{ "id": "3320bd93-b7f0-4dbc-bd9e-3ca4b5ebf059", "created_at": "2026-04-06T00:22:19.220444Z", "updated_at": "2026-04-10T03:35:17.054763Z", "deleted_at": null, "sha1_hash": "c5ad30c3ecbd35d27287d9feaa053d43f92c4749", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 57232, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 21:08:26 UTC\r\nHome \u003e List all groups \u003e Ferocious Kitten\r\n APT group: Ferocious Kitten\r\nNames\r\nFerocious Kitten (Kaspersky)\r\nG0137 (MITRE)\r\nCountry Iran\r\nMotivation Information theft and espionage\r\nFirst seen 2015\r\nDescription\r\n(Kaspersky) Ferocious Kitten is an APT group that has been active against Persian-speaking individuals since 2015 and appears to be based in Iran. Although it has been\r\nactive over a large timespan, the group has mostly operated under the radar and, to the\r\nbest of our knowledge, has not been covered by security researchers. It only recently\r\nattracted attention when a lure document was uploaded to VirusTotal and was brought to\r\npublic knowledge by researchers on Twitter. Subsequently, one of its implants was\r\nanalyzed by a Chinese intelligence firm. We have been able to expand some of the\r\nfindings on the group and provide insights on additional variants. The malware dropped\r\nfrom the aforementioned document is dubbed MarkiRAT and is used to record\r\nkeystrokes and clipboard content, provide file download and upload capabilities as well\r\nas the ability to execute arbitrary commands on the victim’s machine. We were able to\r\ntrace the implant back to at least 2015, along with variants intended to hijack the\r\nexecution of the Telegram and Chrome applications as a persistence method.\r\nInterestingly, some of the TTPs used by this threat actor are reminiscent of other groups\r\noperating in the domain of dissident surveillance. For example, it used the same C2\r\ndomains across its implants for years, which was witnessed in the activity of Domestic\r\nKitten. In the same vein, the Telegram execution hijacking technique observed in this\r\ncampaign by Ferocious Kitten was also observed being used by Rampant Kitten, as\r\ncovered by Check Point. In our private report, we expand the details on these findings as\r\nwell as provide analysis and mechanics of the MarkiRAT malware.\r\nObserved Sectors: Persian-speaking individuals.\r\nTools used MarkiRAT.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=e4c70f58-d897-472b-8a10-577c0239a678\r\nPage 1 of 2\n\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e4c70f58-d897-472b-8a10-577c0239a678\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=e4c70f58-d897-472b-8a10-577c0239a678\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e4c70f58-d897-472b-8a10-577c0239a678" ], "report_names": [ "showcard.cgi?u=e4c70f58-d897-472b-8a10-577c0239a678" ], "threat_actors": [ { "id": "4a1e62ec-42d0-47c3-8b65-b3c5d9c496c0", "created_at": "2022-10-25T16:07:23.609046Z", "updated_at": "2026-04-10T02:00:04.686029Z", "deleted_at": null, "main_name": "Ferocious Kitten", "aliases": [ "G0137" ], "source_name": "ETDA:Ferocious Kitten", "tools": [ "MarkiRAT" ], "source_id": "ETDA", "reports": null }, { "id": "44d5df14-6a25-41d6-a54c-7c7ebac358cf", "created_at": "2023-01-06T13:46:38.817312Z", "updated_at": "2026-04-10T02:00:03.111227Z", "deleted_at": null, "main_name": "Domestic Kitten", "aliases": [ "Bouncing Golf", "APT-C-50" ], "source_name": "MISPGALAXY:Domestic Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e580dec5-1558-4c79-8eda-c968d1cd206f", "created_at": "2022-10-25T16:07:24.090829Z", "updated_at": "2026-04-10T02:00:04.863398Z", "deleted_at": null, "main_name": "Rampant Kitten", "aliases": [], "source_name": "ETDA:Rampant Kitten", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "75297180-4681-4500-ad0e-cde0edeb1ed2", "created_at": "2024-02-06T02:00:04.156486Z", "updated_at": "2026-04-10T02:00:03.581217Z", "deleted_at": null, "main_name": "Ferocious Kitten", "aliases": [], "source_name": "MISPGALAXY:Ferocious Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "30f6ddb3-f5aa-4b78-a1a5-e37c42b2c560", "created_at": "2022-10-25T16:07:23.544297Z", "updated_at": "2026-04-10T02:00:04.64999Z", "deleted_at": null, "main_name": "Domestic Kitten", "aliases": [ "APT-C-50", "Bouncing Golf", "G0097" ], "source_name": "ETDA:Domestic Kitten", "tools": [ "FurBall", "GolfSpy" ], "source_id": "ETDA", "reports": null }, { "id": "306b00c6-fec4-4698-86c5-2aed9feedd38", "created_at": "2022-10-25T15:50:23.444155Z", "updated_at": "2026-04-10T02:00:05.401052Z", "deleted_at": null, "main_name": "Ferocious Kitten", "aliases": [ "Ferocious Kitten" ], "source_name": "MITRE:Ferocious Kitten", "tools": [ "MarkiRAT", "BITSAdmin" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434939, "ts_updated_at": 1775792117, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c5ad30c3ecbd35d27287d9feaa053d43f92c4749.pdf", "text": "https://archive.orkl.eu/c5ad30c3ecbd35d27287d9feaa053d43f92c4749.txt", "img": "https://archive.orkl.eu/c5ad30c3ecbd35d27287d9feaa053d43f92c4749.jpg" } }