Fox Kitten

Pioneer Kitten is an Iran-based threat actor, also tracked as Fox Kitten, Lemon Sandstorm, Rubidium, UNC757, PARISITE, and BR0K3R. The content describes this group as Iranian government-linked or government-aligned, with reporting that it has operated as a contractor supporting Iranian government interests while also pursuing financial gain. It has targeted U.S. organizations since at least 2017, including U.S. federal agencies and organizations in the information technology, government, healthcare, financial, insurance, media, education, and defense sectors, and has also targeted organizations in Israel, Azerbaijan, and the United Arab Emirates. The actor commonly gains initial access by mass-scanning internet-facing systems and exploiting known vulnerabilities in edge infrastructure, including Pulse Secure VPN, Citrix NetScaler, F5 BIG-IP, Check Point, Palo Alto Networks, and Ivanti products. Reported exploited vulnerabilities include CVE-2019-11510, CVE-2019-11539, CVE-2019-19781, CVE-2020-5902, CVE-2024-24919, CVE-2024-3400, CVE-2022-1388, and CVE-2023-3519. The group has used Shodan and tools including Nmap to identify vulnerable devices and open ports. Post-compromise tradecraft in the content includes use of web shells such as ChunkyTuna, Tiny, and China Chopper; persistence via Scheduled Tasks and cron jobs, including a task named lpupdate; reverse proxy and tunneling tools including FRPC, Chisel, and ngrok; and masquerading by naming binaries and configuration files svhost/svchost and dllhost/dllhost.dll. The actor has used cmd.exe, including likely as a password-changing mechanism, sticky keys via sethc.exe, Perl reverse shells for command-and-control, PowerShell scripts to access credential data, and Base64-encoded payloads to evade detection. For discovery and collection, the content states the group used Angry IP Scanner to detect remote systems, WizTree to obtain network file and directory listings, Softerra LDAP Browser to browse documentation on service accounts, Google Chrome bookmarks to identify internal resources and assets, and local system searches to access sensitive documents. It accessed files to gain valid credentials, repeatedly accessed a KeePass database using kee.ps1, accessed the ntuser.dat and UserClass.dat registry hives, and used procdump to dump LSASS memory and Volume Shadow Copy to access NTDS credential data. It also exfiltrated a Kerberos ticket from a NetScaler device to gain access to a domain account. For lateral movement and remote access, the actor used RDP, PsExec, SMB shares, Plink, PuTTY, TightVNC, and likely hijacked legitimate RDP sessions. The content also notes use of RDP to log in and move laterally in victim environments. The group collected data from local systems, network shared drives, Microsoft Teams and other information repositories, and cloud storage instances, and used 7-Zip to archive collected data. The content further states that the actor has sold access to compromised infrastructure on hacker forums and has coordinated with ransomware affiliates including NoEscape, Ransomhouse, and AlphV. U.S. agencies assessed that a significant portion of its operations against U.S. organizations are intended to obtain and develop network access for collaboration with ransomware operators, and attributed the 2020 Pay2Key ransomware operation to the same group. The FBI assessed the actor has the capability and likely intent to deploy ransomware.