Threat Actor Profile
High APT
Description

Fox Kitten is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. Fox Kitten has targeted multiple industrial verticals, including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.(Citation: ClearkSky Fox Kitten February 2020)(Citation: CrowdStrike PIONEER KITTEN August 2020)(Citation: Dragos PARISITE )(Citation: ClearSky Pay2Kitten December 2020)

Confidence Score
90%
Known Aliases
Fox Kitten, UNC757, Parisite, Pioneer Kitten, RUBIDIUM, Lemon Sandstorm
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (41)
T1005 - Data from Local System (Collection)
T1039 - Data from Network Shared Drive (Collection)
T1213.005 - Messaging Applications (Collection)
T1530 - Data from Cloud Storage (Collection)
T1560.001 - Archive via Utility (Collection)
T1090 - Proxy (Command and Control)
T1102 - Web Service (Command and Control)
T1105 - Ingress Tool Transfer (Command and Control)
T1572 - Protocol Tunneling (Command and Control)
T1003.001 - LSASS Memory (Credential Access)
T1003.003 - NTDS (Credential Access)
T1110 - Brute Force (Credential Access)
T1552.001 - Credentials In Files (Credential Access)
T1555.005 - Password Managers (Credential Access)
T1027.010 - Command Obfuscation (Defense Evasion)
T1027.013 - Encrypted/Encoded File (Defense Evasion)
T1036.004 - Masquerade Task or Service (Defense Evasion)
T1036.005 - Match Legitimate Resource Name or Locat… (Defense Evasion)
T1078 - Valid Accounts (Defense Evasion)
T1012 - Query Registry (Discovery)
T1018 - Remote System Discovery (Discovery)
T1046 - Network Service Discovery (Discovery)
T1083 - File and Directory Discovery (Discovery)
T1087.001 - Local Account (Discovery)
T1087.002 - Domain Account (Discovery)
T1217 - Browser Information Discovery (Discovery)
T1053.005 - Scheduled Task (Execution)
T1059 - Command and Scripting Interpreter (Execution)
T1059.001 - PowerShell (Execution)
T1059.003 - Windows Command Shell (Execution)
T1190 - Exploit Public-Facing Application (Initial Access)
T1021.001 - Remote Desktop Protocol (Lateral Movement)
T1021.002 - SMB/Windows Admin Shares (Lateral Movement)
T1021.004 - SSH (Lateral Movement)
T1021.005 - VNC (Lateral Movement)
T1210 - Exploitation of Remote Services (Lateral Movement)
T1136.001 - Local Account (Persistence)
T1505.003 - Web Shell (Persistence)
T1546.008 - Accessibility Features (Privilege Escalation)
T1585 - Establish Accounts (Resource Development)
T1585.001 - Social Media Accounts (Resource Development)
STIX Data
{'aliases': ['Fox Kitten',
             'UNC757',
             'Parisite',
             'Pioneer Kitten',
             'RUBIDIUM',
             'Lemon Sandstorm'],
 'created': '2020-12-21T21:49:47.307Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Fox Kitten](https://attack.mitre.org/groups/G0117) is threat '
                'actor with a suspected nexus to the Iranian government that '
                'has been active since at least 2017 against entities in the '
                'Middle East, North Africa, Europe, Australia, and North '
                'America. [Fox Kitten](https://attack.mitre.org/groups/G0117) '
                'has targeted multiple industrial verticals including oil and '
                'gas, technology, government, defense, healthcare, '
                'manufacturing, and engineering.(Citation: ClearkSky Fox '
                'Kitten February 2020)(Citation: CrowdStrike PIONEER KITTEN '
                'August 2020)(Citation: Dragos PARISITE )(Citation: ClearSky '
                'Pay2Kitten December 2020)',
 'external_references': [{'external_id': 'G0117',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0117'},
                         {'description': '(Citation: CISA AA20-259A Iran-Based '
                                         'Actor September 2020)(Citation: '
                                         'CrowdStrike PIONEER KITTEN August '
                                         '2020)',
                          'source_name': 'UNC757'},
                         {'description': '(Citation: CrowdStrike PIONEER '
                                         'KITTEN August 2020)(Citation: CISA '
                                         'AA20-259A Iran-Based Actor September '
                                         '2020)',
                          'source_name': 'Pioneer Kitten'},
                         {'description': '(Citation: Dragos PARISITE '
                                         ')(Citation: ClearkSky Fox Kitten '
                                         'February 2020)(Citation: CrowdStrike '
                                         'PIONEER KITTEN August 2020)',
                          'source_name': 'Parisite'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'RUBIDIUM'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'Lemon Sandstorm'},
                         {'description': 'CISA. (2020, September 15). '
                                         'Iran-Based Threat Actor Exploits VPN '
                                         'Vulnerabilities. Retrieved December '
                                         '21, 2020.',
                          'source_name': 'CISA AA20-259A Iran-Based Actor '
                                         'September 2020',
                          'url': 'https://us-cert.cisa.gov/ncas/alerts/aa20-259a'},
                         {'description': 'ClearSky. (2020, December 17). '
                                         'Pay2Key Ransomware – A New Campaign '
                                         'by Fox Kitten. Retrieved December '
                                         '21, 2020.',
                          'source_name': 'ClearSky Pay2Kitten December 2020',
                          'url': 'https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf'},
                         {'description': 'ClearSky. (2020, February 16). Fox '
                                         'Kitten – Widespread Iranian '
                                         'Espionage-Offensive Campaign. '
                                         'Retrieved December 21, 2020.',
                          'source_name': 'ClearkSky Fox Kitten February 2020',
                          'url': 'https://www.clearskysec.com/fox-kitten/'},
                         {'description': 'Dragos. (n.d.). PARISITE. Retrieved '
                                         'December 21, 2020.',
                          'source_name': 'Dragos PARISITE ',
                          'url': 'https://www.dragos.com/threat/parisite/'},
                         {'description': 'Microsoft . (2023, July 12). How '
                                         'Microsoft names threat actors. '
                                         'Retrieved November 17, 2023.',
                          'source_name': 'Microsoft Threat Actor Naming July '
                                         '2023',
                          'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
                         {'description': 'Orleans, A. (2020, August 31). Who '
                                         'Is PIONEER KITTEN?. Retrieved '
                                         'December 21, 2020.',
                          'source_name': 'CrowdStrike PIONEER KITTEN August '
                                         '2020',
                          'url': 'https://www.crowdstrike.com/blog/who-is-pioneer-kitten/'}],
 'id': 'intrusion-set--c21dd6f1-1364-4a70-a1f7-783080ec34ee',
 'modified': '2024-01-08T22:00:34.410Z',
 'name': 'Fox Kitten',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '2.0'}