An Iran-based hacking group known as Pioneer Kitten is breaching defense, education, finance, and healthcare organizations across the United States and working with affiliates of several ransomware operations to extort the victims.

The threat group (also tracked as Fox Kitten, UNC757, and Parisite) has been active since at least 2017 and is believed to have a suspected nexus to the Iranian government.

The Iran-based hackers are associated with the Government of Iran (GOI), and they’re also behind data theft attacks targeting organizations in Israel and Azerbaijan in support of the GOI’s interests, according to the FBI.

As CISA, the FBI, and the Defense Department’s Cyber Crime Center warned today in a joint advisory, the attackers are monetizing their access to compromised organizations’ networks by selling domain admin credentials and full domain control privileges on cyber marketplaces while using the ‘Br0k3r’ and, more recently, ‘xplfinder’ handles.

“More recently, the FBI identified these actors collaborating directly with ransomware affiliates to enable encryption operations in exchange for a percentage of the ransom payments. These actors have collaborated with the ransomware affiliates NoEscape, Ransomhouse, and ALPHV (aka BlackCat),” the federal agencies said.

“The Iranian cyber actors’ involvement in these ransomware attacks goes beyond providing access; they work closely with ransomware affiliates to lock victim networks and strategize on approaches to extort victims.”

While working closely with ransomware operators in these attacks, Pioneer Kitten keeps its “partners” in the dark since the threat actors don’t disclose their nationality and origin to the ransomware operators they work with.

As of July 2024, Pioneer Kitten threat actors have been scanning for Check Point Security Gateways potentially vulnerable to CVE-2024-24919.

Also, since April 2024, they’ve also conducted mass scans for Palo Alto Networks PAN-OS and GlobalProtect VPN devices, likely as part of probing for devices vulnerable to a maximum severity command injection vulnerability (CVE-2024-3400).

Historically, the threat group has been known for targeting organizations by leveraging Citrix Netscaler CVE-2019-19781 and CVE-2023-3519 exploits, and CVE-2022-1388 exploits against BIG-IP F5 devices.

Pioneer Kitten was also seen trying to sell access to compromised networks on underground forums in July 2020, pointing to an attempt to diversify the hacking group’s revenue stream.

In another joint advisory issued in September 2020, CISA and the FBI warned that the Pioneer Kitten threat group “has the capability, and likely the intent, to deploy ransomware on victim networks” and that they’ve been spotted “selling access to compromised network infrastructure in an online hacker forum.”