Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Kaspersky Details Iranian Domestic Cyber-Surveillance Operation

Threat hunters at Kaspersky are sounding a warning for an Iranian APT actor that has been silently conducting domestic cyber-surveillance operations for the last six years.

Threat hunters at Kaspersky are sounding a warning for an Iranian APT actor that has been silently conducting domestic cyber-surveillance operations for the last six years.

The newly discovered APT, which Kaspersky calls Ferocious Kitten, has been active since at least 2015 and has used clever computer infection tricks to hijack Telegram and Chrome installations to deploy a malicious payload.

The Russian cybersecurity vendor said it also observed signs that Android implants have been used to target mobile users in Iran. 

Ferocious Kitten stayed under the radar for at least six years until Kaspersky researchers flagged a pair of maliciously rigged Microsoft Word .docs that were uploaded to Google’s VirusTotal malware scanning utility. 

One of the documents was booby-trapped with a malware called ‘MarkiRAT’ that Kaspersky says is capable of recording keystrokes and clipboard contents, hijacking file download and upload capabilities, and the execution of arbitrary commands on the victim machine. 

“We were able to trace the implant back to at least 2015, where it also had variants intended to hijack the execution of the Telegram and Chrome applications as a persistence method,” Kaspersky said in a paper posted on its SecureList website.

The company said it observed code overlap with different cyber-surveillance operators targeting Persian-speaking individuals in Iran.  Specifically, Kaspersky said some of the TTPs used by Ferocious Kitten are reminiscent of an Iran-based actor called Domestic Kitten that targets Iranian citizens.

In a technical analysis, Kasperky said it found several variants of the MarkiRAT malware, including one that was used to intercept the execution and piggy-back on the launching the widely deployed Telegram chat application.

A separate variant was also seen targeting Google’s Chrome browser, using the BITS utility and code to modify the Chrome shortcut to launch the malware whenever the victim runs the Chrome browser.

Kaspersky also documented a pair of domains within the Ferocious Kittle command-and-control infrastructure that suggests the use of Android implants in the cyber-espionage attacks.  The company said it was unable to find a sample of the Android implant. 

“The attack appears to be mainly targeting Iranian victims. In addition to the mostly Persian file names, some of the malicious websites used subdomains impersonating popular services in Iran to appear legitimate,” Kaspersky said, noting that a subset of the attacks even targeted the Psiphon open-source VPN tool that is used by Iranians to bypass internet censorship.

“The targeting of Psiphon and Telegram, both of which are quite popular services in Iran, underlines the fact that the payloads were developed with the purpose of targeting Iranian users,” Kaspersky said, noting that that decoy contents displayed by the malicious files often used political themes and involved images or videos of resistance bases or strikes against the Iranian regime, “suggesting the attack is aimed at potential supporters of such movements within the country.”

Related: Cyberespionage Campaign Targets Android Users in Middle East

Related: Twitter Removes Iran-Linked Accounts Aimed at Disruption

Related: Hackers Collecting Intelligence on Opponents to Iranian Regime

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.