G0117: Fox Kitten
Fox Kitten is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. Fox Kitten has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.[1][2][3][4]
Analyst context for executives and security teams
Fox Kitten is an ATT&CK group entry describing a threat actor with a suspected Iranian government nexus, active since at least 2017, with reported targeting across multiple regions and industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering. The decision value is not the name alone: the mapped behaviors emphasize credential theft, remote access, lateral movement, discovery, collection, web shells, tunneling/proxy tools, and ransomware-linked tooling. For leaders, this makes Fox Kitten a useful planning profile for validating whether identity, remote access, Windows administration, and incident response controls can withstand an intrusion that moves from access to credential compromise and operational disruption.
Executive priority
Prioritize this as a resilience and readiness use case for organizations with exposed remote access, Windows domains, industrial/engineering environments, sensitive file shares, or high business dependence on uninterrupted operations. Executives should ask whether the organization can prove control coverage for credential protection, administrative tool abuse, remote service monitoring, ransomware response, and sensitive data collection paths. Because ATT&CK provides no official detection text for this group object, coverage should be demonstrated through local telemetry, control validation, and incident response exercises rather than assumed from threat intelligence naming.
Technical view
SOC, detection engineering, and IR teams should map Fox Kitten relationships to defensible behaviors: LSASS and NTDS credential access; RDP, SMB/admin shares, SSH, and VNC lateral movement; PowerShell and Windows command shell execution; scheduled task persistence/execution; registry, remote system, and network service discovery; local and network share collection; command/file obfuscation; masqueraded tasks, services, names, or locations; and use of China Chopper, PsExec, ngrok, Pay2Key, and SystemBC. The group object itself has no ATT&CK platforms or tactics specified, but the related techniques and software include Windows prominently, with some Linux, macOS, ESXi, IaaS, network device, container, and identity-provider contexts. Validate detections against the behaviors, not just aliases or tool names.
Likely telemetry
- Endpoint process creation and command-line logging for PowerShell, cmd, PsExec-like activity, schtasks, registry queries, and discovery commands
- Windows security events and EDR telemetry for LSASS access, credential dumping indicators, domain controller access, and NTDS.dit access or copying
- Authentication and session logs for RDP, SMB/admin shares, SSH, and VNC, including unusual source-destination patterns and privileged account use
- File, service, scheduled task, and registry change telemetry to identify masquerading, suspicious persistence, and renamed or misplaced binaries
- Network flow, proxy, DNS, and firewall logs for tunneling/proxy behavior, remote service scanning, web shell access patterns, and unusual outbound connectivity
Detection direction
- Build behavior-based coverage for credential access to LSASS and NTDS rather than relying only on malware signatures.
- Tune remote access detections around unusual use of valid accounts over RDP, SMB/admin shares, SSH, and VNC, while accounting for legitimate administrator activity.
- Monitor legitimate tools with dual-use potential, especially PsExec and ngrok, with context such as user, host role, parent process, destination, time of day, and change ticket evidence.
- Correlate discovery commands, service scans, registry queries, and lateral movement attempts into intrusion progressions instead of alerting only on isolated commands.
- Review scheduled tasks, services, and file locations for masquerading patterns, especially where names resemble legitimate resources but appear in unusual paths or with abnormal creators.
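The correlation idea in the detection direction above (build intrusion progressions from discovery, credential access, lateral movement, and tunneling activity instead of alerting on isolated commands, and classify base64-encoded PowerShell on its decoded content) can be sketched in a few dozen lines. The following is an added example, not part of the mirrored ATT&CK page or of MITRE's data: the stage patterns, the 6-hour window, the three-stage threshold, and the sample process-creation events are all constructed for illustration and would need tuning against real telemetry.

```python
"""Correlate process-creation events into an intrusion progression.

Added example (not part of the mirrored ATT&CK page or of MITRE's data):
command lines are classified into the behaviour stages the page lists
(discovery, credential access, lateral movement, tunneling) and one alert
is raised per host when several distinct stages fall inside a time window,
instead of alerting on each isolated command.  Stage patterns and the
sample events are constructed for this example.
"""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage rules: (stage, regex over the lowercased, decoded command line).
# Illustrative patterns only; a production rule set is far broader.
STAGE_RULES = [
    ("discovery", re.compile(r"\b(nmap|net view|net group|reg query|ipconfig|whoami|wiztree)\b")),
    ("credential_access", re.compile(r"(lsass|vssadmin\s+create\s+shadow|ntdsutil|ntds\.dit|\.kdbx)")),
    ("lateral_movement", re.compile(r"\b(psexec|plink|putty|mstsc|tvnserver|tightvnc)\b")),
    ("tunneling", re.compile(r"\b(ngrok|frpc|sshminion)\b")),
]

# PowerShell -EncodedCommand (and its short forms) carries UTF-16LE base64.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def expand_command_line(cmd):
    """Append the decoded -EncodedCommand payload so obfuscated scripts are
    classified on their real content rather than on the base64 blob."""
    m = ENC_FLAG.search(cmd)
    if not m:
        return cmd
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd
    return f"{cmd} <decoded: {decoded}>"


def classify(cmd):
    """Return the set of stages a single command line matches (may be empty)."""
    text = expand_command_line(cmd).lower()
    return {stage for stage, rx in STAGE_RULES if rx.search(text)}


def correlate(events, window=timedelta(hours=6), min_stages=3):
    """Per host, slide a window over stage-tagged events and alert when the
    events inside it cover at least `min_stages` distinct stages."""
    by_host = defaultdict(list)
    for ev in events:
        stages = classify(ev["cmd"])
        if stages:
            by_host[ev["host"]].append(
                (datetime.fromisoformat(ev["ts"]), ev["user"], ev["cmd"], stages))
    alerts = []
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, *_) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            covered = set().union(*(h[3] for h in in_window))
            if len(covered) >= min_stages:
                alerts.append({
                    "host": host,
                    "stages": sorted(covered),
                    "first": in_window[0][0].isoformat(),
                    "last": in_window[-1][0].isoformat(),
                    "timeline": [(h[0].isoformat(), h[1], sorted(h[3])) for h in in_window],
                })
                break  # one progression alert per host is enough for triage
    return alerts


# Constructed sample: an encoded PowerShell one-liner touching a KeePass
# database file, in the page's "scripts to access ... KeePass" pattern.
_PAYLOAD = r"Copy-Item C:\Share\IT\Passwords.kdbx C:\Users\Public\p.kdbx"
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed process-creation records (not real telemetry)
    {"ts": "2024-03-04T01:10:00", "host": "WS01", "user": "corp\\svc-backup",
     "cmd": "nmap -p 445,3389 10.10.0.0/24"},
    {"ts": "2024-03-04T01:25:00", "host": "WS01", "user": "corp\\svc-backup",
     "cmd": r"reg query HKLM\SYSTEM\CurrentControlSet\Services"},
    {"ts": "2024-03-04T02:05:00", "host": "WS01", "user": "corp\\svc-backup",
     "cmd": "powershell.exe -NoP -enc " + _ENCODED},
    {"ts": "2024-03-04T03:40:00", "host": "WS01", "user": "corp\\svc-backup",
     "cmd": r"psexec.exe \\FS01 -s cmd.exe"},
    # An administrator doing routine work: two stages only, so no alert.
    {"ts": "2024-03-04T09:00:00", "host": "ADM02", "user": "corp\\admin.jane",
     "cmd": "ipconfig /all"},
    {"ts": "2024-03-04T09:05:00", "host": "ADM02", "user": "corp\\admin.jane",
     "cmd": "mstsc /v:FS01"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["host"], alert["stages"], alert["first"], "->", alert["last"])
        for ts, user, stages in alert["timeline"]:
            print("   ", ts, user, stages)
```

Run as a script it prints one alert for WS01 covering three stages and none for ADM02, whose two routine commands never reach the threshold; the same threshold and window are the knobs to adjust when legitimate administrator activity on jump hosts produces too many progressions.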
Mitigation priorities
- Reduce exposed and unnecessary remote access paths; require strong authentication and restrict administrative protocols to managed access zones where feasible.
- Harden identity and credential protections, especially privileged accounts, domain controllers, LSASS protections, and access to Active Directory database material and backups.
- Limit and monitor administrative tooling such as PsExec; establish allowlists, approved use cases, and audit trails for remote execution.
- Improve segmentation and access control around file shares, engineering/industrial networks, servers, and high-value data stores to reduce lateral movement and collection opportunities.
- Apply secure configuration and monitoring to scheduled tasks, services, web servers, and remote management services.
Analyst notes and limits
Fox Kitten has multiple aliases in the supplied ATT&CK data: UNC757, Parisite, Pioneer Kitten, RUBIDIUM, and Lemon Sandstorm. The relationship set links the group to both dual-use administration tools and malware/ransomware-related software, which is important for SOC triage because benign-looking remote administration, tunneling, and scripting activity may be part of the same intrusion pattern. Treat the ATT&CK group as a planning and validation profile, not as evidence that any specific organization is targeted or compromised.
The official group object does not specify platforms, tactics, labels, or detection guidance. Platform and tactic discussion here is derived only from the supplied related software and technique relationships. The supplied relationship context is also truncated for some related descriptions, so defenders should consult the official ATT&CK pages and local telemetry before finalizing detections or risk decisions.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | Fox Kitten has downloaded additional tools including PsExec directly to endpoints. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1059 | Command and Scripting Interpreter | Fox Kitten has used a Perl reverse shell to communicate with C2. (Citation: ClearSky Pay2Kitten December 2020) |
| Enterprise | T1530 | Data from Cloud Storage | Fox Kitten has obtained files from the victim's cloud storage instances. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1018 | Remote System Discovery | Fox Kitten has used Angry IP Scanner to detect remote systems. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1110 | Brute Force | Fox Kitten has brute forced RDP credentials. (Citation: ClearSky Pay2Kitten December 2020) |
| Enterprise | T1210 | Exploitation of Remote Services | Fox Kitten has exploited known vulnerabilities in remote services including RDP. (Citation: ClearkSky Fox Kitten February 2020)(Citation: CrowdStrike PIONEER KITTEN August 2020)(Citation: ClearSky Pay2Kitten December 2020) |
| Enterprise | T1136.001 | Local Account Sub-technique | Fox Kitten has created a local user account with administrator privileges. (Citation: ClearSky Pay2Kitten December 2020) |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | Fox Kitten has used 7-Zip to archive data. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | Fox Kitten has base64 encoded scripts to avoid detection. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1005 | Data from Local System | Fox Kitten has searched local system resources to access sensitive documents. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1585 | Establish Accounts | Fox Kitten has created KeyBase accounts to communicate with ransomware victims. (Citation: ClearSky Pay2Kitten December 2020)(Citation: Check Point Pay2Key November 2020) |
| Enterprise | T1021.005 | VNC Sub-technique | Fox Kitten has installed TightVNC server and client on compromised servers and endpoints for lateral movement. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1552.001 | Credentials In Files Sub-technique | Fox Kitten has accessed files to gain valid credentials. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1217 | Browser Information Discovery | Fox Kitten has used Google Chrome bookmarks to identify internal resources and assets. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Fox Kitten has used cmd.exe, likely as a password changing mechanism. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Fox Kitten has base64 encoded payloads to avoid detection. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1213.005 | Messaging Applications Sub-technique | Fox Kitten has accessed victim security and IT environments and Microsoft Teams to mine valuable information. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1021.002 | SMB/Windows Admin Shares Sub-technique | Fox Kitten has used valid accounts to access SMB shares. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1190 | Exploit Public-Facing Application | Fox Kitten has exploited known vulnerabilities in Fortinet, PulseSecure, and Palo Alto VPN appliances. (Citation: ClearkSky Fox Kitten February 2020)(Citation: Dragos PARISITE)(Citation: CrowdStrike PIONEER KITTEN August 2020)(Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: ClearSky Pay2Kitten December 2020) |
| Enterprise | T1555.005 | Password Managers Sub-technique | Fox Kitten has used scripts to access credential information from the KeePass database. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1003.003 | NTDS Sub-technique | Fox Kitten has used Volume Shadow Copy to access credential information from NTDS. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1087.001 | Local Account Sub-technique | Fox Kitten has accessed ntuser.dat and UserClass.dat on compromised hosts. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1087.002 | Domain Account Sub-technique | Fox Kitten has used the Softerra LDAP browser to browse documentation on service accounts. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1021.004 | SSH Sub-technique | Fox Kitten has used the PuTTY and Plink tools for lateral movement. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1505.003 | Web Shell Sub-technique | Fox Kitten has installed web shells on compromised hosts to maintain access. (Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: ClearSky Pay2Kitten December 2020) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Fox Kitten has used Scheduled Tasks for persistence and to load and execute a reverse proxy binary. (Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: ClearSky Pay2Kitten December 2020) |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | Fox Kitten has named the task for a reverse proxy lpupdate to appear legitimate. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | Fox Kitten has used procdump to dump credentials from LSASS. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1090 | Proxy | Fox Kitten has used open source reverse proxy tools including FRPC and Go Proxy to establish connections from C2 to local servers. (Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: ClearSky Pay2Kitten December 2020)(Citation: Check Point Pay2Key November 2020) |
| Enterprise | T1012 | Query Registry | Fox Kitten has accessed Registry hives ntuser.dat and UserClass.dat. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1572 | Protocol Tunneling | Fox Kitten has used protocol tunneling for communication and RDP activity on compromised hosts through the use of open source tools such as ngrok and the custom tool SSHMinion. (Citation: CrowdStrike PIONEER KITTEN August 2020)(Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: ClearSky Pay2Kitten December 2020) |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | Fox Kitten has used RDP to log in and move laterally in the target environment. (Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: ClearSky Pay2Kitten December 2020) |
| Enterprise | T1102 | Web Service | Fox Kitten has used Amazon Web Services to host C2. (Citation: ClearSky Pay2Kitten December 2020) |
| Enterprise | T1039 | Data from Network Shared Drive | Fox Kitten has searched network shares to access sensitive documents. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1078 | Valid Accounts | Fox Kitten has used valid credentials with various services during lateral movement. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1046 | Network Service Discovery | Fox Kitten has used tools including NMAP to conduct broad scanning to identify open ports. (Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: ClearSky Pay2Kitten December 2020) |
| Enterprise | T1546.008 | Accessibility Features Sub-technique | Fox Kitten has used sticky keys to launch a command prompt. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1585.001 | Social Media Accounts Sub-technique | Fox Kitten has used a Twitter account to communicate with ransomware victims. (Citation: ClearSky Pay2Kitten December 2020) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Fox Kitten has named binaries and configuration files svhost and dllhost respectively to appear legitimate. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1059.001 | PowerShell Sub-technique | Fox Kitten has used PowerShell scripts to access credential data. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1083 | File and Directory Discovery | Fox Kitten has used WizTree to obtain network files and directory listings. (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
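The two masquerading rows in the table (the reverse-proxy task named lpupdate under T1036.004, and binaries and configuration files named svhost and dllhost under T1036.005) both rely on names that look right to a human skimming a task list or process tree. The following is an added example, not content from the mirrored page or from MITRE: it scores a scheduled-task or process record on two signals, a file name that is a near-miss of a known Windows binary (edit distance 1 or 2) and an image path outside the directories where that binary normally lives or inside a user-writable location. The table of legitimate names and expected directories, the distance threshold, and the sample records are constructed and would need extending for a real estate.

```python
"""Flag masqueraded task, service, and binary names (ATT&CK T1036.004/.005).

Added example, not part of the mirrored page or of MITRE's data.  Two
signals are combined: a file name within a small edit distance of a known
Windows binary (svhost vs svchost), and an image path that is either not
where that binary normally lives or sits in a user-writable location.
The legitimate-name table, path patterns, and sample records are constructed.
"""
import ntpath
import re

# Known system binaries and the directories they are expected in (constructed
# and deliberately short; a real deployment would generate this from a golden
# image and include the far longer list of legitimate names).
LEGIT = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "taskhostw.exe": {r"c:\windows\system32"},
}

# Locations a scheduled task's action should rarely point at.
USER_WRITABLE = re.compile(r"\\(users\\public|programdata|temp|appdata)\\")


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def nearest_legit(name):
    """Return (legitimate_name, distance) for the closest known binary name."""
    name = name.lower()
    return min(((legit, edit_distance(name, legit)) for legit in LEGIT),
               key=lambda t: t[1])


def assess(record):
    """record = {"kind": "task" | "process", "name": ..., "image": full path}.
    Returns a list of reason strings; an empty list means nothing suspicious."""
    reasons = []
    directory, base = ntpath.split(record["image"].lower())
    legit, dist = nearest_legit(base)
    if dist == 0 and directory not in LEGIT[legit]:
        reasons.append(f"{base} running from unexpected directory {directory}")
    elif 0 < dist <= 2:
        reasons.append(f"{base} is a near-miss of {legit} (edit distance {dist})")
    if record["kind"] == "task" and USER_WRITABLE.search(directory + "\\"):
        reasons.append(f"task '{record['name']}' runs {base} from user-writable path {directory}")
    return reasons


def triage(records):
    """Map each record's name to its list of reasons, for a quick review pass."""
    return {r["name"]: assess(r) for r in records}


SAMPLE_RECORDS = [  # constructed records, not real telemetry
    {"kind": "task", "name": "lpupdate", "image": r"C:\Users\Public\lpupdate.exe"},
    {"kind": "process", "name": "svhost", "image": r"C:\ProgramData\svhost.exe"},
    {"kind": "process", "name": "svchost", "image": r"C:\Windows\System32\svchost.exe"},
    {"kind": "task", "name": "Adobe Acrobat Update Task",
     "image": r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"},
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_RECORDS).items():
        print(name, "->", reasons or "ok")
```

The legitimate svchost in System32 and the vendor update task come back clean, while the lpupdate task is flagged for its user-writable path and svhost.exe for its one-character distance from svchost.exe. Because the name table is short, any real rollout must add the genuine Windows binaries that are themselves one edit apart (taskhost.exe and taskhostw.exe, for instance) before the near-miss rule is trusted.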
Groups, software, and campaigns
S0020: China Chopper
S0556: Pay2Key
Pay2Key is a ransomware written in C++ that has been used by Fox Kitten since at least July 2020 including campaigns against Israeli companies. Pay2Key has been incorporated with a leak site to display stolen sensitive information to further pressure victims into payment.[1][2]
S0508: ngrok
S0029: PsExec
S9001: SystemBC
SystemBC is a malware family offered as a malware-as-a-service (MaaS) that is used to establish command and control and facilitate follow-on activity, including ransomware deployment. SystemBC executes a variety of tasks including setting up SOCKS5 proxies, maintaining persistence, ingesting malicious files, and handling C2 communication. SystemBC was first detected in 2018, and has been used by Wizard Spider since at least 2020, and by FIN7 since at least 2022.[1][2][3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 99cde31d2ff5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ClearkSky Fox Kitten February 2020: ClearSky. (2020, February 16). Fox Kitten – Widespread Iranian Espionage-Offensive Campaign. Retrieved December 21, 2020.
- [2] CrowdStrike PIONEER KITTEN August 2020: Orleans, A. (2020, August 31). Who Is PIONEER KITTEN? Retrieved December 21, 2020.
- [3] Dragos PARISITE: Dragos. (n.d.). PARISITE. Retrieved December 21, 2020.
- [4] ClearSky Pay2Kitten December 2020: ClearSky. (2020, December 17). Pay2Key Ransomware – A New Campaign by Fox Kitten. Retrieved December 21, 2020.
- [5] CISA AA20-259A Iran-Based Actor September 2020: CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
- [6] Lemon Sandstorm (alias): (Citation: Microsoft Threat Actor Naming July 2023)
- [7] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- [8] Parisite (alias): (Citation: Dragos PARISITE)(Citation: ClearkSky Fox Kitten February 2020)(Citation: CrowdStrike PIONEER KITTEN August 2020)
- [9] Pioneer Kitten (alias): (Citation: CrowdStrike PIONEER KITTEN August 2020)(Citation: CISA AA20-259A Iran-Based Actor September 2020)
- [10] RUBIDIUM (alias): (Citation: Microsoft Threat Actor Naming July 2023)
- [11] UNC757 (alias): (Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: CrowdStrike PIONEER KITTEN August 2020)
- [12] mitre-attack G0117 (MITRE ATT&CK source object reference)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.