{
	"id": "abac30f6-eb1e-4436-a0da-a45f6c2cd120",
	"created_at": "2026-04-06T00:20:18.477499Z",
	"updated_at": "2026-04-10T13:12:53.543575Z",
	"deleted_at": null,
	"sha1_hash": "c84a1b71501cae8b2abe2cb568e4d4b75e960351",
	"title": "Yellow Liderc ships its scripts and delivers IMAPLoader malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 483089,
	"plain_text": "Yellow Liderc ships its scripts and delivers IMAPLoader malware\r\nBy PricewaterhouseCoopers\r\nArchived: 2026-04-05 16:17:29 UTC\r\nAuthor: PwC Threat Intelligence\r\nExecutive summary\r\nSince 2019, PwC has tracked an Iran-based threat actor we refer to as Yellow Liderc (a.k.a. Imperial Kitten, Tortoiseshell, TA456, Crimson Sandstorm). As reported in our previous Year in Retrospect publications,1,2,3 this threat actor remains an active and persistent threat to many industries and countries, including the maritime, shipping and logistics sectors within the Mediterranean; nuclear, aerospace and defence industries in the US and Europe; and IT managed service providers in the Middle East.\r\nIn this blog we will cover a recently observed sample of malware linked to Yellow Liderc that has been used alongside strategic web compromises. The following are the key points of our analysis:\r\nBetween 2022 and 2023, the threat actor has conducted strategic web compromises to embed JavaScript which fingerprints website visitors and captures victim user location, device information, and time of visits. Targeting in these attacks has focused primarily on the maritime, shipping and logistics sectors, with some victims being served follow-on malware which we have named IMAPLoader.\r\nIMAPLoader is a .NET malware that has the ability to fingerprint victim systems using native Windows utilities and acts as a downloader for further payloads. 
It uses email as a C2 channel, is able to execute payloads extracted from email attachments, and is itself executed via new service deployments.\r\nWe have previously observed Yellow Liderc developing .NET malware which uses similar email-based C2 channels and hard-coded commands to gain information about the victim’s environment; however, IMAPLoader is executed via an injection technique known as 'AppDomain Manager Injection', a technique we have not observed Yellow Liderc using before.\r\nAdditional analysis shows widespread phishing activity that has been conducted concurrently with the threat actor's strategic web compromises. This activity is used to deliver a malicious Excel file that drops a basic Python backdoor.\r\nIntroduction\r\nYellow Liderc is an Iran-based threat actor that has been active since at least 2018. As previously reported in our 2020 Year in Retrospect publication, Yellow Liderc is an Islamic Revolutionary Guard Corps (IRGC)-aligned threat actor, which focuses on targeting Aviation, Automotive, Aerospace and Defense, Logistics, Maritime and Information Technology organisations. Geographically, the threat actor focuses on targeting organisations throughout the Middle East, Europe, both North and South America and parts of South Asia.\r\nhttps://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html\r\nPage 1 of 19\r\nIn 2021, open source reporting documented alleged connections between the threat actor and the IRGC,4 which also aligns with our previous reporting.5\r\nYellow Liderc is known for a variety of tactics and techniques, including phishing, social engineering and strategic web compromises. The threat actor uses both custom and off-the-shelf malware, including PowerShell backdoors and infostealers, in order to gather information about victim systems. 
