{
	"id": "20aad79e-4d1a-41c2-9454-89e3c30c0ed0",
	"created_at": "2026-04-06T00:19:33.370682Z",
	"updated_at": "2026-04-10T13:11:32.198139Z",
	"deleted_at": null,
	"sha1_hash": "b036d3911079f41830018b344184b28a9079a632",
	"title": "Iran-Based Threat Actor Exploits VPN Vulnerabilities | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 117856,
	"plain_text": "Iran-Based Threat Actor Exploits VPN Vulnerabilities | CISA\r\nPublished: 2020-09-15 · Archived: 2026-04-05 13:31:34 UTC\r\nSummary\r\nThis Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK®) framework. See the ATT\u0026CK for Enterprise framework for all referenced threat actor techniques.\r\nThis product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions from the Federal Bureau of Investigation (FBI). CISA and FBI are aware of an Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks. Analysis of the threat actor’s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) indicates a correlation with the group known by the names Pioneer Kitten and UNC757. This threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) affecting Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 products. This threat actor used these vulnerabilities to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence.\r\nThis Advisory provides the threat actor’s TTPs, IOCs, and exploited CVEs to help administrators and network defenders identify a potential compromise of their network and protect their organization from future attacks.\r\nTechnical Details\r\nCISA and FBI are aware of a widespread campaign from an Iran-based malicious cyber actor targeting several industries mainly associated with information technology, government, healthcare, financial, insurance, and media sectors across the United States. The threat actor conducts mass-scanning and uses tools, such as Nmap, to identify open ports. 
Once the open ports are identified, the threat actor exploits CVEs related to VPN infrastructure to gain initial access to a targeted network. CISA and the FBI have observed the threat actor exploiting multiple CVEs, including CVE-2019-11510, CVE-2019-11539, CVE-2019-19781, and CVE-2020-5902.\r\nAfter gaining initial access to a targeted network, the threat actor obtains administrator-level credentials and installs web shells allowing further entrenchment. After establishing a foothold, the threat actor’s goals appear to be maintaining persistence and exfiltrating data. This threat actor has been observed selling access to compromised network infrastructure in an online hacker forum. Industry reporting indicates that the threat actor operates as a contractor supporting Iranian government interests, but the malicious activity appears to also serve the threat actor’s own financial interests. The FBI notes this threat actor has the capability, and likely the intent, to deploy ransomware on victim networks.\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-259a\r\nPage 1 of 9\r\nCISA and FBI have observed this Iran-based threat actor relying on exploits of remote external services on internet-facing assets to gain initial access to victim networks. The threat actor also relies heavily on open-source and operating system (OS) tooling to conduct operations, such as ngrok; fast reverse proxy (FRP); Lightweight Directory Access Protocol (LDAP) directory browser; as well as web shells known as ChunkyTuna, Tiny, and China Chopper.\r\nTable 1 illustrates some of the common tools this threat actor has used.\r\nTable 1: Common exploit tools\r\nTool | Detail\r\nChunkyTuna web shell | ChunkyTuna allows for chunked transfer encoding hypertext transfer protocol (HTTP) that tunnels Transmission Control Protocol (TCP) streams over HTTP. 
The web shell allows for reverse connections to a server with the intent to exfiltrate data.\r\nTiny web shell | Tiny uses Hypertext Preprocessor (PHP) to create a backdoor. It has the capability to allow a threat actor remote access to the system and can also tunnel or route traffic.\r\nChina Chopper web shell | China Chopper is a web shell hosted on a web server and is mainly used for web application attacks; it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords.\r\nFRPC | FRPC is a modified version of the open-source FRP tool. It allows a system—inside a router or firewall providing Network Address Translation—to provide network access to systems/operators located outside of the victim network. In this case, FRPC was used as a reverse proxy, tunneling Remote Desktop Protocol (RDP) over Transport Layer Security (TLS), giving the threat actor primary persistence.\r\nChisel | Chisel is a fast TCP tunnel over HTTP and secured via Secure Shell (SSH). It is a single executable that includes both client and server. The tool is useful for passing through firewalls, but it can also be used to provide a secure form of communication to an endpoint on a victim network.\r\nngrok | ngrok is a tool used to expose a local port to the internet. 
