{
	"id": "77133456-abc2-40ba-8dc3-6c35ba70b5fd",
	"created_at": "2026-04-06T00:19:43.440976Z",
	"updated_at": "2026-04-10T13:12:03.953859Z",
	"deleted_at": null,
	"sha1_hash": "c4e616dbbc5d8daa4f73cf3825e0b7ad33636b71",
	"title": "Domestic Kitten campaign spying on Iranian citizens with new FurBall malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 779376,
	"plain_text": "Domestic Kitten campaign spying on Iranian citizens with new FurBall malware\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 13:58:08 UTC\r\nESET researchers recently identified a new version of the Android malware FurBall being used in a Domestic Kitten campaign conducted by the APT-C-50 group. The Domestic Kitten campaign is known to conduct mobile surveillance operations against Iranian citizens, and this new FurBall version is no different in its targeting. Since June 2021, it has been distributed as a translation app via a copycat of an Iranian website that provides translated articles, journals, and books. The malicious app was uploaded to VirusTotal, where it triggered one of our YARA rules (used to classify and identify malware samples), which gave us the opportunity to analyze it.\r\nThis version of FurBall has the same surveillance functionality as previous versions; however, the threat actors slightly obfuscated class and method names, strings, logs, and server URIs. This update required small changes on the C\u0026C server as well – precisely, the names of server-side PHP scripts. Since the functionality of this variant hasn’t changed, the main purpose of this update appears to be to avoid detection by security software. These modifications have had no effect on ESET software, however; ESET products detect this threat as Android/Spy.Agent.BWS.\r\nThe analyzed sample requests only one intrusive permission – to access contacts. The reason could be its aim to stay under the radar; on the other hand, we also think it might signal that it is just the preceding phase of a spearphishing attack conducted via text messages. If the threat actor expands the app permissions, it would also be capable of exfiltrating other types of data from affected phones, such as SMS messages, device location, recorded phone calls, and much more.\r\nKey points of this blogpost:\r\nThe Domestic Kitten campaign is ongoing, dating back to at least 2016.\r\nIt mainly targets Iranian citizens.\r\nWe discovered a new, obfuscated Android FurBall sample used in the campaign.\r\nIt is distributed using a copycat website.\r\nThe analyzed sample has only restricted spying functionality enabled, to stay under the radar.\r\nDomestic Kitten overview\r\nThe APT-C-50 group, in its Domestic Kitten campaign, has been conducting mobile surveillance operations against Iranian citizens since 2016, as reported by Check Point in 2018. In 2019, Trend Micro identified a malicious campaign, possibly connected to Domestic Kitten, targeting the Middle East, naming the campaign Bouncing Golf. Shortly after, in the same year, Qianxin reported a Domestic Kitten campaign again targeting Iran. In 2020, 360 Core Security disclosed surveillance activities of Domestic Kitten targeting anti-government groups in the Middle East. The last known publicly available report is from 2021 by Check Point.\r\nFurBall – the Android malware used in this operation since these campaigns began – is based on the commercial stalkerware tool KidLogger. It seems that the FurBall developers were inspired by the open-source version from seven years ago that is available on GitHub, as pointed out by Check Point.\r\nDistribution\r\nThis malicious Android application is delivered via a fake website mimicking a legitimate site that provides articles and books translated from English to Persian (downloadmaghaleh.com). Based on the contact information from the legitimate website, they provide this service from Iran, which leads us to believe with high confidence that the copycat website targets Iranian citizens. The purpose of the copycat is to offer an Android app for download after clicking on a button that says, in Persian, “Download the application”. The button has the Google Play logo, but this app is not available from the Google Play store; it is downloaded directly from the attacker’s server. The app was uploaded to VirusTotal, where it triggered one of our YARA rules.\r\nhttps://www.welivesecurity.com/2022/10/20/domestic-kitten-campaign-spying-iranian-citizens-furball-malware/\r\nPage 1 of 8\r\nIn Figure 1 you can see a comparison of the fake and legitimate websites.\r\nFigure 1. Fake website (left) vs the legitimate one (right)\r\nBased on the last-modified information that is available in the APK download’s open directory on the fake website (see Figure 2), we can infer that this app has been available for download at least since June 21st, 2021.\r\nFigure 2. Open directory information for the malicious app\r\nAnalysis\r\nThis sample is not fully working malware, even though all spyware functionality is implemented as in its previous versions. Not all of its spyware functionality can be executed, however, because the app is limited by the permissions defined in its AndroidManifest.xml. If the threat actor expands the app permissions, it would also be capable of exfiltrating:\r\ntext from clipboard,\r\ndevice location,\r\nSMS messages,\r\ncontacts,\r\ncall logs,\r\nrecorded phone calls,\r\ntext of all notifications from other apps,\r\ndevice accounts,\r\nlist of files on device,\r\nrunning apps,\r\nlist of installed apps, and\r\ndevice info.\r\nIt can also receive commands to take photos and record video, with the results being uploaded to the C\u0026C server. The FurBall variant downloaded from the copycat website can still receive commands from its C\u0026C; however, it can only perform these functions:\r\nexfiltrate contact list,\r\nget accessible files from external storage,\r\nlist installed apps,\r\nobtain basic information about the device, and\r\nget device accounts (list of user accounts synced with device).