A cyber-espionage operation has been covertly targeting Persian-speaking individuals in Iran for at least six years, according to a new report from Kaspersky.

The threat actor behind this campaign tracked by Kaspersky as ‘Ferocious Kitten’ has been flying under radar since at least 2015, using a host of clever techniques to deploy its malware on victims’ devices. In particular, this newly discovered APT has been observed using a custom malware called “MarkiRAT” that steals data and can execute commands on the victim’s machine, with some the variants able to hijack the infected user’s Chrome browser and their Telegram app.

The cyber-espionage campaign came to light when Kaspersky spotted two suspicious Microsoft Word documents that were uploaded to VirusTotal in July 2020 and March 2021. The documents disguised as images or videos that depict action against the Iranian regime contained malicious macros. Upon enabling attached content, the MarkiRAT malware was dropped to the targeted system. This malware is capable of recording keystrokes and clipboard contents, hijacking file download and upload capabilities, and the execution of arbitrary commands on the victim machine, Kaspersky said.

The researchers found several MarkiRAT variants, one of which is able to intercept the execution of Telegram and launch the malware along with it.

“If present, MarkiRAT copies itself to this repository and then modifies the shortcut that launches Telegram to execute this modified repository with the application itself,” the researchers wrote.

A separate MarkiRAT variant alters the device’s Chrome browser shortcut so that the MarkiRAT payload is executed alongside the legitimate app. Yet another variant is a backdoored version of Psiphon, an open source VPN tool often used to bypass internet censorship.

Kaspersky said it discovered evidence that Ferocious Kitten has developed malicious implants targeting Android devices, but was unable to obtain any specific samples for analysis.

“While the MarkiRAT malware and accompanying toolset isn’t particularly sophisticated, it is interesting that the group created such specialized variants for Chrome and Telegram. It suggests the threat actors are focused more on adapting their existing toolset to their target environments rather than enriching it with features and capabilities. It’s also quite possible that the group is running several campaigns targeting different platforms,” the researchers said.