
Pioneer Kitten

pioneer-kitten · primary source: CrowdStrike · first observed 2016
IR · Iran · State-sponsored · High confidence · last cited Aug 27, 2024 · 1.7y ago

Iranian state-affiliated intrusion set publicly attributed by FBI, CISA, and DC3 in joint advisory AA24-241A as connected to the Government of Iran and operating partly through an Iranian IT-services front company. Operates as an initial-access broker: weaponizes edge-device n-days (Citrix NetScaler, F5 BIG-IP, Pulse Connect Secure, Check Point Security Gateways) to obtain footholds at U.S., Israeli, and UAE targets, then sells access to or collaborates with ransomware affiliates including ALPHV/BlackCat and NoEscape to deploy ransomware downstream.

Aliases

  • Fox Kitten (source: Other)
  • Lemon Sandstorm (source: Microsoft)
  • UNC757 (source: Mandiant)
  • Parisite (source: Other)
  • RUBIDIUM (source: Microsoft)

Motivations

  • espionage
  • financial gain
  • access brokerage

Target sectors

  • education
  • financial
  • healthcare
  • defense
  • government

Target countries

  • US
  • IL
  • AE
  • AZ
  • GB

Lineage & relationships

  • Pioneer Kitten (this actor) is affiliated with ALPHV/BlackCat (ransomware)

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • Pioneer Kitten
  • Iran
  • espionage
  • financial gain
  • access brokerage
Capability
Infrastructure
  • githubapp.net
  • 138.68.90.19
  • api.gupdate.net
Victim
  • education
  • financial
  • healthcare
  • US
  • IL
  • +1 more

MITRE ATT&CK techniques

Timeline

1 event

Indicators of compromise

4 indicators
Type: Domain
Value: githubapp[.]net
First seen: Jan 31, 2024
Source: CISA
Notes: Pioneer Kitten infrastructure domain listed in CISA AA24-241A Table 10 (Indicators of Compromise - Recent). First observed February 2024 and still active through August 2024 per the joint FBI/CISA/DC3 advisory.

Type: IPv4
Value: 138[.]68[.]90[.]19
First seen: Dec 31, 2023
Source: CISA
Notes: DigitalOcean-hosted IP observed by FBI in Pioneer Kitten operations January-August 2024, listed in Table 10 of CISA AA24-241A. The group exploits edge devices (Citrix NetScaler CVE-2019-19781/CVE-2023-3519, F5 BIG-IP CVE-2022-1388, Ivanti CVE-2024-21887, PAN-OS CVE-2024-3400, Check Point CVE-2024-24919) for initial access.

Type: Name
Value: netscaler.1
First seen: Sep 30, 2023
Source: CISA
Notes: Credential-capturing webshell artifact dropped by Pioneer Kitten on compromised Citrix NetScaler appliances. The file collects login credentials and is placed in the same directory as a PHP webshell (ctxHeaderLogon.php / netscaler.php) per CISA AA24-241A.

Type: Domain
Value: api[.]gupdate[.]net
First seen: Aug 31, 2022
Source: CISA
Notes: Recent infrastructure domain listed in Table 10 of CISA AA24-241A (FBI/CISA/DC3 joint advisory, 28 Aug 2024) on Iran-based Pioneer Kitten / Fox Kitten / UNC757 / Parisite / Lemon Sandstorm / Br0k3r, which enables the ransomware affiliates NoEscape, RansomHouse and ALPHV/BlackCat. First observed September 2022, most recently August 2024.

Related actors

shared ATT&CK techniques

References


Threat Intel Tracker. (2026-05-19). Pioneer Kitten — actor profile. Retrieved from https://threatintel.local/actors/pioneer-kitten

latest cited activity · 2024-08-28 · 4 cataloged indicators