Overview
Cutting Kitten is a state-sponsored Iranian threat actor group that has been actively targeting organizations across the Middle East and internationally since at least 2015. Known for its wide-reaching operations, Cutting Kitten focuses on sectors critical to national infrastructure and economic stability, including government, energy, telecommunications, and finance.
Its tactics, techniques, and procedures (TTPs) often center around social engineering, exploiting human vulnerabilities, and taking advantage of recently discovered and patched vulnerabilities. The group’s operations include advanced supply chain attacks, command and control (C2) via custom DNS tunneling protocols, and the use of web shells and backdoors to maintain persistent access.

Although the group operates with a high level of sophistication, its approach tends to be calculated and methodical, targeting organizations and industries with precision. Cutting Kitten’s presence is notable for its reliance on custom malware families, some of which are used for reconnaissance, data exfiltration, and network disruption.
Operational Tactics and Techniques
Cutting Kitten is known for its multifaceted approach to cyber espionage and disruption. The group typically gains initial access through phishing and exploitation of vulnerabilities in public-facing applications.

Once inside a victim network, the group often moves laterally using stolen credentials and exploits weak security protocols, positioning itself for deeper infiltration and data exfiltration. The group’s toolkit includes a variety of backdoors and custom malware families.
Malware Families Used by Cutting Kitten

Cutting Kitten employs a wide range of malware families and tools for both initial access and persistence within compromised environments. Below is an overview of some of the most significant malware families associated with the group:
- CsExt: A C#-based backdoor that runs as a service and executes commands read from a configuration file at scheduled times. It provides remote control of compromised systems, typically for data exfiltration or maintaining a persistent foothold, though its exact purpose can vary between deployments.
- Jasus: A network manipulation tool, written in C, that performs ARP cache poisoning. Although basic, it is effective because it evades antivirus detection, enabling man-in-the-middle attacks and interception of network traffic.
- KAgent: A wiper linked to North Korean cyber operations. While its exact role in Cutting Kitten’s toolkit is unclear, it is primarily used for data wiping, disrupting systems, and deleting critical information.
- Leash: An IRC bot from the Magic Hound campaign, used to communicate with a C2 server. It issues commands to compromised systems, enabling data exfiltration, reconnaissance, or the deployment of additional payloads.
- TinyZBot: A C#-based bot that supports keylogging, screenshot capture, and SMTP exfiltration. It can self-update, disable antivirus software, and maintain long-term persistence, providing ongoing access to sensitive data.
- WndTest: A backdoor evolved from the PVZ toolchain, capable of keystroke logging, clipboard monitoring, and C2 communications via PHP servers. It allows for surveillance and remote control of infected systems.
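Jasus works by poisoning ARP caches, so the detection signal a defender has on the wire is an IP address suddenly being claimed by a different MAC, or one MAC answering for several IPs. The following detector is an added example, not code from Cyble or from any tool in the group’s kit; it runs over constructed ARP reply records (tuples of sequence number, sender IP, sender MAC, target IP) and the `known` table it accepts is a hypothetical pre-registered IP-to-MAC mapping.

```python
from collections import defaultdict

# Constructed ARP reply records, not real traffic: (seq, sender_ip, sender_mac, target_ip).
# Rows 1-3 are normal; in rows 4-6 a second MAC claims the gateway 10.0.0.1 and a host.
SAMPLE_ARP = [
    (1, "10.0.0.1", "00:11:22:33:44:01", "10.0.0.5"),
    (2, "10.0.0.5", "00:11:22:33:44:05", "10.0.0.1"),
    (3, "10.0.0.7", "00:11:22:33:44:07", "10.0.0.1"),
    (4, "10.0.0.1", "DE:AD:BE:EF:00:07", "10.0.0.5"),
    (5, "10.0.0.5", "de:ad:be:ef:00:07", "10.0.0.1"),
    (6, "10.0.0.1", "de:ad:be:ef:00:07", "10.0.0.7"),
]

def detect_arp_poisoning(records, known=None):
    """Alert when an IP is claimed by a MAC other than the first one seen for it (or
    the one pre-registered in `known`, a hypothetical table seeded from DHCP leases),
    and when a single MAC claims several IPs. The first-seen binding is kept, so
    every later conflicting reply is reported, not just the first."""
    ip_to_mac = {ip: mac.lower() for ip, mac in (known or {}).items()}
    ips_by_mac = defaultdict(set)
    alerts = []
    for seq, sender_ip, sender_mac, target_ip in records:
        sender_mac = sender_mac.lower()          # normalise case before comparing
        learned = ip_to_mac.setdefault(sender_ip, sender_mac)
        if learned != sender_mac:
            alerts.append({"seq": seq, "type": "mac_conflict", "ip": sender_ip,
                           "expected": learned, "seen": sender_mac, "target": target_ip})
        if sender_ip not in ips_by_mac[sender_mac]:
            ips_by_mac[sender_mac].add(sender_ip)
            if len(ips_by_mac[sender_mac]) > 1:  # one NIC answering for many hosts
                alerts.append({"seq": seq, "type": "multi_ip_claim", "mac": sender_mac,
                               "ips": sorted(ips_by_mac[sender_mac])})
    return alerts
```

DHCP renumbering and first-hop redundancy protocols can legitimately move an IP between MACs, so in practice the `known` table should be seeded from the DHCP server and gateway inventory to keep those out of the alert stream.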
Targeted Countries and Industries
Cutting Kitten operates on a global scale, but its primary focus is the Middle East and North Africa (MEA), with a heavy concentration on countries such as Iran, the United Arab Emirates, Saudi Arabia, and Qatar.

However, its reach extends far beyond the region, targeting nations across Europe, Asia, and the Americas, including Canada, Germany, France, the United Kingdom, Israel, the United States, and India.
The group’s activities affect a wide range of sectors, including:
- Aerospace & Defense
- Banking, Financial Services, and Insurance (BFSI)
- Energy & Utilities
- Telecommunications
- Chemical Manufacturing
- Healthcare
- Education
- Government & Law Enforcement Agencies
Exfiltration and Data Harvesting Techniques
One of the most notable aspects of Cutting Kitten’s operations is its data exfiltration techniques. The group frequently uses DNS tunneling as a covert method for command and control (C2) communications, enabling it to exfiltrate data through seemingly legitimate DNS queries. This allows the group to avoid detection by conventional security tools that monitor typical C2 channels.
The group is also known for its supply chain attacks, leveraging trusted software or hardware providers to infiltrate target networks. Through these attacks, Cutting Kitten is able to gain initial access without directly exploiting vulnerabilities in the target organization.
Conclusion
Cutting Kitten is a technically advanced Iranian cyber espionage group, leveraging a wide range of tactics, techniques, and tools to achieve its objectives. Known for its focus on data exfiltration, persistent access, and disruption, the group primarily targets critical sectors such as telecommunications, energy, financial services, and government.
With advanced malware families, including backdoors, wipers, and tunneling tools, Cutting Kitten maintains a stealthy and adaptable presence, making detection challenging. To defend against these threats, organizations must implement strong cybersecurity measures, such as multi-factor authentication, endpoint protection, and regular patching.

For proactive defense, Cyble provides cutting-edge, AI-powered threat intelligence solutions, helping organizations stay ahead of emerging threats like Cutting Kitten. As a globally recognized leader in threat intelligence, Cyble’s platform offers real-time insights, advanced detection, and incident management capabilities, empowering your security teams to act quickly.
Book a free demo today or explore how Cyble’s external threat assessment report strengthens your security stack.
Recommendation and Mitigation Strategies
- Implement Multi-Factor Authentication (MFA): Enforce MFA across all critical systems to prevent unauthorized access, particularly in the event of stolen credentials.
- Regular Patch Management: Ensure timely patching of public-facing applications and systems to eliminate vulnerabilities that Cutting Kitten exploits, especially after patches are released.
- Enhanced Phishing Protection: Use advanced email filtering, anti-phishing tools, and user training to mitigate the risk of social engineering attacks, which are common in the group’s initial access phase.
- Network Segmentation: Divide networks into segments to limit lateral movement. This strategy reduces the impact of an intruder moving between systems and helps isolate compromised areas.
- DNS Traffic Monitoring: Monitor DNS traffic for unusual patterns, including DNS tunneling attempts, to detect covert C2 communications that are part of Cutting Kitten’s exfiltration methods.
- Endpoint Detection and Response (EDR): Deploy EDR solutions to detect and block malware like TinyZBot, WndTest, and CsExt that are commonly used by Cutting Kitten to maintain persistence and exfiltrate data.
- Supply Chain Security: Assess and secure third-party vendors and suppliers to prevent supply chain attacks, a primary entry point for Cutting Kitten into target networks.
- Continuous Threat Intelligence Integration: Leverage advanced threat intelligence platforms like Cyble’s to get real-time insights and proactive alerts on emerging Cutting Kitten tactics, malware, and attack infrastructure, ensuring swift mitigation.
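The DNS tunneling described in the exfiltration section above leaves a recognisable footprint in resolver logs, which is what the DNS Traffic Monitoring recommendation is asking teams to look for: many distinct, long, high-entropy subdomains under one domain from one client. The detector below is an added example, not Cyble’s or any vendor’s code; the log lines are constructed, `c2-placeholder.test` is a placeholder domain, and the thresholds are illustrative starting points.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log, not real data: "timestamp client qname qtype".
# The hex labels under c2-placeholder.test mimic payload chunks carried in queries.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com A
2024-01-01T10:00:02 10.0.0.5 mail.example.com MX
2024-01-01T10:00:03 10.0.0.7 3f9a1c7e2b8d4a6f9e0c1b2a3d4e5f60.c2-placeholder.test TXT
2024-01-01T10:00:04 10.0.0.7 06f5e4d3a2b1c0e9f6a4d8b2e7c1a9f3.c2-placeholder.test TXT
2024-01-01T10:00:05 10.0.0.7 e2b8d4a6f9e0c1b2a3d4e5f603f9a1c7.c2-placeholder.test TXT
2024-01-01T10:00:06 10.0.0.7 9e0c1b2a3d4e5f603f9a1c7e2b8d4a6f.c2-placeholder.test TXT
2024-01-01T10:00:07 10.0.0.5 cdn.example.com A
"""

def shannon_entropy(text):
    """Bits per character: encoded payload chunks score far above ordinary hostnames."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def split_qname(qname):
    """Return (registered domain, subdomain part). Assumes the registered domain is
    the last two labels; a production detector would consult a public suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def detect_tunneling(lines, min_queries=3, min_entropy=3.5, min_sub_len=30, min_unique=0.8):
    """Flag (client, domain) pairs whose subdomains look like carried data:
    long, high-entropy and almost never repeated across queries."""
    subs_by_key = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        _ts, client, qname, _qtype = line.split()
        domain, sub = split_qname(qname)
        subs_by_key[(client, domain)].append(sub)
    alerts = []
    for (client, domain), subs in subs_by_key.items():
        n = len(subs)
        if n < min_queries:            # too few queries to judge the pattern
            continue
        avg_entropy = sum(map(shannon_entropy, subs)) / n
        avg_len = sum(map(len, subs)) / n
        unique_ratio = len(set(subs)) / n
        if avg_entropy >= min_entropy and avg_len >= min_sub_len and unique_ratio >= min_unique:
            alerts.append({"client": client, "domain": domain, "queries": n,
                           "avg_entropy": round(avg_entropy, 2), "avg_sub_len": round(avg_len, 1)})
    return alerts
```

CDNs and some security products also generate long machine-looking subdomains, so an allow-list of known domains belongs in front of this logic before alerts are routed to analysts.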
MITRE ATT&CK Techniques Associated with Cutting Kitten

- OS Credential Dumping (T1003): Attempt to dump credentials, either in hash or clear-text form, from the operating system to gain access to accounts and perform lateral movement or access restricted information.
- Adversary-in-the-Middle (T1557): Adversaries position themselves between networked devices, intercepting traffic for activities like sniffing, data manipulation, or replay attacks, often by manipulating DNS settings to control traffic flow and exfiltrate user credentials.
- Establish Accounts (T1585): Create and develop online personas or identities, often on social media, to build legitimacy for social engineering or phishing campaigns. These accounts may also be used for further infiltration efforts.
- Develop Capabilities (T1587): Design and build their own tools, such as malware or exploits, to support their operations, often creating customized capabilities in-house rather than using off-the-shelf solutions.
- Obtain Capabilities (T1588): Acquire capabilities by purchasing or stealing pre-developed tools, malware, or exploits from external sources, to enhance their targeting efforts.
- Custom DNS Tunneling (T1071.004): Use DNS tunneling for command-and-control communications, bypassing traditional detection systems by embedding malicious data within DNS queries.
- Exfiltration Over Web Service (T1071.001): Data is exfiltrated through commonly used web services like HTTP or HTTPS, masking the activity within legitimate traffic to avoid detection.
Disclaimer: This profile is based on OSINT, Cyble research, and external sources. Cyble is not responsible for the accuracy of the data or any misuse of the information presented.