Home/ Threat Actors/ Fox Kitten

🌐Fox Kitten

🌐 Fox Kitten is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 41 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0117) ↗

14Use cases

0Articles

41Techniques

0IOCs

About this actor (MITRE)

[Fox Kitten](https://attack.mitre.org/groups/G0117) is threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. [Fox Kitten](https://attack.mitre.org/groups/G0117) has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.(Citation: ClearkSky Fox Kitten February 2020)(Citation: CrowdStrike PIONEER KITTEN August 2020)(Citation: Dragos PARISITE )(Citation: ClearSky Pay2Kitten Dece

Known aliases

Fox KittenUNC757ParisitePioneer KittenRUBIDIUMLemon Sandstorm

Top techniques

T1003.001 · LSASS Memory T1003.003 · NTDS T1005 · Data from Local System

All other tracked techniques

T1012 · Query Registry T1018 · Remote System Discovery T1021.001 · Remote Desktop Protocol T1021.002 · SMB/Windows Admin Shares T1021.004 · SSH T1021.005 · VNC T1027.010 · Command Obfuscation T1027.013 · Encrypted/Encoded File T1036.004 · Masquerade Task or Service T1036.005 · Match Legitimate Resource Name or Location T1039 · Data from Network Shared Drive T1046 · Network Service Discovery T1053.005 · Scheduled Task T1059 · Command and Scripting Interpreter T1059.001 · PowerShell T1059.003 · Windows Command Shell T1078 · Valid Accounts T1083 · File and Directory Discovery T1087.001 · Local Account T1087.002 · Domain Account T1090 · Proxy T1102 · Web Service T1105 · Ingress Tool Transfer T1110 · Brute Force T1136.001 · Local Account T1190 · Exploit Public-Facing Application T1210 · Exploitation of Remote Services T1213.005 · Messaging Applications T1217 · Browser Information Discovery T1505.003 · Web Shell T1530 · Data from Cloud Storage T1546.008 · Accessibility Features T1552.001 · Credentials In Files T1555.005 · Password Managers T1560.001 · Archive via Utility T1572 · Protocol Tunneling T1585 · Establish Accounts T1585.001 · Social Media Accounts

Detection use cases (14)

Fox Kitten / Pioneer Kitten reverse-tunnel tool execution (ngrok, FRP, plink, chisel) post edge-appliance compromise AI · profile SΣ Fox Kitten domain database (NTDS.dit) extraction via ntdsutil IFM / vssadmin shadow copy on a Domain Controller AI · profile S 1Password failed sign-in burst MITRE match 1Password impossible-travel sign-in MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay MITRE match