{ "id": "77a91978-b9b4-4c09-ab59-1808ab5e7aec", "created_at": "2026-04-06T00:15:38.198666Z", "updated_at": "2026-04-10T03:33:23.696263Z", "deleted_at": null, "sha1_hash": "f5d7c8eded3c4bc69a2de4282924d29acb74d2e4", "title": "Liderc (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 38907, "plain_text": "Liderc (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 13:11:34 UTC\r\nwin.liderc (Back to overview)\r\nLiderc\r\naka: LEMPO\r\nActor(s): Tortoiseshell\r\nThere is no description at this point.\r\nReferences\r\n2022-03-30 ⋅ Recorded Future ⋅ Insikt Group\r\nSocial Engineering Remains Key Tradecraft for Iranian APTs\r\nLiderc pupy\r\n2021-07-28 ⋅ Proofpoint ⋅ Crista Giering, Joshua Miller, Michael Raggi\r\nI Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona\r\nLiderc SysKit\r\n2021-07-15 ⋅ Facebook ⋅ David Agranovich, Mike Dvilyanski\r\nTaking Action Against Hackers in Iran\r\nLiderc SysKit\r\n2019-09-24 ⋅ Cisco Talos ⋅ Jungsoo An, Paul Rascagnères, Warren Mercer\r\nHow Tortoiseshell created a fake veteran hiring website to host malware\r\nLiderc SysKit\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.liderc\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.liderc\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.liderc" ], "report_names": [ "win.liderc" ], "threat_actors": [ { "id": "84a3dd71-1d65-4997-80fc-7fbe55b267f2", "created_at": "2023-04-26T02:03:02.969306Z", "updated_at": "2026-04-10T02:00:05.341127Z", "deleted_at": null, "main_name": "CURIUM", "aliases": [ "CURIUM", "Crimson Sandstorm", "TA456", "Tortoise Shell", "Yellow Liderc" ], "source_name": "MITRE:CURIUM", "tools": [ "IMAPLoader" ], "source_id": "MITRE", "reports": null }, { "id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7", "created_at": "2023-01-06T13:46:39.054248Z", "updated_at": "2026-04-10T02:00:03.197801Z", "deleted_at": null, "main_name": "Tortoiseshell", "aliases": [ "Yellow Liderc", "Imperial Kitten", "Crimson Sandstorm", "Cuboid Sandstorm", "Smoke Sandstorm", "IMPERIAL KITTEN", "TA456", "DUSTYCAVE", "CURIUM" ], "source_name": "MISPGALAXY:Tortoiseshell", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00", "created_at": "2022-10-25T16:07:24.337332Z", "updated_at": "2026-04-10T02:00:04.94285Z", "deleted_at": null, "main_name": "Tortoiseshell", "aliases": [ "Cobalt Fireside", "Crimson Sandstorm", "Cuboid Sandstorm", "Curium", "Devious Serpens", "Houseblend", "Imperial Kitten", "Marcella Flores", "Operation Fata Morgana", "TA456", "Yellow Liderc" ], "source_name": "ETDA:Tortoiseshell", "tools": [ "IMAPLoader", "Infostealer", "IvizTech", "LEMPO", "MANGOPUNCH", "SysKit", "get-logon-history.ps1", "liderc", "stereoversioncontrol" ], "source_id": "ETDA", "reports": null }, { "id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47", "created_at": "2025-08-07T02:03:24.726943Z", "updated_at": "2026-04-10T02:00:03.805423Z", "deleted_at": null, "main_name": "COBALT FIRESIDE", "aliases": [ "CURIUM ", "Crimson Sandstorm ", "Cuboid Sandstorm ", "DEV-0228 ", "HIVE0095 ", "Imperial Kitten ", "TA456 ", "Tortoiseshell ", "UNC3890 ", "Yellow Liderc " ], "source_name": "Secureworks:COBALT FIRESIDE", "tools": [ "FireBAK", "LEMPO", "LiderBird" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434538, "ts_updated_at": 1775792003, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/f5d7c8eded3c4bc69a2de4282924d29acb74d2e4.pdf", "text": "https://archive.orkl.eu/f5d7c8eded3c4bc69a2de4282924d29acb74d2e4.txt", "img": "https://archive.orkl.eu/f5d7c8eded3c4bc69a2de4282924d29acb74d2e4.jpg" } }