Fox Kitten

Threat Actor updated 2 months ago (2024-09-18T09:17:57.828Z)
Fox Kitten is an Iran-based cyber espionage group active since at least 2017 and a significant threat actor in the cybersecurity landscape. For initial access into networks, the group primarily targets VPN devices from Citrix, Fortinet, Palo Alto Networks, and Pulse Secure. The FBI identified Fox Kitten, also known as the Parisite group, as elite hackers working for the Iranian government, and the group has been detected attacking the US private and government sectors since August 2020. Despite their ties to the Iranian government, the Fox Kitten actors are believed to have been operating without any explicit approval from their sponsors. The US Cybersecurity and Infrastructure Security Agency (CISA) warned that Fox Kitten, also known as Lemon Sandstorm, had launched ransomware attacks against various countries. A separate group, Charming Kitten or APT42, targeted individuals associated with both the Democratic and Republican presidential campaigns.

Once inside a network, Fox Kitten captures login credentials, deploys web shells, creates rogue accounts, loads malware, moves laterally, and escalates privileges. The group has exploited several vulnerabilities, including CVE-2019-19781 and CVE-2022-1388, and most recently targeted CVE-2024-24919, a now-patched zero-day bug in Check Point VPNs. Although based in Iran, Fox Kitten actors have engaged with other ransomware actors without disclosing their location or ties to the country. The CISA-FBI advisory identified Fox Kitten as providing operators of ransomware strains such as ALPHV (BlackCat), RansomHouse, and NoEscape with initial access to compromised networks in return for a percentage of any collected ransom. In 2021, Microsoft, which tracks Fox Kitten as Rubidum, identified the threat actor as one of six Iranian state-backed groups engaged in a wide range of cyber-enabled information theft, disruption, and destructive activities against US entities.
In many instances, Fox Kitten gained access to a victim network via exploits that targeted vulnerabilities in an organization's Internet-facing assets.
Description last updated: 2024-09-18T09:16:34.543Z
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Ransom, VPN, APT, Ransomware
Associated Malware
Alias / Description / Association Type / Votes

NoEscape. The NoEscape malware is associated with Fox Kitten. NoEscape is malicious software, or malware, known for its ransomware capabilities. It infiltrates systems, often undetected, via suspicious downloads, emails, or websites, causing significant harm by stealing personal data, disrupting operations, and holding data hostage for ransom. In October 2023, (Association type: Unspecified. Votes: 2)

RansomHouse. The RansomHouse malware is associated with Fox Kitten. RansomHouse is malicious software (malware) that has been active since 2021 and describes itself as a "professional mediators community" targeting organizations with lax attitudes towards customer data privacy and security. The malware infects systems through suspicious downloads, emails, or websites. (Association type: Unspecified. Votes: 2)
Associated Threat Actors
Alias / Description / Association Type / Votes

ALPHV. The ALPHV threat actor is associated with Fox Kitten. ALPHV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. Originating from Russia, this cybercriminal group has been involved in multiple high-profile ransomware attacks, specifically targeting healthcare providers. They gained significant attention after stealing 5TB (Association type: Unspecified. Votes: 2)