ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > Parisite, Fox Kitten, Pioneer Kitten

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Parisite, Fox Kitten, Pioneer Kitten

NamesParisite (Dragos)
Fox Kitten (ClearSky)
Pioneer Kitten (Crowdstrike)
Cobalt Foxglove (SecureWorks)
Rubidium (Microsoft)
UNC757 (?)
Lemon Sandstorm (Microsoft)
CountryIran Iran
MotivationInformation theft and espionage
First seen2017
Description“This group has operated since at least 2017 based on infrastructure Dragos identified,” the report explained. “Parisite serves as the initial access group and enables further operations for APT 33, Elfin, Magnallium.”

(ClearSky) During the last quarter of 2019, ClearSky research team has uncovered a widespread Iranian offensive campaign which we call “Fox Kitten Campaign”; this campaign is being conducted in the last three years against dozens of companies and organizations in Israel and around the world. Though the campaign, the attackers succeeded in gaining access and persistent foothold in the networks of numerous companies and organizations from the IT,Telecommunication,Oil and Gas, Aviation, Government, and Security sectors around the world.

During our analysis, we have found an overlap, with medium-high probability, between this campaign’s infrastructure and the activity of an Iranian offensive group OilRig, APT 34, Helix Kitten, Chrysene. Additionally, we have identified, with medium probability, a connection between this campaign and the APT 33, Elfin, Magnallium and Chafer, APT 39 groups.The campaign was first revealed by Dragos, named “Parisite”and attributed to APT33; we call the comprehensive campaign revealed in this report “Fox Kitten”.

The initial breach of the targeted organizations was performed, in most cases, by exploiting 1-day vulnerabilities in different VPN services such as: Pulse Secure VPN, Fortinet VPN, and Global Protect by Palo Alto Networks. Upon gaining foothold at the target, the attackers tried to maintain the access to the networks by opening a variety of communication tools, including opening RDP links over SSH tunneling, in order to camouflage and encrypt the communication with the targets. At the final stage, after successfully infiltrating the organization, the attackers have performed a routine process of identification, examination, and filtering of sensitive, valuable information from every targeted organization.The valuable information was sent back to the attackers for reconnaissance, espionage, or further infection of connected networks.
ObservedSectors: Aviation, Chemical, Energy, Defense, Engineering, Financial, Government, Healthcare, IT, Media, Manufacturing, Oil and gas, Retail, Telecommunications.
Countries: Australia, Austria, Finland, France, Germany, Hungary, Israel, Italy, Kuwait, Lebanon, Malaysia, Poland, Saudi Arabia, UAE, USA.
Tools usedFRP, Invoke the Hash, JuicyPotato, Ngrok, Pay2Key, Port.exe, POWSSHNET, Plink, PuTTY, Serveo, SSHMinion, STSRCheck.
Operations performedLate 2019“Fox Kitten” Campaign
Jul 2020In late July 2020, an actor assessed to be associated with PIONEER KITTEN was identified as advertising to sell access to compromised networks on an underground forum.
Sep 2020This threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) dealing with Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 vulnerabilities.
Nov 2020Pay2Kitten – Fox Kitten 2

Last change to this card: 26 April 2023

Download this actor card in PDF or JSON format

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]