CURIUM
Aliases: Crimson Sandstorm, TA456, Tortoise Shell, Yellow Liderc
CURIUM is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East. CURIUM has since invested in building relationships with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note CURIUM has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.
ATT&CK techniques
T1566.003 Spearphishing via Service
T1505.003 Web Shell
T1204.002 Malicious File
T1584.006 Web Services
T1583.003 Virtual Private Server
T1082 System Information Discovery
T1608.004 Drive-by Target
T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1005 Data from Local System
T1585.001 Social Media Accounts
T1585.002 Email Accounts
T1124 System Time Discovery
T1598.003 Spearphishing Link
T1189 Drive-by Compromise
T1566.001 Spearphishing Attachment
T1059.001 PowerShell
T1583.001 Domains
T1041 Exfiltration Over C2 Channel
T1583.004 Server
Correlated CTI and IR reports
Imperial Kitten Deploys Novel Malware Families in Middle East-Focused Operations · CrowdStrike · direct source mapping
Yellow Liderc ships its scripts and delivers IMAPLoader malware · PwC · direct source mapping
AI in Offensive Operations: How Threat Actors Use Artificial Intelligence · 1200km CTI repository · explicit report mention
Actor Deep Research Prompts · Israel Threat Actors CTI · explicit report mention
Cyber Threat Intelligence Dossier: Iranian and Hamas-Aligned Operations Targeting Israeli and Allied Ecosystems (2023-2026) · Israel Threat Actors CTI · explicit report mention
Executive Summary · Israel Threat Actors CTI · explicit report mention
Release Notes · Israel Threat Actors CTI · explicit report mention
CURIUM G1012 · MITRE ATT&CK · actor context