S0652: MarkiRAT
MarkiRAT is a remote access Trojan (RAT) compiled with Visual Studio that has been used by Ferocious Kitten since at least 2015.[1]
Analyst context for executives and security teams
MarkiRAT matters because ATT&CK describes it as a Windows remote access Trojan associated with long-running surveillance activity. The relationship set maps it to behaviors that can turn one compromised workstation into a collection point: user and system discovery, command shell execution, persistence through Windows startup mechanisms, data staging, credential collection, screen/clipboard/key capture, web-based command and control, and exfiltration over that channel.
Executive priority
Treat this as a Windows endpoint resilience and sensitive-data exposure problem, not just a malware name. Leaders should ask whether high-risk users and systems have endpoint visibility, whether persistence mechanisms such as Run keys, startup folders, shortcuts, and BITS jobs are monitored, and whether SOC/IR teams can prove collection and exfiltration activity from a workstation. The Ferocious Kitten relationship and cited reporting provide threat-intelligence context, but local prioritization should be driven by business exposure, user risk, and data sensitivity.
Technical view
ATT&CK lists MarkiRAT on Windows and provides no official detection text, so validation should be behavior-led using the mapped techniques. SOC teams should test visibility for Windows command shell execution, native API-driven activity, process/user/system/software/security-tool discovery, local file and directory enumeration, local data staging, password-manager access, clipboard/screen/keylogging-related activity, BITS job abuse, Registry Run key/startup folder and shortcut persistence, inbound tool transfer, web-protocol C2, and exfiltration over the same C2 channel. Relationship context says Ferocious Kitten uses MarkiRAT; use that for enrichment, not as a standalone detection condition.
Likely telemetry
- Windows EDR process creation, parent/child process, command-line, and module/API activity
- Registry modification telemetry for Run keys and startup-related persistence
- File system telemetry for startup folder and shortcut creation or modification
- BITS job creation, modification, and transfer history
- Windows command shell execution events
Detection direction
- Build detections around technique chains rather than the malware name: discovery followed by staging, persistence, C2, and exfiltration is more actionable than any single weak signal.
- Correlate Windows persistence changes with nearby command shell execution, BITS activity, tool transfer, or unusual outbound web traffic.
- Tune discovery detections carefully because user, process, file, software, and security-tool enumeration can overlap with administration and inventory tools; prioritize unusual parent processes, user context, timing, and destination context.
- For web-protocol C2, validate whether proxy/DNS/firewall logs preserve endpoint, user, process, URL/domain, timing, and volume context; encrypted traffic may limit content inspection.
- For collection behaviors such as screen capture, clipboard access, keylogging, and password-manager access, confirm whether endpoint controls actually expose these events; many environments have blind spots here.
Mitigation priorities
- Prioritize hardened Windows endpoint controls for high-risk users and systems, including prevention and monitoring of unauthorized persistence through Run keys, startup folders, shortcuts, and BITS jobs.
- Limit the ability of untrusted processes to run command shells, transfer tools, or interact with sensitive local data where business operations allow.
- Protect credential stores and password managers with strong access controls, user training, and monitoring for suspicious access patterns; assume credential exposure may require response actions if confirmed.
- Ensure egress controls, proxy logging, and DNS/firewall monitoring can support investigation of web-protocol C2 and exfiltration over the same channel.
- Maintain incident response playbooks that cover workstation triage, persistence removal, credential reset decisions, data-exposure assessment, and threat-intelligence enrichment.
Analyst notes and limits
The ATT&CK object identifies MarkiRAT as a Visual Studio-compiled RAT used by Ferocious Kitten since at least 2015, with Kaspersky reporting as the cited source. The strongest defensive value comes from the mapped behaviors: discovery, collection, credential access, persistence, command and control, ingress transfer, and exfiltration. The malware object itself has no official detection guidance.
This take is limited to the supplied ATT&CK fields, external references, and relationships. ATT&CK lists the malware platform as Windows, while several related technique descriptions include broader platform coverage; do not infer non-Windows MarkiRAT deployment from this object alone. No indicators, hashes, infrastructure, prevalence, active exploitation status, or guaranteed detection logic were supplied.
MarkiRAT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1197 | BITS Jobs | MarkiRAT can use BITS Utility to connect with the C2 server. [1] |
| Enterprise | T1614.001 | System Language Discovery | MarkiRAT can use the |
| Enterprise | T1033 | System Owner/User Discovery | MarkiRAT can retrieve the victim's username. [1] |
| Enterprise | T1083 | File and Directory Discovery | MarkiRAT can look for files carrying specific extensions such as: .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx, .txt, .gpg, .pkr, .kdbx, .key, and .jpb. [1] |
| Enterprise | T1106 | Native API | MarkiRAT can run the ShellExecuteW API via the Windows Command Shell. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1547.009 | Shortcut Modification | MarkiRAT can modify the shortcut that launches Telegram by replacing its path with the malicious payload to launch with the legitimate executable. [1] |
| Enterprise | T1005 | Data from Local System | MarkiRAT can upload data from the victim's machine to the C2 server. [1] |
| Enterprise | T1056.001 | Keylogging | MarkiRAT can capture all keystrokes on a compromised host. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | MarkiRAT can drop its payload into the Startup directory to ensure it automatically runs when the compromised system is started. [1] |
| Enterprise | T1059.003 | Windows Command Shell | MarkiRAT can utilize cmd.exe to execute commands in a victim's environment. [1] |
| Enterprise | T1518.001 | Security Software Discovery | MarkiRAT can check for running processes on the victim's machine to look for Kaspersky and Bitdefender antivirus products. [1] |
| Enterprise | T1082 | System Information Discovery | MarkiRAT can obtain the computer name from a compromised host. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | MarkiRAT can exfiltrate locally stored data via its C2. [1] |
| Enterprise | T1555.005 | Password Managers | MarkiRAT can gather information from the Keepass password manager. [1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | MarkiRAT can masquerade as |
| Enterprise | T1057 | Process Discovery | MarkiRAT can search for different processes on a system. [1] |
| Enterprise | T1074.001 | Local Data Staging | MarkiRAT can store collected data locally in a created .nfo file. [1] |
| Enterprise | T1071.001 | Web Protocols | MarkiRAT can initiate communication over HTTP/HTTPS for its C2 server. [1] |
| Enterprise | T1518 | Software Discovery | MarkiRAT can check for the Telegram installation directory by enumerating the files on disk. [1] |
| Enterprise | T1115 | Clipboard Data | MarkiRAT can capture clipboard content. [1] |
| Enterprise | T1113 | Screen Capture | MarkiRAT can capture screenshots that are initially saved as 'scr.jpg'. [1] |
Groups, software, and campaigns
G0137: Ferocious Kitten
Ferocious Kitten is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 1725dd36065b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Kaspersky Ferocious Kitten Jun 2021: GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
- [2] mitre-attack S0652
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.