{
	"id": "c152b7da-d1fc-4440-96dc-ba97fa16015e",
	"created_at": "2026-04-06T00:07:09.605864Z",
	"updated_at": "2026-04-10T03:33:28.642361Z",
	"deleted_at": null,
	"sha1_hash": "07d89b2e55523f0118e6d684092b7fb8b7c99787",
	"title": "Analysis of Fox Kitten Infrastructure Reveals Unique Host Patterns and Potentially New IOCs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 151555,
	"plain_text": "Analysis of Fox Kitten Infrastructure Reveals Unique Host\r\nPatterns and Potentially New IOCs\r\nBy Jean Pierre Ruiz Ocampo\r\nPublished: 2025-01-07 · Archived: 2026-04-05 20:48:56 UTC\r\nExecutive Summary\r\nBackground\r\nOn August 28, 2024, the Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency\r\n(CISA), and the Department of Defense Cyber Crime Center (DC3) published a joint Cybersecurity Advisory\r\n(CSA) “to warn network defenders that, as of August 2024, a group of Iran-based cyber actors” (aka “Fox Kitten”)\r\n“continues to exploit U.S. and foreign organizations.”[1] The CSA included a list of 17 IOCs (12 IP\r\naddresses/hosts, five domain names) with “First Seen” and “Most Recently Observed” dates but added that defenders\r\nshould “investigate or vet these IP addresses prior to taking action….” and “[T]he FBI and CISA do not\r\nrecommend blocking of the indicators in Table 11 based solely on their inclusion in this CSA.”\r\nCensys’ Perspective\r\nCensys assisted defenders in these tasks of investigation and vetting by leveraging its historical, global internet\r\nperspective to analyze the IOCs’ profiles during the timeframe of nefarious activity outlined in the CSA. This\r\nallows defenders to compare those historical profiles against the hosts’ current dispositions and determine if\r\nenough similarities exist to recommend blocking the IOCs in question.\r\nCensys’ Findings\r\nBy investigating the hosts connected to the IOC IPs as well as the hosts and certificates connected to the domain\r\nIOCs listed in the FBI/CISA Advisory for Fox Kitten, Censys was able to uncover extremely unique patterns\r\namongst these hosts over time. 
These patterns were then used in searches to:\r\nFind active hosts not mentioned in the Advisory that have:\r\nMatching patterns and Autonomous Systems (ASs) as Hosts D, E, \u0026 G from the report, and\r\ncould be part of the same infrastructure to possibly be used in future attacks\r\nMatching domain IOCs to Host G and matching ASs to Hosts J \u0026 C from the report and could be\r\npart of the same infrastructure to possibly be used in future attacks\r\nIdentify timeframes outside of those specified in the Advisory where IOC hosts appear similar or identical\r\nto the timeframes of nefarious activities, possibly indicating previously unknown durations of threat\r\nactivity\r\nFind current certificates with matching domain IOCs that could be used on future hosts.\r\nAnalysis\r\nhttps://censys.com/analysis-of-fox-kitten-infrastructure-reveals-unique-host-patterns-and-potentially-new-iocs/\r\nPage 1 of 6\n\nCensys uncovered unique and unusual patterns observed historically on the IOC hosts that seem to have no\r\nknown, legitimate use. Therefore, the active hosts that match these patterns, discovered via Censys Search are, at\r\nworst, part of the Fox Kitten infrastructure and at best, still worth consideration for cyber defenders to guard\r\nagainst as they seem to have no legitimate business function. 
