--- title: "Iran sponsored ‘Fox Kitten’ threat group targeting vital US organizations for ransomware attacks | Phish Protection" description: "Iran sponsored" image: "https://phishprotection.com/og/blog/iran-sponsored-fox-kitten-threat-group-targeting-vital-us-organizations.png" canonical: "https://phishprotection.com/blog/iran-sponsored-fox-kitten-threat-group-targeting-vital-us-organizations/" --- Quick Answer The Fox Kitten threat group is creating ripples in the cyber world. The threat actors are proactively attacking prominent USA-based organizations. As per the investigations by the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, the Fox Kitten group is being sponsored. Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fphishprotection.com%2Fblog%2Firan-sponsored-fox-kitten-threat-group-targeting-vital-us-organizations%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Iran%20sponsored%20%E2%80%98Fox%20Kitten%26%238217%3B%20threat%20group%20targeting%20vital%20US%20organizations%20for%20ransomware%20attacks&url=https%3A%2F%2Fphishprotection.com%2Fblog%2Firan-sponsored-fox-kitten-threat-group-targeting-vital-us-organizations%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fphishprotection.com%2Fblog%2Firan-sponsored-fox-kitten-threat-group-targeting-vital-us-organizations%2F "Share on Facebook") [ ](https://reddit.com/submit?url=https%3A%2F%2Fphishprotection.com%2Fblog%2Firan-sponsored-fox-kitten-threat-group-targeting-vital-us-organizations%2F&title=Iran%20sponsored%20%E2%80%98Fox%20Kitten%26%238217%3B%20threat%20group%20targeting%20vital%20US%20organizations%20for%20ransomware%20attacks "Share on Reddit") [ ](mailto:?subject=Iran%20sponsored%20%E2%80%98Fox%20Kitten%26%238217%3B%20threat%20group%20targeting%20vital%20US%20organizations%20for%20ransomware%20attacks&body=Check out this article: https%3A%2F%2Fphishprotection.com%2Fblog%2Firan-sponsored-fox-kitten-threat-group-targeting-vital-us-organizations%2F "Share via Email") ![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2024/09/phishing-prevention-tips-7689.jpg) The \*\* Fox Kitten threat group\*\* is creating ripples in the cyber world. The threat actors are proactively attacking prominent USA-based organizations. As per the investigations by the US[Cybersecurity and Infrastructure Security Agency (CISA)](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a)and the FBI, the Fox Kitten group is being sponsored by Iran to carry out these malicious cyberattacks against the USA. Currently, the threat actors have decent access across different sectors such as**defense, finance, education, and healthcare**. After studying their activities closely, the[cybersecurity](/cybersecurity/malicious-actors-embrace-ai-chatbots-for-advanced-cyber-attacks)experts have come to the conclusion that the Fox Kitten group has been trying to monetize their access across all these US-based industries . However, this[threat campaign](https://www.darkreading.com/threat-intelligence/threat-group-bling-libra-extortion-cloud-attacks)is completely different from what Fox Kitten has been trying to achieve in Israel, the US, and Azerbaijan . The latter involves cyberattacks to steal vital**technical data**from multiple organizations across these nations. ![Phishing prevention tips](https://media.mailhop.org/phishprotection/images/2024/09/phishing-prevention-tips-7689.jpg) ### Getting into the details The FBI and the CISA are working closely on**Fox Kitten cyberattacks**. They have warned against Fox Kitten’s advances as an attempt to gain deeper access to ‘victim networks’ in order to facilitate ransomware attacks in the near future. Danesh Novin Sahand, an Iranian company, is the prime suspect at the moment. Both the[FBI](https://www.fbi.gov/investigate/cyber)and CISA believe that the Fox Kitten threat group operates and carries out their day-to-day cyber activities under the cover of Danesh Novin Sahand . Different cybersecurity groups have been keeping tabs on Fox Kitten’s activities and labeling the**threat group with different names**, such as UC757, Pioneer Kitten, Rubidium, Lemon Sandstorm, and Parisite. ![Anti phishing service](https://media.mailhop.org/phishprotection/images/2024/09/anti-phishing-service-0321.jpg) [Crowdstrike](https://www.crowdstrike.com/blog/who-is-pioneer-kitten/)believes that Fox Kitten started operating in 2017. In 2020, it grabbed attention when Crowdstrike noticed Fox Kitten’s attempts to sell out compromised networks on **underground forums** . At that time, it was not clear if Iran was involved in this activity. Then, in 2021,[Microsoft](https://www.darkreading.com/threat-intelligence/cyber-conflict-between-us-and-iran-heats-up)pin-pointed Fox Kitten as one of the**leading state-backed** [cyber threat](/advanced-threat-protection/4-common-cyber-threats-business-face-2022)groups. As per the findings of the CISA and the FBI, Fox Kitten has joined hands with multiple[ransomware](https://therecord.media/agencies-warn-against-ransomhub-group)strain operators like**Ransomhouse, NoEscape, and ALPHV**. The core idea is to provide the former with access to vulnerable or compromised networks and earn a certain percentage on collected ransoms . In several instances, Fox Kitten has worked together with ransomware affiliates to exploit victim networks and create strategies for ransom extortion . ### Ongoing threat campaigns against the USA > “Zero-day phishing URLs have an average lifespan of just 12 hours before they’re added to blocklists. During that window, traditional signature-based filters are blind. Our real-time behavioral analysis catches these threats by pattern, not by signature - which is how we detect attacks that no database has seen yet.” - **Adam Lundrigan**, CTO, DuoCircle At present, the Fox