{ "id": "7c27f381-51c8-4995-b076-2ac171d2d963", "created_at": "2026-04-06T00:06:52.643173Z", "updated_at": "2026-04-10T03:33:28.596558Z", "deleted_at": null, "sha1_hash": "01cab90add7c95a0a98599d854af0f78f8688747", "title": "Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations | CISA", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 173996, "plain_text": "Iran-based Cyber Actors Enabling Ransomware Attacks on US\r\nOrganizations | CISA\r\nPublished: 2024-08-28 · Archived: 2026-04-05 15:40:04 UTC\r\nSummary\r\nThe Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department\r\nof Defense Cyber Crime Center (DC3) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders\r\nthat, as of August 2024, a group of Iran-based cyber actors continues to exploit U.S. and foreign organizations. This includes\r\norganizations across several sectors in the U.S. (including in the education, finance, healthcare, and defense sectors as well\r\nas local government entities) and other countries (including in Israel, Azerbaijan, and the United Arab Emirates). The FBI\r\nassesses a significant percentage of these threat actors’ operations against US organizations are intended to obtain and\r\ndevelop network access to then collaborate with ransomware affiliate actors to deploy ransomware. The FBI further assesses\r\nthese Iran-based cyber actors are associated with the Government of Iran (GOI) and—separate from the ransomware activity\r\n—conduct computer network exploitation activity in support of the GOI (such as intrusions enabling the theft of sensitive\r\ntechnical data against organizations in Israel and Azerbaijan).\r\nThis CSA provides the threat actor’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), as\r\nwell as highlights similar activity from a previous advisory (Iran-Based Threat Actor Exploits VPN Vulnerabilities) that the\r\nFBI and CISA published on Sept. 15, 2020. The information and guidance in this advisory are derived from FBI\r\ninvestigative activity and technical analysis of this group’s intrusion activity against U.S. organizations and engagements\r\nwith numerous entities impacted by this malicious activity.\r\nThe FBI recommends all organizations follow guidance provided in the Mitigations section of this advisory to defend\r\nagainst the Iranian cyber actors’ activity.\r\nIf organizations believe they have been targeted or compromised by the Iranian cyber actors, the FBI and CISA recommend\r\nimmediately contacting your local FBI field office for assistance and/or reporting the incident via CISA’s Incident Reporting\r\nForm (see the Reporting section of this advisory for more details and contact methods).\r\nFor more information on Iran state-sponsored malicious cyber activity, see CISA’s Iran Cyber Threat webpage.\r\nDownload the PDF version of this report:\r\nFor a downloadable copy of IOCs, see:\r\nThreat Actor Details\r\nBackground on Threat Group and Prior Activity\r\nThis advisory outlines activity by a specific group of Iranian cyber actors that has conducted a high volume of computer\r\nnetwork intrusion attempts against U.S. organizations since 2017 and as recently as August 2024. Compromised\r\norganizations include U.S.-based schools, municipal governments, financial institutions, and healthcare facilities. This group\r\nis known in the private sector by the names Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon\r\nSandstorm.[1 ][2 ] The actors also refer to themselves by the moniker Br0k3r, and as of 2024, they have been operating\r\nunder the moniker “xplfinder” in their channels. FBI analysis and investigation indicate the group’s activity is consistent\r\nwith a cyber actor with Iranian state-sponsorship.