{
	"id": "bf1effc8-ae3d-4469-9f9f-18b098cf82d5",
	"created_at": "2026-04-06T00:11:01.776131Z",
	"updated_at": "2026-04-10T03:33:23.731664Z",
	"deleted_at": null,
	"sha1_hash": "81c038a629e66fcf7b3cd097c863e017bcb919d3",
	"title": "IMPERIAL KITTEN Deploys Novel Malware Families",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 140755,
	"plain_text": "IMPERIAL KITTEN Deploys Novel Malware Families\r\nBy Counter Adversary Operations\r\nArchived: 2026-04-05 13:34:50 UTC\r\nCrowdStrike Counter Adversary Operations has been investigating a series of cyberattacks and strategic web\r\ncompromise (SWC) operations targeting organizations in the transportation, logistics and technology sectors that\r\noccurred in October 2023. Based on a detailed examination of the malicious tooling used in these attacks, along\r\nwith additional reporting and industry reports, CrowdStrike Intelligence attributes this activity to the IMPERIAL\r\nKITTEN adversary.\r\nTune in to today’s episode of the Adversary Universe podcast, “Iran’s Rise from Nascent Threat Actor to Global\r\nAdversary” and learn about the history of cyber threat activity linked to Iran.\r\nCrowdStrike Intelligence collection has identified that contemporary IMPERIAL KITTEN intrusion chains\r\nleverage the following tactics, techniques and procedures:\r\nUse of public scanning tools, one-day exploits, SQL injection and stolen VPN credentials for initial access\r\nUse of scanning tools, PAExec and credential theft for lateral movement\r\nData exfiltration by leveraging custom and open source malware to target Middle Eastern entities\r\nCrowdStrike Intelligence analyzed several malware samples associated with IMPERIAL KITTEN activity,\r\nincluding:\r\nIMAPLoader, which uses email for command and control (C2)\r\nA similar sample named StandardKeyboard\r\nA malware sample that uses Discord for C2\r\nA Python generic reverse shell delivered via a macro-enabled Excel sheet\r\nThis next-stage tooling indicates IMPERIAL KITTEN continues to use email-based C2 mechanisms, similar to\r\nthose used in their Liderc malware family.\r\nInside IMPERIAL KITTEN’s Activity\r\nIMPERIAL KITTEN is an Iran-nexus adversary with a suspected connection to the Islamic Revolutionary Guard\r\nCorps (IRGC). 
The adversary, active since at least 2017, likely fulfills Iranian strategic intelligence requirements\r\nassociated with IRGC operations. Its activity is characterized by its use of social engineering, particularly job\r\nrecruitment-themed content, to deliver custom .NET-based implants. Historically, IMPERIAL KITTEN has\r\ntargeted industries including defense, technology, telecommunications, maritime, energy, and consulting and\r\nprofessional services.\r\nBetween early 2022 and 2023, CrowdStrike Intelligence observed IMPERIAL KITTEN conduct SWC operations\r\nwith a focus on targeting organizations in the transportation, logistics and technology sectors. In a SWC, the\r\nhttps://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/\r\nPage 1 of 9\n\nadversary attempts to compromise victims based on their shared interest by luring them to an adversary-controlled\r\nwebsite.\r\nTo date, a set of adversary-controlled domains has served as redirect locations from compromised\r\n(primarily Israeli) websites, as well as locations where information collected to profile visitor systems is sent.\r\nEarly 2022 SWC domains used the Matomo analytics service1 to profile users who visited the compromised\r\nIsraeli websites. Later iterations of SWC domains use a custom script to profile the visitor by collecting their\r\nbrowser information and IP address, which is then sent to a hardcoded domain. 
