{ "id": "cbac38cd-c41e-4251-912e-0631fc62f5a8", "created_at": "2026-04-06T00:22:22.105256Z", "updated_at": "2026-04-10T03:37:36.60492Z", "deleted_at": null, "sha1_hash": "c85ee6fab483929a087e59a11d299dd597c69570", "title": "FBI says an Iranian hacking group is attacking F5 networking devices", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 722709, "plain_text": "FBI says an Iranian hacking group is attacking F5 networking\r\ndevices\r\nBy Catalin Cimpanu\r\nPublished: 2020-08-10 · Archived: 2026-04-05 21:04:54 UTC\r\nA group of elite hackers associated with the Iranian government has been detected attacking the US private and\r\ngovernment sector, according to a security alert sent by the FBI last week.\r\nWhile the alert, called a Private Industry Notification, didn't identify the hackers by name, sources have\r\ntold ZDNet that the group is tracked by the larger cyber-security community under codenames such as Fox\r\nKitten or Parisite.\r\nIran's cyber operations \"spear tip\"\r\nA former government cyber-security analyst, now working for a private security firm, called the group as Iran's\r\n\"spear tip\" when it comes to cyber-attacks.\r\nHe described the group's primary task as having to provide an \"initial beachead\" to other Iranian hacking groups\r\n— such as APT33 (Shamoon), Oilrig (APT34), or Chafer.\r\nTo reach its goals, Fox Kitten primarily operates by attacking high-end and expensive network equipment using\r\nexploits for recently disclosed vulnerabilities, before companies had enough time to patch devices. Due to the\r\nnature of the devices they attack, targets primarily include large private corporations and government networks.\r\nhttps://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/\r\nPage 1 of 3\n\nOnce the hackers gain access to a device, they install a web shell or backdoor, transforming the equipment into a\r\ngateway into the hacked network.\r\nAccording to reports published by cyber-security firms ClearSky and Dragos earlier this year, Fox Kitten has been\r\nusing this modus operandi since the summer of 2019, when it began heavily targeting vulnerabilities such as:\r\nPulse Secure \"Connect\" enterprise VPNs (CVE-2019-11510)\r\nFortinet VPN servers running FortiOS (CVE-2018-13379)\r\nPalo Alto Networks \"Global Protect\" VPN servers (CVE-2019-1579)\r\nCitrix \"ADC\" servers and Citrix network gateways (CVE-2019-19781)\r\nFBI warns of new attacks targeting F5 BIG-IP devices\r\nThe FBI notification sent out to the US private sector last week says the group still targets these vulnerabilities,\r\nbut Fox Kitten also upgraded its attack arsenal to include an exploit for CVE-2020-5902, a vulnerability disclosed\r\nin early July that impacts BIG-IP, a very popular multi-purpose networking device manufactured by F5 Networks.\r\nThe FBI doesn't call the group by its public names, but makes references to their past attacks against Pulse Secure\r\nVPNs and Citrix gateways, and also warns companies that once the hackers gain access to their networks, they are\r\nvery likely to provide access to other Iranian groups, or monetize networks that aren't useful for espionage by\r\ndeploying ransomware.\r\nFBI officials also warn that this group isn't targeting any particular sector, and any company running a BIG-IP\r\ndevice is likely to be targeted.\r\nWhile the FBI asked US companies to patch their on-premise BIG-IP devices to prevent successful intrusions, FBI\r\nofficials also shared details about a typical Fox Kitten attack, so companies can deploy countermeasures and\r\ndetection rules. These details are similar to what ClearSky detailed in their February 2020 report.