They are not Cats in a Hat and the eggs they offer will scramble your ham. If these cats come knocking at your door it’s not a good thing. Charming Kitten has employed a malicious tactic which is causing some major issues. We’re going to look at the attack, who is using it, how it functions and what it does once released, and some ways to keep safe from these kittens dropping a plate at your doorstep.

The Attack

Knocking on your door, what is this attack? Look no further than what’s being called “NokNok”. This is a backdoor type of malware, kind of like a trojan, that targets macOS (the Mac operating system).

Windows users, don’t let your hair down, you’re on the menu too. Like with trojans, once it’s in, it creates a backdoor for later entry and the victim won’t have a clue until it’s too late.

Who Can It Be Now

Now don’t let the name Charming Kitten fool you, there’s nothing cute about these cats. They are an Iranian government cyberwarfare group classified as an advanced persistent threat (APT) and have gone by other names such as APT35, Phosphorus, Ajax Security, and NewsBeef.

That Sinking Feeling

With this cyber-espionage comes the war you never wanted. Their targets include circles of US foreign affairs and nuclear security. Their attacks involve phishing emails, which could be considered whale phishing, sent to a nuclear security expert at a U.S.-based think tank focused on foreign affairs. The emails deliver a troublesome link to a Google Script macro that redirects to a Dropbox URL (Uniform Resource Locator) housing a RAR (Roshal Archive) file.

Once the target is presented with this file, an LNK dropper sets off a multi-stage process to deploy GorjolEcho, which in turn shows a decoy PDF document while awaiting the payload from a remote server. If the target is found to be on an Apple machine running macOS, the operation is tweaked by sending a second email with a ZIP archive storing a Mach-O binary that masquerades as a VPN (Virtual Private Network) application. In truth, this is an AppleScript that contacts the remote server to download the payload, which runs the Bash script for the backdoor called NokNok.

NokNok then retrieves modules that gather information about running processes, installed applications, and system metadata. The threat actor also uses a fake file-sharing website, which likely serves to fingerprint visitors and track new victims.

Out of all this, just know once it’s in it begins to collect information on the machine and user or users in secret.

The Prevention

Charming Kitten has a high degree of adaptability because it can target both macOS and Windows. It is strongly recommended that you exercise caution when going through emails.

Emails with attachments or links could be infectious, which could put your machine at risk. Never download from untrusted or unknown sources, as the download could house malware.

Always use anti-virus software and keep it up to date, as this will alert you to any danger on your machine. Frequent scanning of your computer should help safeguard you from experiencing a NokNok at your door.
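As an added example (not from the original post or from any vendor tooling), here is one way to check a ZIP attachment for the two file types this campaign delivered, a Windows shortcut (LNK) and a Mach-O binary, by header bytes rather than by file name. The function names and the sample archive are constructed for illustration; RAR archives need a third-party library and are not covered.

```python
import io
import zipfile

# Header of a Windows shell link (.lnk): HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
# Mach-O magic numbers in both byte orders.
MACHO_MAGICS = {
    bytes.fromhex("feedface"), bytes.fromhex("cefaedfe"),  # 32-bit
    bytes.fromhex("feedfacf"), bytes.fromhex("cffaedfe"),  # 64-bit
    bytes.fromhex("cafebabe"),  # universal binary (Java class files share this)
}

def classify(head: bytes):
    """Return 'lnk', 'mach-o' or None from the first bytes of a file."""
    if head.startswith(LNK_MAGIC):
        return "lnk"
    if head[:4] in MACHO_MAGICS:
        return "mach-o"
    return None

def triage_zip(data: bytes, max_members: int = 1000):
    """List (member name, kind) for shortcuts and Mach-O binaries in a ZIP,
    judged by content so a misleading extension does not hide them."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist()[:max_members]:
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                kind = classify(fh.read(len(LNK_MAGIC)))  # header bytes only
            if kind:
                findings.append((info.filename, kind))
    return findings

def build_sample() -> bytes:
    """Constructed sample: inert files carrying only the magic bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "plain text")
        zf.writestr("Report.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("VPN.app/Contents/MacOS/vpn",
                    bytes.fromhex("cffaedfe") + b"\x00" * 28)
        zf.writestr("invoice.pdf", LNK_MAGIC + b"\x00" * 56)  # shortcut posing as a PDF
    return buf.getvalue()

if __name__ == "__main__":
    for name, kind in triage_zip(build_sample()):
        print(f"{kind:7} {name}")
```

A hit is a reason to hold the attachment for a closer look, not proof of malice: legitimate archives can contain shortcuts or macOS apps too.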
