MalwareUsed by 1 actor

kitty-monitor

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

TeamPCP

Both run a backdoor called kitty-monitor, which polls GitHub’s commit search every hour for signed remote commands.

via cyberscoopcyberscoop.com

MITRE ATT&CK

Techniques & procedures

9 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

3 techniques

T1053Scheduled Task/JobEvidence1

The monitor polls GitHub commit search for signed instructions and can download and execute follow-on Python payloads.

T1059Command and Scripting InterpreterEvidence1

Both run a backdoor called kitty-monitor, which polls GitHub’s commit search every hour for signed remote commands.

T1059.006PythonEvidence1

The monitor polls GitHub commit search for signed instructions and can download and execute follow-on Python payloads.

Persistence

5 techniques

T1053Scheduled Task/JobEvidence1

The monitor polls GitHub commit search for signed instructions and can download and execute follow-on Python payloads.

T1543Create or Modify System ProcessEvidence1

The payload also installs OS-level background services: a systemd user service on Linux, a LaunchAgent on macOS.

T1543.001Launch AgentEvidence1

on macOS, it can install com.user.kitty-monitor.plist ... ~/Library/LaunchAgents/com.user.kitty-monitor.plist ... ~/Library/LaunchAgents/com.user.gh-token-monitor.plist

T1543.002Systemd ServiceEvidence2

On Linux, it can install a user-level kitty-monitor.service ... Stop and remove kitty-monitor persistence on Linux ... ~/.config/systemd/user/kitty-monitor.service

T1547.015Login ItemsEvidence1

On macOS, unload gh-token-monitor with launchctl bootout ... ~/Library/LaunchAgents/com.user.gh-token-monitor.plist ... On macOS, unload kitty-monitor ... ~/Library/LaunchAgents/com.user.kitty-monitor.plist

Privilege Escalation

5 techniques

T1053Scheduled Task/JobEvidence1

The monitor polls GitHub commit search for signed instructions and can download and execute follow-on Python payloads.

T1543Create or Modify System ProcessEvidence1

The payload also installs OS-level background services: a systemd user service on Linux, a LaunchAgent on macOS.

T1543.001Launch AgentEvidence1

on macOS, it can install com.user.kitty-monitor.plist ... ~/Library/LaunchAgents/com.user.kitty-monitor.plist ... ~/Library/LaunchAgents/com.user.gh-token-monitor.plist

T1543.002Systemd ServiceEvidence2

On Linux, it can install a user-level kitty-monitor.service ... Stop and remove kitty-monitor persistence on Linux ... ~/.config/systemd/user/kitty-monitor.service

T1547.015Login ItemsEvidence1

Command and Control

2 techniques

T1071Application Layer ProtocolEvidence2

The May 19 wave also adds kitty-monitor , a persistent GitHub commit-search C2 daemon. It polls GitHub commit search for the keyword firedalazer , validates commands with an embedded RSA public key, downloads the referenced payload, and executes it as Python.

T1102.001Dead Drop ResolverEvidence4

One of the clearest examples is the GitHub-based “dead drop” tasking method... queried GitHub’s commit search API once per hour for the marker string firedalazer.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

cyberscoopNews

May 19, 2026

Mini Shai-Hulud returns, compromising hundreds of npm packages | CyberScoop

A persistent backdoor component installed as an OS-level background service on Linux and macOS that polls GitHub commit search for signed remote commands.

jfrog researchNews

May 19, 2026

Shai-Hulud Returns: npm Worm hits @antv in latest ongoing campaign - JFrog Security Research

Persistent GitHub commit-search C2 daemon used by the Shai-Hulud campaign. It survives token rotation by polling GitHub for signed commands, downloading referenced payloads, and executing them.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping9

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.