\r\n\"Following successful compromise of the VPN server, the actors obtain legitimate credentials and establish\r\npersistence on the server through webshells. The actors conduct internal reconnaissance post-exploitation using\r\ntools such as NMAP and Angry IP scanner. The actors deploy Mimikatz to capture credentials while on the\r\nnetwork, and Juicy Potato for privilege escalation. The actors create new users while on the network [...]\"\r\nThe actors use several applications for command and control (C2) while exploiting victim networks, including\r\nChisel (C2 tunnel), ngrok, Plink, and SSHNET (reverse SSH shell). When tracking suspected C2 activity, the FBI\r\nadvises that C2 activity with ngrok may be with external infrastructure associated with ngrok.\"\r\nTwo confirmed victims\r\nBut while the FBI alert doesn't say it, sources have told ZDNet that Fox Kitten attacks against BIG-IP devices\r\nhave been successful.\r\nA security researcher working for a US cyber-security firm told ZDNet that the FBI sent out the PIN alert last\r\nweek after agents were called to investigate two successful intrusions where Fox Kitten hackers managed to\r\nbreach US companies.\r\nhttps://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/\r\nPage 2 of 3\n\nDue to non-disclosure agreements, the source could not identify the two companies, nor could they confirm these\r\nare the same \"two compromises\" mentioned in a similar alert sent out by the Department of Homeland Security's\r\nCybersecurity and Infrastructure Security Agency (DHS CISA) on July 24.\r\nEither way, Iran's state-sponsored hacking groups aren't the only threat actors that have targeted the BIG-IP\r\nvulnerability.\r\nMultiple hacker groups began exploiting this bug within two days after details and proof-of-concept exploits\r\nbecame public, and in recent weeks, an exploit for the BIG-IP bug has even been spotted part of a Mirai-based\r\nDDoS botnet.\r\nSource: https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/\r\nhttps://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/" ], "report_names": [ "fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices" ], "threat_actors": [ { "id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4", "created_at": "2022-10-25T15:50:23.458833Z", "updated_at": "2026-04-10T02:00:05.419537Z", "deleted_at": null, "main_name": "APT34", "aliases": null, "source_name": "MITRE:APT34", "tools": [ "netstat", "Systeminfo", "PsExec", "SEASHARPEE", "Tasklist", "Mimikatz", "POWRUNER", "certutil" ], "source_id": "MITRE", "reports": null }, { "id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d", "created_at": "2025-08-07T02:03:24.741594Z", "updated_at": "2026-04-10T02:00:03.653394Z", "deleted_at": null, "main_name": "COBALT HICKMAN", "aliases": [ "APT39 ", "Burgundy Sandstorm ", "Chafer ", "ITG07 ", "Remix Kitten " ], "source_name": "Secureworks:COBALT HICKMAN", "tools": [ "MechaFlounder", "Mimikatz", "Remexi", "TREKX" ], "source_id": "Secureworks", "reports": null }, { "id": "a63c994f-d7d6-4850-a881-730635798b90", "created_at": "2025-08-07T02:03:24.788883Z", "updated_at": "2026-04-10T02:00:03.785146Z", "deleted_at": null, "main_name": "COBALT TRINITY", "aliases": [ "APT33 ", "Elfin ", "HOLMIUM ", "MAGNALIUM ", "Peach Sandstorm ", "Refined Kitten ", "TA451 " ], "source_name": "Secureworks:COBALT TRINITY", "tools": [ "AutoCore", "Cadlotcorg", "Dello RAT", "FalseFont", "Imminent Monitor", "KDALogger", "Koadic", "NanoCore", "NetWire", "POWERTON", "PoshC2", "Poylog", "PupyRAT", "Schoolbag" ], "source_id": "Secureworks", "reports": null }, { "id": "cffb3c01-038f-4527-9cfd-57ad5a035c22", "created_at": "2022-10-25T15:50:23.38055Z", "updated_at": "2026-04-10T02:00:05.258283Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "COBALT GYPSY", "IRN2", "APT34", "Helix Kitten", "Evasive Serpens", "Hazel Sandstorm", "EUROPIUM", "ITG13", "Earth Simnavaz", "Crambus", "TA452" ], "source_name": "MITRE:OilRig", "tools": [ "ISMInjector", "ODAgent", "RDAT", "Systeminfo", "QUADAGENT", "OopsIE", "ngrok", "Tasklist", "certutil", "ZeroCleare", "POWRUNER", "netstat", "Solar", "ipconfig", "LaZagne", "BONDUPDATER", "SideTwist", "OilBooster", "SampleCheck5000", "PsExec", "SEASHARPEE", "Mimikatz", "PowerExchange", "OilCheck", "RGDoor", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "2c348851-5036-406b-b2d1-1ca47cfc7523", "created_at": "2022-10-25T16:07:24.039861Z", "updated_at": "2026-04-10T02:00:04.847961Z", "deleted_at": null, "main_name": "Parisite", "aliases": [ "Cobalt Foxglove", "Fox Kitten", "G0117", "Lemon Sandstorm", "Parisite", "Pioneer Kitten", "Rubidium", "UNC757" ], "source_name": "ETDA:Parisite", "tools": [ "Cobalt", "FRP", "Fast Reverse Proxy", "Invoke the Hash", "JuicyPotato", "Ngrok", "POWSSHNET", "Pay2Key", "Plink", "Port.exe", "PuTTY Link", "SSHMinion", "STSRCheck", "Serveo" ], "source_id": "ETDA", "reports": null }, { "id": "bee22874-f90e-410b-93f3-a2f9b1c2e695", "created_at": "2022-10-25T16:07:23.45097Z", "updated_at": "2026-04-10T02:00:04.610108Z", "deleted_at": null, "main_name": "Chafer", "aliases": [ "APT 39", "Burgundy Sandstorm", "Cobalt Hickman", "G0087", "ITG07", "Radio Serpens", "Remix Kitten", "TA454" ], "source_name": "ETDA:Chafer", "tools": [ "ASPXSpy", "ASPXTool", "Antak", "CACHEMONEY", "EternalBlue", "HTTPTunnel", "LOLBAS", "LOLBins", "Living off the Land", "MechaFlounder", "Metasploit", "Mimikatz", "NBTscan", "NSSM", "Non-sucking Service Manager", "POWBAT", "Plink", "PuTTY Link", "Rana", "Remcom", "Remexi", "RemoteCommandExecution", "SafetyKatz", "UltraVNC", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "nbtscan", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "e5ff825b-0456-4013-b90a-971b93def74a", "created_at": "2022-10-25T15:50:23.824058Z", "updated_at": "2026-04-10T02:00:05.377261Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "APT33", "HOLMIUM", "Elfin", "Peach Sandstorm" ], "source_name": "MITRE:APT33", "tools": [ "PowerSploit", "AutoIt backdoor", "PoshC2", "Mimikatz", "NanoCore", "DEADWOOD", "StoneDrill", "POWERTON", "LaZagne", "TURNEDUP", "NETWIRE", "Pupy", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "6e3ba400-aee3-4ef3-8fbc-ec07fdbee46c", "created_at": "2025-08-07T02:03:24.731268Z", "updated_at": "2026-04-10T02:00:03.651425Z", "deleted_at": null, "main_name": "COBALT FOXGLOVE", "aliases": [ "Fox Kitten ", "Lemon Sandstorm ", "Parisite ", "Pioneer Kitten ", "RUBIDIUM ", "UNC757 " ], "source_name": "Secureworks:COBALT FOXGLOVE", "tools": [ "Chisel", "FRP (Fast Reverse Proxy)", "Mimikatz", "Ngrok", "POWSSHNET", "STSRCheck", "Servo", "n3tw0rm ransomware", "pay2key ransomware" ], "source_id": "Secureworks", "reports": null }, { "id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b", "created_at": "2025-08-07T02:03:24.722093Z", "updated_at": "2026-04-10T02:00:03.681914Z", "deleted_at": null, "main_name": "COBALT EDGEWATER", "aliases": [ "APT34 ", "Cold River ", "DNSpionage " ], "source_name": "Secureworks:COBALT EDGEWATER", "tools": [ "AgentDrable", "DNSpionage", "Karkoff", "MailDropper", "SideTwist", "TWOTONE" ], "source_id": "Secureworks", "reports": null }, { "id": "c786e025-c267-40bd-9491-328da70811a5", "created_at": "2025-08-07T02:03:24.736817Z", "updated_at": "2026-04-10T02:00:03.752071Z", "deleted_at": null, "main_name": "COBALT GYPSY", "aliases": [ "APT34 ", "CHRYSENE ", "Crambus ", "EUROPIUM ", "Hazel Sandstorm ", "Helix Kitten ", "ITG13 ", "OilRig ", "Yellow Maero " ], "source_name": "Secureworks:COBALT GYPSY", "tools": [ "Glimpse", "Helminth", "Jason", "MacDownloader", "PoisonFrog", "RGDoor", "ThreeDollars", "TinyZbot", "Toxocara", "Trichuris", "TwoFace" ], "source_id": "Secureworks", "reports": null }, { "id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f", "created_at": "2023-01-06T13:46:38.367369Z", "updated_at": "2026-04-10T02:00:02.945356Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "Elfin", "MAGNALLIUM", "HOLMIUM", "COBALT TRINITY", "G0064", "ATK35", "Peach Sandstorm", "TA451", "APT 33", "Refined Kitten" ], "source_name": "MISPGALAXY:APT33", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "67709937-2186-4a32-b64c-a5693d40ac77", "created_at": "2023-01-06T13:46:38.495593Z", "updated_at": "2026-04-10T02:00:02.999196Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "Crambus", "Helix Kitten", "APT34", "IRN2", "ATK40", "G0049", "EUROPIUM", "TA452", "Twisted Kitten", "Cobalt Gypsy", "APT 34", "Evasive Serpens", "Hazel Sandstorm", "Earth Simnavaz" ], "source_name": "MISPGALAXY:OilRig", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "871acc40-6cbf-4c81-8b40-7f783616afbc", "created_at": "2023-01-06T13:46:39.156237Z", "updated_at": "2026-04-10T02:00:03.232876Z", "deleted_at": null, "main_name": "Fox Kitten", "aliases": [ "UNC757", "Lemon Sandstorm", "RUBIDIUM", "PIONEER KITTEN", "PARISITE" ], "source_name": "MISPGALAXY:Fox Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d070e12b-e1ce-4d8d-b5e3-bc71960cc0cb", "created_at": "2022-10-25T15:50:23.676504Z", "updated_at": "2026-04-10T02:00:05.260839Z", "deleted_at": null, "main_name": "Fox Kitten", "aliases": [ "Fox Kitten", "UNC757", "Parisite", "Pioneer Kitten", "RUBIDIUM", "Lemon Sandstorm" ], "source_name": "MITRE:Fox Kitten", "tools": [ "China Chopper", "Pay2Key", "ngrok", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "b6436f7b-6012-4969-aed1-d440e2e8b238", "created_at": "2022-10-25T16:07:23.91517Z", "updated_at": "2026-04-10T02:00:04.788408Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "APT 34", "ATK 40", "Chrysene", "Cobalt Gypsy", "Crambus", "DEV-0861", "EUROPIUM", "Earth Simnavaz", "Evasive Serpens", "G0049", "Hazel Sandstorm", "Helix Kitten", "IRN2", "ITG13", "Scarred Manticore", "Storm-0861", "TA452", "Twisted Kitten", "UNC1860", "Yellow Maero" ], "source_name": "ETDA:OilRig", "tools": [ "AMATIAS", "Agent Drable", "Agent Injector", "AgentDrable", "Alma Communicator", "BONDUPDATER", "CACTUSPIPE", "Clayslide", "CypherRat", "DNSExfitrator", "DNSpionage", "DROPSHOT", "DistTrack", "DropperBackdoor", "Fox Panel", "GREYSTUFF", "GoogleDrive RAT", "HighShell", "HyperShell", "ISMAgent", "ISMDoor", "ISMInjector", "Jason", "Karkoff", "LIONTAIL", "LOLBAS", "LOLBins", "LONGWATCH", "LaZagne", "Living off the Land", "MailDropper", "Mimikatz", "MrPerfectInstaller", "OILYFACE", "OopsIE", "POWBAT", "POWRUNER", "Plink", "Poison Frog", "PowerExchange", "PsList", "PuTTY Link", "QUADAGENT", "RDAT", "RGDoor", "SEASHARPEE", "Saitama", "Saitama Backdoor", "Shamoon", "SideTwist", "SpyNote", "SpyNote RAT", "StoneDrill", "TONEDEAF", "TONEDEAF 2.0", "ThreeDollars", "TwoFace", "VALUEVAULT", "Webmask", "WinRAR", "ZEROCLEAR", "ZeroCleare", "certutil", "certutil.exe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434942, "ts_updated_at": 1775792256, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c85ee6fab483929a087e59a11d299dd597c69570.pdf", "text": "https://archive.orkl.eu/c85ee6fab483929a087e59a11d299dd597c69570.txt", "img": "https://archive.orkl.eu/c85ee6fab483929a087e59a11d299dd597c69570.jpg" } }