Previously reported activity\r\ntargeted organizations in the Israeli maritime, transportation and technology sectors.\r\nIndustry and CrowdStrike Intelligence collection reporting have described a malware family tracked as\r\nIMAPLoader, which is the final payload of the SWC operations. An analysis of IMPERIAL KITTEN’s campaigns,\r\nincluding the use of IMAPLoader and additional malware families, is below.\r\nInitial Access\r\nIndustry reporting indicates in some instances, the adversary directly serves malware to victims from the SWC.2\r\nConsistent with prior CrowdStrike reporting on credential stealers from 2021, there is some evidence that\r\nIMPERIAL KITTEN targets organizations, such as upstream IT service providers, in order to identify and gain\r\naccess to targets that are of primary interest for data exfiltration.\r\nThere is also evidence indicating their initial access vectors consist of:\r\nUse of public one-day exploits\r\nUse of stolen credentials to access VPN appliances\r\nSQL injection\r\nUse of publicly available scanning tools, such as nmap\r\nUse of phishing to deliver malicious documents\r\nAll assessments around initial access methods not previously documented in connection with IMPERIAL\r\nKITTEN activity carry low confidence based on uncorroborated single-source reporting.\r\nhttps://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/\r\nPage 2 of 9\n\nPhishing\r\nIMPERIAL KITTEN’s phishing operations reportedly include the use of malicious Microsoft Excel documents.\r\nWhile the sample mentioned in October 2023 industry reporting is not publicly available, CrowdStrike\r\nIntelligence acquired a similar version of the delivery document.\r\nThe lure is a macro-enabled Excel sheet, likely created in late 2023 (SHA256 hash:\r\nb588058e831d3a8a6c5983b30fc8d8aa5a711b5dfe9a7e816fe0307567073aed ).\r\nOnce the victim opens the file and enables macros, the document extracts the files runable.bat , tool.bat , and\r\ncln.tmp , 
and a copy of the Python 3.11 interpreter to the system’s %temp% directory. The batch files create\r\npersistence via the registry Run key named StandardPS2Key , and run the main Python payload SHA256 hash:\r\ncc7120942edde86e480a961fceff66783e71958684ad1307ffbe0e97070fd4fd in 20-second intervals.\r\nThe Python payload is a simple reverse shell that connects to a hardcoded IP address on TCP port 6443. The shell\r\nsends a predefined challenge GUID ( 3d7105f6-7ca1-4557-b48e-6b4c70ee55a6 ) and expects the C2 to respond\r\nwith a separate GUID ( fdee81e1-b00f-4a73-ae48-4a0ee5dee49a ) for authentication. The malware then reads\r\ncommands in a loop, executes them and returns the result. The analyzed version supports the following\r\ncommands:\r\ncd (change working directory)\r\nrun (start subprocess with command)\r\nset timer to (change beacon interval)\r\nThe analyzed sample was configured with x.x.x.x as the C2 server. This is not valid and will result in an error\r\n— it is likely the result of a test build or third-party modification.\r\nLateral Movement\r\nThere is information to suggest IMPERIAL KITTEN achieves lateral movement through the use of PAExec (the\r\nopen-source PsExec alternative) and NetScan, and uses ProcDump to dump the LSASS process memory for\r\ncredential harvesting. Lastly, IMPERIAL KITTEN likely deploys custom malware or open source tooling, such as\r\nMeshAgent,3 for data exfiltration. These assessments are made with low confidence as they rely on single,\r\nuncorroborated source reporting.\r\nAdversary Tooling\r\nIMPERIAL KITTEN operations reportedly leverage multiple tools, including custom implants; IMAPLoader and\r\nStandardKeyboard, which both use email for C2; and a remote access tool (RAT), which uses Discord for C2.\r\nIMAPLoader is a malware family distributed as a dynamic link library (DLL) to be loaded via\r\nAppDomainManager injection.4 It uses email for C2 and is configured via static email addresses embedded in the\r\nmalware. 
Typographical errors in embedded folder names and log messages indicate the author is likely not a\r\nnative English speaker. While timestamps are not available in most samples, the oldest version was first observed\r\nin the wild on September 1, 2022.\r\nTable 1 gives an overview of the available samples and configured C2 email addresses. All of them share the same\r\nfunctionality, although the last sample (SHA256 hash:\r\n32c40964f75c3e7b81596d421b5cefd0ac328e01370d0721d7bfac86a2e98827 ) differs in naming of the IMAP folders\r\nand has only one configured C2 address, indicating it is possibly a development version.\r\nThe malware disguises itself as StreamingUX Updater and persists through a scheduled task of that name. It\r\nconnects to imap.yandex\u003c.\u003ecom over TLS and uses the built-in .NET IMAP library to create two folders for C2,\r\nprefixed with a randomly generated UUID (including a typographical error):\r\n\u003cUUID\u003e-Recive\r\n\u003cUUID\u003e-Send\r\nIMAPLoader uses attachments in email messages to receive tasking and send replies. 
