>samit_hota
Back to adversary profiles
G1012HighActive

CURIUM: Patient Iranian Espionage Group

Samit Hota·
Suspected Origin
Iran
Motivation
Espionage, Intelligence Gathering
Aliases
Crimson Sandstorm, TA456, Tortoise Shell, Yellow Liderc
Target Sectors
IT Service Providers, Telecommunications, Government, Defense, Education, Healthcare
Associated Malware
PowerShell-based backdoors, custom backdoors (e.g., Liderc, Remexi, SysUpdate), commodity tools
#threat-actor#g1012

Overview

CURIUM, also tracked as Crimson Sandstorm, TA456, Tortoise Shell, and Yellow Liderc, is a sophisticated and patient Iranian state-sponsored threat group. First publicly reported in September 2019, their activity has been observed as early as July 2018. This group distinguishes itself through an exceptional level of patience and persistence in building relationships with targets, often over several months, before delivering any malicious payloads. Their primary motivation appears to be espionage and intelligence gathering, specifically supporting Iranian state interests.

The group’s initial focus was noted to be on IT service providers within the Middle East, a strategic choice that could grant them access to a wide array of downstream clients and sensitive data. However, their targeting has broadened to include organizations across various sectors, including government, defense, education, and healthcare, particularly those with connections to entities of interest to Iran. CURIUM’s operational tempo and consistent evolution of tactics underscore its role as a persistent threat in the cyber landscape.

Tactics & Techniques

CURIUM employs a highly methodical approach, centered heavily on social engineering and the meticulous cultivation of trust. Unlike groups that rely on rapid, high-volume phishing attacks, CURIUM engages in extensive reconnaissance and personalized communication. They frequently leverage popular social media platforms like LinkedIn, Facebook, and WhatsApp to identify and interact with potential targets. Their operatives often pose as individuals with shared professional interests or as recruiters, establishing rapport through legitimate-seeming conversations. This “human hacking” phase can last for months, during which they exchange benign files and engage in daily chats to lower the target’s security consciousness.

Once trust is established, CURIUM transitions to delivering malicious payloads, often disguised within seemingly harmless files or links. They frequently use sophisticated spearphishing techniques, sometimes delivering custom backdoors via OneDrive links or other cloud storage services. A hallmark of their operational security is the use of virtual private servers (VPS) and virtual private networks (VPN) to mask their true origin, often cycling through multiple providers and IP addresses.

The group also exhibits a strong understanding of victim environments, tailoring their attacks to specific software and configurations. They are known to exploit legitimate services for command and control (C2) communications and data exfiltration, blending their malicious traffic with normal network activity to evade detection. Their ability to adapt and refine their social engineering narratives and technical delivery methods makes them a challenging adversary to defend against.

Notable Campaigns

One of the earliest documented activities of CURIUM, under the alias Tortoise Shell, involved targeting IT service providers in Saudi Arabia, with observed activity dating back to July 2018. This campaign utilized social engineering via LinkedIn to deliver custom malware.

In a campaign reported in 2021 by Microsoft, CURIUM, also referred to as Yellow Liderc, expanded its targeting beyond the Middle East to include organizations in the US, Europe, and other regions, while maintaining a strong focus on IT, telecommunications, and government sectors. This campaign highlighted the group’s continued reliance on social engineering on LinkedIn and WhatsApp, followed by the delivery of custom backdoors.

Another notable incident saw CURIUM engaging in credential harvesting and data exfiltration from organizations in various sectors, including government, defense, and education, showcasing their consistent drive for intelligence collection. Their operations consistently demonstrate a long-term strategic objective, focusing on sustained access and data acquisition rather than disruptive attacks.

Associated Malware & Tools

CURIUM has developed and deployed a range of custom malware and also utilizes commodity tools in their operations. Their custom toolset includes backdoors like Liderc, Remexi, and SysUpdate, all designed for persistent access, reconnaissance, and data exfiltration. These backdoors are often PowerShell-based, allowing for flexibility and evasion.

Liderc, for instance, is a highly capable backdoor providing remote access and the ability to execute commands, download additional payloads, and upload stolen data. Remexi is another custom backdoor associated with the group, facilitating similar functions. SysUpdate has been observed to collect system information and maintain persistence on infected systems.

Beyond their custom implants, CURIUM also leverages legitimate tools and publicly available utilities, a common tactic for blending in with normal network activity. This includes the use of PowerShell for various tasks, as well as exploiting legitimate remote administration tools or cloud services for C2 and data staging. This blend of custom and commodity tools allows them to maintain operational flexibility and reduce their detection footprint.

Current Status

CURIUM remains an active and evolving threat actor. Recent reporting indicates their continued refinement of social engineering tactics and adaptation of their toolset. They consistently demonstrate a willingness to invest significant time in building trust with targets, indicating a high level of operational discipline and a long-term strategic outlook.

Their targeting has shown a consistent focus on organizations and individuals that can provide intelligence valuable to Iranian state interests, with an emphasis on IT service providers as a gateway to broader networks. Security researchers continue to monitor CURIUM’s activities, noting their persistence and adaptability. The group’s patient approach makes them a challenging adversary, requiring robust social engineering defenses and vigilant monitoring for subtle indicators of compromise over extended periods. Their consistent activity since 2018 suggests they are a well-resourced and strategic component of Iran’s cyber espionage capabilities.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call