Don't let cyberattacks disrupt your workflow. See what's at risk.
Utility navigation bar redirect icon
Portal LoginSupportBlogContact
Search
Portal LoginSupportBlogContact
Search
Get a Demo
Start for Free
HomeThreat LibraryThreat Actors
Ferocious Kitten
Threat Actor Profile

Ferocious Kitten

Ferocious Kitten is an Iranian-aligned advanced persistent threat (APT) group first identified in 2015. This group primarily engages in cyber espionage operations, with a focus on Middle Eastern targets but has been observed reaching into global networks. Known for using malicious Telegram applications as a lure, Ferocious Kitten is affiliated with broader Iranian state-backed activity clusters. Their primary methods include surveillance malware, phishing, and social engineering campaigns.

Threat Actor Profile

Ferocious Kitten

Country of Origin

Ferocious Kitten is attributed to Iran, with a strong nexus to state-aligned intelligence and domestic security operations. This attribution is widely supported by multiple threat intelligence vendors.

Members

The exact size and composition of Ferocious Kitten remain unclear. Their operations, however, often reflect coordination among highly skilled attackers, leveraging custom tooling and advanced espionage techniques — indicative of contractor or state-sponsored capabilities.

Leadership

No specific leaders or aliases have been publicly identified for this group.

Ferocious Kitten TTPs

Tactics

Primarily engages in cyber espionage campaigns to gather intelligence on dissidents, regional rivals, and geopolitical targets.

Techniques

  • Weaponized Telegram applications embedding malware.

  • Credential theft and spyware installation.

  • Social engineering through fake messaging apps.

Procedures

  • Deployment of custom malware such as MarkiRAT.

  • Malicious updates through compromised apps.

  • Covert surveillance of targets' communications.

Want to Shut Down Threats Before They Start?

Schedule a Demo Today

Indicators of Compromise (IoCs)

  • Malware families: MarkiRAT, Pupyrat variants

  • Infrastructure: Malicious Telegram channels and delivery domains (sources vary; see vendor-specific threat reports below).

Specific IOCs: Unknown/No credible information available for public listing; details appear in restricted threat feeds.

Key Victims

Predominantly Middle Eastern dissidents and political activists. Some spillover to international targets through malware propagation.

Notable Cyberattacks

2015-2021

Use of malicious Telegram apps to spy on Iranian citizens.

2021

Check Point documented campaigns delivering MarkiRAT via Trojanized Telegram apps targeting Android users in Iran and abroad.

Law Enforcement & Arrests

No arrests or takedowns have been publicly attributed to Ferocious Kitten activity.

Glitch effectGlitch effect

How to Defend Against Ferrocious Kitten

1

Enforcing mobile device management (MDM) to block unauthorized apps.

2

Continuous endpoint monitoring to detect spyware and RAT behavior.

3

User education on avoiding unofficial app sources and phishing.

4

Leveraging Huntress’s managed endpoint detection and response (EDR) to proactively identify malicious behaviors like RAT installation and exfiltration.

Huntress solutions help protect organizations by monitoring endpoints, detecting intrusions, and mitigating Ferocious Kitten threats withenterprise-grade technology.

References

Detect, Respond, Protect

See how the global Huntress SOC can augment your team
with 24/7 coverage and unmatched human expertise.
Start your free trial today.

Try Huntress for Free