📃Title: Fox Kitten – Widespread Iranian Espionage-Offensive Campaign
📅Date: 2020-02-16
🔗References:
- https://www.clearskysec.com/fox-kitten/
- https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: TA-profile
- target: targeted
- MY-relevancy: relevant
🔖MISP Galaxies:
- threat-actor="Fox-Kitten"
- target-information="Australia"
- target-information="Austria"
- target-information="Finland"
- target-information="France"
- target-information="Germany"
- target-information="Hungary"
- target-information="Israel"
- target-information="Italy"
- target-information="Kuwait"
- target-information="Lebanon"
- target-information="Malaysia"
- target-information="Poland"
- target-information="Saudi Arabia"
- target-information="United Arab Emirates"
- target-information="United States"
- malpedia="JuicyPotato"
- mitre-enterprise-attack-tool="Mimikatz - S0002"
- mitre-tool="Mimikatz - S0002"
- country="iran"
- mitre-attack-pattern=['T1136', 'T1081', 'T1094', 'T1002', 'T1074', 'T1068', 'T1133', 'T1105', 'T1046', 'T1075', 'T1086', 'T1090', 'T1076', 'T1021', 'T1064', 'T1065', 'T1102', 'T1100', 'T1059', 'T1003']
MISP event uuid: 7463105c-9e41-4f9e-af45-eab5b7b3ef96
Indicators of Compromise (IoCs)
Full IOCs available in Rectifyq’s MISP