The threat actor has previously used macro-enabled documents that drop a VBS script, commonly referred to as LEMPO, which establishes persistence, performs reconnaissance, and exfiltrates sensitive information. The threat actor often favours exfiltration of sensitive information to an actor-controlled email account via SMTPS or IMAP, and has been observed using both dedicated mailboxes and third party services for their email accounts.7,8\r\nStrategic Web Compromises\r\nSince 2022 Yellow Liderc has frequently compromised legitimate websites and inserted malicious JavaScript,9,10,11 a technique often referred to as a watering hole attack or strategic web compromise. The JavaScript is used by the threat actor to fingerprint website visitors by capturing user location, device, time of visits, etc. The script enables the actor to infect specific user systems matching a target fingerprint with malware and gain access to the organisation’s network.\r\nThis activity has heavily focused on the maritime, shipping and logistics sectors within the Mediterranean. Previous open source reporting has described some of this specific targeting by the threat actor.12,13 PwC has observed the following domains being actively used by Yellow Liderc throughout 2022 and 2023 in various watering hole attacks:\r\nztransportorganizationil[.]xyz\r\ncdnpakage[.]com\r\nhotjar[.]info\r\nfastanalizer[.]live\r\nfastanalytics[.]live\r\nIn some attacks, the threat actor would serve malware to their targets upon visiting the infected websites because their fingerprints apparently indicated they could be a high value target. PwC observed a new sample of malware used in those later stages, which we have named IMAPLoader. 
We assess that IMAPLoader is a replacement for a Python-based IMAP implant the actor used in late 2021 and early 2022.14 The overall functionality is similar to past malware leveraged by the threat actor, but IMAPLoader uses a new injection technique not previously seen with Yellow Liderc, which is detailed below.\r\nIMAPLoader\r\nThe following sample is a DLL written in .NET and acts as a downloader, leveraging email communication as a means of command and control (C2) communication.\r\nFilename StreamingUX.dll\r\nSHA-256 989373f2d295ba1b8750fee7cdc54820aa0cb42321cec269271f0020fa5ea006\r\nFile type Win32 DLL\r\nFile size 175,104 bytes\r\nCreated 2022-12-18 12:27:50\r\nFigure 1 – Overview of IMAPLoader’s functionality\r\nIn order to run, IMAPLoader uses an injection technique known as ‘AppDomain Manager Injection’,15 which was first publicly disclosed in a proof of concept in 2020. The injection forces a Microsoft .NET application to load a specially crafted .NET assembly (IMAPLoader in this case). Upon execution, IMAPLoader extracts the full path to itself and hides the Windows console window that is created when the application is started. This is achieved by directly importing the Windows DLLs kernel32.dll and user32.dll and calling the GetConsoleWindow and ShowWindow APIs respectively.\r\nThe malware then queries the IMAP accounts (email addresses) hard-coded in the DLL, which are both decimal-encoded. These include two email addresses and passwords which, once decoded, show Yandex email addresses, a common email provider used by this threat actor:\r\nleviblum[@]yandex.com; and\r\nbrodyheywood[@]yandex.com.\r\nThe malware then runs a WMI query to determine the operating system version, followed by scheduling tasks depending on the version identified. 
One of those tasks is to check a specific mailbox folder whose name was misspelled by the threat actor: messages in the \"Recive\" folder are likely to contain further payloads as attachments. IMAPLoader proceeds to compile a list of unseen messages in this folder and prepares for attachment extraction via the hard-coded Yandex email addresses.\r\nDepending on which Yandex account is successfully logged in to, a new object, imapClient3, is created which can interact with the remote mailbox. By calling the WMI class Win32_ComputerSystemProduct, IMAPLoader extracts the system UUID string. This is later converted into a SHA-256 hash value, and the first 21 characters (converted to uppercase) are used as an identifier in any further communication with the IMAP account. This likely indicates the Yandex accounts are intended for use across multiple victims, in contrast to their previous Python-based IMAP implant.\r\nThe attachment extraction mentioned above uses the Ux.Attachment method to return a dictionary object, where the first entry is the name of the attachment (stored as a string) and the second entry stores the raw attached file as a byte object. The attachment is subsequently stored in the same location on disk as IMAPLoader. We also observed in the code that there is a persistence mechanism via Ux.EditTask. This method ensures persistence on the system for the newly retrieved payload, which we assess is likely to be a PE executable file. The method is used to edit the Windows task (previously created by IMAPLoader as StreamingUX Updater [version number]) by updating the path to point to the new payload.\r\nIn the final step, the new payload is executed using the ProcessStartInfo class. 