Optionally, tunnels can be secured with TLS.\r\nNmap | Nmap is used for vulnerability scanning and network discovery.\r\nAngry IP Scanner | Angry IP Scanner is a scanner that can ping a range of Internet Protocol (IP) addresses to check if they are active and can also resolve hostnames, scan ports, etc.\r\nDrupwn | Drupwn is a Python-based tool used to scan for vulnerabilities and exploit CVEs in Drupal devices.\r\nNotable means of detecting this threat actor:\r\nCISA and the FBI note that this group makes significant use of ngrok, which may appear as TCP port 443 connections to external cloud-based infrastructure.\r\nThe threat actor uses FRPC over port 7557.\r\nMalware Analysis Report MAR-10297887-1.v1 details some of the tools this threat actor used against some victims.\r\nThe following file paths can be used to detect Tiny web shell, ChunkyTuna web shell, or Chisel if a network has been compromised by this attacker exploiting CVE-2019-19781.\r\nTiny web shell\r\n /netscaler/ns_gui/admin_ui/rdx/core/css/images/css.php\r\n /netscaler/ns_gui/vpn/images/vpn_ns_gui.php\r\n /var/vpn/themes/imgs/tiny.php\r\nChunkyTuna web shell\r\n /var/vpn/themes/imgs/debug.php\r\n /var/vpn/themes/imgs/include.php\r\n /var/vpn/themes/imgs/whatfile\r\nChisel\r\n /var/nstmp/chisel\r\nMITRE ATT\u0026CK Framework\r\nInitial Access\r\nAs indicated in table 2, the threat actor primarily gained initial access by using the publicly available exploit for CVE-2019-19781. From there, the threat actor used the Citrix environment to establish a presence on an internal network server.\r\nTable 2: Initial access techniques\r\nID | Technique/Sub-Technique | Context\r\nT1190 | Exploit Public-Facing Application | The threat actor primarily gained initial access by compromising a Citrix NetScaler remote access server using a publicly available exploit for CVE-2019-19781. 
The threat actor also exploited CVE-2019-11510, CVE-2019-11539, and CVE-2020-5902.\r\nExecution\r\nAfter gaining initial access, the threat actor began executing scripts, as shown in table 3.\r\nTable 3: Execution techniques\r\nID | Technique/Sub-Technique | Context\r\nT1059.001 | Command and Scripting Interpreter: PowerShell | A PowerShell script (keethief and kee.ps1) was used to access KeePass data.\r\nT1059.003 | Command and Scripting Interpreter: Windows Command Shell | cmd.exe was launched via sticky keys and was likely used as a password changing mechanism.\r\nPersistence\r\nCISA observed the threat actor using the techniques identified in table 4 to establish persistence.\r\nTable 4: Persistence techniques\r\nID | Technique/Sub-Technique | Context\r\nT1053.003 | Scheduled Task/Job: Cron | The threat actor loaded a series of scripts to cron and ran them for various purposes (mainly to access NetScaler web forms).\r\nT1053.005 | Scheduled Task/Job: Scheduled Task | The threat actor installed and used FRPC (frpc.exe) on both NetScaler and internal devices. The task was named lpupdate and the binary was named svchost, which was the reverse proxy. The threat actor executed this command daily.\r\nT1505.003 | Server Software Component: Web Shell | The threat actor used several web shells on existing web servers. Both NetScaler and web servers called out for ChunkyTuna.\r\nT1546.008 | Event Triggered Execution: Accessibility Features | The threat actor used sticky keys (sethc.exe) to launch cmd.exe.\r\nPrivilege Escalation\r\nCISA observed no evidence of direct privilege escalation. 
The threat actor attained domain administrator credentials on the NetScaler device via exploit and continued to expand credential access on the network.\r\nDefense Evasion\r\nCISA observed the threat actor using the techniques identified in table 5 to evade detection.\r\nTable 5: Defensive evasion techniques\r\nID | Technique/Sub-Technique | Context\r\nT1027.002 | Obfuscated Files or Information: Software Packing | The threat actor used base64 encoding for payloads on NetScaler during initial access, helping the pre-compiled payloads avoid detection.\r\nT1027.004 | Obfuscated Files or Information: Compile After Delivery | The threat actor used base64 encoding schemes on distributed (uncompiled) scripts and files to avoid detection.\r\nT1036.004 | Masquerading: Masquerade Task or Service | The threat actor used FRPC (frpc.exe) daily as a reverse proxy, tunneling RDP over TLS. The FRPC (frpc.exe) task name was lpupdate and ran out of the Input Method Editor (IME) directory. 