The same can be said for the two active hosts that\r\nhave matching domain IOCs.\r\nFox Kitten Analysis Link Diagram\r\nLink analysis diagram of Indicators of Compromise (IOCs) listed in Joint CSA AA24-241A\r\nConsolidated list of IOCs from Joint CSA AA24-241A\r\nKey Findings\r\nCommonalities Amongst IP IOCs from Report\r\n9 of the 12 hosts share geolocations\r\n7 hosts = London, UK (Hosts B, C, F, H, I, K, L)\r\n2 hosts = Stockholm, SWE (Hosts E, G)\r\n1 host each = Frankfurt, DE (Host A); Los Angeles, US (Host J); Tel Aviv, IS (Host D)\r\nAll of the hosts have an Autonomous System Number in common with at least one other host from the\r\ngroup\r\nAS 14061 (DIGITALOCEAN-ASN) = Hosts A, B, F\r\nAS 16509 (AMAZON-02) = Hosts D, E, G, H\r\nAS 399629 (BLNWX) = Hosts I, K, L\r\nAS 20473 (AS-CHOOPA) = Hosts C, J\r\nHosts D, E \u0026 G are not “identical” but share nearly identical patterns of ports, certificate names, and\r\nsoftware/HTTP Titles; these patterns match findings from a Censys Mirth Connect blog from May 2024.\r\nAn assessment from the blog stated that hosts with these characteristics indicated “a particular variety of\r\nhoneypot-like entities that seem designed to catch internet scanners.”\r\nPatterns during times of interest from the report include:\r\nA long list (20+) of open services/ports, the vast majority of which are HTTP\r\nHTTP ports with HTML Titles and/or software fingerprints for\r\nMirth Connect (also covered in Censys Rapid Response (RR) blog)\r\nIvanti Connect Secure (covered in RR blog, RR 08APR24 Advisory)\r\nRay Dashboard (covered in RR 28MAR24 Advisory)\r\nF5 BIG-IP (covered in RR blog)\r\nConfluence\r\nKACE\r\nJetBrains Team City (only Host G)\r\nManageEngine (only Host G)\r\nCertificates presented on HTTP ports that are seemingly random, but reuse a list 
of names to appear part of\r\nlegitimate organizations, including “futureenergy.us,” “next-finance.mil,” “schneider-electric.oil-bright.mil”\r\netc. The subdomains listed in some of the certificates include some of the same software types listed above\r\nincluding “kace”, “bigip” and “fortinet.”\r\nNote: Using the ‘tarpit’ label in Censys Search (especially on the same AS as Hosts D, E, \u0026 G) will help analysts\r\nfind more of these same hosts with certificates matching the same pattern as the ones mentioned above.\r\nAnalysis: It appears that the owners/operators of the IOC hosts may have been attempting to obfuscate relations\r\nbetween the hosts by choosing various ASs, locations, certificates and port configurations among other\r\ntechniques; however, by viewing the profiles of these IOC hosts in totality, patterns emerge that link the hosts.\r\nThese links, coupled with their identification as IOCs by the FBI/CISA/DC3, further the claim that they are\r\nrelated to nefarious activity.\r\nCommonalities in Initial Hosts Used to Uncover Possible Additional Infrastructure Not\r\nMentioned in FBI/CISA Report\r\nA search conducted for the “tarpit” label (indicating hosts with an unusually high number of ports open on\r\na host) on Censys Search within the same ASN as Hosts D, E, \u0026 G reveals a total of 38,862 hosts globally\r\nthat seem to match the same patterns of Hosts D, E, \u0026 G of:\r\nA long list (20+) of open services/ports, the vast majority of which are HTTP\r\nThose HTTP ports with running software that includes the list above but also includes Easy IO 30P,\r\nCheck Point (Check Point Security Gateways was also listed as a targeted software product in the\r\nFBI/CISA Advisory), and PanOS (again, listed in the FBI/CISA Advisory as targeted).\r\nCertificates on the HTTP ports follow the same pattern as those on Hosts D, E, \u0026 G\r\nNote: Host G exhibited these patterns in SEP \u0026 NOV23\r\nAnalysis: While further confirmation will be needed, 
it is logical that these hosts may be part of the same\r\ninfrastructure owned by the Fox Kitten group due to the amount of similarities between the hosts found through\r\nthese searches and the known bad actor Hosts D, E, \u0026 G listed in the FBI/CISA Advisory. This information can be\r\nused by organizations to add to watchlists or blacklists, especially if those hosts match the AS, country of origin,\r\nor have similar octets to the IPs uncovered via this search.\r\nCensys Observed 3 Domain IOCs on IOC IPs\r\nIOC 1 (api.gupdate[.]net) was observed by Censys in the Forward DNS records of Host C as early as\r\n14APR24 which is outside the activity time frame of July – August 2024 in the Advisory. The domain IOC\r\nwas also in name fields of certificates on the same host as early as 27MAY24.\r\nIOC 2 (githubapp[.]net) was observed first by Censys in the Forward DNS records of Host G on 24FEB24\r\nwhich coincides with the first active timeframe for this host in the Advisory. The IOC is still active on this\r\nhost and others as of the time of this report.\r\nIOCs 3 \u0026 4 (login.forticloud[.]online \u0026 fortigate.forticloud[.]online) were not observed historically on any\r\nhosts nor on any current hosts. However, the words “fortios,” “fortiproxy,” and “fortinet” have appeared on\r\ncertificates of Hosts D, G and other hosts mentioned in this report that match their patterns.\r\nIOC 5 (cloud.sophos[.]one) was observed by Censys in the Forward DNS records of Host K on 03OCT23.\r\nThis corresponds to the first active timeframe for this host as a part of Fox Kitten in the FBI/CISA\r\nAdvisory of October 2023. 