Finally, a new thread is created in the context of IMAPLoader which is used to fingerprint the system and exfiltrate the collected content by sending an email to the same IMAP account used to retrieve the payload. While we have previously observed the threat actor developing .NET malware which uses similar email-based C2 channels and hard-coded commands to gain information about the victim's environment, IMAPLoader is executed via the 'AppDomain Manager Injection' technique, a technique we have not observed Yellow Liderc using before, which shows an evolution of this threat actor's tools and techniques.\r\nAn early version of IMAPLoader\r\nWe detected another sample from September 2022 which we assess is an earlier version of IMAPLoader:\r\nFilename saveImapMessage.exe\r\nSHA-256 32c40964f75c3e7b81596d421b5cefd0ac328e01370d0721d7bfac86a2e98827\r\nFile type Win32 EXE\r\nFile size 170,496 bytes\r\nCreated 2101-11-11 01:04:26\r\nPDB path F:\\vsp\\saveImapMessage\\saveImapMessage\\obj\\Debug\\saveImapMessage.pdb\r\nAlthough saveImapMessage.exe is an EXE file rather than a DLL, it shares a similar .NET file structure. It also contains the same functionality as our original sample (StreamingUX.dll), which in this case is located in a namespace called ‘downloader’. 
We also found a .NET DLL named JobTitle.dll which shares a partial PDB path with saveImapMessage.exe (F:\\vsp\\) and drops a version of IMAPLoader to the victim’s system.\r\nThe infection chain for IMAPLoader is composed of three stages, using a decoy Excel document and a legitimate Microsoft application for injection, as seen in Figure 3.\r\nFigure 3 – Infection chain to deliver and execute IMAPLoader\r\nStage 1\r\nThe first stage is distributed as an Excel-DNA XLL plugin,17 an open source library that enables .NET integration into Microsoft Excel files. One of its resources, called JOBTITLE, stores the second-stage component of the multi-part infection chain.\r\nStage 2\r\nAs soon as JobTitle.dll is executed, it writes a C# source code file named source.cs to disk. This is subsequently compiled into a .NET DLL file called sign.dll, a version of IMAPLoader, by leveraging the native C# compiler tool csc.exe.\r\nThree additional files extracted by JobTitle.dll from its resources are also written to disk: a benign Microsoft Excel document, a modified Microsoft Windows application and an associated configuration file.\r\nThe decoy document is used by the threat actor to avoid raising victim suspicion during the execution chain;\r\nA configuration file is used to trigger the injection of the IMAPLoader component into AppVStreamingUX.exe by leveraging the AppDomain Manager Injection technique previously mentioned; and\r\nAppVStreamingUX.exe appears to be a legitimate Microsoft Windows app that has been modified by the threat actor, as the compilation timestamp is set to a future date. 
A new Windows task called MicrosoftEdgeCrashFixsTaskMachineUA is created and configured to load AppVStreamingUX.exe, which leads to the process self-injection and the execution of the sign.dll binary, the third and last stage of the infection chain.\r\nStage 3\r\nThe last DLL has the same functionality as discussed in the earlier StreamingUX.dll IMAPLoader analysis. The email addresses used for C2 communication also match our earlier analysis, indicating the threat actor has likely reused its infrastructure for different victims. As in the previous sample, host fingerprinting is performed at every new payload execution by creating a new process and executing cmd.exe with the same parameters as before.\r\nAdditional phishing activity\r\nPivoting on the strategic web compromise infrastructure shows links to infrastructure we assess is likely used by Yellow Liderc in their phishing operations. For example, both ztransportorganizationil[.]xyz and officemicrosoftsign[.]com shared a resolution to IP 138.124.183[.]100. Additional pivots on this threat actor's infrastructure identify many similar domains that have been active since at least 2022, such as the one shown in Figure 4.\r\nFigure 4 – Phishing page hosted on cheapfortest[.]store\r\nAll of this assessed phishing activity is likely aimed at a wider target audience, rather than solely focused on the maritime or shipping sectors within the Mediterranean. Some of the domains are generically themed around Microsoft accounts, which can be used against a wide variety of targets, while other domains are specifically aimed at the travel and hospitality sectors within Europe.\r\nIn some cases, the threat actor is likely harvesting credentials, based on observations of the phishing pages being served. 
