Fox Kitten

Fox Kitten is an Iranian threat actor tracked under aliases including Pioneer Kitten, Rubidium, Lemon Sandstorm, UNC757, Br0k3r, and Parisite. The content describes this group as Iranian actors that have targeted U.S. organizations since 2017, including U.S. federal agencies and organizations in the information technology, government, healthcare, financial, insurance, media, education, and defense sectors. Additional reporting in the content states the group has also targeted organizations in Israel, Azerbaijan, and the United Arab Emirates, and has been linked by U.S. agencies to Iranian government interests while also pursuing financial gain. The content further states the actors have coordinated with ransomware affiliates including NoEscape, Ransomhouse, and AlphV, and were attributed to the 2020 Pay2Key ransomware operation. According to the content, Fox Kitten commonly gains initial access by mass-scanning internet-facing systems and exploiting known vulnerabilities in products including Pulse Secure VPN, Citrix NetScaler, F5 BIG-IP, Check Point, Palo Alto Networks, and Ivanti. Reported exploited vulnerabilities include CVE-2019-11510, CVE-2019-11539, CVE-2019-19781, CVE-2020-5902, CVE-2024-24919, CVE-2024-3400, CVE-2022-1388, and CVE-2023-3519. The group has used Nmap and Shodan to identify vulnerable systems and open ports. Post-compromise, the content states Fox Kitten obtained administrator-level credentials, installed web shells including ChunkyTuna, Tiny, and China Chopper, and maintained persistence for months. Persistence and defense evasion tradecraft described in the content includes Scheduled Tasks and cron jobs, use of a task named lpupdate, use of cmd.exe likely as a password-changing mechanism, use of sticky keys via sethc.exe, base64-encoded payloads, and masquerading FRPC-related files as svhost/svchost and dllhost or dllhost.dll. The group used a Perl reverse shell for command-and-control and used FRPC, Chisel, and ngrok for tunneling and remote access. The content attributes broad discovery, credential access, and collection activity to Fox Kitten. This includes use of Angry IP Scanner to detect remote systems; Nmap for broad scanning and open-port identification; Google Chrome bookmarks to identify internal resources and assets; access to local system resources and sensitive documents; access to files to gain valid credentials; use of PowerShell scripts to access credential data; repeated access to a KeePass database via kee.ps1; access to the ntuser.dat and UserClass.dat registry hives; and use of RDP for login and lateral movement. The content also states the group moved laterally using PsExec, SMB shares, Plink, PuTTY, TightVNC, and likely hijacked legitimate RDP sessions. For collection and likely exfiltration, the group gathered data from local systems, network shared drives, Microsoft Teams, and cloud storage, and used 7-Zip to archive collected data. The content also states the group has sold access to compromised infrastructure on hacker forums and has used victim cloud resources as cover to launch additional attacks.