
Threat Actor Characterization

Ferocious Kitten


ID: d6a82c66fa050b068fbfbbe2ec32eb7356544
Cybercrime State-Sponsored
Threat types: Espionage, Malware, Phishing
Iran IRN
Updated: 2026-01-13
Created: 2025-10-22
Progress: 55% Completeness: 57% Freshness: 50%
Operation zone: Iran
Aliases: FerociousKitten
MITRE ATT&CK®

Ferocious Kitten (G0137) is an Iran-focused espionage actor active since at least 2015 that deploys MarkiRAT via weaponized documents and application-hijacking to collect keystrokes, clipboard and files from Persian-speaking targets.


Technique (name), tactics, and dated evidence:

T1566.001 (Spearphishing Attachment), tactics: TA0001
  • 2020-07-01 — Spearphishing attachments (weaponized Word documents with macros) were used to drop MarkiRAT payloads that decode embedded executables and write them to disk.
T1204 (User Execution), tactics: TA0002
  • 2021-03-01 — Victims were required to enable macros or run dropped binaries (example: a dropped 'update.exe' copied to startup as 'svehost.exe') to establish persistence.
T1056 (Input Capture), tactics: TA0006, TA0009
  • 2015-01-01 — MarkiRAT implements keylogging and clipboard capture to harvest typed content and clipboard data from infected hosts.
T1543 (Create or Modify System Process), tactics: TA0003, TA0004
  • 2018-02-01 — Variants hijack execution of Telegram Desktop and Chrome to obtain persistence and ensure continued execution of payloads.

Strategic Intelligence
Last updated: 2025-10-23T13:16:17+00:00
FEROCIOUS KITTEN — Covert surveillance of Persian-speaking users (MarkiRAT operator)

CLASSIFICATION: Unclassified / Open Source


Executive Summary

Ferocious Kitten (MITRE Group G0137) is a threat actor active since at least 2015 that has conducted covert cyber-espionage against Persian-speaking individuals in Iran. The group deploys a custom Windows RAT (named MarkiRAT), uses weaponized document attachments and tailored decoys, and has variants that hijack popular local applications (Telegram, Chrome) and target Android as well as Windows platforms. Kaspersky’s forensic analysis (published 2021) documents MarkiRAT functionality (keylogging, clipboard capture, file upload/download, remote command execution), persistence techniques, and long-running reuse of infrastructure and domains such as updatei[.]com. Public reporting and press coverage corroborate the Iran-focused victimology and long dwell time. Overall confidence: high for core facts (actor identity, primary tooling, victimology).


  • Industries / Sectors: Primarily individuals and civil society actors (Persian-speaking users) — activists, journalists, and users of local Iranian services; targeting is person-centric rather than broad corporate targeting.
  • Geography (Region): Middle East / Iran-centric operations.
  • Countries (if available): Iran (primary observed victims).
  • Timeframe: 2015 – present (observed through 2021 reporting; actor page maintained by MITRE 2021 → 2025).