Kitten threat group is aiming at exploiting[VPN device vulnerabilities](https://www.techtarget.com/searchsecurity/news/366602396/Akamai-warns-enterprises-that-VPN-attacks-will-only-increase). The**ultimate game**plan of the threat group is to collect[login credentials](/phishing-awareness/what-is-credential-stuffing-attack-and-why-paramount-protect-your-organization), come up with rogue accounts, implement Web shells, load malware, and so on. Certain organizations haven’t yet come up with the right remedies to fix these vulnerabilities, and that’s exactly why Fox Kitten is conveniently carrying out its \_ **_attacking campaigns_**. It is the need of the hour for**global organizations**to start taking cybersecurity seriously. In view of the current situation, all US-based organizations must fix their[network vulnerabilities](https://www.bleepingcomputer.com/news/security/versa-fixes-director-zero-day-vulnerability-exploited-in-attacks/)and strengthen their[phishing protection](/)as soon as possible. Additionally, adding multiple layers of cybersecurity , backed by regular cybersecurity training sessions for employees, will be beneficial in the long run. ## Topics [ Cybersecurity ](/tags/cybersecurity/) ![Brad Slavin](https://media.mailhop.org/phishprotection/images/authors/brad-slavin.jpg) [ Brad Slavin ](/authors/brad-slavin/) General Manager Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base. [LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) ## Protect your inbox from phishing attacks Real-time email security with 60-day free trial. No credit card required. [Start Free Trial](https://portal.duocircle.com/cart.php?a=add&pid=101&brand=phishprotection) [View Pricing](/pricing/) ## Related Articles [ Intermediate 3m 13,000 Singapore-based students affected as a threat actor hacked into their devices! Aug 16, 2024 ](/blog/13000-singapore-based-students-affected-as-a-threat-actor-hacked-into-their-devices/)[ Intermediate 3m The 2024 Multi-Nation Elections Need to Steer Clear of Highly Potent Cyber Menaces May 9, 2024 ](/blog/2024-multi-nation-elections-cyber-threats-stay-vigilant/)[ Intermediate 6m 7 Commonly Overlooked But Crucial Security Threats That You Might be Ignoring Feb 6, 2023 ](/blog/7-commonly-overlooked-but-crucial-security-threats-that-you-might-be-ignoring/)[ Intermediate 17m 9+ Cybersecurity Software Solutions For Businesses To Use May 30, 2022 ](/blog/9-cybersecurity-software-solutions-businesses/) ```json {"@context":"https://schema.org","@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com","logo":{"@type":"ImageObject","url":"https://phishprotection.com/images/phishprotection-logo.png"},"description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://github.com/duocircle"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://phishprotection.com/contact/"},"knowsAbout":["Phishing Protection","Email Security","Anti-Phishing","Business Email Compromise","Ransomware Protection","Time of Click Protection","Office 365 Email Security","Advanced Threat Defense"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"Phish Protection","url":"https://phishprotection.com","description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","publisher":{"@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com","logo":{"@type":"ImageObject","url":"https://phishprotection.com/images/phishprotection-logo.png"},"description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}} ``` ```json {"@context":"https://schema.org","@type":"BlogPosting","headline":"Iran sponsored ‘Fox Kitten’ threat group targeting vital US organizations for ransomware attacks","description":"Iran sponsored 'Fox Kitten’ threat group targeting vital US organizations for ransomware attacks: The Fox Kitten threat group is creating ripples in.","url":"https://phishprotection.com/blog/iran-sponsored-fox-kitten-threat-group-targeting-vital-us-organizations/","datePublished":"2024-09-04T08:52:32.000Z","dateModified":"2026-04-17T15:43:10.000Z","dateCreated":"2024-09-04T08:52:32.000Z","author":{"@type":"Person","@id":"https://phishprotection.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://phishprotection.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/phishprotection/images/authors/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com","logo":{"@type":"ImageObject","url":"https://phishprotection.com/images/phishprotection-logo.png"},"description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://github.com/duocircle"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://phishprotection.com/contact/"},"knowsAbout":["Phishing Protection","Email Security","Anti-Phishing","Business Email Compromise","Ransomware Protection","Time of Click Protection","Office 365 Email Security","Advanced Threat Defense"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://phishprotection.com/blog/iran-sponsored-fox-kitten-threat-group-targeting-vital-us-organizations/"},"articleSection":"intermediate","keywords":"Cybersecurity","wordCount":587,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/phishprotection/images/2024/09/phishing-prevention-tips-7689.jpg","caption":"Phish Protection blog post image","width":1200,"height":630},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}} ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://phishprotection.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://phishprotection.com/blog/"},{"@type":"ListItem","position":3,"name":"Intermediate","item":"https://phishprotection.com/intermediate/"},{"@type":"ListItem","position":4,"name":"Iran sponsored ‘Fox Kitten’ threat group targeting vital US organizations for ransomware attacks","item":"https://phishprotection.com/blog/iran-sponsored-fox-kitten-threat-group-targeting-vital-us-organizations/"}]} ```