SOCRadar® Cyber Intelligence Inc. | Dark Web Profile: Fox Kitten
Jun 15, 2026

Dark Web Profile: Fox Kitten

Fox Kitten stands out among Iranian Advanced Persistent Threat (APT) groups for operating on two tracks simultaneously: collecting intelligence for the Iranian regime while brokering network access to ransomware affiliates for profit. That dual mission, combined with a persistent focus on exploiting internet-facing VPN and firewall devices, makes Fox Kitten one of the most disruptive and financially dangerous government-backed groups.

Threat actor card of Fox Kitten

Who Is Fox Kitten?

Fox Kitten is a state-sponsored Iranian threat actor active since at least 2017, targeting organizations across the Middle East, North Africa, Europe, Australia, and North America. The group is tracked under multiple aliases, including Pioneer Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm. On underground forums, the actors identify themselves as Br0k3r, and as of 2024 have operated under the handle xplfinder.

The threat actor advertises initial access to a compromised corporate environment for sale on a hacker forum. (SOCRadar Security News)

Fox Kitten is widely assessed to operate in direct alignment with Iranian state intelligence objectives, specifically the Islamic Revolutionary Guard Corps (IRGC), while running a parallel commercial operation selling network access to ransomware affiliates. The same intrusion infrastructure used for government-directed espionage is monetized through criminal partnerships, making this hybrid model one of the group’s most defining characteristics.

FBI analysis confirms Iranian state sponsorship. In 2024, a joint advisory from CISA, the FBI, and DC3 formally identified Fox Kitten as facilitating ransomware operations against U.S. organizations, providing initial access and domain-level credentials to ransomware affiliates in exchange for a cut of ransom proceeds.

What Are Fox Kitten’s Targets?

Fox Kitten targets organizations across a broad range of sectors including oil and gas, technology, government, defense, healthcare, manufacturing, engineering, finance, education, and telecommunications. The group has also been observed targeting local government entities.

Fox Kitten APT group Threat Intelligence Report (Source: SOCRadar MCP)

Geographically, operations concentrate on the United States, Israel, Azerbaijan, and the United Arab Emirates, with additional activity across the broader Middle East and North Africa. Documented U.S. victims include schools, municipal governments, financial institutions, and healthcare facilities.

A key distinguishing pattern is Fox Kitten’s focus on unpatched internet-facing perimeter devices, specifically VPN concentrators, firewalls, and remote access gateways, rather than vertical-specific targeting. Any organization with exposed and vulnerable edge infrastructure is a potential target, regardless of sector.

What Are Fox Kitten’s Techniques?

Fox Kitten’s playbook is built around rapid exploitation of known CVEs in perimeter devices, followed by systematic credential theft, tunneling-based persistence, and extended dwell operations. The group combines open-source tooling with custom malware to maintain access and avoid detection.

Fox Kitten’s attack chain

Initial Access

Fox Kitten’s primary and most consistent initial access method is exploiting public-facing network appliances. The group has demonstrated a pattern of rapidly weaponizing newly disclosed CVEs in widely deployed VPN and firewall products:

  • CVE-2019-11510 — Pulse Secure VPN arbitrary file read
  • CVE-2019-19781 — Citrix ADC/Gateway directory traversal
  • CVE-2020-5902 — F5 BIG-IP remote code execution
  • CVE-2022-1388 — F5 BIG-IP authentication bypass
  • CVE-2023-3519 — Citrix NetScaler ADC/Gateway code injection
  • CVE-2024-3400 — Palo Alto PAN-OS command injection (zero-day)
  • CVE-2024-24919 — Check Point Security Gateway information disclosure

The group also exploits Remote Desktop Protocol (RDP) vulnerabilities and uses brute force against RDP credentials as a secondary access path.

Execution

Once inside, Fox Kitten uses a mix of native Windows tooling and custom scripts. PowerShell is used extensively for credential access and payload staging. Windows Command Shell (cmd.exe) has been observed for account manipulation tasks. The group also deploys a Perl reverse shell for C2 communication in some intrusions, and uses PsExec for remote command execution across the network.

Persistence

Fox Kitten invests heavily in multiple persistence mechanisms to survive reboots and blue team response:

  • Web shells (including China Chopper and custom variants such as ChunkyTuna and Tiny web shell) deployed on compromised servers
  • Scheduled Tasks named to masquerade as legitimate system tasks (e.g., lpupdate) to maintain reverse proxy binaries
  • Local administrator accounts created with elevated privileges for long-term access
  • Sticky Keys abuse (T1546.008) — replacing accessibility executables to launch a command prompt at the login screen

In more recent intrusions (2023–2025), Fox Kitten deployed custom backdoors including HanifNet (an unsigned .NET executable retrieving commands from attacker-controlled C2) and HXLibrary (a malicious IIS module for persistent server-side access), as well as NeoExpressRAT for post-compromise remote control.

Credential Access and Privilege Expansion

Credential theft is central to Fox Kitten’s post-compromise operations. The group uses prodump (a renamed variant of ProcDump) to dump credentials from LSASS memory, and leverages Volume Shadow Copy to extract NTDS.dit for offline Active Directory credential harvesting. Fox Kitten has also been observed reading KeePass databases using targeted scripts, and accessing the ntuser.dat and UsrClass.dat registry hives to recover stored credentials. Browser credentials and cloud storage tokens are also targeted.
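The two credential-theft patterns above (a non-security process reading LSASS memory, and a shadow copy created shortly before NTDS.dit is copied out of it) can be correlated from endpoint telemetry. The following is an added example written for this profile, not SOCRadar's or any vendor's detection code; the events are constructed Sysmon-style records with made-up hostnames, paths and timestamps, and the LSASS allowlist is an assumption a real deployment would tune.

```python
import re
from datetime import datetime, timedelta

# PROCESS_VM_READ is the access right a dumper needs to read LSASS memory;
# Sysmon Event ID 10 reports the granted mask in its GrantedAccess field.
PROCESS_VM_READ = 0x0010

# Assumed-benign LSASS readers (an allowlist a real deployment would tune).
LSASS_ALLOWLIST = {r"c:\program files\windows defender\msmpeng.exe"}

# Ways a shadow copy gets created so the locked NTDS.dit can be copied.
SHADOW_CREATE = re.compile(
    r"vssadmin\s+create\s+shadow|shadowcopy\s+call\s+create|\bdiskshadow\b|ntdsutil.*\bifm\b",
    re.IGNORECASE)
NTDS_REF = re.compile(r"ntds\.dit", re.IGNORECASE)

# Constructed Sysmon-style events (hostnames, paths and times are made up).
EVENTS = [
    {"ts": "2025-03-01T09:00:02", "host": "DC01", "event": "process_create",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin create shadow /for=C:"},
    {"ts": "2025-03-01T09:00:40", "host": "DC01", "event": "process_create",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\ntds.dit"},
    {"ts": "2025-03-01T09:05:11", "host": "WS07", "event": "process_access",
     "image": r"C:\Users\Public\prodump.exe",
     "target": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1FFFFF"},
    {"ts": "2025-03-01T10:15:00", "host": "WS09", "event": "process_create",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
    {"ts": "2025-03-01T11:00:00", "host": "WS03", "event": "process_access",
     "image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1400"},
]


def detect(events, window_minutes=30):
    """Return alerts for LSASS memory reads and shadow-copy-then-NTDS sequences."""
    alerts = []
    shadow_created = {}  # host -> timestamps at which a shadow copy was created
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        host = ev["host"]
        if ev["event"] == "process_access":
            # Only a granted mask that includes VM_READ can actually dump memory.
            reads_memory = int(ev["granted_access"], 16) & PROCESS_VM_READ
            if (ev["target"].lower().endswith("\\lsass.exe")
                    and ev["image"].lower() not in LSASS_ALLOWLIST and reads_memory):
                alerts.append({"rule": "lsass_memory_access", "host": host,
                               "image": ev["image"], "ts": ev["ts"]})
        elif ev["event"] == "process_create":
            cmd = ev["cmdline"]
            if SHADOW_CREATE.search(cmd):
                shadow_created.setdefault(host, []).append(ts)
            if NTDS_REF.search(cmd):
                # Pair the NTDS reference with a shadow copy created on the same
                # host inside the window; "vssadmin list shadows" alone never pairs.
                window = timedelta(minutes=window_minutes)
                recent = [t for t in shadow_created.get(host, [])
                          if timedelta(0) <= ts - t <= window]
                if recent:
                    alerts.append({"rule": "ntds_via_shadow_copy", "host": host,
                                   "cmdline": cmd, "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The sequence rule is deliberately host-scoped and time-bounded: shadow copies are created legitimately by backup software, so the signal is the copy of NTDS.dit that follows, not the shadow creation on its own. The Defender process in the sample is dropped twice over, by the allowlist and because its granted mask carries no VM_READ bit.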

Discovery and Lateral Movement

After gaining a foothold, Fox Kitten performs methodical reconnaissance using open-source tools: Nmap and Angry IP Scanner for network discovery, WizTree for file and directory enumeration, and the Softerra LDAP browser to enumerate Active Directory service accounts. The group also reads Chrome browser bookmarks to identify internal resources and assets not visible from the perimeter.

Lateral movement relies heavily on RDP (with valid stolen credentials), SMB/Windows Admin Shares, SSH (via PuTTY and Plink), and VNC (TightVNC server and client deployed on endpoints). PsExec is used for remote service execution across compromised hosts.

Command and Control

Fox Kitten’s C2 infrastructure is built around tunneling and proxying to blend into normal traffic and circumvent network controls. The group uses open-source reverse proxy tools — FRPC (Fast Reverse Proxy), ngrok, Glider Proxy, and ReverseSocks5 — to establish outbound tunnels from victim environments. A custom tool, SSHMinion, has also been attributed to the group for encrypted tunneled communication.

Amazon Web Services has been observed as C2 hosting infrastructure, with the group deliberately using legitimate cloud services to hide command traffic. KeyBase and Twitter accounts have also been used for victim communication in ransomware contexts.

Collection and Exfiltration

Fox Kitten targets credentials, internal documents, email archives, cloud storage contents, and Microsoft Teams messages. Data from network shares, cloud storage instances, and local system files is gathered and staged using 7-Zip for compression prior to exfiltration. The group accesses Microsoft Teams to mine communications for internal intelligence and lateral escalation opportunities.

Defense Evasion

Fox Kitten applies several evasion layers: Base64 encoding of scripts and payloads, masquerading of binaries and configuration files as legitimate processes (e.g., naming binaries svhost and config files dllhost), and naming scheduled tasks after legitimate system components. The group also performs timestomping via China Chopper to alter file metadata and blend artifacts with existing system files.
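Two of the evasion layers above are cheap to undo at triage time: a Base64 payload passed to PowerShell's encoded-command switch is just UTF-16LE text, and a binary named svhost or a config named dllhost is a near-miss on a real Windows name, or a real name in the wrong directory. The following is an added example written for this profile (not SOCRadar's code); the process events are constructed, the encoded payload is built inside the script rather than captured, and the list of imitated system binaries is an assumption to extend.

```python
import base64
import difflib
import re

# Windows system binary names that masquerading commonly imitates (assumed list).
LEGIT_SYSTEM_BINARIES = {"svchost.exe", "dllhost.exe", "lsass.exe", "csrss.exe",
                         "services.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# PowerShell accepts -e, -ec, -enc and -EncodedCommand; all take base64 of UTF-16LE.
ENCODED_ARG = re.compile(r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                         re.IGNORECASE)


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def masquerade_reason(image_path):
    """Explain why an image path looks like T1036 masquerading, or return None."""
    path = image_path.replace("/", "\\").lower()
    name = path.rsplit("\\", 1)[-1]
    directory = path[: len(path) - len(name)]
    if name in LEGIT_SYSTEM_BINARIES:
        # Real name, but T1036.005 if it is not where Windows keeps it.
        if not directory.startswith(SYSTEM_DIRS):
            return f"{name} running outside a system directory"
        return None
    # Near-miss names such as svhost.exe score high against svchost.exe.
    close = difflib.get_close_matches(name, LEGIT_SYSTEM_BINARIES, n=1, cutoff=0.85)
    return f"lookalike of {close[0]}" if close else None


# Constructed process events; the encoded payload is built here, not captured.
SAMPLE_PAYLOAD = "Get-ChildItem C:\\Users -Recurse -Filter *.kdbx"
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode()
EVENTS = [
    {"host": "WS07", "image": r"C:\Users\Public\svhost.exe", "cmdline": "svhost.exe"},
    {"host": "WS07", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {SAMPLE_B64}"},
    {"host": "DC01", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "WS03", "image": r"C:\ProgramData\svchost.exe", "cmdline": "svchost.exe"},
]


def triage(events):
    """Return (host, finding) pairs for masqueraded images and decoded PowerShell."""
    findings = []
    for ev in events:
        reason = masquerade_reason(ev["image"])
        if reason:
            findings.append((ev["host"], reason))
        decoded = decode_encoded_powershell(ev["cmdline"])
        if decoded is not None:
            findings.append((ev["host"], f"encoded PowerShell: {decoded}"))
    return findings


if __name__ == "__main__":
    for host, finding in triage(EVENTS):
        print(host, finding)
```

Decoding rather than merely flagging the encoded command matters for this actor: the decoded text shows intent (here, a constructed search for KeePass databases) that maps straight onto the credential-access behaviour documented above, which is what turns a generic "encoded PowerShell" alert into a prioritized investigation.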

What Are the Campaigns Related to Fox Kitten?

Multi-Year Critical Infrastructure Intrusion in the Middle East (May 2023 – February 2025)

FortiGuard Labs’ Incident Response team documented a sustained Fox Kitten operation against critical national infrastructure in the Middle East that persisted for nearly two years. The attackers used CVE-2024-24919 (Check Point vulnerability) for initial access, deployed HanifNet, HXLibrary, and NeoExpressRAT for persistent backdoor access, and used open-source proxy tools including Chisel, FRPC, and MeshCentral to maintain tunneled C2 communications. The intrusion combined deep espionage objectives with capability pre-positioning.

CISA Advisory AA24-241A: Ransomware Facilitation Campaign (August 2024)

A joint advisory from CISA, the FBI, and DC3 formally identified Fox Kitten (operating as “Br0k3r” / “xplfinder”) as actively providing network access to ransomware affiliate groups. The advisory described direct collaboration with NoEscape, Ransomhouse, and ALPHV (BlackCat) affiliates, where Fox Kitten provided full domain admin credentials to compromised networks in exchange for a cut of ransom payments. The group’s involvement went beyond access brokering: it actively strategized with ransomware operators on victim extortion approaches. Targets included U.S. schools, municipalities, financial institutions, and healthcare providers.

Pay2Key Ransomware Campaign Against Israeli Organizations (November–December 2020)

ClearSky and Check Point documented a targeted ransomware campaign in which Fox Kitten deployed the custom Pay2Key ransomware against Israeli companies. The campaign used FRPC-based internal proxy chains to route ransomware traffic through a single internet-connected pivot, minimizing the group’s external network footprint. Victims were directed to KeyBase and Twitter accounts for ransom negotiation — an unconventional communications channel that became a signature of this operation.

VPN Mass Exploitation Campaign (2019–2020)

ClearSky’s original Fox Kitten disclosure documented a broad exploitation campaign targeting unpatched Pulse Secure, Citrix, and Fortinet VPN appliances at scale. Fox Kitten was among the first threat actors to operationalize several of these CVEs in the wild, with the intrusions used to establish long-term footholds across government, defense, and critical infrastructure organizations in the Middle East and beyond.

What Are the Mitigation Tactics Against Fox Kitten?

Fox Kitten’s consistent entry point is unpatched internet-facing infrastructure. Defenses should prioritize closing that window first, then focus on detecting the tunneling and credential theft behavior that follows.

  • Patch perimeter devices immediately: Prioritize VPN concentrators, firewalls, and remote access gateways. Fox Kitten weaponizes newly disclosed CVEs rapidly — treat any unpatched edge device as actively exploited.
  • Audit and monitor web shell presence: Regularly scan internet-facing servers for unexpected ASPX/PHP files and IIS module changes. HXLibrary-style IIS module implants are particularly difficult to detect without active hunting.
  • Detect tunneling tools: Alert on the presence or execution of ngrok, FRPC, Chisel, Plink, and ReverseSocks5. These tools have limited legitimate administrative use and their presence in an environment is a high-confidence indicator.
  • Protect credentials end-to-end: Monitor for LSASS access attempts, Volume Shadow Copy invocations (especially followed by NTDS reads), and access to KeePass databases. Enforce phishing-resistant MFA on all remote access paths.
  • Monitor RDP and lateral movement: Alert on abnormal RDP logins, TightVNC installation, and PsExec/SMB lateral tool transfer. Fox Kitten relies heavily on these channels post-compromise.
  • Hunt for persistence mechanisms: Review Scheduled Tasks for tasks pointing to non-standard binaries, check for unexpected local administrator accounts, and monitor Accessibility feature binary replacements (e.g., sethc.exe, utilman.exe).
  • Restrict and monitor cloud service usage: Alert on unusual outbound connections to AWS, ngrok endpoints, and other cloud relay services that could indicate tunneled C2 communication.
  • Apply network segmentation: Fox Kitten builds internal proxy chains to route traffic; segmentation limits how far they can pivot and forces more detectable network patterns.
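Three of the hunts above, for scheduled tasks pointing at non-standard binaries (the lpupdate pattern from the Persistence section), for tunneling tool execution (the FRPC/ngrok/Plink/Chisel toolset from the Command and Control section), and for replaced accessibility binaries, can be run as simple checks over a task inventory, process telemetry and a file hash inventory. The following is an added example written for this profile, not SOCRadar's tooling; every inventory is constructed with placeholder hosts, paths and hashes, and the trusted-directory and tool-name lists are assumptions to adapt to the environment.

```python
import re

# Directories from which scheduled task actions are normally expected (assumed).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Tunneling/proxy binaries named in the profile; plink is the one with real admin use.
TUNNEL_TOOLS = {"ngrok.exe", "frpc.exe", "chisel.exe", "plink.exe",
                "reversesocks5.exe", "glider.exe"}
# Command-line shapes that turn one of those binaries into an inbound tunnel
# (ssh/plink -R, ngrok tcp, chisel R:port); their presence raises confidence.
REVERSE_TUNNEL = re.compile(r"\s-R\s|\bngrok\s+tcp\b|\bR:\d+")
# Accessibility binaries reachable from the logon screen (T1546.008 targets).
ACCESSIBILITY = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                 "magnify.exe", "displayswitch.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_scheduled_tasks(tasks):
    """Flag tasks whose action lives outside trusted dirs or runs a tunneling tool."""
    findings = []
    for t in tasks:
        exe = t["exe"].lower()
        if not exe.startswith(TRUSTED_DIRS):
            findings.append((t["name"], "action outside trusted directories"))
        if basename(exe) in TUNNEL_TOOLS:
            findings.append((t["name"], f"action runs tunneling tool {basename(exe)}"))
    return findings


def check_processes(procs):
    """Flag tunneling tool executions; reverse-tunnel syntax makes it high confidence."""
    findings = []
    for p in procs:
        name = basename(p["image"])
        if name in TUNNEL_TOOLS:
            confidence = "high" if REVERSE_TUNNEL.search(p["cmdline"]) else "medium"
            findings.append((p["host"], name, confidence))
    return findings


def check_accessibility(files):
    """Return accessibility binaries whose hash equals a shell's hash (swapped copy)."""
    by_name = {basename(f["path"]): f["sha256"] for f in files}
    shell_hashes = {by_name[s] for s in SHELLS if s in by_name}
    return sorted(n for n in ACCESSIBILITY if by_name.get(n) in shell_hashes)


# Constructed inventories (placeholder names, paths and hashes, not real data).
TASKS = [
    {"name": "lpupdate", "exe": r"C:\ProgramData\lpupdate\frpc.exe", "args": "-c frpc.ini"},
    {"name": "MicrosoftEdgeUpdateTaskMachineCore",
     "exe": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
     "args": "/c"},
]
PROCS = [
    {"host": "WS07", "image": r"C:\Users\Public\ngrok.exe", "cmdline": "ngrok tcp 3389"},
    {"host": "SRV02", "image": r"C:\Program Files\PuTTY\plink.exe",
     "cmdline": "plink.exe -N -R 8443:127.0.0.1:3389 relay.example"},
    {"host": "WS01", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]
FILES = [
    {"path": r"C:\Windows\System32\cmd.exe", "sha256": "sha256-of-cmd (placeholder)"},
    {"path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "sha256": "sha256-of-powershell (placeholder)"},
    {"path": r"C:\Windows\System32\sethc.exe", "sha256": "sha256-of-cmd (placeholder)"},
    {"path": r"C:\Windows\System32\utilman.exe", "sha256": "sha256-of-utilman (placeholder)"},
]


if __name__ == "__main__":
    print(check_scheduled_tasks(TASKS))
    print(check_processes(PROCS))
    print(check_accessibility(FILES))
```

The accessibility check compares hashes rather than names because a swapped sethc.exe keeps its name and location; in production the shell hashes would come from a known-good catalog rather than from the same host being checked. The task check intentionally fires twice on lpupdate, once for location and once for the tool, so that either signal alone still surfaces the task.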

How Can SOCRadar Help?

SOCRadar provides the visibility needed to detect Fox Kitten precursors and active intrusion signals across open, deep, and dark web sources:

  • Free Dark Web Report (SOCRadar Labs): Checks whether your organization’s domains, credentials, or assets appear in the leak ecosystems Fox Kitten’s ransomware partners use to monetize stolen access.
  • Dark Web Monitoring: Alerts on leaked credentials, internal document exposure, and underground forum mentions that could enable account takeover or targeted intrusion.
  • Threat Intelligence: Provides Fox Kitten-specific IOCs, infrastructure patterns, and TTP context to enrich SIEM detections and prioritize patching against exploited CVEs.
  • Attack Surface Management: Continuously inventories internet-facing assets and identifies unpatched or exposed services that match Fox Kitten’s targeting profile — specifically VPN and remote access infrastructure.
  • Digital Risk Protection: Monitors for impersonation infrastructure and phishing domains that could support credential harvesting operations targeting your organization.

What Are the MITRE ATT&CK TTPs of Fox Kitten?

Techniques grouped by ATT&CK tactic (technique ID and name):

Initial Access
  • T1190 Exploit Public-Facing Application
  • T1133 External Remote Services
  • T1110 Brute Force (RDP)

Execution
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1059 Command and Scripting Interpreter: Perl Reverse Shell
  • T1569.002 System Services: Service Execution (via PsExec)

Persistence
  • T1505.003 Server Software Component: Web Shell
  • T1053.005 Scheduled Task/Job: Scheduled Task
  • T1136.001 Create Account: Local Account
  • T1546.008 Event Triggered Execution: Accessibility Features

Defense Evasion
  • T1027.010 Obfuscated Files or Information: Command Obfuscation
  • T1027.013 Obfuscated Files or Information: Encrypted/Encoded File
  • T1036.004 Masquerading: Masquerade Task or Service
  • T1036.005 Masquerading: Match Legitimate Resource Name or Location
  • T1070.006 Indicator Removal: Timestomp

Credential Access
  • T1003.001 OS Credential Dumping: LSASS Memory
  • T1003.003 OS Credential Dumping: NTDS
  • T1555.005 Credentials from Password Stores: Password Managers
  • T1552.001 Unsecured Credentials: Credentials In Files
  • T1078 Valid Accounts

Discovery
  • T1087.001 Account Discovery: Local Account
  • T1087.002 Account Discovery: Domain Account
  • T1046 Network Service Discovery
  • T1018 Remote System Discovery
  • T1083 File and Directory Discovery
  • T1012 Query Registry
  • T1217 Browser Information Discovery

Lateral Movement
  • T1021.001 Remote Services: Remote Desktop Protocol
  • T1021.002 Remote Services: SMB/Windows Admin Shares
  • T1021.004 Remote Services: SSH
  • T1021.005 Remote Services: VNC
  • T1210 Exploitation of Remote Services
  • T1570 Lateral Tool Transfer

Collection
  • T1005 Data from Local System
  • T1039 Data from Network Shared Drive
  • T1530 Data from Cloud Storage
  • T1213.005 Data from Information Repositories: Messaging Applications
  • T1560.001 Archive Collected Data: Archive via Utility

Command and Control
  • T1572 Protocol Tunneling
  • T1090 Proxy
  • T1102 Web Service
  • T1585 Establish Accounts
  • T1585.001 Establish Accounts: Social Media Accounts

Exfiltration
  • T1041 Exfiltration Over C2 Channel

Impact
  • T1486 Data Encrypted for Impact (Pay2Key ransomware)
  • T1489 Service Stop