It hardcodes creation and\r\nmodification dates of the attachment to 2018-12-05 and 2019-04-05, respectively.\r\nHash SHA256 C2 Email\r\n989373f2d295ba1b8750fee7cdc54820aa0cb42321cec269271f0020fa5ea006\r\nleviblum@yandex\u003c.\u003ecom\r\nbrodyheywood@yandex\u003c.\u003ecom\r\nfa54988c11aa1109ff64a2ab7a7e0eeec8e4635e96f6c30950f4fbdcd2bba336\r\njustin.w0od@yandex\u003c.\u003ecom\r\nn0ah.harrison@yandex\u003c.\u003ecom\r\n5c945a2be61f1f86da618a6225bc9d84f05f2c836b8432415ff5cc13534cfe2e\r\ngiorgosgreen@yandex\u003c.\u003ecom\r\noliv.morris@yandex\u003c.\u003ecom\r\n87ccd1c15adc9ba952a07cd89295e0411b72cd4653b168f9b3f26c7a88d19b91\r\nharri5on.patricia@yandex\u003c.\u003ecom\r\nd3nisharris@yandex\u003c.\u003ecom\r\n32c40964f75c3e7b81596d421b5cefd0ac328e01370d0721d7bfac86a2e98827 hardi.lorel@yandex\u003c.\u003ecom\r\nTable 1. IMAPLoader samples and C2 email addresses\r\nIndustry reporting also noted IMPERIAL KITTEN deploys a malware family named StandardKeyboard ,\r\n5\r\n which\r\nshares similarities with the IMAPLoader malware family. StandardKeyboard also uses email for C2\r\ncommunication, and the malicious code uses the same open source .NET library for communicating with IMAP\r\nservers.6 Unlike IMAPLoader, this malware persists on the infected machine as a Windows Service\r\nnamed  Keyboard Service , created by the malicious .NET executable WindowsServiceLive.exe (SHA256 hash:\r\nd3677394cb45b0eb7a7f563d2032088a8a10e12048ad74bae5fd9482f0aead01 ). StandardKeyboard’s main purpose is\r\nto execute Base64-encoded commands received in the email body. The results will be sent to the following email\r\naddresses:\r\nitdep\u003c@\u003eupdate-platform-check\u003c.\u003eonline\r\noffice\u003c@\u003eupdate-platform-check\u003c.\u003eonline\r\nhttps://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/\r\nPage 4 of 9\n\nThe email subject contains the MAC address of the infected machine prepended by “From: ”. 
The body of the\r\nemail contains Base64-encoded information listed in Figure 1, followed by the string Sender: \u003cMAC Address\u003e .\r\n***Order: \u003ccommand\u003e\r\n***Time: \u003cunused integer value\u003e\r\n***Response: \u003ccommand output\u003e\r\n***Exit: \u003ccommand exit code\u003e\r\n***At: \u003cattachment\u003e\r\nFigure 1. Data sent to the C2 after command execution\r\nBefore initiating the email communication with the C2, StandardKeyboard verifies the availability of internet\r\nconnection by contacting Google DNS using ICMP and sending the string hi there .\r\nFinally, CrowdStrike Intelligence collection identified another related malware family, posing as a CV creator that\r\nuses a company in the logistics sector as a lure (SHA256 hash:\r\n1605b2aa6a911debf26b58fd3fa467766e215751377d4f746189566067dd5929 ). The malware is heavily obfuscated\r\nand drops an embedded payload after multiple stages of decryption and deobfuscation. It establishes persistence\r\nthrough a scheduled task named Windows\\System\\System .\r\nThe final stage (SHA256 hash:\r\n3bba5e32f142ed1c2f9d763765e9395db5e42afe8d0a4a372f1f429118b71446 ) uses Discord for C2 and is most likely\r\nrelated to a phishing campaign observed in March 2022. It contains a rare prefix in its PDB path field of the PE\r\nheader, which, aside from this sample, is only present in samples of IMAPLoader in CrowdStrike holdings.\r\nAssessment\r\nCrowdStrike Intelligence attributes the above activity, including the use of SWC and IMAPLoader and related\r\nmalware families, to the IMPERIAL KITTEN adversary. 