\r\nFigure 3 shows the permission requests that need to be accepted by the user. These permissions might not create the impression of a spyware app, especially given that it poses as a translation app.\r\nFigure 3. List of requested permissions\r\nAfter installation, FurBall makes an HTTP request to its C\u0026C server every 10 seconds, asking for commands to execute, as can be seen in the upper panel of Figure 4. The lower panel depicts a “there’s nothing to do at the moment” response from the C\u0026C server.\r\nFigure 4. Communication with C\u0026C server\r\nThese latest samples have no new features implemented, except for the fact that the code has simple obfuscation applied. Obfuscation can be spotted in class names, method names, some strings, logs, and server URI paths (which would also have required small changes on the backend). Figure 5 compares the class names of the older FurBall version and the new version, with obfuscation.\r\nFigure 5. Comparison of class names of the older version (left) and new version (right)\r\nFigure 6 and Figure 7 display the earlier sendPost and new sndPst functions, highlighting the changes that this obfuscation necessitates.\r\nFigure 6. Older non-obfuscated version of code\r\nFigure 7. The latest code obfuscation\r\nThese elementary changes, due to this simple obfuscation, resulted in fewer detections on VirusTotal. We compared the detection rates of the sample discovered by Check Point from February 2021 (Figure 8) with the obfuscated version available since June 2021 (Figure 9).\r\nFigure 8. Non-obfuscated version of the malware detected by 28/64 engines\r\nFigure 9. Obfuscated version of the malware detected by 4/63 engines when first uploaded to VirusTotal\r\nConclusion\r\nThe Domestic Kitten campaign is still active, using copycat websites to target Iranian citizens. The operator’s goal has changed slightly from distributing full-featured Android spyware to a lighter variant, as described above. It requests only one intrusive permission – to access contacts – most likely to stay under the radar and not to attract the suspicion of potential victims during the installation process. This also might be the first stage of gathering contacts that could be followed by spearphishing via text messages.\r\nBesides reducing its active app functionality, the malware writers tried to decrease the number of detections by implementing a simple code obfuscation scheme to hide their intentions from mobile security software.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research also offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.\r\nIoCs\r\nSHA-1 | Package Name | ESET detection name | Description\r\nBF482E86D512DA46126F0E61733BCA4352620176 | com.getdoc.freepaaper.dissertation | Android/Spy.Agent.BWS | Malware imp tran (سرای مقاله Article House\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 10 of the ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nInitial Access | T1476 | Deliver Malicious App via Other Means | FurBall is delivered via direct download links behind fake Google Play buttons.\r\nInitial Access | T1444 | Masquerade as Legitimate Application | Copycat website provides links to download FurBall.\r\nPersistence | T1402 | Broadcast Receivers | FurBall receives the BOOT_COMPLETED broadcast intent to activate at device startup.\r\nDiscovery | T1418 | Application Discovery | FurBall can obtain a list of installed applications.\r\nDiscovery | T1426 | System Information Discovery | FurBall can extract information about the device including device type, OS version, and unique ID.\r\nCollection | T1432 | Access Contact List | FurBall can extract the victim’s contact list.\r\nCollection | T1533 | Data from Local System | FurBall can extract accessible files from external storage.\r\nCommand and Control | T1436 | Commonly Used Port | FurBall communicates with C\u0026C server using HTTP protocol.\r\nExfiltration | T1437 | Standard Application Layer Protocol | FurBall exfiltrates collected data over standard HTTP protocol.\r\nSource: https://www.welivesecurity.com/2022/10/20/domestic-kitten-campaign-spying-iranian-citizens-furball-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2022/10/20/domestic-kitten-campaign-spying-iranian-citizens-furball-malware/"
	],
	"report_names": [
		"domestic-kitten-campaign-spying-iranian-citizens-furball-malware"
	],
	"threat_actors": [
		{
			"id": "44d5df14-6a25-41d6-a54c-7c7ebac358cf",
			"created_at": "2023-01-06T13:46:38.817312Z",
			"updated_at": "2026-04-10T02:00:03.111227Z",
			"deleted_at": null,
			"main_name": "Domestic Kitten",
			"aliases": [
				"Bouncing Golf",
				"APT-C-50"
			],
			"source_name": "MISPGALAXY:Domestic Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c80783db-2b34-4321-ac7e-9a13692ffa31",
			"created_at": "2022-10-25T15:50:23.853579Z",
			"updated_at": "2026-04-10T02:00:05.422314Z",
			"deleted_at": null,
			"main_name": "Bouncing Golf",
			"aliases": [
				"Bouncing Golf"
			],
			"source_name": "MITRE:Bouncing Golf",
			"tools": [
				"GolfSpy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "30f6ddb3-f5aa-4b78-a1a5-e37c42b2c560",
			"created_at": "2022-10-25T16:07:23.544297Z",
			"updated_at": "2026-04-10T02:00:04.64999Z",
			"deleted_at": null,
			"main_name": "Domestic Kitten",
			"aliases": [
				"APT-C-50",
				"Bouncing Golf",
				"G0097"
			],
			"source_name": "ETDA:Domestic Kitten",
			"tools": [
				"FurBall",
				"GolfSpy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434783,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c4e616dbbc5d8daa4f73cf3825e0b7ad33636b71.pdf",
		"text": "https://archive.orkl.eu/c4e616dbbc5d8daa4f73cf3825e0b7ad33636b71.txt",
		"img": "https://archive.orkl.eu/c4e616dbbc5d8daa4f73cf3825e0b7ad33636b71.jpg"
	}
}