
Made with 💙 by Wiz

Last Updated: April 3, 2025


Pioneer Kitten

Aliases: Lemon Sandstorm, RUBIDIUM
Tags: State-Sponsored, RansomOps
Attribution: Iran (🇮🇷)
References:
  • https://sysdig.com/blog/sysdig-threat-bulletin-iranian-cyber-threats/
  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
Last edited: Jun 24, 2025 10:50 AM
Status: Finalized
Cloud-fluent
Targeted geography: Middle East, United States/North America
Targeted industries: Finance, Healthcare/Medical, Military, Education

Pioneer Kitten is an Iranian state-sponsored cyber threat group active since at least 2017. Known for collaborating with ransomware affiliates, the group has targeted organizations in the education, finance, healthcare, defense, and government sectors—primarily in the U.S., Israel, the U.A.E., and Azerbaijan.

Pioneer Kitten functions as an initial access broker, exploiting vulnerabilities in VPNs and network appliances—including Citrix NetScaler, F5 BIG-IP, and Pulse Secure—to gain footholds. Once access is established, they deploy persistent web shells and sell access to ransomware operators such as BlackCat/ALPHV, NoEscape, and RansomHouse.

The group is known for concealing web shells in obscure file paths (e.g., /var/vpn/themes/imgs/) to survive system reboots and updates. They typically avoid dropping malicious binaries, instead relying on fileless techniques like inline Bash command execution to remain undetected.

Pioneer Kitten extensively uses “living-off-the-land” tools such as ligolo, socat, and proxychains, alongside post-exploitation frameworks including Havoc, MeshCentral, and bespoke C2 binaries. These tools are deployed across both Linux and cloud environments.

After initial compromise, the group uses SSH tunnels, proxy tools (e.g., ngrok, ligolo), and compromised Linux hosts to pivot into Windows or cloud infrastructure. These access points are leveraged either for direct espionage or sold for use in ransomware operations.
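Two of the behaviours above give defenders concrete things to look for: web shells parked in static-asset directories of VPN appliances (the /var/vpn/themes/imgs/ pattern) and the tunnelling and proxy tools used to pivot out of a compromised Linux host (ssh port forwarding, ngrok, ligolo, socat, proxychains). The script below is an added example written for this profile, not code from Wiz or from either reference; it hunts for both. The file-system check is generic (server-side script markers or an extension/magic-byte mismatch inside a directory that should only hold images, themes, fonts or CSS), the process check is a set of command-line regexes, and the directory layout and process listing it runs on are constructed for the demonstration.

```python
"""Hunt for web-shell artifacts in static-asset directories and for
tunnelling/proxy tool usage in a process listing.

Added example, not part of the Wiz profile or the referenced advisories.
Indicators are generic (script markers, magic-byte mismatches, tool names);
the fixture directory and the sample process lines are constructed.
"""
import os
import re
import tempfile

# Server-side script markers that have no business inside a static-asset file.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"#!/bin/sh", b"#!/bin/bash",
                  b"#!/usr/bin/perl", b"#!/usr/bin/python")
# Magic bytes for common image formats; an extension that does not match is suspicious.
IMAGE_MAGIC = {".png": b"\x89PNG", ".gif": b"GIF8",
               ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff"}
# Directory names that should only ever hold static assets.
STATIC_DIR_HINT = re.compile(r"/(imgs?|images|themes|fonts|css|static)/", re.I)

# Command-line patterns for the pivoting tools named in the profile. Only ssh -R/-D
# (reverse and dynamic forwarding) are flagged; -L is common in normal admin use.
# Combined short flags such as "-NR" are deliberately not matched to keep the regex readable.
TUNNEL_PATTERNS = [
    ("ssh remote/dynamic forward", re.compile(r"\bssh\b.*\s-[RD]\s*\S+")),
    ("ngrok", re.compile(r"\bngrok\b")),
    ("ligolo", re.compile(r"\bligolo")),
    ("socat relay", re.compile(r"\bsocat\b.*TCP[46]?-LISTEN")),
    ("proxychains", re.compile(r"\bproxychains")),
]


def scan_static_assets(root):
    """Return (path, reason) pairs for files under `root` that look like web shells."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        in_static_dir = STATIC_DIR_HINT.search(dirpath.replace(os.sep, "/") + "/")
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)   # markers and magic bytes sit at the start
            except OSError:
                continue
            if ext in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[ext]):
                findings.append((path, "extension/magic mismatch"))
                continue
            if in_static_dir and any(m in head for m in SCRIPT_MARKERS):
                findings.append((path, "script marker in static-asset directory"))
    return findings


def flag_tunnel_processes(cmdlines):
    """Return (label, cmdline) pairs for command lines matching a tunnelling tool pattern."""
    hits = []
    for line in cmdlines:
        for label, pat in TUNNEL_PATTERNS:
            if pat.search(line):
                hits.append((label, line))
                break
    return hits


# Constructed process listing: sshd itself and nginx are benign, the rest are pivot tooling.
SAMPLE_PROCESSES = [
    "/usr/sbin/sshd -D",
    "ssh -N -R 8443:127.0.0.1:443 ops@203.0.113.10",
    "nginx: worker process",
    "ngrok tcp 22",
    "socat TCP-LISTEN:2222,fork TCP:10.0.0.5:22",
    "proxychains4 -q curl http://internal/",
]


def build_fixture(base):
    """Create a constructed appliance-like tree: benign image, benign PHP outside the
    asset directory, a PHP file disguised as PNG, and a shell script hidden as .dat."""
    imgs = os.path.join(base, "var", "vpn", "themes", "imgs")
    www = os.path.join(base, "var", "vpn", "www")
    os.makedirs(imgs)
    os.makedirs(www)
    with open(os.path.join(imgs, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    with open(os.path.join(www, "index.php"), "wb") as fh:
        fh.write(b"<?php /* ordinary application page (constructed) */ ?>")
    with open(os.path.join(imgs, "icon.png"), "wb") as fh:
        fh.write(b"<?php /* placeholder web-shell body (constructed) */ ?>")
    with open(os.path.join(imgs, "cache.dat"), "wb") as fh:
        fh.write(b"#!/bin/bash\n# placeholder script body (constructed)\n")


def run_demo():
    """Build the fixture, scan it, and check the sample process listing."""
    with tempfile.TemporaryDirectory() as base:
        build_fixture(base)
        findings = scan_static_assets(base)
    hits = flag_tunnel_processes(SAMPLE_PROCESSES)
    return findings, hits


if __name__ == "__main__":
    found, tunnels = run_demo()
    for path, reason in found:
        print(f"[file] {reason}: {path}")
    for label, line in tunnels:
        print(f"[proc] {label}: {line}")
```

On a real appliance you would point `scan_static_assets` at the web root (or a mounted forensic image) and feed `flag_tunnel_processes` the output of `ps -eo args`; the two benign entries in the fixture (logo.png and index.php outside the asset directory) show the checks are conditioned on location and content, not just on file type.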