IOC 5 is not currently observed on any active hosts.\r\nCensys Observed Domain IOC 2 on Three Current/Active IPs Not Mentioned in the Advisory\r\nA search for IOC 2 on active hosts in Censys Search indicates that IOC 2 is currently in the forward DNS records\r\nof Host O as well as in certificates on Hosts M \u0026 N, none of which were mentioned in the Advisory. Host O\r\nshares an AS with Hosts D, E, G, and H and Hosts M \u0026 N share an AS with Hosts C \u0026 J.\r\nRecommendation: Defenders should consider adding these host IPs (M= 64.176.165[.]17; N= 70.34.218[.]77; O\r\n= 18.130.251[.]165) to their watchlists or blocklists.\r\nIOC IP Host Profiles Appear Similar or Identical Beyond the Timeframes Listed in the Report\r\nCensys investigated the profiles of hosts tied to the IP IOCs from the CSA and noticed that some host profiles\r\nlooked very similar or identical before or after the “First Seen” and “Most Recently Observed Date[s]” identified\r\nin the CSA. These observations may indicate previous or unreported attacks/activity.\r\nHost C: First seen JUL24; most recent AUG24. Censys observed an identical host profile of Host C as early as\r\nMAY24 which is before the first seen date in the CSA, during which IOC 1 can be seen on the host.\r\nCommonalities are depicted below.\r\nHost C Fox Kitten\r\nHost C: MAY24 (left), JUL24 (right)\r\nHost D: First seen JAN24; most recent AUG24. Censys observed a host profile of Host D in DEC23 similar to\r\nHost D’s profile in JAN24, which is one month prior to the first seen date in the CSA. Commonalities, depicted\r\nbelow, include a seemingly random, large number of HTTP ports open, software such as Confluence that match\r\nother hosts connected to Host D, as well as seemingly random certificate names that use the same set of keywords.\r\nHost D: DEC23 (left), JAN24 (right)\r\nHost I: 1st seen SEP23; most recent JAN24. 
Censys observed a host profile of Host I in DEC23, identical to Host\r\nI’s profile in FEB24, which is one month following the most recent date in the CSA. All details are the same,\r\nincluding the SSH key fingerprints, depicted below.\r\nHost I Fox Kitten\r\nHost I: DEC23 (left), FEB24 (right)\r\nCensys Observed All Domain IOCs from the Advisory on 64 Currently Valid, Self-Signed\r\nCertificates\r\nIOC 1 (api.gupdate[.]net) = 3 valid certificates, 3 expired certificates; all issuers are Let’s Encrypt except\r\nfor one active certificate with issuer “unknown” with an expiration date in 2049. This certificate was also\r\nthe first generated with this domain, in 2018.\r\nIOC 2 (githubapp[.]net) = 11 valid certificates, 12 expired certificates; all issuers are Let’s Encrypt except\r\nfor one expired certificate with issuer “unknown” and one active certificate with issuer “unknown” with an\r\nexpiration date in 2049. Like IOC 1, this certificate was also the first generated with this domain, in 2018.\r\nIOC 3 (login.forticloud[.]online) = 19 valid certificates, 11 expired certificates; all issuers are Let’s\r\nEncrypt. The first certificate for this domain was generated in 2023.\r\nIOC 4 (fortigate.forticloud[.]online) = 5 valid certificates, 11 expired certificates; all issuers are Let’s\r\nEncrypt. 
The first certificate for this domain was generated in 2023.\r\nIOC 5 (cloud.sophos[.]com) = 26 valid certificates, 4 expired certificates; all issuers are Let’s Encrypt. The\r\nfirst certificate for this domain was generated in 2023.\r\nAnalysis: Defenders should continue monitoring for these IOCs within certificates since some host IP IOCs are\r\nstill active and there are 64 valid certificates that can be used on these hosts or others.\r\nConclusion\r\nBy studying the profiles of the hosts tied to the IOCs from the CSA over time, Censys uncovered patterns and\r\ncommonalities amongst those hosts, and then used those patterns and commonalities to identify other, currently\r\nactive hosts and certificates that may be part of the same Fox Kitten infrastructure. In the future, defenders can\r\nleverage IOCs, along with known periods of nefarious activity, to study host and certificate profiles before, during\r\nand after reported attacks to identify linkages, patterns, and common indicators. They can then leverage those\r\nfactors to conduct dynamic searches across public scan datasets like Censys’ to observe how those threats may\r\nstand up new infrastructure, leveraging the same techniques as previously observed.\r\nDespite attempts at obfuscation, diversion, and randomness, humans still must instantiate, operate, and\r\ndecommission digital infrastructure. Those humans, even if they rely upon technology to create randomization,\r\nalmost always will follow some sort of pattern whether it be similar Autonomous Systems, geolocations, hosting\r\nproviders, software, port distributions or certificate characteristics. 