\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a\r\nPage 1 of 10\n\nThe FBI previously observed these actors attempt to monetize their access to victim organizations on cyber marketplaces. A\r\nsignificant percentage of the group’s US-focused cyber activity is in furtherance of obtaining and maintaining technical\r\naccess to victim networks to enable future ransomware attacks. The actors offer full domain control privileges, as well as\r\ndomain admin credentials, to numerous networks worldwide. More recently, the FBI identified these actors collaborating\r\ndirectly with ransomware affiliates to enable encryption operations in exchange for a percentage of the ransom payments.\r\nThese actors have collaborated with the ransomware affiliates NoEscape[3 ], Ransomhouse[4 ], and ALPHV (aka\r\nBlackCat) (#StopRansomware: ALPHV Blackcat). The Iranian cyber actors’ involvement in these ransomware attacks goes\r\nbeyond providing access; they work closely with ransomware affiliates to lock victim networks and strategize on approaches\r\nto extort victims. The FBI assesses these actors do not disclose their Iran-based location to their ransomware affiliate\r\ncontacts and are intentionally vague as to their nationality and origin.\r\nFurthermore, the FBI has historically observed this actor conduct hack-and-leak campaigns, such as the late 2020 campaign\r\nknown as Pay2Key.[5 ],[6 ] The actors operated a .onion site (reachable through the Tor browser) hosted on cloud\r\ninfrastructure registered to an organization previously compromised by the actors. (The actors created the server leveraging\r\ntheir prior access to this victim.) Following the compromise and the subsequent unauthorized acquisition of victim data, the\r\nactors publicized news of their compromise (including on social media), tagging accounts of victim and media\r\norganizations, and leaking victim data on their .onion site. While this technique has traditionally been used to influence\r\nvictims to pay ransoms, the FBI does not believe the objective of Pay2Key was to obtain ransom payments. Rather, the FBI\r\nassesses Pay2Key was an information operation aimed at undermining the security of Israel-based cyber infrastructure.\r\nAttribution Details\r\nFBI investigation identified that the Iranian cyber actors conduct malicious cyber activity, which FBI assessed to be in\r\nsupport of the GOI. The FBI judges this activity to be separate from the previously referenced ransomware-enabling activity.\r\nThis group directs their activity towards countries and organizations consistent with Iranian state interests, and typically not\r\nof interest to the group’s ransomware affiliate contacts, such as U.S. defense sector networks, and those in Israel, Azerbaijan,\r\nUnited Arab Emirates. Instead, it is intended to steal sensitive information from these networks, suggesting the group\r\nmaintains an association with the GOI. However, the group’s ransomware activities are likely not sanctioned by the GOI, as\r\nthe actors have expressed concern for government monitoring of cryptocurrency movement associated with their malicious\r\nactivity.\r\nThe group uses the Iranian company name Danesh Novin Sahand (identification number 14007585836), likely as a cover IT\r\nentity for the group’s malicious cyber activities.\r\nTechnical Details\r\nNote: This advisory uses the MITRE ATT\u0026CK® Matrix for Enterprise framework, version 15.1. See the MITRE\r\nATT\u0026CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT\u0026CK tactics and\r\ntechniques. For assistance with mapping malicious cyber activity to the MITRE ATT\u0026CK framework, see CISA and\r\nMITRE ATT\u0026CK’s Best Practices for MITRE ATT\u0026CK Mapping and CISA’s Decider Tool .\r\nOverview of Observed Tactics, Techniques, and Procedures\r\nThe Iranian cyber actors’ initial intrusions rely upon exploits of remote external services on internet-facing assets to gain\r\ninitial access to victim networks. As of July 2024, these actors have been observed scanning IP addresses hosting Check\r\nPoint Security Gateways, probing for devices potentially vulnerable to CVE-2024-24919. As of April 2024, these actors\r\nhave conducted mass scanning of IP addresses hosting Palo Alto Networks PAN-OS and GlobalProtect VPN devices. The\r\nactors were likely conducting reconnaissance and probing for devices vulnerable to CVE-2024-3400. Historically, this group\r\nhas exploited organizations by leveraging CVE-2019-19781 and CVE-2023-3519 related to Citrix Netscaler, and CVE-2022-1388 related to BIG-IP F5 devices.