharePoint Associated Malware: China Chopper ... CVE-2018-7600 Vulnerable Products: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 Associated Malware: Kitty

Of the top 10, the second-most-reported vulnerable technology was a widespread Web framework known as Apache Struts... CVE-2019-0604 Vulnerable Products: Microsoft SharePoint... CVE-2018-7600 Vulnerable Products: Drupal... CVE-2019-19781 Vulnerable Products: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SDWAN WANOP

Execution

2 techniques
T1059.004 Unix Shell (evidence: 1)

“The command types still focus primarily on DDoS, with the addition of a reverse shell functionality… cmdtype 0x13 reverse shell… AIRASHI-DDoS… allows arbitrary command execution and reverse shell access… MSG_Type… 12 Reverse Shell.”

T1203 Exploitation for Client Execution (evidence: 1)

U.S. Government reporting has identified the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 as follows: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600.

Command and Control

1 technique
T1090 Proxy (evidence: 1)

“By the end of October, it started using SOCKS5 proxies to communicate with the C2 server… encoded 250 proxies and 55 C2 addresses… The latest sample uses a SOCKS5 proxy (with authentication) to access the C2 server.”
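The SOCKS5 proxy authentication described in the family summary and in the XLab quote above (username "jjktkegl", password "2bd463maabw5") is something a defender can look for directly on the wire, because RFC 1929 carries the username and password in cleartext in the subnegotiation that follows the method-select exchange. The following Python is an added example written for this page, not code from Mallory or from XLab: it parses the RFC 1929 client request and flags flows that present the reported credentials. The flow tuples and the 10.0.0.x / 192.0.2.x addresses are constructed placeholders, and treating the period after the password in the page text as sentence punctuation rather than part of the password is an assumption.

```python
"""Flag SOCKS5 username/password subnegotiations (RFC 1929) that carry the
credentials XLab reported for the 'kitty' AISURU/AIRASHI variant.

Added example for this page; not code from Mallory or XLab.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Credentials reported by XLab for the variant's SOCKS5 proxy authentication.
# The page prints the password as "2bd463maabw5." and the trailing dot is
# assumed here to be sentence punctuation, not part of the password.
REPORTED_CREDENTIALS = {("jjktkegl", "2bd463maabw5")}


@dataclass(frozen=True)
class Socks5Auth:
    username: str
    password: str


def parse_rfc1929_request(payload: bytes) -> Optional[Socks5Auth]:
    """Parse the client's username/password request.

    Layout (RFC 1929, section 2): VER=0x01 | ULEN | UNAME | PLEN | PASSWD.
    Returns None for anything that is not exactly one well-formed request,
    so a truncated or padded message can never produce a match.
    """
    if len(payload) < 2 or payload[0] != 0x01:
        return None  # e.g. the 0x05 method-select greeting, or not SOCKS at all
    ulen = payload[1]
    if ulen == 0 or len(payload) < 2 + ulen + 1:
        return None
    uname = payload[2:2 + ulen]
    plen = payload[2 + ulen]
    start = 3 + ulen
    if plen == 0 or len(payload) != start + plen:
        return None
    passwd = payload[start:start + plen]
    try:
        return Socks5Auth(uname.decode("ascii"), passwd.decode("ascii"))
    except UnicodeDecodeError:
        return None


def build_rfc1929_request(username: str, password: str) -> bytes:
    """Encode a client request; used here only to construct sample traffic."""
    u, p = username.encode("ascii"), password.encode("ascii")
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("RFC 1929 fields must be 1..255 bytes")
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def matches_reported_credentials(payload: bytes) -> bool:
    auth = parse_rfc1929_request(payload)
    return auth is not None and (auth.username, auth.password) in REPORTED_CREDENTIALS


Flow = Tuple[str, str, bytes]  # (client, proxy/server, first client bytes after method-select)


def scan_flows(flows: Iterable[Flow]) -> List[Tuple[str, str, str]]:
    """Return (client, server, username) for every flow using the reported credentials."""
    hits = []
    for src, dst, payload in flows:
        auth = parse_rfc1929_request(payload)
        if auth is not None and (auth.username, auth.password) in REPORTED_CREDENTIALS:
            hits.append((src, dst, auth.username))
    return hits


# Constructed sample flows: addresses are placeholders, not indicators from the page.
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.5", "192.0.2.10", build_rfc1929_request("jjktkegl", "2bd463maabw5")),
    ("10.0.0.6", "192.0.2.11", build_rfc1929_request("alice", "s3cret")),
    ("10.0.0.7", "192.0.2.12", b"\x05\x01\x00"),  # method-select greeting, not RFC 1929
]

if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS):
        print("SOCKS5 auth with reported kitty/AIRASHI credentials:", hit)
```

In practice the payload bytes come from a flow record or packet capture filtered on a server reply of 0x05 0x02 (username/password method selected); the length checks in the parser mean a malformed or truncated message is dropped rather than partially matched.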

Impact

1 technique
T1498 Network Denial of Service (evidence: 1)

“XLab observed a premeditated large-scale DDoS attack targeting the distribution platforms… Steam and Perfect World… divided into four waves… sustained attacks lasting several hours… simultaneously targeted hundreds of servers distributed across 13 global regions…”

INDICATORS OF COMPROMISE

IOCs tracked for this family

15 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
9 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
6 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type | Value | Latest sighting
domain | [masked; full value in app] | 1 year ago
domain | [masked; full value in app] | 1 year ago
domain | [masked; full value in app] | 1 year ago
hash.sha1 | [masked; full value in app] | 1 year ago
hash.sha1 | [masked; full value in app] | 1 year ago
ip.v4 | [masked; full value in app] | 1 year ago