Nemesis Kitten

Nemesis Kitten, also known as Lord Nemesis, is a malware attributed to an Iran-nexus threat group, closely aligned with the Iranian government. It emerged in late 2023 and quickly made its mark with a significant cyberattack on Rashim, a software company. The malware is known for exploiting misconfigurations and unpatched vulnerabilities in external-facing services, such as Microsoft Exchange and Log4j. As a subgroup of the Iranian threat actor Phosphorus (APT35), Nemesis Kitten is part of a larger landscape of adversaries including PANDAs (China-nexus), SILENT CHOLLIMA (North Korea-nexus), CARBON SPIDER, and PROPHET SPIDER. In 2022, Nemesis Kitten was linked to the IRGC-IO via personas by the anti-government group Lab Dookhtegan. Its tactics include ransoming organizations using in-built encryption software like BitLocker full-disk encryption. Four months after the initial breach of Rashim in 2023, Nemesis Kitten demonstrated its infiltration by sending a message from Rashim's internal Office365 infrastructure to the company's clients, colleagues, and partners announcing that it had "full access to Rashim's infrastructure." The Iran-based hacktivists associated with Nemesis Kitten further escalated their activities by uploading videos demonstrating how they were able to delete branches from Rashim's databases. This incident underscores the advanced persistent threat (APT) nature of Nemesis Kitten and its capability to disrupt operations significantly, steal personal information, and hold data hostage for ransom. The emergence and activities of Nemesis Kitten highlight the importance of robust cybersecurity measures to prevent such breaches and mitigate potential damages.