In other events, the threat actor has been observed hiding activity via ngrok.\r\nT1036.005 | Masquerading: Match Legitimate Name or Location | The FRPC (frpc.exe) binary name was svchost, and the configuration file was dllhost.dll, attempting to masquerade as a legitimate Dynamic Link Library.\r\nT1070.004 | Indicator Removal on Host: File Deletion | To minimize their footprint, the threat actor ran ./httpd-nscache_clean every 30 minutes, which cleaned up files on the NetScaler device.\r\nCredential Access\r\nCISA observed the threat actor using the techniques identified in table 6 to further their credential access.\r\nTable 6: Credential access techniques\r\nID | Technique/Sub-Technique | Context\r\nT1003.001 | OS Credential Dumping: LSASS Memory | The threat actor used procdump to dump process memory from the Local Security Authority Subsystem Service (LSASS).\r\nT1003.003 | OS Credential Dumping: Windows NT Directory Services (NTDS) | The threat actor used Volume Shadow Copy to access credential information from the NTDS file.\r\nT1552.001 | Unsecured Credentials: Credentials in Files | The threat actor accessed files containing valid credentials.\r\nT1555 | Credentials from Password Stores | The threat actor accessed a KeePass database multiple times and used the kee.ps1 PowerShell script.\r\nT1558 | Steal or Forge Kerberos Tickets | The threat actor conducted a directory traversal attack by creating files and exfiltrating a Kerberos ticket on a NetScaler device. 
The threat actor was then able to gain access to a domain account.\r\nDiscovery\r\nCISA observed the threat actor using the techniques identified in table 7 to learn more about the victim environments.\r\nTable 7: Discovery techniques\r\nID | Technique/Sub-Technique | Context\r\nT1018 | Remote System Discovery | The threat actor used Angry IP Scanner to detect remote systems.\r\nT1083 | File and Directory Discovery | The threat actor used WizTree to obtain network files and directory listings.\r\nT1087 | Account Discovery | The threat actor accessed ntuser.dat and UserClass.dat and used Softerra LDAP Browser to browse documentation for service accounts.\r\nT1217 | Browser Bookmark Discovery | The threat actor used Google Chrome bookmarks to find internal resources and assets.\r\nLateral Movement\r\nCISA also observed the threat actor using open-source tools such as Plink and TightVNC for lateral movement. CISA observed the threat actor using the techniques identified in table 8 for lateral movement within the victim environment.\r\nTable 8: Lateral movement techniques\r\nID | Technique/Sub-Technique | Context\r\nT1021 | Remote Services | The threat actor used RDP with valid account credentials for lateral movement in the environment.\r\nT1021.001 | Remote Services: Remote Desktop Protocol | The threat actor used RDP to log in and then conduct lateral movement.\r\nT1021.002 | Remote Services: SMB/Windows Admin Shares | The threat actor used PsExec and PSEXECSVC pervasively on several hosts. The threat actor was also observed using a valid account to access SMB shares.\r\nT1021.004 | Remote Services: SSH | The threat actor used Plink and PuTTY for lateral movement. Artifacts of Plink encrypted sessions were found in the system registry hive. 
\r\nT1021.005 | Remote Services: Virtual Network Computing (VNC) | The threat actor installed TightVNC server and client pervasively on compromised servers and endpoints in the network environment as a lateral movement tool.\r\nT1563.002 | Remote Service Session Hijacking: RDP Hijacking | The threat actor likely hijacked a legitimate RDP session to move laterally within the network environment.\r\nCollection\r\nCISA observed the threat actor using the techniques identified in table 9 for collection within the victim environment.\r\nTable 9: Collection techniques\r\nID | Technique/Sub-Technique | Context\r\nT1005 | Data from Local System | The threat actor searched local system sources to access sensitive documents.\r\nT1039 | Data from Network Shared Drive | The threat actor searched network shares to access sensitive documents.\r\nT1213 | Data from Information Repositories | The threat actor accessed victim security/IT monitoring environments, Microsoft Teams, etc., to mine valuable information.\r\nT1530 | Data from Cloud Storage Object | The threat actor obtained files from the victim cloud storage instances.\r\nT1560.001 | Archive Collected Data: Archive via Utility | The threat actor used 7-Zip to archive data.\r\nCommand and Control\r\nCISA observed the threat actor using the techniques identified in table 10 for command and control (C2).\r\nTable 10: Command and control techniques\r\nID | Technique/Sub-Technique | Context\r\nT1071.001 | Application Layer Protocol: Web Protocols | The threat actor used various web mechanisms and protocols, including the web shells listed in table 1.\r\nT1105 | Ingress Tool Transfer | The threat actor downloaded tools such as PsExec directly to endpoints and downloaded web shells and scripts to NetScaler in base64-encoded schemes.\r\nT1572 | Protocol Tunneling | The threat actor used FRPC.exe to tunnel RDP over 
port 443. The threat actor has also been observed using ngrok for tunneling.\r\nExfiltration\r\nCISA currently has no evidence of data exfiltration from this threat actor but assesses that it was likely due to the use of 7-Zip and viewing of sensitive documents.\r\nMitigations\r\nRecommendations\r\nCISA and FBI recommend implementing the following recommendations.\r\nIf your organization has not patched for the Citrix CVE-2019-19781 vulnerability, and a compromise is suspected, follow the recommendations in CISA Alert AA20-031A.\r\nThis threat actor has been observed targeting other CVEs mentioned in this report; follow the recommendations in the CISA resources provided below.\r\nIf using Windows Active Directory and compromise is suspected, conduct remediation of the compromised Windows Active Directory forest.\r\nIf compromised, rebuild/reimage compromised NetScaler devices.\r\nRoutinely audit configuration and patch management programs.\r\nMonitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).\r\nImplement multi-factor authentication, especially for privileged accounts.\r\nUse separate administrative accounts on separate administration workstations.\r\nImplement the principle of least privilege on data access.\r\nSecure RDP and other remote access solutions using multifactor authentication and “jump boxes” for access.\r\nDeploy endpoint defense tools on all endpoints; ensure they work and are up to date.\r\nKeep software up to date.\r\nContact Information\r\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. 
