Tortoiseshell, Imperial Kitten - Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 20:34:36 UTC

APT group: Tortoiseshell, Imperial Kitten

Names:
  Tortoiseshell (Symantec)
  Imperial Kitten (CrowdStrike)
  TA456 (Proofpoint)
  Curium (Microsoft)
  Marcella Flores (self given)
  Houseblend (?)
  Crimson Sandstorm (Microsoft)
  Cuboid Sandstorm (Microsoft)
  Yellow Liderc (PWC)
  Devious Serpens (Palo Alto)
  Cobalt Fireside (SecureWorks)

Country: Iran

Sponsor: State-sponsored, Islamic Revolutionary Guard Corps (IRGC)

Motivation: Information theft and espionage

First seen: 2018

Description:
(Symantec) A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers.

The group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.

Overlap has been found with Magic Hound’s Subgroup: TA455, Smoke Sandstorm.

Observed:
  Sectors: Aerospace, Defense, IT, Shipping and Logistics, Maritime and Shipbuilding.
  Countries: Saudi Arabia, UAE, USA and Middle East.

Tools used: get-logon-history.ps1, IMAPLoader, Infostealer, LEMPO, liderc, SysKit.

Operations performed:
  Sep 2019: Cisco Talos recently discovered a threat actor attempting to take advantage of Americans who may be seeking a job, especially military veterans.
  Nov 2020: I Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona
  2022: Yellow Liderc ships its scripts and delivers IMAPLoader malware
  May 2023: Operation “Fata Morgana”
    Fata Morgana: Watering hole attack on shipping and logistics websites
  Oct 2023: IMPERIAL KITTEN Deploys Novel Malware Families in Middle East-Focused Operations

Counter operations:
  Jul 2021: Taking Action Against Hackers in Iran

Information:
  Last change to this card: 28 June 2025

Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8e5c68c0-c16a-4d8f-8829-14d27ab8cd32