Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Kaspersky Details Iranian Domestic Cyber-Surveillance Operation

Threat hunters at Kaspersky are sounding a warning for an Iranian APT actor that has been silently conducting domestic cyber-surveillance operations for the last six years.

Threat hunters at Kaspersky are sounding a warning for an Iranian APT actor that has been silently conducting domestic cyber-surveillance operations for the last six years.

The newly discovered APT, which Kaspersky calls Ferocious Kitten, has been active since at least 2015 and has used clever computer infection tricks to hijack Telegram and Chrome installations to deploy a malicious payload.

The Russian cybersecurity vendor said it also observed signs that Android implants have been used to target mobile users in Iran. 

Ferocious Kitten stayed under the radar for at least six years until Kaspersky researchers flagged a pair of maliciously rigged Microsoft Word .docs that were uploaded to Google’s VirusTotal malware scanning utility. 

One of the documents was booby-trapped with a malware called ‘MarkiRAT’ that Kaspersky says is capable of recording keystrokes and clipboard contents, hijacking file download and upload capabilities, and the execution of arbitrary commands on the victim machine. 

“We were able to trace the implant back to at least 2015, where it also had variants intended to hijack the execution of the Telegram and Chrome applications as a persistence method,” Kaspersky said in a paper posted on its SecureList website.

The company said it observed code overlap with different cyber-surveillance operators targeting Persian-speaking individuals in Iran.  Specifically, Kaspersky said some of the TTPs used by Ferocious Kitten are reminiscent of an Iran-based actor called Domestic Kitten that targets Iranian citizens.

In a technical analysis, Kasperky said it found several variants of the MarkiRAT malware, including one that was used to intercept the execution and piggy-back on the launching the widely deployed Telegram chat application.

A separate variant was also seen targeting Google’s Chrome browser, using the BITS utility and code to modify the Chrome shortcut to launch the malware whenever the victim runs the Chrome browser.

Kaspersky also documented a pair of domains within the Ferocious Kittle command-and-control infrastructure that suggests the use of Android implants in the cyber-espionage attacks.  The company said it was unable to find a sample of the Android implant. 

“The attack appears to be mainly targeting Iranian victims. In addition to the mostly Persian file names, some of the malicious websites used subdomains impersonating popular services in Iran to appear legitimate,” Kaspersky said, noting that a subset of the attacks even targeted the Psiphon open-source VPN tool that is used by Iranians to bypass internet censorship.

“The targeting of Psiphon and Telegram, both of which are quite popular services in Iran, underlines the fact that the payloads were developed with the purpose of targeting Iranian users,” Kaspersky said, noting that that decoy contents displayed by the malicious files often used political themes and involved images or videos of resistance bases or strikes against the Iranian regime, “suggesting the attack is aimed at potential supporters of such movements within the country.”

Related: Cyberespionage Campaign Targets Android Users in Middle East

Related: Twitter Removes Iran-Linked Accounts Aimed at Disruption

Related: Hackers Collecting Intelligence on Opponents to Iranian Regime

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.