Threat Intelligence Tarot
Vol. II · 96
Iran (IRGC - contractor network)
G0117 · ★★★★★
risk 4/5
✦ The Gate Merchant ✦
Pioneer Kitten
Fox Kitten · UNC757 · Parisite · RUBIDIUM
Government · Defense · Technology · Healthcare · US and Israeli organizations
Active since ~2017 · Espionage, Access brokering, Ransomware facilitation
The Gate Merchant does not desire what lies beyond the door but the door itself, selling access to the highest bidder while collecting intelligence for state patrons. It operates at the intersection of crime and espionage.
Tactics & Techniques
RCN (Reconnaissance) · RDV (Resource Development) · INI (Initial Access) · EXC (Execution) · PRS (Persistence) · PRV (Privilege Escalation) · EVA (Defense Evasion) · CRD (Credential Access) · DSC (Discovery) · LAT (Lateral Movement) · COL (Collection) · C2 (Command and Control) · EXF (Exfiltration) · IMP (Impact)
Notable Operations
- Mass VPN exploitation campaign (Pulse Secure, Fortinet, Citrix; 2019-2020)
- Collaboration with ransomware affiliates for revenue sharing
- FBI/CISA advisory on US election infrastructure targeting
- Israeli critical infrastructure attacks
Defenses
- Emergency patching process for remote access appliances (VPN, Citrix, Pulse) within 48 hours of a critical CVE (CIS Control 7)
- Phishing-resistant MFA on all VPN and remote access authentication (NIST CSF: PR.AC)
- Network traffic anomaly detection for lateral movement via RDP (NIST CSF: DE.CM)
- Threat intelligence subscription for known Iran-nexus C2 infrastructure (CIS Control 17)
Reversed: Their Weakness
Its business model depends entirely on unpatched VPN and remote access vulnerabilities. Organizations that patched CVEs within days of the Pulse Secure and Fortinet advisories found no gate for the merchant to sell.
Data sourced from MITRE ATT&CK. For educational purposes.