Fox Kitten (UNC757, Parisite, Pioneer Kitten, RUBIDIUM, Lemon Sandstorm)

Overview

Fox Kitten is threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. Fox Kitten has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.

Capabilities

Exploitation of public-facing / client applications — ATT&CK T1190
Custom malware/implant development — ATT&CK: 3 attributed custom malware families

TTPs — 41 techniques across 11 tactics

Persistence

T1136.001 Local Account
T1505.003 Web Shell

Privilege Escalation

T1546.008 Accessibility Features

Stealth

T1027.010 Command Obfuscation
T1027.013 Encrypted/Encoded File
T1036.004 Masquerade Task or Service
T1036.005 Match Legitimate Resource Name or Location
T1078 Valid Accounts

Credential Access

T1003.001 LSASS Memory
T1003.003 NTDS
T1110 Brute Force
T1552.001 Credentials In Files
T1555.005 Password Managers

Discovery

Lateral Movement

T1021.001 Remote Desktop Protocol
T1021.002 SMB/Windows Admin Shares
T1021.004 SSH
T1021.005 VNC
T1210 Exploitation of Remote Services

Collection

Command and Control

Tools & malware (5)

China Chopper · Pay2Key · ngrok · PsExec · SystemBC

Reporting (3)

How Microsoft names threat actors — Microsoft
Pay2Key Ransomware – A New Campaign by Fox Kitten — ClearSky
Iran-Based Threat Actor Exploits VPN Vulnerabilities — CISA