\r\nReconnaissance, Initial Access, Persistence, and Credential Access\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a\r\nPage 2 of 10\n\nThe actors have been observed using the Shodan search engine to identify and enumerate IP addresses that host devices\r\nvulnerable to a particular CVE. The actors’ initial access is usually obtained via exploiting a public-facing networking\r\ndevice, such as Citrix Netscaler (CVE-2019-19781 and CVE-2023-3519), F5 BIG-IP (CVE-2022-1388), Pulse Secure/Ivanti\r\nVPNs (CVE-2024-21887), and, more recently, PanOS firewalls (CVE-2024-3400) [T1596 ][T1190 ].\r\nFollowing exploitation of vulnerable devices, the actors use the following techniques:\r\nCapture login credentials using webshells on compromised Netscaler devices and append to file named\r\nnetscaler.1 in the same directory as the webshell [T1505.003 ][T1056 ].\r\nCreate the directory /var/vpn/themes/imgs/ on Citrix Netscaler devices to deploy a webshell [T1505.003 ].\r\nMalicious files deployed to this directory include:\r\nnetscaler.1\r\nnetscaler.php\r\nctxHeaderLogon.php\r\nSpecifically related to Netscaler, place additional webshells on compromised devices immediately after system\r\nowners patch the exploited vulnerability [T1505.003 ]. The following file locations and filenames have been\r\nobserved on devices:\r\n/netscaler/logon/LogonPoint/uiareas/ui_style.php\r\n/netscaler/logon/sanpdebug.php\r\nCreate the directory /xui/common/images/ on targeted IP addresses [T1133 ].\r\nCreate accounts on victim networks; observed names include “sqladmin$,” “adfsservice,” “IIS_Admin,” “iis-admin,”\r\nand “John McCain” [T1136.001 ].\r\nRequest exemptions to the zero-trust application and security policies for tools they intend to deploy on a victim\r\nnetwork [T1098 ].\r\nCreate malicious scheduled task SpaceAgentTaskMgrSHR in Windows/Spaceport/ task folder. This task uses a DLL\r\nside-loading technique against the signed Microsoft SysInternals executable contig.exe , which may be renamed to\r\ndllhost.ext , to load a payload from version.dll. This file has been observed being executed from the Windows\r\nDownloads directory [T1053 ]. \r\nPlace a malicious backdoor version.dll in C:\\Windows\\ADFS\\ directory [T1505.003 ].\r\nUse a scheduled task to load malware through installed backdoors [T1053 ].\r\nDeployment of Meshcentral to connect with compromised servers for remote access [T1219 ].\r\nFor persistence and as detection and mitigation occurs, the actors create a daily Windows service task with random\r\neight characters and attempt execution of a similarly named DLL contained in the C:\\Windows\\system32\\drivers \\\r\ndirectory. For example, a service named “test” was observed attempting to load a file located at\r\nC:\\WINDOWS\\system32\\drivers\\test.sys [T1505 ].\r\nExecution, Privilege Escalation, and Defense Evasion\r\nRepurpose compromised credentials from exploiting networking devices, such as Citrix Netscaler, to log into other\r\napplications (i.e., Citrix XenDesktop) [T1078.003 ].\r\nRepurpose administrative credentials of network administrators to log into domain controllers and other\r\ninfrastructure on victim networks [T1078.002 ].\r\nUse administrator credentials to disable antivirus and security software, and lower PowerShell policies to a less\r\nsecure level [T1562.001 ][T1562.010 ].\r\nAttempt to enter security exemption tickets to the network security device or contractor to get the actor’s tools\r\nallowlisted [T1562.001 ].\r\nUse a compromised administrator account to initiate a remote desktop session to another server on the network. In\r\none instance, the FBI observed this technique being used to attempt to start Microsoft Windows PowerShell\r\nIntegrated Scripted Environment (ISE) to run the command “Invoke-WebRequest” with a URI including\r\nfiles.catbox[.]moe . Catbox is a free, online file hosting site the actors use as a repository/hosting mechanism\r\n[T1059.001 ].