Fox Kitten
Aliases: UNC757, Parisite, Pioneer Kitten, RUBIDIUM, Lemon Sandstorm
Fox Kitten is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. Fox Kitten has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.
ATT&CK techniques
T1105 Ingress Tool Transfer
T1059 Command and Scripting Interpreter
T1530 Data from Cloud Storage
T1018 Remote System Discovery
T1110 Brute Force
T1210 Exploitation of Remote Services
T1136.001 Local Account
T1560.001 Archive via Utility
T1027.010 Command Obfuscation
T1005 Data from Local System
T1585 Establish Accounts
T1021.005 VNC
T1552.001 Credentials In Files
T1217 Browser Information Discovery
T1059.003 Windows Command Shell
T1027.013 Encrypted/Encoded File
T1213.005 Messaging Applications
T1021.002 SMB/Windows Admin Shares
T1190 Exploit Public-Facing Application
T1555.005 Password Managers
T1003.003 NTDS
T1087.001 Local Account
T1087.002 Domain Account
T1021.004 SSH
T1505.003 Web Shell
T1053.005 Scheduled Task
T1036.004 Masquerade Task or Service
T1003.001 LSASS Memory
T1090 Proxy
T1012 Query Registry
T1572 Protocol Tunneling
T1021.001 Remote Desktop Protocol
T1102 Web Service
T1039 Data from Network Shared Drive
T1078 Valid Accounts
T1046 Network Service Discovery
T1546.008 Accessibility Features
T1585.001 Social Media Accounts
T1036.005 Match Legitimate Name or Location
T1059.001 PowerShell
T1083 File and Directory Discovery
Correlated CTI and IR reports
Actor Deep Research Prompts [Israel Threat Actors CTI · explicit report mention]
Cyber Threat Intelligence Dossier: Iranian and Hamas-Aligned Operations Targeting Israeli and Allied Ecosystems (2023-2026) [Israel Threat Actors CTI · explicit report mention]
Pioneer Kitten (Fox Kitten, Lemon Sandstorm, UNC757) – Actor Deep Research [Israel Threat Actors CTI · explicit report mention]
Release Notes [Israel Threat Actors CTI · explicit report mention]
Report Index [Israel Threat Actors CTI · explicit report mention]
Research Intake Upgrade Summary [Israel Threat Actors CTI · explicit report mention]
Fox Kitten: Widespread Iranian Espionage-Offensive Campaign [ClearSky Cyber Security · actor context]
Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations [FBI / CISA / DC3 · actor context]