"Kitten Caracala" attacks mobile phones of Kurdish political activists

Who is hiding behind the "Caracal Kitten" mask? Chinese experts know the answer.

Researchers at the Chinese security company Qi An Xin have discovered attacks on activists of the Kurdistan Democratic Party (KDP) by a previously unknown cyber group they call "Caracal Kitten".

The Kurdistan Region is an autonomous region within Iraq that operates with a large degree of independence, with its own government and security forces. It lies in the Middle East, mainly in the northern part of Mesopotamia and in the Zagros Mountains.

The Caracal Kitten group distributed malware disguised as official mobile apps of the KDP. Users who mistook these apps for the real ones installed them and unwittingly gave the attackers access to their contacts, SMS messages, and messenger data.

While investigating the campaign, Qi An Xin analysts found that the attackers were using two families of malware at once: MOrder RAT and AhMyth RAT. The first receives and executes remote commands from the attackers' C2 server, including uploading contacts, SMS messages, and other data; the second provides covert photo and video capture, audio recording, and access to the victim's geolocation.
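A practitioner triaging an app that claims to be a party's official client would look first at the permission profile, since the capabilities described above (contacts, SMS, audio, camera, location, plus surviving a reboot) leave a characteristic footprint in the manifest. The script below is an added example, not code from the Qi An Xin report or from either RAT: it parses a decoded AndroidManifest.xml (as produced by apktool, for instance) and flags apps whose requested permissions cover several of those data classes or that bind a notification-listener or accessibility service, a common way to scrape messenger content. The package names, the threshold of three capability buckets, and the sample manifests are constructed for illustration.

```python
"""Heuristic triage of a decoded AndroidManifest.xml for RAT-like permission profiles.

Added example, not part of the original article or the vendor's tooling.
Assumes the manifest is already decoded to plain XML (e.g. via apktool).
The capability buckets, the threshold and the sample manifests below are
the author's own choices, not vendor detection rules.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NAME_ATTR = ANDROID_NS + "name"
PERM_ATTR = ANDROID_NS + "permission"

# Permission buckets matching the data classes the report says were harvested.
CAPABILITIES = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
}
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"
# A <service> protected by one of these permissions can read other apps'
# notifications or screen content, which is how messenger data is often scraped
# without touching the messenger's own storage.
PRIVILEGED_SERVICE_BINDINGS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
}


def triage_manifest(manifest_xml: str, threshold: int = 3) -> dict:
    """Return a summary of RAT-relevant capabilities declared in the manifest.

    The app is flagged when it requests at least `threshold` capability buckets,
    or when it requests any bucket and also binds a privileged service.
    """
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    present = sorted(cap for cap, perms in CAPABILITIES.items() if requested & perms)
    bound = {el.get(PERM_ATTR) for el in root.iter("service")}
    privileged = sorted(bound & PRIVILEGED_SERVICE_BINDINGS)
    flagged = len(present) >= threshold or (bool(present) and bool(privileged))
    return {
        "package": root.get("package"),
        "capabilities": present,
        "privileged_services": privileged,
        "persistent": BOOT_PERMISSION in requested,
        "flagged": flagged,
    }


# Constructed sample: a fake "party news" app with the spyware permission profile.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.kdp.news">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="KDP News">
        <service android:name=".NotifListener"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    </application>
</manifest>
"""

# Constructed sample: what a genuine news reader would plausibly request.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.newsreader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="News Reader"/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        verdict = "FLAGGED" if result["flagged"] else "ok"
        print(f"{result['package']}: {verdict} {result['capabilities']} "
              f"services={result['privileged_services']} boot={result['persistent']}")
```

The check is deliberately coarse: a legitimate messaging app will also request contacts, camera and microphone, so the output is a triage signal that tells an analyst which samples deserve a look at the code paths behind those permissions, not a verdict on its own.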

The attacks on the KDP were carried out in two waves: in the summer of 2021, and from May 2023 to the present. From the technical details, the researchers concluded that a group associated with the regime of one of the Middle Eastern countries is behind the attacks.

Based on the group's characteristic tactics, the researchers named it "Caracal Kitten". The caracal is a wild cat native to parts of the Middle East, among other regions.

The malware code contained time zone settings matching the Middle East, and some of the IP addresses used by the attackers belong to major telecom operators in the region. Such indicators are circumstantial on their own: time zones can be set arbitrarily and infrastructure can be rented anywhere, so they support rather than establish the attribution.

Qi An Xin experts recommend that users keep their device software up to date, avoid questionable apps, refrain from opening unknown links, and use mobile security tools.