Nation-State Actor
Pioneer Kitten
Iran • Active since 2017
Pioneer Kitten breaks into companies through VPN bugs and then sells that access to ransomware gangs. They work for Iran but also make money on the side selling access to criminals.
Overview
Pioneer Kitten is an Iranian threat group that focuses on exploiting VPN and network appliance vulnerabilities. They also sell access to compromised networks to ransomware operators.
Also Known As
Fox Kitten, Parasite, Parisite, UNC757
Target Industries
IT Services, Government, Healthcare, Finance, Defense
Target Regions
United States, Israel, Europe, Middle East
Tactics, Techniques & Procedures
- VPN appliance exploitation
- Network access brokering
- Ransomware partnership
- Pulse Secure/Citrix/F5 targeting
- SSH tunneling
Known Tools & Malware
Chisel, FRPC, Custom SSH tunnels, Pay2Key, Web shells
Notable Campaigns
VPN Exploitation Campaign (2020)
Mass exploitation of VPN vulnerabilities in Pulse Secure and Citrix.
Ransomware Collaboration (2024)
FBI advisory about the group selling access to ransomware affiliates.
MITRE ATT&CK Techniques
T1190, T1133, T1572, T1021.004, T1486
Defense Recommendations
1. Patch VPN appliances immediately
2. Monitor for tunneling indicators
3. Review network appliance logs