Threat Actor Profile
High APT
Description

CURIUM is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East.(Citation: Symantec Tortoiseshell 2019) CURIUM has since invested in building relationships with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note CURIUM has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)

Confidence Score
90%
Known Aliases
CURIUM, Crimson Sandstorm, TA456, Tortoise Shell, Yellow Liderc
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (19)
T1005 - Data from Local System
Collection
T1082 - System Information Discovery
Discovery
T1124 - System Time Discovery
Discovery
T1059.001 - PowerShell
Execution
T1204.002 - Malicious File
Execution
T1041 - Exfiltration Over C2 Channel
Exfiltration
T1048.002 - Exfiltration Over Asymmetric Encrypted …
Exfiltration
T1189 - Drive-by Compromise
Initial Access
T1566.001 - Spearphishing Attachment
Initial Access
T1566.003 - Spearphishing via Service
Initial Access
T1505.003 - Web Shell
Persistence
T1598.003 - Spearphishing Link
Reconnaissance
T1583.001 - Domains
Resource Development
T1583.003 - Virtual Private Server
Resource Development
T1583.004 - Server
Resource Development
T1584.006 - Web Services
Resource Development
T1585.001 - Social Media Accounts
Resource Development
T1585.002 - Email Accounts
Resource Development
T1608.004 - Drive-by Target
Resource Development
STIX Data
{'aliases': ['CURIUM',
             'Crimson Sandstorm',
             'TA456',
             'Tortoise Shell',
             'Yellow Liderc'],
 'created': '2023-01-13T20:51:13.494Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian '
                'threat group, first reported in September 2019 and active '
                'since at least July 2018, targeting IT service providers in '
                'the Middle East.(Citation: Symantec Tortoiseshell 2019) '
                '[CURIUM](https://attack.mitre.org/groups/G1012) has since '
                'invested in building relationships with potential targets via '
                'social media over a period of months to establish trust and '
                'confidence before sending malware. Security researchers note '
                '[CURIUM](https://attack.mitre.org/groups/G1012) has '
                'demonstrated great patience and persistence by chatting with '
                'potential targets daily and sending benign files to help '
                'lower their security consciousness.(Citation: Microsoft '
                'Iranian Threat Actor Trends November 2021)',
 'external_references': [{'external_id': 'G1012',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1012'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'Crimson Sandstorm'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'Tortoise Shell'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)(Citation: '
                                         'Proofpoint TA456 Defense Contractor '
                                         'July 2021)',
                          'source_name': 'TA456'},
                         {'description': '(Citation: PWC Yellow Liderc 2023)',
                          'source_name': 'Yellow Liderc'},
                         {'description': 'Microsoft . (2023, July 12). How '
                                         'Microsoft names threat actors. '
                                         'Retrieved November 17, 2023.',
                          'source_name': 'Microsoft Threat Actor Naming July '
                                         '2023',
                          'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
                         {'description': 'Miller, J. et. al. (2021, July 28). '
                                         'I Knew You Were Trouble: TA456 '
                                         'Targets Defense Contractor with '
                                         'Alluring Social Media Persona. '
                                         'Retrieved March 11, 2024.',
                          'source_name': 'Proofpoint TA456 Defense Contractor '
                                         'July 2021',
                          'url': 'https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media'},
                         {'description': 'MSTIC. (2021, November 16). Evolving '
                                         'trends in Iranian threat actor '
                                         'activity – MSTIC presentation at '
                                         'CyberWarCon 2021. Retrieved January '
                                         '12, 2023.',
                          'source_name': 'Microsoft Iranian Threat Actor '
                                         'Trends November 2021',
                          'url': 'https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021'},
                         {'description': 'PwC Threat Intelligence. (2023, '
                                         'October 25). Yellow Liderc ships its '
                                         'scripts and delivers IMAPLoader '
                                         'malware. Retrieved August 14, 2024.',
                          'source_name': 'PWC Yellow Liderc 2023',
                          'url': 'https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html'},
                         {'description': 'Symantec Threat Hunter Team. (2019, '
                                         'September 18). Tortoiseshell Group '
                                         'Targets IT Providers in Saudi Arabia '
                                         'in Probable Supply Chain Attacks. '
                                         'Retrieved May 20, 2024.',
                          'source_name': 'Symantec Tortoiseshell 2019',
                          'url': 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain'}],
 'id': 'intrusion-set--3ea7add5-5b8f-45d8-b1f1-905d2729d62a',
 'modified': '2024-10-02T12:13:42.278Z',
 'name': 'CURIUM',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Denise Tan', 'Wirapong Petshagun'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '3.0'}