Threat ActorFox Kitten
Description
Fox Kitten is a suspected threat actor operating out of Iran. Fox Kitten has been observed targeting the Financial, Government, Healthcare, Information Technology, and Insurance verticals leveraging many known open-source tools. Fox Kitten has been observed to exploit known vulnerabilities to further their operations. Fox Kitten has significantly evolved its operations to act as an initial access broker for ransomware actors.
FortiGuard Labs' Incident Response team was called in to investigate a muti-year intrusion which was active from May 2023 to February 2025 and targeted critical national infrastructure in the Middle East. The team attributed this attack to Fox Kitten, finding that the threat actor deployed multiple malware such as Hanifnet, HXLibrary, and customer web shells to maintain persistence and conduct extensive espionage.
On March 2 2026, Operation Epic Fury a joint coordinated strike on Iran conducted by the United States and Israel commenced. We are monitoring for developments and will update the Threat Actor profile with rolling updates.
Added to Known Tools Used Section:
ChunkyTuna,Tiny web shell,Chisel,FRPC,MeshCentral,Nmap,Angry IP Scanner,WinRAR
Aliases
- xplfinder
- Parisite
- Pioneer Kitten
- Lemon Sandstorm
- RUBIDIUM
- Br0k3r
- UNC757
Common Vulnerabilities and Exposures
Targeted Industries
- Financial
- Government
- Healthcare
- Information Technology
- Insurance
Objectives
Espionage
Known Tools Used
- 7-zip
- AnyDesk
- Angry IP Scanner
- ChunkyTuna
- ChinaChopper
- Chisel
- CredInterceptor
- FRPC
- glider proxy
- Go Proxy
- HanifNet
- HXLibrary
- Invoke the Hash
- JuicyPotato
- MeshCentral
- NeoExpressRAT
- ngrok
- Nmap
- Pay2Key
- Plink
- Port.exe
- PowerShell
- POWSSHNET
- PsExec
- PuTTY
- RemoteInjector
- ReverseSocks5
- Serveo
- Socket-based backdoor
- Softerra LDAP Browser
- SSHMinion
- STSRCheck
- SystemBC
- TightVNC
- Tiny web shell
- VBScript
- WinRAR
- WizTree
Known Infection Vectors
- CVE-2018-13379 (FortiOS SSL VPN Web Portal Pathname Information Disclosure Vulnerability)
- CVE-2018-1579
- CVE-2019-11510 (Arbitrary File Read Vulnerability in Pulse Connect Secure VPN)
- CVE-2019-11539 (Command Injection Vulnerability in Pulse Connect Secure)
- CVE-2019-19781 (Arbitrary Code Execution Vulnerability in Citrix Application Delivery Controller and Gateway)
- CVE-2020-5902 (Remote Code Execution Vulnerability in F5 BIG-IP)
- CVE-2022-1388 (F5 BIG-IP Missing Authentication Vulnerability)
- CVE-2023-3519 (Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability)
- CVE-2023-38950 (ZKTeco BioTime Path Traversal Vulnerability)
- CVE-2023-38951
- CVE-2023-38952
- CVE-2024-21887 (Ivanti Connect Secure and Policy Secure Command Injection Vulnerability)
- CVE-2024-24919 (Check Point Quantum Security Gateways Information Disclosure Vulnerability)
- CVE-2024-3400 (Palo Alto Networks PAN-OS Command Injection Vulnerability)
References
FortiGuard Incident Response Team Detects Intrusion into Middle East Critical National Infrastructure (Fortinet)
https://www.fortinet.com/blog/threat-research/fortiguard-incident-response-team-detects-intrusion-into-middle-east-critical-national-infrastructure
Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure (Fortinet)
https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf
Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations (CISA)
https://www.cisa.gov/sites/default/files/2024-08/aa24-241a-iran-based-cyber-actors-enabling-ransomware-attacks-on-us-organizations_0.pdf
Fox Kitten (MITRE)
https://attack.mitre.org/groups/G0117/
