{
	"id": "6d7f81c7-8959-4d32-b6f3-4714db6f4cc5",
	"created_at": "2026-04-06T00:15:14.287984Z",
	"updated_at": "2026-04-10T03:33:23.70641Z",
	"deleted_at": null,
	"sha1_hash": "390db92ec9b05eeb3e869524fb8e9d17455a5cb8",
	"title": "TA456's Social Engineering \u0026 Malware Campaigns | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1478434,
	"plain_text": "TA456's Social Engineering \u0026 Malware Campaigns | Proofpoint US\r\nJuly 28, 2021\r\nBy Joshua Miller, Michael Raggi, \u0026 Crista Giering\r\nPublished: 2021-07-23 · Archived: 2026-04-05 13:43:27 UTC\r\nKey Takeaways \r\nTA456, an Iranian state-aligned actor, spent years masquerading as the persona “Marcella Flores” in an\r\nattempt to infect the machine of an employee of an aerospace defense contractor with malware. \r\nThe malware, dubbed by Proofpoint as LEMPO, was designed to establish persistence, perform\r\nreconnaissance, and exfiltrate sensitive information. \r\nTA456 actively targets smaller subsidiaries and contractors in support of efforts to compromise\r\nlarger defense contractors through their supply chain. \r\nWhile targeting defense contractors is not new for TA456, this campaign uniquely establishes the group as\r\none of the most determined Iranian-aligned threat actors tracked by Proofpoint because of its significant\r\nuse of social engineering, cross-platform communication, and general persistence. \r\nOverview \r\nProofpoint researchers have identified a years-long social engineering and targeted malware campaign by the\r\nIranian state-aligned threat actor TA456. Using the social media persona “Marcella Flores,” TA456 built a\r\nrelationship across corporate and personal communication platforms with an employee of a small subsidiary of\r\nan aerospace defense contractor. In early June 2021, the threat actor attempted to capitalize on this relationship by\r\nsending the target malware via an ongoing email communication chain. Designed to conduct reconnaissance on\r\nthe target’s machine, the macro-laden document contained personalized content and demonstrated the importance\r\nTA456 placed on the target. 
Once the malware, which is an updated version of Liderc that Proofpoint has dubbed\r\nLEMPO, establishes persistence, it can perform reconnaissance on the infected machine, save the reconnaissance\r\ndetails to the host, exfiltrate sensitive information to an actor-controlled email account via SMTPS, and then\r\ncover its tracks by deleting that day’s host artifacts.  \r\nThis campaign exemplifies the persistent nature of certain state-aligned threats and the human engagement they\r\nare willing to conduct in support of espionage operations. In mid-July, Facebook disrupted a network\r\nof similar personas that it attributed to Tortoiseshell. Both LEMPO, whose delivery Proofpoint disrupted,\r\nand the network of personas are attributed to TA456. This actor is believed to be loosely aligned with the\r\nIslamic Revolutionary Guard Corps (IRGC) via association with the Iranian\r\ncompany Mahak Rayan Afraz (MRA), according to Facebook’s analysis.  \r\nhttps://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media\r\nPage 1 of 7\n\nCampaign Breakdown \r\nProofpoint data shows that over at least eight months, “Marcella (Marcy) Flores” sent TA456’s target\r\nbenign email messages, photographs, and a video to establish her veracity and build rapport with the intended\r\nvictim. At one time, TA456 attempted to send a benign but flirtatious video via a OneDrive URL. In early June, a\r\nTA456 actor self-identified as “Marcy” sent another OneDrive link, this time masquerading as a diet\r\nsurvey (Figure 1).  \r\nFigure 1. The diet survey email sent to the target. \r\nThe OneDrive URL delivered a\r\n.rar file (SHA-256 dfddbd09ccea598c4841f1abbc927f1c661d85d4bd9bcb081f7c811212d8a64a) containing a .xlsm (Figure\r\n2) (SHA-256 612bdfb4f6eaf920a7a41fa06de8d99f6ecf6ad147374efa6eb1d5aff91df558). 
Using previous conversation topics\r\nwith the target, the .xlsm purported to be pandemic diet assistance and requested that the user enable content to\r\naccess the privacy-protected portions of the file. If content is enabled, the macro creates and hides the\r\ndirectory \\Appdata\\Perflog and then writes LEMPO, a very simple but ingenious plaintext stealer written in\r\nVisual Basic Script (VBS), to that directory as Schedule.vbs\r\n(SHA-256 1534f95f49ddf2ada38561705f901e5938470c1678d6a81f0f4177ba7412ef5b). After writing the VBS, the Excel\r\nmacro adds a Run value (HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Schedule /t REG_SZ\r\n/d C:\\Users\\[redacted_username]\\AppData\\Perflog\\Schedule.vbs /f, in reg add syntax) to ensure LEMPO runs at each user logon. \r\n \r\nFigure 2. The diet survey .xlsm file. \r\nThe macro in the Excel document also contains code to connect via HTTP POST to showip[.]net. The response,\r\nalong with the results of \"net use\" and \"netstat -nao\", is stored in a hidden sheet within the .xlsm, reminiscent of\r\nthe technique described in Facebook's July 15th announcement. Proofpoint analysts assess this may indicate code\r\npartially remaining from an earlier iteration of the tool that preceded LEMPO, or a desire for redundancy in\r\nTA456's reconnaissance tooling. \r\nLEMPO \r\nThe LEMPO reconnaissance tool is a Visual Basic Script dropped by an Excel macro. Leveraging built-in\r\nWindows commands, it enumerates the host in a variety of ways, records the collected data and then exfiltrates the\r\nintelligence to an actor-controlled email account using Microsoft’s Collaboration Data Objects (CDO).\r\nCDO, previously known as OLE Messaging or Active Messaging, is an application programming interface\r\nincluded with Microsoft Windows and Microsoft Exchange Server products. 
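The chain just described (an Office macro writing a script under AppData, a Run value pointing at it, the script host driving built-in recon commands, then SMTPS exfiltration) leaves a distinctive telemetry footprint. The following Python correlator is an added example, not Proofpoint's code and not part of the original post: it maps constructed Sysmon-style events onto those four stages and alerts when a host shows more than one of them. The event records, host names (ws01, ws02), user name and stage labels are assumptions for illustration; the field names (Image, TargetFilename, TargetObject, Details, ParentImage, DestinationPort) follow Sysmon's published schema for event IDs 11, 13, 1 and 3.

```python
# Added example, not Proofpoint's code: a small correlator that maps Sysmon-style
# events onto the LEMPO chain described on this page. The events, host names and
# stage labels are constructed for illustration; field names follow Sysmon's schema
# (EventID 11 file create, 13 registry value set, 1 process create, 3 network connect).
import ntpath
import re
from collections import defaultdict

OFFICE_HOSTS = {'excel.exe', 'winword.exe', 'powerpnt.exe'}
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}
# built-in tools LEMPO drives for host and network enumeration (plus findstr for credentials)
RECON_TOOLS = {'net.exe', 'net1.exe', 'netstat.exe', 'tasklist.exe', 'wmic.exe', 'ipconfig.exe',
               'arp.exe', 'tracert.exe', 'findstr.exe', 'powershell.exe', 'nltest.exe'}
SCRIPT_EXT = re.compile(r'\.(vbs|vbe|js|jse|wsf|hta|ps1)\b', re.IGNORECASE)
RUN_VALUE = re.compile(r'currentversion\\run\\[^\\]+$', re.IGNORECASE)
SMTP_PORTS = {25, 465, 587}


def _image(path):
    # ntpath handles Windows separators regardless of the analysis platform
    return ntpath.basename(path).lower()


def lempo_stages(events):
    # Return {host: set(stage labels)} for the stages of the chain seen on each host.
    stages = defaultdict(set)
    for ev in events:
        host, eid, img = ev['Computer'], ev['EventID'], _image(ev.get('Image', ''))
        target = ev.get('TargetFilename', '')
        details = ev.get('Details', '')
        if eid == 11 and img in OFFICE_HOSTS and SCRIPT_EXT.search(target) and 'appdata' in target.lower():
            stages[host].add('office_drops_script')          # macro writes Schedule.vbs under AppData
        elif eid == 13 and RUN_VALUE.search(ev.get('TargetObject', '')) \
                and SCRIPT_EXT.search(details) and 'appdata' in details.lower():
            stages[host].add('run_value_to_appdata_script')  # ...\Run\Schedule -> ...\Perflog\Schedule.vbs
        elif eid == 1 and _image(ev.get('ParentImage', '')) in SCRIPT_HOSTS and img in RECON_TOOLS:
            stages[host].add('script_host_recon')            # wscript.exe spawning net/netstat/findstr/...
        elif eid == 3 and img in SCRIPT_HOSTS and ev.get('DestinationPort') in SMTP_PORTS:
            stages[host].add('script_host_smtp')             # script host talking SMTPS (CDO exfil)
    return stages


def alerts(events, min_stages=2):
    # A single stage is noisy on its own; alert when a host shows at least min_stages of the chain.
    return {h: sorted(s) for h, s in lempo_stages(events).items() if len(s) >= min_stages}


EXCEL = 'C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE'
WSCRIPT = 'C:\\Windows\\System32\\wscript.exe'
VBS = 'C:\\Users\\jdoe\\AppData\\Perflog\\Schedule.vbs'   # hypothetical user name

# Constructed sample telemetry (not data from the campaign): ws01 shows the full chain,
# ws02 only benign look-alikes (an admin running netstat, Outlook on port 465).
SAMPLE_EVENTS = [
    {'EventID': 11, 'Computer': 'ws01', 'Image': EXCEL, 'TargetFilename': VBS},
    {'EventID': 13, 'Computer': 'ws01', 'Image': EXCEL,
     'TargetObject': 'HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Schedule',
     'Details': VBS},
    {'EventID': 1, 'Computer': 'ws01', 'Image': 'C:\\Windows\\System32\\net.exe',
     'ParentImage': WSCRIPT, 'CommandLine': 'net user'},
    {'EventID': 1, 'Computer': 'ws01', 'Image': 'C:\\Windows\\System32\\findstr.exe',
     'ParentImage': WSCRIPT, 'CommandLine': 'findstr /s /i pass *.txt'},
    {'EventID': 3, 'Computer': 'ws01', 'Image': WSCRIPT, 'DestinationPort': 465},
    {'EventID': 1, 'Computer': 'ws02', 'Image': 'C:\\Windows\\System32\\netstat.exe',
     'ParentImage': 'C:\\Windows\\System32\\cmd.exe', 'CommandLine': 'netstat -nao'},
    {'EventID': 3, 'Computer': 'ws02',
     'Image': 'C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE', 'DestinationPort': 465},
]

if __name__ == '__main__':
    for host, seen in alerts(SAMPLE_EVENTS).items():
        print(host, seen)
```

Two caveats when turning this into a production rule: Sysmon only emits event 13 for registry paths covered by its configuration, so the Run key must be in scope, and legitimate logon scripts under AppData or mail clients on port 465 (the ws02 noise above) are exactly why the alert requires more than one stage per host rather than firing on any single match.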
While most of this analysis is based\r\non the sample blocked by Proofpoint\r\n(1534f95f49ddf2ada38561705f901e5938470c1678d6a81f0f4177ba7412ef5b) in June 2021, we also identified a\r\nsimilar sample (da65aa439e90d21b2cf53afef6491e7dcdca19dd1bbec50329d53f3d977ee089) uploaded to a public\r\nmalware repository with an upload date of June 2020.  \r\nReconnaissance \r\nLEMPO collects the following information and records it to %temp%\\Logs.txt: \r\nDate and time \r\nComputer and usernames \r\nSystem information via the WMIC os, sysaccount, environment, and computersystem aliases \r\nAntivirus products listed under the “SecurityCenter2” WMI namespace \r\nDrives \r\nTasklist \r\nSoftware and version \r\nNet users and user details \r\nFollowing the connectivity check, detailed in the next section, LEMPO also writes the following\r\nto %temp%\\Logs.txt: \r\nFirewall rules \r\nList of running processes via PowerShell Get-Process  \r\nIP config \r\nDomain hosts, users, computers, and local groups \r\nTrusted domains \r\nNetwork shares \r\nARP cache \r\nTracert \r\nExternal IP (via showip.net)  \r\nConnections (netstat -nao) \r\nConnectivity \r\nPrior to the network-focused reconnaissance, LEMPO checks connectivity by reaching out to Yandex, Google,\r\nYahoo, GitHub, Mailchimp, Mega, arXiv (an online preprint repository for physics, mathematics, computer science and\r\nrelated fields), and Twitter using ping and curl (Figure 3). The June 2020 version of LEMPO includes only a\r\nconnectivity check to ford[.]com. \r\nFigure 3. \r\nAfter finishing that additional recon, LEMPO moves Logs.txt from %temp% to \\Perflog. 
LEMPO then checks to\r\nensure the registry value previously mentioned has been added and then\r\nuses the findstr command to identify files containing “user,” “pass,” and “vpn.” The findstr command returns any\r\nmatching lines, which could collect usernames and passwords from the computer. Logs.txt is then compressed into\r\nLogs.zip. \r\nExfiltration \r\nLEMPO uses hardcoded credentials with Microsoft’s CDO to exfiltrate the information over SMTPS on port 465.\r\nIn the June 2021 version of LEMPO, TA456 uses the same Yahoo email address to send and receive the exfiltrated\r\ninformation. In the 2020 version of LEMPO, TA456 sent from a Yandex account to a Tutanota email account.\r\nNotably, the Yandex email within the 2020 version of the LEMPO implant masqueraded as a large technology\r\ncompany focused on supporting the energy industry. After exfiltrating the information, LEMPO sleeps for\r\n30 seconds and then deletes both Logs.txt and Logs.zip. \r\nThere’s Something About Marcy \r\n“Marcella (Marcy) Flores” had been conversing with the targeted aerospace employee since at least November 2020\r\nand had been friends with them on social media since at least 2019. Besides the Gmail account used for attempted\r\nmalware delivery, Marcella maintained a now-suspended Facebook profile. \r\nFigure 4. \r\nOpen-source research indicates “Marcella” interacted with TA456’s target on social media starting in late\r\n2019. The earliest publicly available Facebook profile photo of “Marcella” was uploaded on May 30, 2018.\r\nProofpoint’s analysis indicates the profile bears strong similarities to fictitious profiles previously used by Iranian\r\nAPTs to socially engineer targets of intelligence value. 
The “Marcella” profile appeared to be friends with\r\nmultiple individuals who publicly identify as defense contractor employees and who are geographically dispersed\r\nfrom “Marcella’s” alleged location in Liverpool, UK. On July 15, 2021, Facebook announced it had disrupted a\r\nnetwork of Facebook and Instagram personas, including “Marcella’s,” that it attributed to the Iranian-aligned actor.  \r\nTargets \r\nTA456 routinely conducts reconnaissance campaigns disguised as news-related spam that target individuals\r\nemployed by aerospace defense contractors. The targeting of U.S. defense contractors, particularly those\r\nsupporting contracts in the Middle East, is consistent with historical\r\nIranian cyber activity. Additionally, Proofpoint has observed TA456 targeting individuals employed\r\nat multiple subcontractors and subsidiaries of larger defense companies. This is possibly an effort to target\r\nthe primary contractor via less secure downstream component suppliers that share a network environment. Open-source research indicated the individual targeted by “Marcella” in this campaign works as a supply chain manager.\r\nThis is consistent with TA456’s TTP of targeting business and information technology-related individuals within\r\ntheir target organization.  \r\nAttribution \r\nProofpoint attributes this campaign to TA456, an Iranian-aligned adversary focused on espionage efforts\r\nagainst defense industrial base employees and contractors, particularly those supporting efforts in the Middle East.\r\nTA456 overlaps with activity tracked as Tortoiseshell and Imperial Kitten. On July 15, 2021,\r\nFacebook attributed a portion of Tortoiseshell’s activity to Mahak Rayan Afraz (MRA), an Iranian IT\r\ncompany with ties to the IRGC. 
Based on previous malware analysis and historical open-source research,\r\nProofpoint concurs with this attribution.  \r\nAdditionally, LEMPO shares multiple similarities with Tortoiseshell’s Liderc, including extensive machine\r\nreconnaissance, exfiltration via email, hardcoded email addresses with similar formatting, and an overall pattern of\r\ntargeting companies and individuals aligned with the American defense industrial base.  \r\nOutlook \r\nTA456 demonstrated a significant operational investment by cultivating a relationship with a target’s employee\r\nover years in order to deploy LEMPO to conduct reconnaissance into a highly secured target environment within\r\nthe defense industrial base. Facebook’s announcement demonstrated TA456 had established an extensive network\r\nof these personas dedicated to enabling cyberespionage operations. While Proofpoint did not\r\nobserve the delivery of any remote access trojans or command and control channels like TA456’s Syskit, the\r\ninformation potentially gathered by LEMPO could be operationalized in a variety of ways. These include the\r\nutilization of stolen VPN credentials, exploitation of vulnerabilities in the identified software, or the customization\r\nof more advanced malware delivered from “Marcella.” \r\nTA456’s dedication to significant social engineering engagement, benign reconnaissance of targets prior to\r\ndeploying malware, and their cross-platform kill chain establish TA456 as one of the most resourceful Iranian-aligned threats tracked by Proofpoint. The “Marcella Flores” persona is likely not the only one in use by TA456,\r\nmaking it important for those working within or tangentially to the defense industrial base to be vigilant when\r\nengaging with unknown individuals, regardless of whether it is via work or personal accounts.  
\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media"
	],
	"report_names": [
		"i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media"
	],
	"threat_actors": [
		{
			"id": "84a3dd71-1d65-4997-80fc-7fbe55b267f2",
			"created_at": "2023-04-26T02:03:02.969306Z",
			"updated_at": "2026-04-10T02:00:05.341127Z",
			"deleted_at": null,
			"main_name": "CURIUM",
			"aliases": [
				"CURIUM",
				"Crimson Sandstorm",
				"TA456",
				"Tortoise Shell",
				"Yellow Liderc"
			],
			"source_name": "MITRE:CURIUM",
			"tools": [
				"IMAPLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00",
			"created_at": "2022-10-25T16:07:24.337332Z",
			"updated_at": "2026-04-10T02:00:04.94285Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Cobalt Fireside",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Curium",
				"Devious Serpens",
				"Houseblend",
				"Imperial Kitten",
				"Marcella Flores",
				"Operation Fata Morgana",
				"TA456",
				"Yellow Liderc"
			],
			"source_name": "ETDA:Tortoiseshell",
			"tools": [
				"IMAPLoader",
				"Infostealer",
				"IvizTech",
				"LEMPO",
				"MANGOPUNCH",
				"SysKit",
				"get-logon-history.ps1",
				"liderc",
				"stereoversioncontrol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47",
			"created_at": "2025-08-07T02:03:24.726943Z",
			"updated_at": "2026-04-10T02:00:03.805423Z",
			"deleted_at": null,
			"main_name": "COBALT FIRESIDE",
			"aliases": [
				"CURIUM ",
				"Crimson Sandstorm ",
				"Cuboid Sandstorm ",
				"DEV-0228 ",
				"HIVE0095 ",
				"Imperial Kitten ",
				"TA456 ",
				"Tortoiseshell ",
				"UNC3890 ",
				"Yellow Liderc "
			],
			"source_name": "Secureworks:COBALT FIRESIDE",
			"tools": [
				"FireBAK",
				"LEMPO",
				"LiderBird"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434514,
	"ts_updated_at": 1775792003,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/390db92ec9b05eeb3e869524fb8e9d17455a5cb8.pdf",
		"text": "https://archive.orkl.eu/390db92ec9b05eeb3e869524fb8e9d17455a5cb8.txt",
		"img": "https://archive.orkl.eu/390db92ec9b05eeb3e869524fb8e9d17455a5cb8.jpg"
	}
}