Pioneer Kitten

Threat Actor updated a month ago (2024-11-29T14:02:57.683Z)
Pioneer Kitten, also known as UNC757, Parisite, Lemon Sandstorm, and Rubidium, is a threat actor assessed to be associated with the Government of Iran (GOI) and an Iranian IT company. The group has been tracked by several cybersecurity entities, including CrowdStrike Intelligence and the FBI; FBI investigations in August 2024 further reinforced the connection between Pioneer Kitten and the Iranian government. Its targeting is opportunistic, with organizations in the technology, government, defense, and healthcare sectors of most interest.

In 2020, U.S. Cyber Command's Cyber National Mission Force (CNMF) detected that Pioneer Kitten had gained access to a city's local infrastructure intended for recording the results of the 2020 elections. CISA contacted the affected jurisdiction and initiated incident response, while CNMF conducted cyber operations to remove Pioneer Kitten's access to the network and prevent the actor from returning to the system.

Pioneer Kitten's primary operational characteristic is its reliance on SSH tunneling: it uses the open-source tool Ngrok and its custom tool SSHMinion to communicate with implants and to conduct hands-on-keyboard activity over Remote Desktop Protocol (RDP). The group has offered full domain control privileges and domain admin credentials for numerous networks worldwide. Recent reporting indicates that Pioneer Kitten continues to target and exploit U.S. and foreign organizations across multiple sectors, prompting warnings from federal agencies including CISA, the FBI, and the Department of Defense Cyber Crime Center (DC3).
Description last updated: 2024-10-17T12:07:43.193Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions between vendors are hard to track, so the following are possible overlapping names and profiles that may also be relevant.
Alias (votes): Description

- UNC757 (2 votes): UNC757 is a possible alias for Pioneer Kitten. UNC757, also known as Pioneer Kitten or Parisite, is a threat actor recognized for its malicious activities in the cybersecurity landscape. This group's indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) have been analyzed, leading to the identification of a correlation b
- Rubidium (2 votes): Rubidium is a possible alias for Pioneer Kitten.
- Lemon Sandstorm (2 votes): Lemon Sandstorm is a possible alias for Pioneer Kitten. Lemon Sandstorm, also known as Pioneer Kitten, Rubidium, Parisite, and Fox Kitten, is a threat actor group believed to originate from Iran. This group has been involved in executing actions with malicious intent, primarily through ransomware attacks targeting various countries. The group's activitie
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
iranian
Iran