\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a\r\nPage 3 of 10\n\nDiscovery\r\nExport system registry hives and network firewall configurations on compromised servers [T1012 ].\r\nExfiltrate account usernames from the victim domain controller, as well as access configuration files and logs—\r\npresumably to gather network and user account information for use in further exploitation efforts [T1482 ].\r\nCommand and Control\r\nInstall “AnyDesk” remote access program as a backup access method [T1219 ].\r\nEnable servers to use Windows PowerShell Web Access [T1059.001 ].\r\nUse the open source tunneling tool Ligolo (ligolo/ligolo-ng) [T1572 ].\r\nUse NGROK (ngrok[.]io) deployment to create outbound connections to a random subdomain [T1572 ].\r\nExfiltration and Impact\r\nAfter infiltrating victim networks, the actors collaborate with ransomware affiliates (including NoEscape, Ransomhouse,\r\nand ALPHV [aka BlackCat]) in exchange for a percentage of the ransom payments by providing affiliates with access to\r\nvictim networks, locking victim networks, and strategizing to extort victims [T1657 ]. The actors also conduct what is\r\nassessed to be separate set of malicious activity—stealing sensitive data from victims [TA0010 ], likely in support of the\r\nGOI.\r\nMITRE ATT\u0026CK Tactics and Techniques\r\nSee Table 1 to Table 9 for all referenced threat actor tactics and techniques in this advisory.\r\nTable 1. Reconnaissance\r\nTechnique Title ID Use or Assessed Use\r\nSearch Open Technical\r\nDatabases\r\nT1596 Iranian cyber actors use Shodan ( Shodan[.]io ) to identify internet\r\ninfrastructure hosting devices vulnerable to particular CVEs.\r\nTable 2. Initial Access\r\nTechnique Title ID Use or Assessed Use\r\nExploit Public-Facing\r\nApplication\r\nT1190\r\nIranian cyber actors scan and exploit public-facing networking devices,\r\nincluding the following devices and associated CVEs:\r\nCitrix Netscaler (CVEs-2019-19781 and CVE-2023-3519)\r\nF5 BIG-IP (CVE-2022-1388)\r\nPulse Secure/Ivanti VPNs (CVE-2024-21887)\r\nPanOS firewalls (CVE-2024-3400)\r\nCheck Point Security Gateways (CVE-2024-24919)\r\nExternal Remote\r\nServices\r\nT1133 Iranian cyber actors create /xui/common/images/ directory on targeted IP\r\naddresses.\r\nTable 3. Persistence\r\nTechnique Title ID Use or Assessed Use\r\nServer Software\r\nComponent: Web\r\nShell\r\nT1505.003 Iranian cyber actors capture login credentials on compromised Netscaler devices\r\nvia deployed webshell; create a directory on Netscaler devices for webshell\r\ndeployment; deploy webshells on compromised Netscaler devices in two\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a\r\nPage 4 of 10\n\nTechnique Title ID Use or Assessed Use\r\ndirectories (observed closely after system owning patching); and place the\r\nmalicious backdoor version.dll .\r\nCreate Account\r\n(Local Account)\r\nT1136.001\r\nIranian cyber actors create local accounts on victim networks.\r\nAccount\r\nManipulation\r\nT1098\r\nIranian cyber actors request exemptions to zero-trust application for tools they\r\nintend to deploy.\r\nScheduled\r\nTask/Job\r\nT1053\r\nIranian cyber actors implement a scheduled task that uses a DLL side-loading\r\ntechnique and a scheduled task that loads malware through back doors.\r\nServer Software\r\nComponent\r\nT1505\r\nIranian cyber actors implement the daily creation of a Windows service task for\r\npersistence as detection and mitigation occur.\r\nTable 4. Privilege Escalation\r\nTechnique Title ID Use or Assessed Use\r\nValid Accounts: Local\r\nAccounts\r\nT1078.003 Iranian cyber actors repurpose compromised credentials (e.g., from a\r\nNetscaler device) to log into other applications.\r\nValid Accounts:\r\nDomain Accounts\r\nT1078.002 Iranian cyber actors repurpose administrative credentials of network admins\r\nto log into domain controllers and other infrastructure.