Fox Kitten: An Iranian Hybrid Threat Actor
- Suspected Origin
- Iran
- Motivation
- Espionage, Financial Gain, Disruption
- Aliases
- UNC757, Parisite, Pioneer Kitten, RUBIDIUM, Lemon Sandstorm
- Target Sectors
- Oil and Gas, Technology, Government, Defense, Healthcare, Manufacturing, Engineering, Finance, Education, Telecommunications, Critical Infrastructure
- Associated Malware
- HanifNet, HXLibrary, NeoExpressRAT, PickPocket, STSRAT, ASPXShell, China Chopper, POWSSHNET, VBScript, STSRCheck, custom web shells
Overview
Fox Kitten (G0117), also known by aliases such as UNC757, Parisite, Pioneer Kitten, RUBIDIUM, and Lemon Sandstorm, is a persistent and dangerous threat actor with a strong suspected nexus to the Iranian government, specifically the Islamic Revolutionary Guard Corps (IRGC). Active since at least 2017, this group has evolved into a dual-purpose entity, simultaneously conducting cyber espionage operations for Iranian state intelligence and acting as an initial access broker for various ransomware affiliates. This hybrid model makes them particularly potent, allowing them to profit from their intrusions regardless of specific government tasking.
Fox Kitten’s operations span a broad geographic range, targeting organizations across the Middle East (including Israel, Azerbaijan, and the UAE), North Africa, Europe, Australia, and North America, with a significant focus on the United States. Their victimology is diverse, encompassing critical industrial verticals such as oil and gas, technology, government (including municipal and local entities), defense, healthcare, manufacturing, engineering, finance, education, and telecommunications. While their primary objective is to gain and maintain persistent access for intelligence gathering, they also preposition for potential disruptive or destructive cyber operations and monetize their access by selling it to ransomware groups.
Tactics & Techniques
Fox Kitten’s initial access strategy consistently revolves around exploiting publicly exposed network appliances, particularly VPN concentrators, firewalls, and remote access gateways. They rapidly weaponize newly disclosed vulnerabilities (often referred to as 1-day exploits) in products from vendors like Citrix, Pulse Secure, Fortinet, Palo Alto Networks, F5, and Check Point, often within hours of public disclosure. This proactive exploitation of known CVEs, rather than relying on zero-days, highlights their operational discipline.
Upon gaining a foothold, Fox Kitten employs systematic reconnaissance using tools like Shodan to identify vulnerable internet-facing devices and Nmap or Angry IP Scanner for internal network discovery. For lateral movement and persistence, they heavily leverage stolen credentials and Remote Desktop Protocol (RDP) exploitation. They also utilize legitimate tools like PuTTY, Plink, and TightVNC for lateral movement and remote access. Persistence is often maintained through web shells deployed on compromised devices, sometimes creating multiple as a contingency to retain access even if the initial vulnerability is patched. They also establish local administrator accounts with innocuous-sounding names (e.g., “sqladmin$”, “IIS_Admin”) and use scheduled tasks for backdoor execution.
Credential theft is a critical component of their operations. Fox Kitten uses PowerShell scripts to harvest credentials from Windows credential stores and targets KeePass databases. On compromised NetScaler devices, they are known to capture login credentials directly from the authentication flow, saving them to files on the device. For command and control (C2), they frequently employ open-source reverse proxy and tunneling tools like ngrok, FRPC, Glider Proxy, ReverseSocks5, and Chisel to establish outbound tunnels and blend traffic. They have also used a custom tool called SSHMinion for encrypted communication and have been observed hosting C2 infrastructure on Amazon Web Services. To evade detection, they base64 encode scripts and payloads.
Notable Campaigns
Fox Kitten has been linked to several significant campaigns and incidents:
- VPN Mass Exploitation Campaign (2019-2020): ClearSky documented a widespread campaign where Fox Kitten extensively exploited unpatched Pulse Secure, Citrix, and Fortinet VPN appliances. These intrusions established long-term footholds in government, defense, and critical infrastructure organizations, particularly in the Middle East.