For example, Figure 5 below shows a generic Microsoft login page that Yellow Liderc is using to trick targets into entering their credentials. We assess that links to this and the similar domains described throughout are likely delivered via spear-phishing emails.\r\nFigure 5 – Phishing page hosted on loginlive[.]formsmicrosoftoffice[.]com[.]oauth2[.]live\r\nIn other cases, malware is served to targets upon visiting the phishing website. For example, the threat actor served a macro-enabled Excel document that drops a VBScript. The use of macro-enabled documents that drop VBScripts is very similar to past Yellow Liderc activity which we have reported on privately,18 alongside open source reporting.19\r\nFilename income_statement1.xlsm\r\nSHA-256 1a996d98ab897bbc3a0249ea43afaf841b31396be7cbe61b443a58d1c9aab071\r\nFile type XLSM\r\nFile size 3,122,078 bytes\r\nCreated 2011-05-30\r\nFigure 6 – Macro-enabled document served when visiting phishing websites\r\nUpon opening, the macro-enabled Excel document displays a custom message requesting that the user enable macros. Once enabled, the user is presented with a decoy document. The macro itself writes several files to disk, including a chain of scripts that set up a registry run key for persistence, a Python payload, and a local copy of Python 3.11.\r\nFilename cln.tmp\r\nSHA-256 cc7120942edde86e480a961fceff66783e71958684ad1307ffbe0e97070fd4fd\r\nFile type TMP\r\nFile size 4,384 bytes\r\nConclusion\r\nYellow Liderc is a highly persistent threat that remains active in targeting organisations with the described strategic compromise tactics and phishing activity. 
Analysis of IMAPLoader shows an evolution of the threat actor's tools, which will likely continue to evolve as the threat actor stays focused on targeting a variety of sectors and regions which align with its strategic interests.\r\nOverview of TTPs\r\nPwC recommends searching historical logs and configuring alerting for the indicators or detection content provided in this report. If any of these indicators are discovered, or detection content generates alerts, we recommend organisations investigate their origin and conduct forensic analysis. If there are no significant findings, we recommend blocking the provided malicious indicators.\r\nMore detailed information on each of the techniques used in this report, along with detection and mitigations, can be found on the following MITRE pages:\r\nTactic | Technique | ID | Procedure\r\nResource Development | Establish Accounts: Email Accounts | T1585.002 | The threat actor uses Yandex accounts for its C2 communication.\r\nResource Development | Develop Capabilities: Malware | T1587.001 | We assess IMAPLoader is a bespoke .NET malware developed by the threat actor.\r\nResource Development | Compromise Infrastructure | T1584 | The threat actor compromises legitimate websites to host malicious files and scripts.\r\nReconnaissance | Gather Victim Host Information | T1592 | The threat actor fingerprints website visitors by capturing user location, device, and time of visits.\r\nInitial Access | Drive-by Compromise | T1189 | The threat actor compromises a legitimate website and injects some form of malicious code such as JavaScript.\r\nExecution | Command and Scripting Interpreter: JavaScript | T1059.007 | The threat actor uses JavaScript to fingerprint users or to download 