\r\nTable 5. Defense Evasion\r\nTechnique Title ID Use or Assessed Use\r\nImpair Defenses: Disable\r\nor Modify Tools\r\nT1562.001 Iranian cyber actors use administrator credentials to disable antivirus and\r\nsecurity software.\r\nImpair Defenses: Disable\r\nor Modify Tools\r\nT1562.001 Iranian cyber actors attempt to enter security exemption tickets to the\r\nnetwork security device or contractor to get their tools allowlisted.\r\nImpair Defenses:\r\nDowngrade Attack\r\nT1562.010\r\nIranian cyber actors lower PowerShell policies to a less secure level.\r\nTable 6. Credential Access\r\nTechnique\r\nTitle\r\nID Use or Assessed Use\r\nInput Capture\r\nT1056\r\n \r\nIranian cyber actors capture login credentials on compromised Netscaler devices via a\r\ndeployed webshell.\r\nTable 7. Execution\r\nTechnique Title ID Use or Assessed Use\r\nCommand and Scripting\r\nT1059.001 Iranian cyber actors use an admin account to initiate a remote desktop\r\nsession to start Microsoft Windows PowerShell ISE.\r\nCommand and Scripting\r\nInterpreter\r\nT1059.001 Iranian cyber actors enable servers to use Windows PowerShell Web\r\nAccess.\r\nTable 8. Discovery\r\nTechnique Title ID Use or Assessed Use\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a\r\nPage 5 of 10\n\nTechnique Title ID Use or Assessed Use\r\nQuery Registry\r\nT1012\r\nIranian cyber actors export registry hives and network firewall configurations.\r\nDomain Trust\r\nDiscovery\r\nT1482 Iranian cyber actors exfiltrate account usernames from the domain controller and\r\naccess configuration files and logs.\r\nTable 9. Command and Control\r\nTechnique Title ID Use or Assessed Use\r\nRemote Access\r\nSoftware\r\nT1219\r\nIranian cyber actors install “AnyDesk” remote access program.\r\nIranian cyber actors deploy Meshcentral to connect with compromised servers for\r\nremote access.\r\nProtocol\r\nTunneling\r\nT1572 Iranian cyber actors use ligolo / ligolo-ng for open source tunneling and\r\nngrok[.]io NGROK to create outbound connections to a random subdomain.\r\nIndicators of Compromise\r\nIP Address and Domain Identifiers\r\nDisclaimer: The IP addresses and domains listed in Table 10 were observed in use by the actors in the specified timeframes\r\nin 2024. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such\r\nas blocking.\r\nComment: In addition to the infrastructure provided in the table below, the FBI and CISA warn that these actors are known\r\nto leverage information obtained through intrusions into cloud-computing resources associated with victim organizations.\r\nThe actors have used this cloud infrastructure to conduct further cyber operations targeting other organizations. The FBI\r\nobserved use of this tradecraft against U.S. academic and defense sectors, but it could theoretically be used against any\r\norganization. The FBI and CISA warn that if these actors compromised your organization, they may be leveraging your\r\ncloud services accounts to conduct malicious cyber activity and target other victims. The FBI has observed instances of the\r\nactors using compromised cloud service accounts to transmit data stolen from other compromised organizations.\r\nTable 10. Indicators of Compromise – Recent\r\nIndicator First Seen Most Recently Observed Date\r\n138.68.90[.]19 January 2024 August 2024\r\n167.99.202[.]130 January 2024 August 2024\r\n78.141.238[.]182 July 2024 August 2024\r\n51.16.51[.]81 January 2024 August 2024\r\n51.20.138[.]134 February 2024 August 2024\r\n134.209.30[.]220 March 2024 August 2024\r\n13.53.124[.]246 February 2024 August 2024\r\napi.gupdate[.]net September 2022 August 2024\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a\r\nPage 6 of 10\n\nIndicator First Seen Most Recently Observed Date\r\ngithubapp[.]net February 2024 August 2024\r\nDisclaimer: The infrastructure in Table 11 reflects historical IP addresses and domains associated with these actors. This\r\ndata is being provided for informational purposes and to enable better tracking and attribution of these actors. The FBI and\r\nCISA do not recommend blocking of the indicators in Table 11 based solely on their inclusion in this CSA.