- Pay2Key Ransomware Campaign (Late 2020): This campaign specifically targeted Israeli companies, where Fox Kitten collaborated with ransomware operators. They were involved in encrypting victim data and using .onion sites and platforms like Keybase and Twitter for victim communication, demonstrating a degree of operational security.
- Sustained US Infrastructure Targeting (2017–2024): Fox Kitten has consistently targeted US organizations, including schools, municipal governments, financial institutions, and healthcare facilities. A joint advisory from CISA, FBI, and DC3 in August 2024 confirmed their ongoing exploitation of US entities, often facilitating ransomware attacks.
- Multi-Year Critical Infrastructure Intrusion in the Middle East (May 2023 – February 2025): FortiGuard Labs’ Incident Response team documented a nearly two-year-long operation against critical national infrastructure in the Middle East. Fox Kitten used recent vulnerabilities like CVE-2024-24919 and deployed multiple malware families for persistence and extensive espionage, indicating pre-positioning for potential disruptive attacks.
Associated Malware & Tools
Fox Kitten employs a combination of readily available open-source tools, legitimate software, and custom-developed malware:
- Custom Malware:
- HanifNet, HXLibrary, NeoExpressRAT: Observed in the multi-year critical infrastructure intrusion.
- PickPocket, STSRAT: Custom backdoors.
- ASPXShell, China Chopper: Web shells.
- POWSSHNET: A self-developed backdoor for RDP over SSH tunneling.
- VBScript: Used to download and unify TXT files into executables.
- STSRCheck, Port.exe: Self-developed tools for database/open port mapping and scanning.
- Off-the-shelf and Living-off-the-Land Tools:
- Credential Dumping: Mimikatz, Procdump, Juicy Potato. They also use PowerShell for credential harvesting.
- Network Scanning/Discovery: Nmap, Angry IP Scanner, WizTree (for file/directory enumeration), Softerra LDAP browser (for Active Directory enumeration).
- Remote Access & Lateral Movement: RDP, SMB/Windows Admin Shares, SSH (via PuTTY, Plink), TightVNC (server and client), PsExec, TeamViewer. They have also installed AnyDesk as a backup access method.
- Tunneling/Proxy Tools: ngrok, FRPC (Fast Reverse Proxy), Go Proxy, Glider Proxy, ReverseSocks5, Chisel, Ligolo, MeshCentral, Serveo.
- Other: Windows Command Shell (cmd.exe), PowerShell, Perl reverse shell, Volume Shadow Copy.
Current Status
Fox Kitten remains an Active and evolving threat actor, demonstrating high operational tempo as of mid-2026. Recent reports, including joint advisories from CISA, FBI, and DC3 in August 2024, confirm their continued exploitation of organizations, particularly in the U.S. and the Middle East. They have rebranded themselves on underground forums, moving from “Br0k3r” to “xplfinder” as of 2024, indicating continued cybercriminal activity alongside state-sponsored operations.
Their focus on rapidly weaponizing newly disclosed vulnerabilities in internet-facing devices (e.g., Check Point Security Gateway CVE-2024-24919, Palo Alto PAN-OS CVE-2024-3400, Ivanti/Pulse Secure VPN CVE-2024-21887, Citrix NetScaler ADC/Gateway CVE-2023-3519) demonstrates their agility and ongoing threat. They are also actively observed scanning for these vulnerabilities. The group’s dual motivation, combining espionage for the Iranian government with the lucrative business of selling initial access to ransomware affiliates (including groups like NoEscape, Ransomhouse, and ALPHV/BlackCat), ensures their sustained activity and high threat level. Their involvement with ransomware operations is not limited to brokering access; they actively strategize with affiliates on victim extortion. Organizations, especially those in targeted sectors with unpatched perimeter devices, should consider Fox Kitten a critical and persistent risk.
Related content
OilRig (G0049) - Iran's Persistent Cyber Espionage Arm
Adversary ProfileLeviathan (APT40): China's Persistent Maritime Espionage Group
Adversary ProfileGALLIUM: Persistent Chinese Cyberespionage Targeting Global Critical Infrastructure
Adversary ProfileHAFNIUM (G0125): A Profile of China's Elite Cyber Espionage Group
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call