and execute script files.\r\nExecution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 | IMAPLoader issues commands to discover system, network and user information via cmd.exe.\r\nExecution | User Execution: Malicious File | T1204.002 | The macro-enabled document requires a user to open and interact with the file to execute the payload.\r\nPersistence | Scheduled Task/Job: Scheduled Task | T1053.005 | Scheduled tasks are used to maintain persistence for payloads.\r\nPersistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 | The macro writes several files to disk including a script that establishes persistence with reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v StandardPS2Key /d %temp%\\hed.vbs /f.\r\nDefense Evasion | Masquerading: Masquerade Task or Service | T1036.004 | Task name and author mimic legitimate Microsoft Windows services.\r\nDefense Evasion | Process Injection: Dynamic-link Library Injection | T1055.001 | An injection technique called AppDomain Manager Injection is used to load IMAPLoader.\r\nDiscovery | System Information Discovery | T1082 | WMI commands are used to obtain the OS version.\r\nDiscovery | System Network Configuration Discovery | T1016 | Basic network information is obtained through the ipconfig command.\r\nDiscovery | System Owner/User Discovery | T1033 | Basic user information is obtained through the whoami command.\r\nDiscovery | File and Directory Discovery | T1083 | Directory listings are run using the dir 
command.\r\nCommand and Control | Application Layer Protocol: Mail Protocols | T1071.003 | The threat actor uses IMAP protocols to communicate via email C2.\r\nExfiltration | Exfiltration Over C2 Channel | T1041 | IMAPLoader exfiltrates the results of system, network and user commands to the C2.\r\nIndicators of Compromise\r\nMalware Indicators\r\nIndicator Type\r\n989373f2d295ba1b8750fee7cdc54820aa0cb42321cec269271f0020fa5ea006 SHA-256\r\n32c40964f75c3e7b81596d421b5cefd0ac328e01370d0721d7bfac86a2e98827 SHA-256\r\n3e3effa0388f362e891ccf6f9169f9fb9627698bea5fefa57084353603502886 SHA-256\r\n528f4d63c5abcfd137569e2dda49b5730432fb189ef2263cd6e7222cbb6ccb75 SHA-256\r\n91526246682b47e5f4e396130f2ff93943fbdcaf742262345fb35ae950f1d2b2 SHA-256\r\n26881615e121584b8814916d2f0228de97439cf6b654fca58b2228ff893fcfbc SHA-256\r\n92687d1f47244d3a1d7b02fbccf389b9819fd7cc3a31036ae30c2d4d88a3f266 SHA-256\r\n9fcb7dea92ad0fe5fa6d6a5a5bd47caea5d3bc44aee247a001fcefdc56500111 SHA-256\r\n7bf2aaf5f82ba5ed834b6ee270e4a7326a191985ea6cc27bdaba17816d1f2ca9 SHA-256\r\nd3677394cb45b0eb7a7f563d2032088a8a10e12048ad74bae5fd9482f0aead01 SHA-256\r\nebf2ec38ed0c4cd05aaae1bdb4af862294d8bd874f7830c42f6905e94de239cf SHA-256\r\n0ec131ca6fae327202577473137462086b3ce3130896fd8d8db69247ac720f04 SHA-256\r\n87ccd1c15adc9ba952a07cd89295e0411b72cd4653b168f9b3f26c7a88d19b91 SHA-256\r\ncc7120942edde86e480a961fceff66783e71958684ad1307ffbe0e97070fd4fd SHA-256\r\n1a996d98ab897bbc3a0249ea43afaf841b31396be7cbe61b443a58d1c9aab071 SHA-256\r\nc43ae2eaa8b134861f4539b205bf97b4e6b3b857 SHA-1\r\n35be50f7f7f47abe64e555cae3088f40b7b3ebbe SHA-1\r\na20e34f575dc2816088d8a6ae0dc9940bd229e95 
