Tortoiseshell

aka: Crimson Sandstorm, IMPERIAL KITTEN, Imperial Kitten, TA456, Yellow Liderc

A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers. The group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.

Associated Families
win.imap_loader win.liderc win.syskit

References

2023-11-09 | CrowdStrike | Counter Adversary Operations
  IMPERIAL KITTEN Deploys Novel Malware Families in Middle East-Focused Operations

2022-03-30 | Recorded Future | Insikt Group
  Social Engineering Remains Key Tradecraft for Iranian APTs
  Families: Liderc, pupy

2021-07-28 | Proofpoint | Crista Giering, Joshua Miller, Michael Raggi
  I Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona
  Families: Liderc, SysKit

2021-07-15 | Facebook | David Agranovich, Mike Dvilyanski
  Taking Action Against Hackers in Iran
  Families: Liderc, SysKit

2019-09-25 | Twitter (@QW5kcmV3) | Andrew Thompson
  Tweet on APT35 activity

2019-09-24 | DARKReading | Kelly Jackson Higgins
  Iranian Government Hackers Target US Veterans
  Families: SysKit, Tortoiseshell

2019-09-24 | Cisco Talos | Jungsoo An, Paul Rascagnères, Warren Mercer
  How Tortoiseshell created a fake veteran hiring website to host malware
  Families: Liderc, SysKit

2019-09-18 | Symantec | Security Response Attack Investigation Team
  Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks
  Families: SysKit, Tortoiseshell

Credits: MISP Project