This assessment, made with moderate confidence, is\r\nbased on:\r\nThe continued use of previously reported SWC infrastructure\r\nThe continued use of email-based C2 and Yandex email addresses for C2\r\nOverlaps between IMAPLoader and the industry-reported SUGARDUMP malware family that targeted\r\nIsrael-based transportation sector organizations in 20227\r\nContinued focus on targeting Israeli organizations in the transportation, maritime and technology sectors,\r\nwhich is consistent with the adversary’s target scope\r\nUse of job-themed decoy and lure content used in their malware operations\r\nCrowdStrike Intelligence attributes the described initial access and post-exploitation methods to IMPERIAL\r\nKITTEN with low confidence. This assessment carries low confidence as it is based on single-source reporting\r\nthat has not been corroborated.\r\nMITRE ATT\u0026CK\r\nhttps://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/\r\nPage 5 of 9\n\nTactic Technique Observable\r\nReconnaissance\r\nT1590.005 - Gather Victim Network\r\nInformation: IP Addresses\r\nIMAPLoader beacons the victims public IP\r\naddress obtained via a web service\r\nResource\r\nDevelopment\r\nT1584.006 - Compromise\r\nInfrastructure: Web Services\r\nIMPERIAL KITTEN SWC is mostly based on\r\ncompromised websites\r\nInitial Access T1189 - Drive-by Compromise\r\nIMPERIAL KITTEN distributes malware\r\nthrough SWC\r\nExecution\r\nT1059.003 - Command and Scripting\r\nInterpreter: Windows Command\r\nShell\r\nIMAPLoader collects system information via\r\ncmd.exe scripts\r\nT1059.005 - Command and Scripting\r\nInterpreter: Visual Basic\r\nIMPERIAL KITTEN installs Python\r\nbackconnect shell via malicious visual basic\r\nscripts in Excel documents\r\nT1059.006 - Command and Scripting\r\nInterpreter: Python\r\nMalicious Excel documents drop Python-based\r\nbackconnect shell\r\nPersistence\r\nT1037.005 - Boot or Logon\r\nInitialization Scripts: Startup Items\r\nIMAPLoader persists 
through the registry Run\r\nkey\r\nDefense Evasion\r\nT1055 - Process Injection\r\nIMAPLoader executes via\r\nAppDomainManager injection\r\nT1140 - Deobfuscate/Decode Files\r\nor Information\r\nIMAPLoader and SUGARRUSH obfuscate C2\r\naddresses via integer arrays\r\nDiscovery\r\nT1518.001 - Software Discovery:\r\nSecurity Software Discovery\r\nIMAPLoader enumerates installed antivirus\r\nsoftware\r\nCollection T1005 - Data from Local System\r\nIMAPLoader beacons local system\r\nconfiguration and username to C2\r\nCommand and\r\nControl\r\nT1071.003 - Application Layer\r\nProtocol: Mail Protocols\r\nIMAPLoader, StandardKeyboard and\r\nSUGARRUSH utilize email for C2\r\nT1095 - Non-Application Layer\r\nProtocol\r\nThe Python-based backconnect shell relies on\r\nraw sockets for communication\r\nExfiltration\r\nT1041 - Exfiltration Over C2\r\nChannel\r\nAll malware in this report exfiltrate data\r\ndirectly over the C2 protocol\r\nTable 2. Mapping to the MITRE ATT\u0026CK® framework\r\nhttps://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/\r\nPage 6 of 9\n\nAppendix: IMPERIAL KITTEN Infrastructure\r\nVirtual private server VPS infrastructure recently associated with IMPERIAL KITTEN tooling is included in\r\nTable 3. 