SHA-1\r\n065a43ffd414f62efd779af4bfb5b9e9290bb3f2 SHA-1\r\n48e30cd34178be36d7cfea2479361dd8280e726d SHA-1\r\n124d3cc91135766d4f93a5527bd323e1c23a3e2a SHA-1\r\n01b4ed3e7d026f9b9038e93bb3313602256aaf2f SHA-1\r\n5ceff2dbf7091c3906003bf5b77fd08deb71317e SHA-1\r\n8d2a0b8b94a1a0fc1d357737d06809b8aac93165 SHA-1\r\n1860938bb192344df34b2ade9d804c91681d767d SHA-1\r\n64c06102653cd94b67417160b1ec61f240cd4d78 SHA-1\r\nafa40f62a1df6a3949f46a61055be043cf9ff55d SHA-1\r\ned7e2cd95b442a290478ae750794f0c346de8e73 SHA-1\r\n0a3ec309299058c12a579c04d110001b77c311c5 SHA-1\r\n97d132f248bc95ea2810a816574756f6 MD5\r\ne78142f546f2972117db1d8403d556be MD5\r\n88ed93f824fbc5c73f7b47bf9d32b8e7 MD5\r\nee2de347c90c21e0e6917223c32ac61b MD5\r\ncb97310e5ca5ebc6a12358e97219487a MD5\r\n6bfb2b02992de48a0242a7ff03623205 MD5\r\n6d02207c9ce1b3967077065c40eb1bb1 MD5\r\nd009734407d38aac5735d182b0fffc86 MD5\r\n366623939b90fdf277b43f457ac7b2ed MD5\r\n0df7bda8bfbb5828ca09fff7e70b34b8 MD5\r\n50516ccade993979b18d7896ff17c3c9 MD5\r\nd9d153b162a8edab7841e9747a086e2c MD5\r\na6b68493ace6398f95fc5720b1a16526 MD5\r\n20507d265a7495cc1e4ade1e8639666e MD5\r\nStreamingUX.dll Filename\r\nsaveImapMessage.exe Filename\r\nJobTitle.dll Filename\r\nsign.dll Filename\r\nStandardKeyboard.exe Filename\r\nWindowsServiceLive.exe Filename\r\nincome_statement1.xlsm Filename\r\ncln.tmp Filename\r\nleviblum[@]yandex.com Email address\r\nbrodyheywood[@]yandex.com Email address\r\nhardi.lorel[@]yandex.com Email address\r\nNetwork Indicators\r\nIndicator Type\r\ncriticimfreedom[.]site Domain\r\nmegamodel[.]studio Domain\r\ninstructables[.]live Domain\r\ninstructables[.]service Domain\r\noutlookmicrosoftonline[.]com 
Domain\r\nnirsoft[.]app Domain\r\nnirsoft[.]ink Domain\r\nmentalfloss[.]live Domain\r\nmyfridgefood[.]live Domain\r\ntransportorganizationil[.]shop Domain\r\nmetatransfer[.]online Domain\r\nmsofficesign[.]com Domain\r\nfastanalytics[.]live Domain\r\nprostatistics[.]live Domain\r\nfastanalizer[.]live Domain\r\ncdnpakage[.]com Domain\r\neuropetourtravels[.]world Domain\r\neuropetourtravels[.]link Domain\r\noauth2[.]online Domain\r\noauth2[.]live Domain\r\nloginlive[.]formsmicrosoftoffice[.]com[.]oauth2[.]live Domain\r\nlogin[.]microsoftonilne[.]com[.]oauth2[.]online Domain\r\n192.254.71[.]7 IPv4\r\n192.71.27[.]20 IPv4\r\n193.182.144[.]68 IPv4\r\n192.71.27[.]170 IPv4\r\n195.20.17[.]237 IPv4\r\n162.252.175[.]142 IPv4\r\n64.46.102[.]11 IPv4\r\n167.88.166[.]26 IPv4\r\n188.227.58[.]158 IPv4\r\n216.108.231[.]123 IPv4\r\n79.132.128[.]169 IPv4\r\n45.155.249[.]180 IPv4\r\n45.133.16[.]108 IPv4\r\n38.60.136[.]253 IPv4\r\n45.138.27[.]3 IPv4\r\n195.238.126[.]132 IPv4\r\n94.131.114[.]48 IPv4\r\n192.71.27[.]30 IPv4\r\n193.182.144[.]185 IPv4\r\n83.229.73[.]203 IPv4\r\n77.91.74[.]5 IPv4\r\n178.23.190[.]74 IPv4\r\n94.131.114[.]23 IPv4\r\n216.108.237[.]80 IPv4\r\n104.238.156[.]70 IPv4\r\n212.29.215[.]67 IPv4\r\n212.150.236[.]253 IPv4\r\n170.130.55[.]55 IPv4\r\n1 PwC Cyber Threats 2020: A Year in Retrospect\r\n2 PwC Cyber Threats 2022: A Year in 
