Skip to content

G0137 Ferocious Kitten

Ferocious Kitten is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015.1

Item Value
ID G0137
Associated Names
Version 1.0
Created 28 September 2021
Last Modified 25 October 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains Ferocious Kitten has acquired domains imitating legitimate sites.1
enterprise T1036 Masquerading -
enterprise T1036.002 Right-to-Left Override Ferocious Kitten has used right-to-left override to reverse executables’ names to make them appear to have different file extensions, rather than their real ones.1
enterprise T1036.005 Match Legitimate Name or Location Ferocious Kitten has named malicious files update.exe and loaded them into the compromise host’s “Public” folder.1
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool Ferocious Kitten has obtained open source tools for its operations, including JsonCPP and Psiphon.1
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Ferocious Kitten has conducted spearphishing campaigns containing malicious documents to lure victims to open the attachments.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Ferocious Kitten has attempted to convince victims to enable malicious content within a spearphishing email by including an odd decoy message.1


ID Name References Techniques
S0190 BITSAdmin - BITS Jobs Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol Ingress Tool Transfer Lateral Tool Transfer
S0652 MarkiRAT - Web Protocols:Application Layer Protocol BITS Jobs Shortcut Modification:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Clipboard Data Windows Command Shell:Command and Scripting Interpreter Password Managers:Credentials from Password Stores Data from Local System Local Data Staging:Data Staged Exfiltration Over C2 Channel File and Directory Discovery Ingress Tool Transfer Keylogging:Input Capture Match Legitimate Name or Location:Masquerading Native API Process Discovery Screen Capture Software Discovery Security Software Discovery:Software Discovery System Information Discovery System Language Discovery:System Location Discovery System Owner/User Discovery


Back to top