
Threat Actor Profile: Cutting Kitten 

Overview 

Cutting Kitten is a state-sponsored Iranian threat actor group that has been actively targeting organizations across the Middle East and internationally since at least 2015. Known for its wide-reaching operations, Cutting Kitten focuses on sectors critical to national infrastructure and economic stability, including government, energy, telecommunications, and finance.  

Its tactics, techniques, and procedures (TTPs) often center around social engineering, exploiting human vulnerabilities, and taking advantage of recently discovered and patched vulnerabilities. The group’s operations include advanced supply chain attacks, command and control (C2) via custom DNS tunneling protocols, and the use of web shells and backdoors to maintain persistent access. 


Although the group operates with a high level of sophistication, its approach tends to be calculated and methodical, targeting organizations and industries with precision. Cutting Kitten’s presence is notable for its reliance on custom malware families, some of which are used for reconnaissance, data exfiltration, and network disruption. 

Operational Tactics and Techniques 

Cutting Kitten is known for its multifaceted approach to cyber espionage and disruption. The group typically gains initial access through phishing and exploitation of vulnerabilities in public-facing applications.  

[Figure: Cutting Kitten Attack Chain (Source: Cyble)]

Once inside a victim network, the group often moves laterally using stolen credentials and exploits weak security protocols, positioning itself for deeper infiltration and data exfiltration. The group’s toolkit includes a variety of backdoors and custom malware families. 

Malware Families Used by Cutting Kitten 

[Figure: Malware families used by Cutting Kitten (Source: Cyble Vision)]

Cutting Kitten employs a wide range of malware families and tools for both initial access and persistence within compromised environments. Below is an overview of some of the most significant malware families associated with the group: 

  • CsExt: A C#-based backdoor that runs as a service, executing commands from a configuration file at scheduled times. It enables remote control of compromised systems, often for data exfiltration or maintaining a persistent foothold, though its exact purpose can vary. 
  • Jasus: A network manipulation tool that performs ARP cache poisoning attacks. Developed in C, it’s a basic tool but effective due to its ability to evade antivirus detection, enabling man-in-the-middle attacks and intercepting network traffic. 
  • KAgent: A wiper linked to North Korean cyber operations. While its exact role in Cutting Kitten’s toolkit is unclear, it is primarily used for data wiping, disrupting systems, and deleting critical information. 
  • Leash: Leash is an IRC bot from the Magic Hound campaign, used to communicate with a C2 server. It issues commands to compromised systems, enabling data exfiltration, reconnaissance, or the deployment of additional payloads. 
  • TinyZBot: A C#-based bot that supports keylogging, screenshot capture, and SMTP exfiltration. It can self-update, disable antivirus software, and maintain long-term persistence, providing ongoing access to sensitive data. 
  • WndTest: WndTest is a backdoor tool evolved from the PVZ toolchain, capable of keystroke logging, clipboard monitoring, and C2 communications via PHP servers. It allows for surveillance and remote control of infected systems. 

Targeted Countries and Industries 

Cutting Kitten operates on a global scale, but its primary focus is the Middle East and North Africa (MEA), with a heavy concentration on countries such as Iran, the United Arab Emirates, Saudi Arabia, and Qatar.  

[Figure: Regions/Nations Targeted by Cutting Kitten (Source: Cyble)]

However, their reach extends far beyond the region, targeting nations across Europe, Asia, and the Americas, including Canada, Germany, France, the United Kingdom, Israel, the United States, and India. 

The group’s activities affect a wide range of sectors, including: 

  • Aerospace & Defense 
  • Banking, Financial Services, and Insurance (BFSI) 
  • Energy & Utilities 
  • Telecommunications 
  • Chemical Manufacturing 
  • Healthcare 
  • Education 
  • Government & Law Enforcement Agencies 

Exfiltration and Data Harvesting Techniques 

One of the most notable aspects of Cutting Kitten’s operations is its data exfiltration techniques. The group frequently uses DNS tunneling as a covert method for command and control (C2) communications, enabling them to exfiltrate data through seemingly legitimate DNS queries. This allows them to avoid detection by conventional security tools that monitor typical C2 channels. 

The group is also known for its supply chain attacks, leveraging trusted software or hardware providers to infiltrate target networks. Through these attacks, Cutting Kitten is able to gain initial access without directly exploiting vulnerabilities in the target organization. 

Conclusion 

Cutting Kitten is a technically advanced Iranian cyber espionage group, leveraging a wide range of tactics, techniques, and tools to achieve its objectives. Known for its focus on data exfiltration, persistent access, and disruption, the group primarily targets critical sectors such as telecommunications, energy, financial services, and government.  

With advanced malware families, including backdoors, wipers, and tunneling tools, Cutting Kitten maintains a stealthy and adaptable presence, making detection challenging. To defend against these threats, organizations must implement strong cybersecurity measures, such as multi-factor authentication, endpoint protection, and regular patching. 

[Figure: Cyble Threat Actor Library (Source: Cyble Vision)]

For proactive defense, Cyble provides cutting-edge, AI-powered threat intelligence solutions, helping organizations stay ahead of emerging threats like Cutting Kitten. As a globally recognized leader in threat intelligence, Cyble’s platform offers real-time insights, advanced detection, and incident management capabilities, empowering your security teams to act quickly. 

Book a free demo today or explore how Cyble’s external threat assessment report strengthens your security stack. 

Recommendation and Mitigation Strategies 

  • Implement Multi-Factor Authentication (MFA): Enforce MFA across all critical systems to prevent unauthorized access, particularly in the event of stolen credentials. 
  • Regular Patch Management: Ensure timely patching of public-facing applications and systems to eliminate vulnerabilities that Cutting Kitten exploits, especially after patches are released. 
  • Enhanced Phishing Protection: Use advanced email filtering, anti-phishing tools, and user training to mitigate the risk of social engineering attacks, which are common in the group’s initial access phase. 
  • Network Segmentation: Divide networks into segments to limit lateral movement. This strategy reduces the impact of an intruder moving between systems and helps isolate compromised areas. 
  • DNS Traffic Monitoring: Monitor DNS traffic for unusual patterns, including DNS tunneling attempts, to detect covert C2 communications that are part of Cutting Kitten’s exfiltration methods. 
  • Endpoint Detection and Response (EDR): Deploy EDR solutions to detect and block malware like TinyZBot, WndTest, and CsExt that are commonly used by Cutting Kitten to maintain persistence and exfiltrate data. 
  • Supply Chain Security: Assess and secure third-party vendors and suppliers to prevent supply chain attacks, a primary entry point for Cutting Kitten into target networks. 
  • Continuous Threat Intelligence Integration: Leverage advanced threat intelligence platforms like Cyble’s to get real-time insights and proactive alerts on emerging Cutting Kitten tactics, malware, and attack infrastructure, ensuring swift mitigation. 
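The DNS tunneling described in the exfiltration section and the "DNS Traffic Monitoring" recommendation above both come down to one detection question: which query names look like encoded data rather than hostnames? The script below is an added example (not Cyble's tooling and not from the original profile) that scores each query on length, subdomain entropy and record type, then alerts per registered domain once several distinct flagged names appear, since a tunnel emits many never-repeated names. The log format, thresholds and the c2-example.test domain are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not from the report): "<time> <client> <qtype> <qname>".
SAMPLE_LOG = """\
2024-05-01T10:00:02 10.0.0.5 A static-assets-prod-eu-west-1.example.com
2024-05-01T10:00:03 10.0.0.7 TXT 4f1a9c3b2e7d8a6f5b4c3d2e1f0a9b8c.upd.c2-example.test
2024-05-01T10:00:03 10.0.0.9 TXT _dmarc.example.com
2024-05-01T10:00:04 10.0.0.7 TXT e7d8a6f5b4c3d2e1f0a9b8c4f1a9c3b2.upd.c2-example.test
2024-05-01T10:00:05 10.0.0.7 TXT 5b4c3d2e1f0a9b8c4f1a9c3b2e7d8a6f.upd.c2-example.test
2024-05-01T10:00:06 10.0.0.7 TXT 2e7d8a6f5b4c3d2e1f0a9b8c4f1a9c3b.upd.c2-example.test
"""

LONG_QNAME = 50          # chars; user-facing names are usually far shorter
ENTROPY_THRESHOLD = 3.8  # bits/char over the subdomain; encoded data sits near 4
TUNNEL_QTYPES = {"TXT", "NULL"}  # record types that can carry arbitrary payloads back

def shannon_entropy(text):
    """Bits per character of text; 0.0 for empty input."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def split_name(qname):
    """(subdomain, registered domain) by a naive last-two-labels split; use the public suffix list in production."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def query_indicators(qtype, qname):
    """Independent heuristics; one hit alone is normal (TXT for _dmarc, say)."""
    sub, _ = split_name(qname)
    hits = []
    if len(qname) >= LONG_QNAME:
        hits.append("long_qname")
    if shannon_entropy(sub.replace(".", "")) >= ENTROPY_THRESHOLD:
        hits.append("high_entropy_subdomain")
    if qtype.upper() in TUNNEL_QTYPES:
        hits.append("qtype_" + qtype.upper())
    return hits

def detect_tunneling(log_text, min_hits=2, min_unique=4):
    """Alert per domain when >= min_unique distinct names each trip >= min_hits heuristics."""
    flagged = defaultdict(dict)  # registered domain -> {qname: (client, hits)}
    for line in log_text.splitlines():
        _ts, client, qtype, qname = line.split()
        hits = query_indicators(qtype, qname)
        if len(hits) >= min_hits:
            flagged[split_name(qname)[1]][qname] = (client, hits)
    return {dom: {"unique_qnames": len(names),
                  "clients": sorted({c for c, _ in names.values()}),
                  "indicators": sorted({h for _, hs in names.values() for h in hs})}
            for dom, names in flagged.items() if len(names) >= min_unique}
```

Tune the thresholds against a baseline of your own resolver logs before alerting; the two-hit rule keeps legitimate single-signal records such as DMARC TXT lookups quiet.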

MITRE ATT&CK Techniques Associated with Cutting Kitten 

[Figure: MITRE ATT&CK Techniques (Source: Cyble Vision)]

  • OS Credential Dumping (T1003): Attempt to dump credentials, either in hash or clear-text form, from the operating system to gain access to accounts and perform lateral movement or access restricted information. 
  • Adversary-in-the-Middle (T1557): Adversaries position themselves between networked devices, intercepting traffic for activities like sniffing, data manipulation, or replay attacks, often by manipulating DNS settings to control traffic flow and exfiltrate user credentials. 
  • Establish Accounts (T1585): Create and develop online personas or identities, often on social media, to build legitimacy for social engineering or phishing campaigns. These accounts may also be used for further infiltration efforts. 
  • Develop Capabilities (T1587): Design and build their own tools, such as malware or exploits, to support their operations, often creating customized capabilities in-house rather than using off-the-shelf solutions. 
  • Obtain Capabilities (T1588): Acquire capabilities by purchasing or stealing pre-developed tools, malware, or exploits from external sources, to enhance their targeting efforts. 
  • Custom DNS Tunneling (T1071.004): Use DNS tunneling for command-and-control communications, bypassing traditional detection systems by embedding malicious data within DNS queries. 
  • Exfiltration Over Web Service (T1071.001): Data is exfiltrated through commonly used web services like HTTP or HTTPS, masking the activity within legitimate traffic to avoid detection. 

Disclaimer: This profile is based on OSINT, Cyble research, and external sources. Cyble is not responsible for the accuracy of the data or any misuse of the information presented. 
