
Threat Actor Characterization

Pioneer Kitten


ID: 2c33573ab7ab103797e1526dc0ee21e320330
Categories: Cybercrime, State-Sponsored
Threat types: Intrusion, Exploitation, Espionage
Iran
Updated: 2026-01-13
Created: 2025-10-21
Progress: 38% Completeness: 33% Freshness: 50%
Operation zone:
Aliases: Fox Kitten
MITRE ATT&CK®

Fox Kitten is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. Fox Kitten has targeted multiple industry verticals, including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering. Ref: https://attack.mitre.org/groups/G0117/


Technique | Technique name | Tactics | Evidence
T1003.001 LSASS Memory (TA0006)
  • OS Credential Dumping: LSASS Memory - Fox Kitten has used procdump to dump credentials from LSASS.
T1003.003 NTDS (TA0006)
  • OS Credential Dumping: NTDS - Fox Kitten has used Volume Shadow Copy to access credential information from NTDS.
T1021.001 Remote Desktop Protocol (TA0008)
  • Remote Services: Remote Desktop Protocol - Fox Kitten has used RDP to log in and move laterally in the target environment.
T1021.002 SMB/Windows Admin Shares (TA0008)
  • Remote Services: SMB/Windows Admin Shares - Fox Kitten has used valid accounts to access SMB shares.
T1021.004 SSH (TA0008)
  • Remote Services: SSH - Fox Kitten has used the PuTTY and Plink tools for lateral movement.
T1021.005 VNC (TA0008)
  • Remote Services: VNC - Fox Kitten has installed TightVNC server and client on compromised servers and endpoints for lateral movement.
T1027.010 Command Obfuscation (TA0005)
  • Obfuscated Files or Information: Command Obfuscation - Fox Kitten has base64-encoded scripts to avoid detection.
T1027.013 Encrypted/Encoded File (TA0005)
  • Obfuscated Files or Information: Encrypted/Encoded File - Fox Kitten has base64-encoded payloads to avoid detection.
T1036.004 Masquerade Task or Service (TA0005)
  • Masquerading: Masquerade Task or Service - Fox Kitten has named the scheduled task for a reverse proxy "lpupdate" to appear legitimate.
T1036.005 Match Legitimate Resource Name or Location (TA0005)
  • Masquerading: Match Legitimate Resource Name or Location - Fox Kitten has named binaries and configuration files "svhost" and "dllhost" respectively to appear legitimate.
T1053.005 Scheduled Task (TA0002, TA0003, TA0004)
  • Scheduled Task/Job: Scheduled Task - Fox Kitten has used Scheduled Tasks for persistence and to load and execute a reverse proxy binary.
T1059.001 PowerShell (TA0002)
  • Command and Scripting Interpreter: PowerShell - Fox Kitten has used PowerShell scripts to access credential data.
T1059.003 Windows Command Shell (TA0002)
  • Command and Scripting Interpreter: Windows Command Shell - Fox Kitten has used cmd.exe, likely as a password-changing mechanism.
T1087.001 Local Account (TA0007)
  • Account Discovery: Local Account - Fox Kitten has accessed ntuser.dat and UserClass.dat on compromised hosts.
T1087.002 Domain Account (TA0007)
  • Account Discovery: Domain Account - Fox Kitten has used the Softerra LDAP browser to browse documentation on service accounts.
T1136.001 Local Account (TA0003)
  • Create Account: Local Account - Fox Kitten has created a local user account with administrator privileges.
T1213.005 Messaging Applications (TA0009)
  • Data from Information Repositories: Messaging Applications - Fox Kitten has accessed victim security and IT environments and Microsoft Teams to mine valuable information.
T1505.003 Web Shell (TA0003)
  • Server Software Component: Web Shell - Fox Kitten has installed web shells on compromised hosts to maintain access.
T1546.008 Accessibility Features (TA0003, TA0004)
  • Event Triggered Execution: Accessibility Features - Fox Kitten has used sticky keys to launch a command prompt.
T1552.001 Credentials In Files (TA0006)
  • Unsecured Credentials: Credentials In Files - Fox Kitten has accessed files to gain valid credentials.
T1555.005 Password Managers (TA0006)
  • Credentials from Password Stores: Password Managers - Fox Kitten has used scripts to access credential information from the KeePass database.
T1560.001 Archive via Utility (TA0009)
  • Archive Collected Data: Archive via Utility - Fox Kitten has used 7-Zip to archive data.
T1585.001 Social Media Accounts (TA0042)
  • Establish Accounts: Social Media Accounts - Fox Kitten has used a Twitter account to communicate with ransomware victims.