When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at central@cisa.dhs.gov.\r\nResources\r\nCISA Alert AA20-031A: Detecting Citrix CVE-2019-19781\r\nCISA Alert AA20-073A: Enterprise VPN Security\r\nCISA Alert AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching\r\nCISA Alert AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902\r\nCISA Security Tip: Securing Network Infrastructure Devices\r\nRevisions\r\nSeptember 15, 2020: Initial Version\r\nSource: https://us-cert.cisa.gov/ncas/alerts/aa20-259a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/aa20-259a"
	],
	"report_names": [
		"aa20-259a"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2c348851-5036-406b-b2d1-1ca47cfc7523",
			"created_at": "2022-10-25T16:07:24.039861Z",
			"updated_at": "2026-04-10T02:00:04.847961Z",
			"deleted_at": null,
			"main_name": "Parisite",
			"aliases": [
				"Cobalt Foxglove",
				"Fox Kitten",
				"G0117",
				"Lemon Sandstorm",
				"Parisite",
				"Pioneer Kitten",
				"Rubidium",
				"UNC757"
			],
			"source_name": "ETDA:Parisite",
			"tools": [
				"Cobalt",
				"FRP",
				"Fast Reverse Proxy",
				"Invoke the Hash",
				"JuicyPotato",
				"Ngrok",
				"POWSSHNET",
				"Pay2Key",
				"Plink",
				"Port.exe",
				"PuTTY Link",
				"SSHMinion",
				"STSRCheck",
				"Serveo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e3ba400-aee3-4ef3-8fbc-ec07fdbee46c",
			"created_at": "2025-08-07T02:03:24.731268Z",
			"updated_at": "2026-04-10T02:00:03.651425Z",
			"deleted_at": null,
			"main_name": "COBALT FOXGLOVE",
			"aliases": [
				"Fox Kitten ",
				"Lemon Sandstorm ",
				"Parisite ",
				"Pioneer Kitten ",
				"RUBIDIUM ",
				"UNC757 "
			],
			"source_name": "Secureworks:COBALT FOXGLOVE",
			"tools": [
				"Chisel",
				"FRP (Fast Reverse Proxy)",
				"Mimikatz",
				"Ngrok",
				"POWSSHNET",
				"STSRCheck",
				"Servo",
				"n3tw0rm ransomware",
				"pay2key ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "871acc40-6cbf-4c81-8b40-7f783616afbc",
			"created_at": "2023-01-06T13:46:39.156237Z",
			"updated_at": "2026-04-10T02:00:03.232876Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"UNC757",
				"Lemon Sandstorm",
				"RUBIDIUM",
				"PIONEER KITTEN",
				"PARISITE"
			],
			"source_name": "MISPGALAXY:Fox Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d070e12b-e1ce-4d8d-b5e3-bc71960cc0cb",
			"created_at": "2022-10-25T15:50:23.676504Z",
			"updated_at": "2026-04-10T02:00:05.260839Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"Fox Kitten",
				"UNC757",
				"Parisite",
				"Pioneer Kitten",
				"RUBIDIUM",
				"Lemon Sandstorm"
			],
			"source_name": "MITRE:Fox Kitten",
			"tools": [
				"China Chopper",
				"Pay2Key",
				"ngrok",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434773,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b036d3911079f41830018b344184b28a9079a632.pdf",
		"text": "https://archive.orkl.eu/b036d3911079f41830018b344184b28a9079a632.txt",
		"img": "https://archive.orkl.eu/b036d3911079f41830018b344184b28a9079a632.jpg"
	}
}