CURIUM

Active

Also known as: CURIUM, Crimson Sandstorm, TA456, Tortoise Shell, Yellow Liderc

🌍

Other

Active Since

2023

MITRE ID

G1012

Techniques

[CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East.(Citation: Symantec Tortoiseshell 2019) [CURIUM](https://attack.mitre.org/groups/G1012) has since invested in building relationships with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://attack.mitre.org/groups/G1012) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)

MITRE ATT&CK Techniques

Recon1

T1598.003Spearphishing Link

Resource7

T1583.001Domains

T1608.004Drive-by Target

T1585.002Email Accounts

T1583.004Server

T1585.001Social Media Accounts

T1583.003Virtual Private Server

T1584.006Web Services

Initial3

T1189Drive-by Compromise

T1566.001Spearphishing Attachment

T1566.003Spearphishing via Service

Exec2

T1204.002Malicious File

T1059.001PowerShell

Persist1

T1505.003Web Shell

PrivEsc0

Defense0

Creds0

Discovery2

T1082System Information Discovery

T1124System Time Discovery

Lateral0

Collect1

T1005Data from Local System

C20

Exfil2

T1048.002Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

T1041Exfiltration Over C2 Channel

Impact0

Known Victims

live · just now

No victims recorded in ransomware.live for this group.