If defenders can pick up on these patterns,\r\nmuch the same way that Soldiers in World War 2 picked up on Morse code operators’ “fists” or communication\r\npersonalities, they have a chance at staying one step ahead of threat actors.\r\nMethodology\r\nCensys used parsed fields to accurately search for the IOCs, trends, patterns, and other indicators mentioned in the\r\nAdvisory or found over the course of investigation. Censys used historical profiles of hosts to investigate Censys’\r\nperspective at points in time to corroborate IOCs with timeframes listed in the Advisory as well as observations\r\nthat seemed to match the profiles of IOC hosts, yet were outside of the timeframe listed in the Advisory, possibly\r\nindicating a timeframe of staging or nefarious activity not observed previously.\r\nCensys used a link diagram analysis to identify similarities, patterns, and trends across IOCs, hosts, certificates,\r\nAutonomous Systems, and various other parsed fields from Censys’ scan dataset.\r\n[1] https://www.cisa.gov/sites/default/files/2024-08/aa24-241a-iran-based-cyber-actors-enabling-ransomware-attacks-on-us-organizations_0.pdf\r\nAUTHOR\r\nMatt Lembright\r\nGlobal Lead of Censys Data / Search\r\nMatt Lembright is the Global Lead of Data and Search at Censys. Matt has been in cybersecurity for over 11\r\nyears, starting in the Army as an intelligence officer, helping build the Army Cyber Opposing Forces and\r\nUSCYBERCOM’s Cyber Mission Forces.\r\nSource: https://censys.com/analysis-of-fox-kitten-infrastructure-reveals-unique-host-patterns-and-potentially-new-iocs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://censys.com/analysis-of-fox-kitten-infrastructure-reveals-unique-host-patterns-and-potentially-new-iocs/"
	],
	"report_names": [
		"analysis-of-fox-kitten-infrastructure-reveals-unique-host-patterns-and-potentially-new-iocs"
	],
	"threat_actors": [
		{
			"id": "2c348851-5036-406b-b2d1-1ca47cfc7523",
			"created_at": "2022-10-25T16:07:24.039861Z",
			"updated_at": "2026-04-10T02:00:04.847961Z",
			"deleted_at": null,
			"main_name": "Parisite",
			"aliases": [
				"Cobalt Foxglove",
				"Fox Kitten",
				"G0117",
				"Lemon Sandstorm",
				"Parisite",
				"Pioneer Kitten",
				"Rubidium",
				"UNC757"
			],
			"source_name": "ETDA:Parisite",
			"tools": [
				"Cobalt",
				"FRP",
				"Fast Reverse Proxy",
				"Invoke the Hash",
				"JuicyPotato",
				"Ngrok",
				"POWSSHNET",
				"Pay2Key",
				"Plink",
				"Port.exe",
				"PuTTY Link",
				"SSHMinion",
				"STSRCheck",
				"Serveo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e3ba400-aee3-4ef3-8fbc-ec07fdbee46c",
			"created_at": "2025-08-07T02:03:24.731268Z",
			"updated_at": "2026-04-10T02:00:03.651425Z",
			"deleted_at": null,
			"main_name": "COBALT FOXGLOVE",
			"aliases": [
				"Fox Kitten ",
				"Lemon Sandstorm ",
				"Parisite ",
				"Pioneer Kitten ",
				"RUBIDIUM ",
				"UNC757 "
			],
			"source_name": "Secureworks:COBALT FOXGLOVE",
			"tools": [
				"Chisel",
				"FRP (Fast Reverse Proxy)",
				"Mimikatz",
				"Ngrok",
				"POWSSHNET",
				"STSRCheck",
				"Servo",
				"n3tw0rm ransomware",
				"pay2key ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "871acc40-6cbf-4c81-8b40-7f783616afbc",
			"created_at": "2023-01-06T13:46:39.156237Z",
			"updated_at": "2026-04-10T02:00:03.232876Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"UNC757",
				"Lemon Sandstorm",
				"RUBIDIUM",
				"PIONEER KITTEN",
				"PARISITE"
			],
			"source_name": "MISPGALAXY:Fox Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d070e12b-e1ce-4d8d-b5e3-bc71960cc0cb",
			"created_at": "2022-10-25T15:50:23.676504Z",
			"updated_at": "2026-04-10T02:00:05.260839Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"Fox Kitten",
				"UNC757",
				"Parisite",
				"Pioneer Kitten",
				"RUBIDIUM",
				"Lemon Sandstorm"
			],
			"source_name": "MITRE:Fox Kitten",
			"tools": [
				"China Chopper",
				"Pay2Key",
				"ngrok",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434029,
	"ts_updated_at": 1775792008,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07d89b2e55523f0118e6d684092b7fb8b7c99787.pdf",
		"text": "https://archive.orkl.eu/07d89b2e55523f0118e6d684092b7fb8b7c99787.txt",
		"img": "https://archive.orkl.eu/07d89b2e55523f0118e6d684092b7fb8b7c99787.jpg"
	}
}