\r\nTable 11. Indicators of Compromise – Historical\r\nIndicator First Seen Most Recently Observed Date\r\n18.134.0[.]66 September 2023 November 2023\r\n193.149.190[.]248 September 2023 January 2024\r\n45.76.65[.]42 September 2023 December 2023\r\n206.71.148[.]78 October 2023 January 2024\r\n193.149.187[.]41 October 2023 November 2023\r\nlogin.forticloud[.]online October 2023 November 2023\r\nfortigate.forticloud.[]online October 2023 November 2023\r\ncloud.sophos[.]one October 2023 November 2023\r\nActor Identifiers\r\nDisclaimer: The FBI observed the following identifiers associated with the Iranian cyber group and their ransomware\r\naffiliates. The FBI is providing this information to enable improved threat actor identification and tracking of malicious\r\ncyber activity. Please see Appendix A for list of TOX identifiers.\r\nThe FBI observed the threat actors to be associated with the following bitcoin address values:\r\nbc1q8n7jjgdepuym825zwwftr3qpem3tnjx3m50ku0\r\nbc1qlwd94gf5uhdpu4gynk6znc5j3rwk9s53c0dhjs\r\nbc1q2egjjzmchtm3q3h3een37zsvpph86hwgq4xskh\r\nbc1qjzw7sh3pd5msgehdaurzv04pm40hm9ajpwjqky\r\nbc1qn5tla384qxpl6zt7kd068hvl7y4a6rt684ufqp\r\nbc1ql837eewad47zn0uzzjfgqjhsnf2yhkyxvxyjjc\r\nbc1qy8pnttrfmyu4l3qcy59gmllzqq66gmr446ppcr\r\nbc1q6620fmev7cvkfu82z43vwjtec6mzgcp5hjrdne\r\nbc1qr6h2zcxlntpcjystxdf7qy2755p25yrwucm4lq\r\nbc1qx9tteqhama2x2w9vwqsyny6hldh8my8udx5jlm\r\nbc1qz75atxj4dvgezyuspw8yz9khtkuk5jpdgfauq8\r\nbc1q6w2an66vrje747scecrgzucw9ksha66x9zt980\r\nbc1qsn4l6h3mhyhmr72vw4ajxf2gr74hwpalks2tp9\r\nbc1qtjhvqkun4uxtr4qmq6s3f7j49nr4sp0wywp489\r\nMitigations\r\nThe FBI and CISA recommend all organizations implement the mitigations listed below to improve their cybersecurity\r\nposture based on the Iranian cyber group’s activity. The FBI judges the group’s targeting is primarily based on the\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a\r\nPage 7 of 10\n\nidentification of devices vulnerable to CVEs named in this notification (see Technical Details section for a list of CVEs). As\r\nsuch, any U.S. organization deploying software with these vulnerabilities may be targeted for further exploitation and should\r\nfollow this guidance to defend against exploitation by this group.\r\nThese mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the\r\nNational Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that\r\nCISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity\r\nframeworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures.\r\nVisit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional\r\nrecommended baseline protections.\r\nThe FBI and CISA recommend all organizations implement the following mitigations:\r\nReview available logs for IP addresses in Table 10 for indications of traffic with your organization’s network in the\r\nprovided timeframes [CPG 3.A]. The indicators in Table 11 should also be reviewed to identify historical activity or\r\nincidents which may have previously been identified by your organization.\r\nApply patches and/or mitigations for CVE-2024-3400, CVE-2022-1388, CVE-2019-19781, and CVE-2023-3519\r\n[CPG 1.E].\r\nBe advised, patching for the above referenced CVEs may be insufficient to mitigate malicious activity if your\r\nnetwork has already been compromised by these actors while the network device was vulnerable. Additional\r\ninvestigation into the use of stolen credentials (e.g., via the webshell on Netscaler devices) is strongly\r\nencouraged to identify threat actor attempts to establish footholds on other parts of the network [CPG 3.A].\r\nCheck your systems for the unique identifiers and TTPs used by the actors when operating on compromised\r\nnetworks, including creation of specific usernames, use of NGROK and Ligolo, and deployment of webshells in\r\nspecific directories [CPG 3.A].