Iranian hackers collaborate with ransomware gangs to extort hacked organizations
An Iran-based hacker group called Pioneer Kitten is infiltrating defense, education, financial, and healthcare organizations across the United States, working with partners from multiple ransomware operations to extort victims.

The threat group (also known as Fox Kitten, UNC757 and Parisite) has been active since at least 2017 and is said to have ties to the Iranian government.

As CISA, the FBI, and the U.S. Department of Defense Cyber Crime Center explained today in a joint alert, the attackers are monetizing their access to compromised organizations’ networks by selling domain administrator credentials and full domain control rights on cyber marketplaces, using the handles “Br0k3r” and, more recently, “xplfinder.”

“Recently, the FBI discovered that these actors are working directly with ransomware affiliates to facilitate encryption operations in exchange for a percentage of ransom payments. These actors have worked with ransomware affiliates NoEscape, Ransomhouse, and ALPHV (also known as BlackCat),” the federal authorities said.

“The involvement of Iranian cyber actors in these ransomware attacks goes beyond providing access; they work closely with ransomware partners to lock down victims’ networks and develop strategies to extort victims.”

While Pioneer Kitten works closely with ransomware operators in these attacks, the group keeps its “partners” in the dark: the threat actors do not disclose their nationality or origin to the ransomware operators they work with.

Pioneer Kitten ransomware activity

Since July 2024, Pioneer Kitten threat actors have been looking for Check Point Security Gateways that may be vulnerable to CVE-2024-24919.

In addition, they have been conducting mass scans of Palo Alto Networks PAN-OS and GlobalProtect VPN devices since April 2024, likely as part of a hunt for devices vulnerable to a maximum-severity command injection vulnerability (CVE-2024-3400).

In the past, the threat group has been known to target organizations by exploiting the Citrix Netscaler vulnerabilities CVE-2019-19781 and CVE-2023-3519, as well as CVE-2022-1388 in F5 BIG-IP devices.

In July 2020, Pioneer Kitten was also observed attempting to sell access to compromised networks on underground forums, suggesting an attempt to diversify the hacker group’s revenue streams.

In another joint alert in September 2020, CISA and the FBI warned that the Pioneer Kitten threat group “has the ability and likely intent to deploy ransomware on victims’ networks” and that it had been observed “selling access to compromised network infrastructure in an online hacker forum.”

According to an FBI analysis, the Iran-based hackers are linked to the Iranian government and use the Iranian company name “Danesh Novin Sahand” as a cover. They are also linked to data theft attacks against organizations in Israel and Azerbaijan, carried out in support of Iranian government interests.