Retrospect\r\n3 PwC Cyber Threats 2022: A Year in Retrospect\r\n4 https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/\r\n5 CTO-TIB-20210211-02A - Caught in a .NET\r\n6 https://www.proofpoint.com/uk/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media\r\n7 CTO-TIB-20210211-02A - Caught in a .NET\r\n8 CTO-TIB-20220628-02A - Three varieties of Liderc\r\n9 CTO-TIB-20221208-01A - Yellow Liderc ships its scripts\r\n10 CTO-QRT-20230815-01A - Yellow Liderc's recent script activity\r\n11 CTO-QRT-20230418-01A - Yellow Liderc strikes again\r\n12 https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping\r\n13 https://www.clearskysec.com/fata-morgana/\r\n14 CTO-TIB-20220628-02A - Three varieties of Liderc\r\n15 ‘AppDomain Manager Injection: New Techniques For Red Teams’, Rapid7, https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/ (5th May 2023)\r\n16 GitHub, ‘netbiosX/GhostLoader’, https://github.com/netbiosX/Ghostloader\r\n17 Excel-DNA, ‘Excel-DNA’, https://excel-dna.net/\r\n18 CTO-TIB-20210730-01A - Eat, Sleep, Liderc, Repeat\r\n19 https://www.proofpoint.com/uk/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media\r\nSource: https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html"
	],
	"report_names": [
		"yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html"
	],
	"threat_actors": [
		{
			"id": "ad78338e-8bb6-4745-acae-27d3cc3cf76d",
			"created_at": "2023-11-17T02:00:07.580677Z",
			"updated_at": "2026-04-10T02:00:03.452097Z",
			"deleted_at": null,
			"main_name": "Bohrium",
			"aliases": [
				"BOHRIUM",
				"IMPERIAL KITTEN",
				"Smoke Sandstorm"
			],
			"source_name": "MISPGALAXY:Bohrium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "84a3dd71-1d65-4997-80fc-7fbe55b267f2",
			"created_at": "2023-04-26T02:03:02.969306Z",
			"updated_at": "2026-04-10T02:00:05.341127Z",
			"deleted_at": null,
			"main_name": "CURIUM",
			"aliases": [
				"CURIUM",
				"Crimson Sandstorm",
				"TA456",
				"Tortoise Shell",
				"Yellow Liderc"
			],
			"source_name": "MITRE:CURIUM",
			"tools": [
				"IMAPLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00",
			"created_at": "2022-10-25T16:07:24.337332Z",
			"updated_at": "2026-04-10T02:00:04.94285Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Cobalt Fireside",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Curium",
				"Devious Serpens",
				"Houseblend",
				"Imperial Kitten",
				"Marcella Flores",
				"Operation Fata Morgana",
				"TA456",
				"Yellow Liderc"
			],
			"source_name": "ETDA:Tortoiseshell",
			"tools": [
				"IMAPLoader",
				"Infostealer",
				"IvizTech",
				"LEMPO",
				"MANGOPUNCH",
				"SysKit",
				"get-logon-history.ps1",
				"liderc",
				"stereoversioncontrol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47",
			"created_at": "2025-08-07T02:03:24.726943Z",
			"updated_at": "2026-04-10T02:00:03.805423Z",
			"deleted_at": null,
			"main_name": "COBALT FIRESIDE",
			"aliases": [
				"CURIUM ",
				"Crimson Sandstorm ",
				"Cuboid Sandstorm ",
				"DEV-0228 ",
				"HIVE0095 ",
				"Imperial Kitten ",
				"TA456 ",
				"Tortoiseshell ",
				"UNC3890 ",
				"Yellow Liderc "
			],
			"source_name": "Secureworks:COBALT FIRESIDE",
			"tools": [
				"FireBAK",
				"LEMPO",
				"LiderBird"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434818,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c84a1b71501cae8b2abe2cb568e4d4b75e960351.pdf",
		"text": "https://archive.orkl.eu/c84a1b71501cae8b2abe2cb568e4d4b75e960351.txt",
		"img": "https://archive.orkl.eu/c84a1b71501cae8b2abe2cb568e4d4b75e960351.jpg"
	}
}