\r\nCheck your systems for outbound web requests to files.catbox[.]moe and ***.ngrok[.]io [CPG 3.A].\r\nValidate Security Controls\r\nIn addition to applying mitigations, the FBI and CISA recommend exercising, testing, and validating your organization's\r\nsecurity program against the threat behaviors mapped to the MITRE ATT\u0026CK for Enterprise framework in this advisory.\r\nThe authoring agencies recommend testing your existing security controls inventory to assess how they perform against the\r\nATT\u0026CK techniques described in this advisory.\r\nTo get started:\r\n1. Select an ATT\u0026CK technique described in this advisory (see Table 2 to Table 10).\r\n2. Align your security technologies against the technique.\r\n3. Test your technologies against the technique.\r\n4. Analyze your detection and prevention technologies’ performance.\r\n5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.\r\n6. Tune your security program, including people, processes, and technologies, based on the data generated by this\r\nprocess.\r\nReferences\r\n1. Fox Kitten, UNC757, Parisite, Pioneer Kitten, RUBIDIUM, Lemon Sandstorm, Group G0117 | MITRE ATT\u0026CK®\r\n \r\n2. PIONEER KITTEN: Targets \u0026 Methods [Adversary Profile] (crowdstrike.com)\r\n3. NoEscape - SentinelOne\r\n4. RansomHouse - SentinelOne\r\n5. Pay2Key, Software S0556 | MITRE ATT\u0026CK®\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a\r\nPage 8 of 10\n\n6. Pay2Key Ransomware Alert - Check Point Research\r\nReporting\r\nYour organization has no obligation to respond or provide information back to the FBI in response to this joint advisory. If,\r\nafter reviewing the information provided, your organization decides to provide information to the FBI, reporting must be\r\nconsistent with applicable state and federal laws.\r\nRansomware Incidents\r\nThe FBI and CISA are interested in any information that can be shared in the case of a ransomware incident, to include\r\nboundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat\r\nactors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.\r\nAdditional details of interest include a targeted company point of contact, status and scope of infection, estimated loss,\r\noperational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based\r\nindicators.\r\nThe FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered.\r\nFurthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to\r\nengage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have\r\ndecided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI’s Internet Crime\r\nComplain Center (IC3), your local FBI Field Office, or CISA via the agency’s Incident Reporting Form or its 24/7\r\nOperations Center (report@cisa.gov ), or by calling 1-844-Say-CISA (1-844-729-2472).\r\nOther Incidents\r\nU.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to the\r\nFBI’s Internet IC3 or your local FBI Field Office. Report suspicious or malicious cyber activity to CISA via the agency’s\r\nIncident Reporting Form or its 24/7 Operations Center (report@cisa.gov ) or by calling 1-844-Say-CISA (1-844-729-\r\n2472). When available, please include the following information regarding the incident: date, time, and location of the\r\nincident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting\r\ncompany or organization; and a designated point of contact.\r\nDisclaimer\r\nThe information in this report is being provided “as is” for informational purposes only. The FBI and CISA do not endorse\r\nany commercial entity, product, company, or service, including any entities, products, or services linked within this\r\ndocument. Any reference to specific commercial entities, products, processes, or services by service mark, trademark,\r\nmanufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI and CISA.\r\nVersion History\r\nAugust 20, 2024: Initial version.