An Iranian-affiliated group is at the center of cyberattacks on the Middle East’s technology, logistics, and transportation industries, especially in Israel. CrowdStrike links these attacks to a threat actor called Imperial Kitten, which is also tracked as Crimson Sandstorm (previously Curium), Tortoiseshell, and Yellow Liderc. CrowdStrike’s latest findings supplement earlier reports from PwC, Mandiant, and ClearSky; ClearSky’s report described examples of strategic web compromises, also referred to as watering hole attacks, that resulted in the installation of IMAPLoader on compromised computers.
The adversary, active since at least 2017, is assessed in CrowdStrike’s technical analysis to support Iranian strategic intelligence needs tied to IRGC activities. The group operates through social engineering, using job-recruitment-themed lures to distribute custom .NET implants. Its attack chains leverage compromised websites, particularly those associated with Israel, to profile visitors with custom JavaScript code; the collected data is then exfiltrated to attacker-controlled domains. Beyond watering hole attacks, Imperial Kitten is also reported to use phishing, one-day exploits, credential theft, and the targeting of upstream IT service providers for initial access.
The adversary’s phishing attacks rely on Microsoft Excel documents with embedded macros. These macros start the infection chain: they launch a Python-based reverse shell that connects to a predefined IP address to receive further commands.
Notable post-exploitation activity after a successful intrusion includes lateral movement using tools such as NetScan and PAExec, the open-source counterpart of PsExec, accompanied by delivery of the StandardKeyboard and IMAPLoader implants.
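The chain described above (an Excel macro spawning a Python reverse shell to a hard-coded external address, followed by PAExec or NetScan for lateral movement) can be caught with straightforward process-lineage rules. The following is an added example, not code from CrowdStrike or from the article; the event records, the internal IP ranges, and the tool names used as rule inputs are assumptions constructed for illustration.

```python
# Added detection example (not from the CrowdStrike report): flag an Office
# process spawning a script host that connects outside the corporate network,
# plus execution of the lateral-movement tools named in the article.
# Event records below are constructed for illustration, not real telemetry.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress

@dataclass
class ProcEvent:
    host: str
    parent: str                    # parent process image name
    image: str                     # child process image name
    cmdline: str
    dst_ip: Optional[str] = None   # outbound connection by the child, if any

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "powershell.exe", "cmd.exe"}
LATERAL_TOOLS = {"paexec.exe", "psexec.exe", "netscan.exe"}
# Assumed corporate ranges; any destination outside them is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def classify(ev: ProcEvent) -> List[str]:
    """Return finding labels for one process-creation event."""
    findings: List[str] = []
    parent, image = ev.parent.lower(), ev.image.lower()
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append("office-spawned-script-host")
        if ev.dst_ip and is_external(ev.dst_ip):
            findings.append("possible-reverse-shell")
    if image in LATERAL_TOOLS:
        findings.append("lateral-movement-tool")
    return findings

def scan(events: List[ProcEvent]) -> Dict[Tuple[str, str], List[str]]:
    """Map (host, image) to findings for every event that triggered a rule."""
    return {(ev.host, ev.image): f for ev in events if (f := classify(ev))}

SAMPLE_EVENTS = [  # constructed sample telemetry
    ProcEvent("ws01", "EXCEL.EXE", "python.exe", "python.exe -c ...", "203.0.113.10"),
    ProcEvent("ws01", "explorer.exe", "python.exe", "python.exe build.py"),
    ProcEvent("ws02", "cmd.exe", "PAExec.exe", r"PAExec.exe \\srv01 -s cmd"),
]

if __name__ == "__main__":
    for key, labels in scan(SAMPLE_EVENTS).items():
        print(key, labels)
```

The benign developer-launched python.exe on ws01 produces no finding, which is the point of keying on parent lineage rather than on the interpreter alone.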
Since the war began on October 7, 2023, Microsoft has observed that malicious cyber activity attributed to Iranian groups has become increasingly opportunistic and reactive. Microsoft notes that Iranian operators continue to rely on their tried-and-true tactics, particularly exaggerating the effectiveness of their cyberattacks and amplifying those claims and actions through coordinated information operations.