CrowdStrike Intelligence currently attributes this infrastructure to IMPERIAL KITTEN with low\r\nconfidence based on the aforementioned reporting.\r\nTable 3. IMPERIAL KITTEN infrastructure\r\nFootnotes\r\n1. https://github.com/matomo-org/matomo\r\n2. https\u003c:\u003e//www.pwc\u003c.\u003ecom/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html\r\n3. 
https\u003c:\u003e//github\u003c.\u003ecom/Ylianst/MeshAgent\r\n4. https\u003c:\u003e//pentestlaboratories\u003c.\u003ecom/2020/05/26/appdomainmanager-injection-and-detection/\r\n5. https\u003c:\u003e//www.pwc\u003c.\u003ecom/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html\r\n6. https\u003c:\u003e//github\u003c.\u003ecom/smiley22/S22.Imap\r\n7. https://www.mandiant\u003c.\u003ecom/resources/blog/suspected-iranian-actor-targeting-israeli-shipping\r\nAdditional Resources\r\nLearn more about IMPERIAL KITTEN and the adversaries targeting your business in the CrowdStrike\r\nAdversary Universe.\r\nDid you know? CrowdStrike publishes thousands of intelligence reports similar to this each year. Learn\r\nabout our threat intelligence and hunting subscriptions.\r\nRead more about adversaries and their tactics, techniques and procedures in the CrowdStrike 2023 Global\r\nThreat Report and in the CrowdStrike 2023 Threat Hunting Report.\r\nWatch this demo to see CrowdStrike Falcon® Intelligence in action.\r\nExperience how the industry-leading CrowdStrike Falcon® platform protects against modern threats. Start\r\nyour 15-day free trial today.\r\nSource: https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/"
	],
	"report_names": [
		"imperial-kitten-deploys-novel-malware-families"
	],
	"threat_actors": [
		{
			"id": "ad78338e-8bb6-4745-acae-27d3cc3cf76d",
			"created_at": "2023-11-17T02:00:07.580677Z",
			"updated_at": "2026-04-10T02:00:03.452097Z",
			"deleted_at": null,
			"main_name": "Bohrium",
			"aliases": [
				"BOHRIUM",
				"IMPERIAL KITTEN",
				"Smoke Sandstorm"
			],
			"source_name": "MISPGALAXY:Bohrium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "84a3dd71-1d65-4997-80fc-7fbe55b267f2",
			"created_at": "2023-04-26T02:03:02.969306Z",
			"updated_at": "2026-04-10T02:00:05.341127Z",
			"deleted_at": null,
			"main_name": "CURIUM",
			"aliases": [
				"CURIUM",
				"Crimson Sandstorm",
				"TA456",
				"Tortoise Shell",
				"Yellow Liderc"
			],
			"source_name": "MITRE:CURIUM",
			"tools": [
				"IMAPLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00",
			"created_at": "2022-10-25T16:07:24.337332Z",
			"updated_at": "2026-04-10T02:00:04.94285Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Cobalt Fireside",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Curium",
				"Devious Serpens",
				"Houseblend",
				"Imperial Kitten",
				"Marcella Flores",
				"Operation Fata Morgana",
				"TA456",
				"Yellow Liderc"
			],
			"source_name": "ETDA:Tortoiseshell",
			"tools": [
				"IMAPLoader",
				"Infostealer",
				"IvizTech",
				"LEMPO",
				"MANGOPUNCH",
				"SysKit",
				"get-logon-history.ps1",
				"liderc",
				"stereoversioncontrol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47",
			"created_at": "2025-08-07T02:03:24.726943Z",
			"updated_at": "2026-04-10T02:00:03.805423Z",
			"deleted_at": null,
			"main_name": "COBALT FIRESIDE",
			"aliases": [
				"CURIUM ",
				"Crimson Sandstorm ",
				"Cuboid Sandstorm ",
				"DEV-0228 ",
				"HIVE0095 ",
				"Imperial Kitten ",
				"TA456 ",
				"Tortoiseshell ",
				"UNC3890 ",
				"Yellow Liderc "
			],
			"source_name": "Secureworks:COBALT FIRESIDE",
			"tools": [
				"FireBAK",
				"LEMPO",
				"LiderBird"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434261,
	"ts_updated_at": 1775792003,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/81c038a629e66fcf7b3cd097c863e017bcb919d3.pdf",
		"text": "https://archive.orkl.eu/81c038a629e66fcf7b3cd097c863e017bcb919d3.txt",
		"img": "https://archive.orkl.eu/81c038a629e66fcf7b3cd097c863e017bcb919d3.jpg"
	}
}