‘Ferocious Kitten’: the cyberspies preying on Iranian web users

Cyber security experts Kaspersky say the "Ferocious Kitten" espionage group has been active since at least 2015.
Cyber security experts Kaspersky say the "Ferocious Kitten" espionage group has been active since at least 2015. © istock

For years “Ferocious Kitten” has been harvesting information from Iranian web users, while remaining undetected by cybersecurity firms. Its espionage tools are ideally suited for domestic surveillance, according to a report by security experts.


The malware is concealed in a seemingly innocuous phrase, a bait presumably intended for critics of the Islamic Republic.

“My name is Hussein Jaffari, I was a prisoner of the regime between 1364 and 1365,” reads the message, referring to the years 1985-6 in the Persian calendar. Except Hussein Jaffari never even existed; he is merely a ploy, designed to lure readers into clicking on a file containing malicious surveillance software.

The gimmick is just one of many ruses used by a previously unknown group of cyberspies to ensnare Iranian web users. Its secretive activities were revealed by cybersecurity firm Kaspersky in a report published on Wednesday and seen by FRANCE 24.

Ferocious – and versatile

Dubbed “Ferocious Kitten” by Kaspersky, the group has operated under the radar since at least 2015, deploying a host of techniques to implant its malware on targeted mobile devices and personal computers.

Lures include pictures of anti-regime rallies which, once opened, allow the spyware to sneak into victims’ machines. “Ferocious Kitten” also designed copies of popular websites, such as Aparat, the Iranian YouTube, using them as vehicles for infection. It even circulated modified – and infected – versions of software typically used by Iranians to bypass the country’s internet censors. 

Once installed, the group's MarkiRAT malware gives the cyberspies ample access to victims’ personal data. 

“It’s a homemade remote access tool that we hadn’t encountered before,” said Paul Rascagnères, a threat researcher at Kaspersky, in an interview with FRANCE 24.

MarkiRAT automatically hunts for Microsoft Office files (Word, PowerPoint, Outlook etc) as well as pictures and folders containing passwords. It can record users’ keystrokes and even hijack Telegram, the encrypted messaging device often used to elude surveillance. “Ferocious Kitten” has also developed a variant of its spyware specifically designed for Android smartphones, which are far more popular in Iran than iPhones.

“Ferocious Kitten” is hardly alone in spying on Iranians deemed hostile to the regime. Other groups, including “Prince of Persia”, “Domestic Kitten” and “Charming Kitten”, are also known to eavesdrop on swathes of the public.

“Indeed some of the methods used by ‘Ferocious Kitten’ are common to the other groups too,” says Rascagnères. They include the use of duplicates of popular Iranian websites and the practise of posing as former political prisoners. 

Under the radar

When it comes to secrecy, however, “Ferocious Kitten” appears to have outlasted its peers.

Other groups suspected of spying on behalf of Iranian authorities have been known to cyber-security firms for several years now. Some, like “Prince of Persia”, were forced to close shop for a while after attracting too much scrutiny. The group had notably expanded its espionage activities to the US and Israel. 

>> Russian and Chinese cyberespionage puts Biden under pressure

In addition to monitoring homegrown dissidents, groups like “Charming Kitten” attempted to spy on members of former US president Donald Trump’s entourage and penetrated the servers of US pharmaceutical giants. Their international scope attracted the scrutiny of US authorities, leading to the indictment of four Iranian nationals for cyber espionage in 2019.

In contrast, “Ferocious Kitten” has stuck to a more limited agenda – which may also explain its success so far.

“Some of the evidence points to a more targeted approach to surveillance,” said Rascagnères. The group, for instance, only has a small number of command-and-control servers, suggesting it does not aim to target thousands of people around the world as “Prince of Persia” did.

The group has also programmed its malware to ensure “it only becomes active once it has checked the keyboard is in Persian”, noted the Kaspersky researcher – another indication that “Ferocious Kitten” is exclusively focused on Iranian targets, “in order to keep as low a profile as possible,” noted Rascagnères.

While its domestic focus may shield “Ferocious Kitten” from international scrutiny, Kaspersky’s latest discovery shows that cyber surveillance of the Iranian public is more extensive – and intrusive – than previously thought.

This article was adapted from the original in French.

Daily newsletterReceive essential international news every morning

Take international news everywhere with you! Download the France 24 app