\r\nAppendix A: TOX Identifiers\r\nTOX Identifier TOX Public Key Comment\r\nxplfinder ea2ec0c3859d8d8c36d95a298beef6d7add17856655bfbea2554b8714f7c7c69\r\nIranian\r\ncyber grou\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a\r\nPage 9 of 10\n\nTOX Identifier TOX Public Key Comment\r\nBr0k3r B761680E23F2EBB5F6887D315EBD05B2D7C365731E093B49ADB059C3DCCAA30C\r\nIranian\r\ncyber grou\r\nAccess 185ADA4556737A4F26AE16F1A99CA82AB5684C32719EE426C420C0BC14384A0A\r\nRansomw\r\naffiliate\r\nAdmin ALPHV aka\r\nBlackCat\r\n3488458145EB62D7D3947E3811234F4663D9B5AEEF6584AB08A2099A7F946664\r\nRansomw\r\naffiliate\r\nAdmin_NoEscape 0A6F992E1372DB4F245595424A7436EBB610775D6ADDC4D568ACC2AF5D315221\r\nRansomw\r\naffiliate\r\nAmericano_Sneeckers 14F8AD7D1553D1A47CF4C9E7BEDABCC5B759C86E54C636175A472C11D7DEC70F\r\nRansomw\r\naffiliate\r\nBettersock 2C76104C9AAAF32453A814C227E7D9D755451B551A3FD30D2EA332DF396B3A31\r\nRansomw\r\naffiliate\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a\r\nPage 10 of 10", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a" ], "report_names": [ "aa24-241a" ], "threat_actors": [ { "id": "921cea27-4410-42e4-8c11-7d40ba313225", "created_at": "2023-01-06T13:46:39.375789Z", "updated_at": "2026-04-10T02:00:03.307063Z", "deleted_at": null, "main_name": "RansomHouse", "aliases": [], "source_name": "MISPGALAXY:RansomHouse", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2c348851-5036-406b-b2d1-1ca47cfc7523", "created_at": "2022-10-25T16:07:24.039861Z", "updated_at": "2026-04-10T02:00:04.847961Z", "deleted_at": null, "main_name": "Parisite", "aliases": [ "Cobalt Foxglove", "Fox Kitten", "G0117", "Lemon Sandstorm", "Parisite", "Pioneer Kitten", "Rubidium", "UNC757" ], "source_name": "ETDA:Parisite", "tools": [ "Cobalt", "FRP", "Fast Reverse Proxy", "Invoke the Hash", "JuicyPotato", "Ngrok", "POWSSHNET", "Pay2Key", "Plink", "Port.exe", "PuTTY Link", "SSHMinion", "STSRCheck", "Serveo" ], "source_id": "ETDA", "reports": null }, { "id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b", "created_at": "2022-10-25T16:07:23.303713Z", "updated_at": "2026-04-10T02:00:04.530417Z", "deleted_at": null, "main_name": "ALPHV", "aliases": [ "ALPHV", "ALPHVM", "Ambitious Scorpius", "BlackCat Gang", "UNC4466" ], "source_name": "ETDA:ALPHV", "tools": [ "ALPHV", "ALPHVM", "BlackCat", "GO Simple Tunnel", "GOST", "Impacket", "LaZagne", "MEGAsync", "Mimikatz", "Munchkin", "Noberus", "PsExec", "Remcom", "RemoteCommandExecution", "WebBrowserPassView" ], "source_id": "ETDA", "reports": null }, { "id": "6e3ba400-aee3-4ef3-8fbc-ec07fdbee46c", "created_at": "2025-08-07T02:03:24.731268Z", "updated_at": "2026-04-10T02:00:03.651425Z", "deleted_at": null, "main_name": "COBALT FOXGLOVE", "aliases": [ "Fox Kitten ", "Lemon Sandstorm ", "Parisite ", "Pioneer Kitten ", "RUBIDIUM ", "UNC757 " ], "source_name": "Secureworks:COBALT FOXGLOVE", "tools": [ "Chisel", "FRP (Fast Reverse Proxy)", "Mimikatz", "Ngrok", "POWSSHNET", "STSRCheck", "Servo", "n3tw0rm ransomware", "pay2key ransomware" ], "source_id": "Secureworks", "reports": null }, { "id": "871acc40-6cbf-4c81-8b40-7f783616afbc", "created_at": "2023-01-06T13:46:39.156237Z", "updated_at": "2026-04-10T02:00:03.232876Z", "deleted_at": null, "main_name": "Fox Kitten", "aliases": [ "UNC757", "Lemon Sandstorm", "RUBIDIUM", "PIONEER KITTEN", "PARISITE" ], "source_name": "MISPGALAXY:Fox Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d070e12b-e1ce-4d8d-b5e3-bc71960cc0cb", "created_at": "2022-10-25T15:50:23.676504Z", "updated_at": "2026-04-10T02:00:05.260839Z", "deleted_at": null, "main_name": "Fox Kitten", "aliases": [ "Fox Kitten", "UNC757", "Parisite", "Pioneer Kitten", "RUBIDIUM", "Lemon Sandstorm" ], "source_name": "MITRE:Fox Kitten", "tools": [ "China Chopper", "Pay2Key", "ngrok", "PsExec" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434012, "ts_updated_at": 1775792008, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/01cab90add7c95a0a98599d854af0f78f8688747.pdf", "text": "https://archive.orkl.eu/01cab90add7c95a0a98599d854af0f78f8688747.txt", "img": "https://archive.orkl.eu/01cab90add7c95a0a98599d854af0f78f8688747.jpg" } }