active threat profile
type: nation-state
threat_level: high
status: active
origin: Iran — IRGC-affiliated
last_updated: 2025-03-27
tags: apt / nation-state / irgc / espionage / social engineering

TA456 / Imperial Kitten

also known as: Tortoiseshell, Crimson Sandstorm, Yellow Liderc, UNC1549, DustyCave

One of the Iranian threat ecosystem's most patient social engineers — documented as having spent multiple years cultivating a single fake persona ("Marcella Flores," an aerobics instructor from Liverpool) across Facebook, Instagram, and email chains before deploying the LEMPO malware against a specific US aerospace defense contractor employee. TA456, affiliated with Iran's IRGC via the company Mahak Rayan Afraz, targets defense contractors, aerospace firms, maritime organizations, and IT providers across the US, UK, Middle East, and Israel, with operations escalating significantly following the October 7, 2023 Israel-Hamas conflict.

attributed origin: Iran — IRGC affiliation via Mahak Rayan Afraz (MRA)
confirmed sponsor: Islamic Revolutionary Guard Corps (IRGC) — intelligence requirements
first observed: 2017 (active); 2018 (formally documented in IT provider attacks)
primary motivation: Espionage — defense, aerospace, military intelligence for IRGC operations
primary targets: Defense contractors, aerospace, maritime, IT providers — US, Israel, Saudi Arabia, UAE, UK
defining characteristic: Multi-year fake persona cultivation; supply chain targeting through smaller subsidiaries
irgc company link: Mahak Rayan Afraz (MRA) — Iranian IT company with documented IRGC ties
target regions: US, Israel, Saudi Arabia, UAE, UK, Europe (travel/hospitality); Albania, India, Turkey (expanding)
threat level: High — sustained multi-year patience; evolving toolset; IRGC mandate

Overview

TA456 — tracked by CrowdStrike as Imperial Kitten, by Microsoft as Crimson Sandstorm (previously Curium), by Proofpoint as TA456, and by Mandiant as UNC1549 — is an Iranian cyber-espionage actor aligned with the Islamic Revolutionary Guard Corps (IRGC). The group was linked to the IRGC through its association with Mahak Rayan Afraz (MRA), an Iranian IT company, based on Facebook's July 2021 attribution analysis, with which Proofpoint concurred. The group has operated since at least 2017 and first came to broader public attention in 2018 through attacks on IT providers in Saudi Arabia, where it achieved domain administrator-level access to at least 11 organizations in a supply chain attack pattern.

The group is distinguished within the Iranian threat ecosystem by the extraordinary patience of its social engineering operations. Where many APT actors spend days or weeks building phishing pretexts, TA456 has been documented spending years maintaining a single fake identity — uploading photos to a Facebook profile as early as 2018, befriending a target in 2019, maintaining active correspondence across email and social platforms through 2020, and only attempting to deliver malware in June 2021. This patience reflects the group's operational philosophy: target selection is deliberate, rapport is built genuinely over time, and the moment of exploitation is carefully chosen to maximize the probability of the target engaging with a malicious document within an established, trusted communication channel.

TA456's targeting reflects IRGC intelligence priorities. The group focuses on individuals and organizations with access to information relevant to Iranian strategic interests — particularly those supporting US and allied military and aerospace efforts in the Middle East. A documented preference for targeting smaller subsidiaries and subcontractors of major defense primes reflects a supply chain approach: smaller organizations typically have weaker security postures than their parent companies but may have access to sensitive data or network connectivity that makes them valuable staging points for further intrusion.

Since the onset of the Israel-Hamas conflict in October 2023, TA456/Imperial Kitten has significantly intensified operations against Israeli targets. CrowdStrike documented October 2023 attacks against Israeli transportation, logistics, and technology companies deploying IMAPLoader and StandardKeyboard. Mandiant (as UNC1549) documented sustained operations through February 2024 targeting Israeli and UAE aerospace, aviation, and defense organizations using Azure-hosted infrastructure and the MINIBIKE and MINIBUS backdoors, with lures themed around Israeli-Palestinian conflict content and defense job postings.

attribution note

TA456, Imperial Kitten, Tortoiseshell, Crimson Sandstorm, Yellow Liderc, and UNC1549 all refer to overlapping activity attributed to the same IRGC-aligned actor, though some vendors track slight variations in the cluster. Proofpoint notes that while TA456 activity overlaps with Tortoiseshell and Imperial Kitten, it maintains them as separately tracked designations. This profile treats all as the same underlying operational entity given the documented infrastructure and TTP overlaps.

Target Profile

TA456's targeting is driven by IRGC intelligence requirements — specifically, the need for insight into the aerospace and defense capabilities of Iran's regional adversaries and their Western backers.

  • US defense contractors and aerospace firms: The Marcella Flores operation targeted a supply chain manager at a subsidiary of a US aerospace defense contractor. The target's role — supply chain management — is consistent with TA456's documented preference for targeting business and IT-related individuals within defense organizations rather than direct technical targets. Proofpoint noted the "Marcella" persona was also connected to multiple other individuals identifying themselves as defense contractor employees.
  • IT providers in Saudi Arabia and the broader Middle East: Tortoiseshell's 2018 campaign targeted at least 11 Saudi IT providers, achieving domain administrator access in several cases. The goal was supply chain compromise: by owning the IT providers, the group could access the providers' customers across government, defense, and critical infrastructure.
  • Israeli organizations — maritime, logistics, transportation, technology: CrowdStrike and PwC documented watering hole attacks on Israeli websites between 2022 and 2023, profiling visitors and selectively deploying IMAPLoader to high-value targets in the maritime, shipping, and logistics sectors. Attacks intensified following October 7, 2023, targeting Israeli logistics and tech firms.
  • Aerospace and defense in Israel, UAE, and globally: Mandiant/UNC1549 documented sustained operations from June 2022 through at least February 2024 against aerospace, aviation, and defense entities in Israel and the UAE, with potential activity against similar sectors in Albania, India, and Turkey.
  • European travel and hospitality sector: PwC documented credential-harvesting phishing sites targeting travel and hospitality organizations in Europe using fake Microsoft login pages — a distinct targeting thread from the defense focus, possibly for access to travel intelligence supporting IRGC operational activity.
  • Nuclear, energy, and consulting sectors: PwC assessed that TA456 remains an active threat to nuclear, aerospace, and defense industries in the US and Europe and to IT managed service providers in the Middle East.

Tactics, Techniques & Procedures

TA456's TTP profile has evolved across three discernible phases: the 2018–2021 social engineering and LEMPO phase focused on US defense contractors; the 2022–2023 watering hole and IMAPLoader phase focused on Israeli maritime and logistics; and the post-October 2023 escalation phase using Azure infrastructure and MINIBIKE/MINIBUS against Israeli and regional aerospace and defense targets.

mitre id | technique | description
T1585.001 | Establish Accounts: Social Media Accounts | Multi-year cultivation of fake social media personas (documented example: "Marcella Flores" on Facebook, Instagram). Profile photo uploads beginning 2018; active target engagement from 2019 through 2021 across social platforms and corporate email. The persona posed as an aerobics instructor from Liverpool, UK.
T1566.001 | Phishing: Spearphishing Attachment | Malware delivered through established, ongoing email correspondence chains to maximize target trust and click probability. Malicious Excel document containing a macro delivered the LEMPO VBS payload. Post-2023 campaigns use job-themed Excel attachments targeting Israeli organizations. Phishing emails exploit Israel-Hamas conflict content as lures.
T1189 | Drive-by Compromise — Watering Hole | Between 2022 and 2023, TA456/Imperial Kitten compromised legitimate Israeli websites and embedded JavaScript that collected visitor information — browser data, IP address, device type, visit timestamp — to profile potential targets. Victims assessed as high-value subsequently received IMAPLoader as a follow-on payload.
T1078 | Valid Accounts — VPN Credential Theft | Stolen credentials used to authenticate to VPN appliances for initial network access, documented in Imperial Kitten's Israeli targeting campaigns. Credential phishing sites targeting Microsoft authentication are used alongside VPN credential theft.
T1071.003 | Application Layer Protocol: Mail Protocols | IMAPLoader and StandardKeyboard both use email protocols (IMAP) for command-and-control communication, sending commands via email body content and receiving results via email response. This is a deliberate C2 obfuscation technique — IMAP traffic is common in enterprise environments and does not trigger typical C2 detection signatures for HTTP/HTTPS beaconing.
T1053.005 | Scheduled Task/Job: Windows Service | StandardKeyboard persists on infected machines as a Windows service named "Keyboard Service," using a legitimate-sounding service name to evade casual review of the Windows service list. Executes Base64-encoded commands received via the IMAP C2 channel.
T1574.014 | Hijack Execution Flow: AppDomainManager Injection | IMAPLoader is distributed as a dynamic link library loaded via AppDomainManager injection — a technique that hijacks .NET application domain initialization to load malicious code within the context of a legitimate .NET application process, making the malware harder to identify through process-based detection.
T1567 | Exfiltration Over Web Service | LEMPO exfiltrates collected reconnaissance data to an attacker-controlled email account via SMTPS using Microsoft's Collaboration Data Objects (CDO). MINIBIKE supports data exfiltration to attacker-controlled Azure infrastructure. Cloud platforms (Dropbox, Google Drive) have also been documented as payload hosting and data exfiltration channels.
T1070.004 | Indicator Removal: File Deletion | LEMPO deletes that day's host artifacts after completing reconnaissance and exfiltration — a deliberate anti-forensics step that removes evidence of the malware's execution from the compromised machine, complicating incident response and attribution.
T1083 | File and Directory Discovery | LEMPO performs extensive host reconnaissance using built-in Windows commands: collecting date/time, computer name, system information, drive listing, installed applications, firewall rules, IP configuration, user account details, and domain membership. Output is saved to a host file before exfiltration, providing a comprehensive target profile for subsequent supply chain attack planning.
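The T1566.001 / T1070.004 / T1083 rows above describe one observable chain: an Office process launches a script host on a dropped VBS, and a burst of built-in enumeration commands follows on the same host. The detection below is an added example written for this profile, not code from the page or from any vendor; the event format (time|host|parent_image|image|command_line), the ten-minute window, the threshold of three distinct recon commands and every sample event are constructed, so map the fields onto your own process-creation telemetry (for example Sysmon Event ID 1).

```python
"""Correlate an Office-spawned VBS script host with follow-on host enumeration.

Added example for the TA456 profile. Events are constructed and use a simple
pipe-delimited schema: time|host|parent_image|image|command_line.
"""
from datetime import datetime, timedelta

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Enumeration commands named in the profile's LEMPO description.
RECON_PATTERNS = ("systeminfo", "ipconfig /all", "netsh advfirewall", "net user")
WINDOW = timedelta(minutes=10)       # how long after the script start we correlate
MIN_DISTINCT_RECON = 3               # distinct recon commands needed to alert

SAMPLE_EVENTS = [  # constructed sample telemetry
    # WS-042: Excel -> wscript on a Temp VBS, then four recon commands (should alert)
    "2024-11-04T09:14:02|WS-042|excel.exe|wscript.exe|wscript.exe //B C:\\Users\\j.doe\\AppData\\Local\\Temp\\invoice_0621.vbs",
    "2024-11-04T09:14:05|WS-042|wscript.exe|cmd.exe|cmd.exe /c systeminfo > %TEMP%\\sys.txt",
    "2024-11-04T09:14:06|WS-042|wscript.exe|cmd.exe|cmd.exe /c ipconfig /all >> %TEMP%\\sys.txt",
    "2024-11-04T09:14:07|WS-042|wscript.exe|cmd.exe|cmd.exe /c netsh advfirewall show allprofiles",
    "2024-11-04T09:14:08|WS-042|wscript.exe|cmd.exe|cmd.exe /c net user /domain",
    # WS-017: an administrator running one command by hand (no Office trigger, no alert)
    "2024-11-04T09:20:00|WS-017|explorer.exe|cmd.exe|cmd.exe",
    "2024-11-04T09:20:10|WS-017|cmd.exe|ipconfig.exe|ipconfig /all",
    # WS-099: Office-spawned VBS with a single recon command (below threshold, no alert)
    "2024-11-04T10:00:00|WS-099|excel.exe|wscript.exe|wscript.exe C:\\Tools\\export.vbs",
    "2024-11-04T10:00:03|WS-099|wscript.exe|cmd.exe|cmd.exe /c systeminfo",
]


def parse_event(line):
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {
        "time": datetime.fromisoformat(ts),
        "host": host,
        "parent": parent.lower(),
        "image": image.lower(),
        "cmdline": cmdline.lower(),
    }


def is_script_drop(ev):
    """Office parent starting a script host with a .vbs on the command line."""
    return (ev["parent"] in OFFICE_PARENTS
            and ev["image"] in SCRIPT_HOSTS
            and ".vbs" in ev["cmdline"])


def recon_hits(ev):
    """Set of recon patterns present in this event's command line."""
    return {p for p in RECON_PATTERNS if p in ev["cmdline"]}


def detect_recon_chains(lines):
    """Return one alert per Office->VBS trigger followed by enough recon commands."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    alerts = []
    for i, trigger in enumerate(events):
        if not is_script_drop(trigger):
            continue
        seen = set()
        for ev in events[i + 1:]:
            if ev["time"] - trigger["time"] > WINDOW:
                break                      # events are time-sorted; window closed
            if ev["host"] == trigger["host"]:
                seen |= recon_hits(ev)
        if len(seen) >= MIN_DISTINCT_RECON:
            alerts.append({
                "host": trigger["host"],
                "time": trigger["time"].isoformat(),
                "script": trigger["cmdline"],
                "recon": sorted(seen),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_recon_chains(SAMPLE_EVENTS):
        print(alert)
```

The threshold on distinct commands, rather than on raw event count, is what keeps the lone administrator on WS-017 and the single-command script on WS-099 from firing while the four-command burst on WS-042 does.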

Known Campaigns

Saudi Arabia IT Provider Supply Chain Attack (Jul 2018 — 2019)

Tortoiseshell's first documented major campaign. The group targeted at least 11 IT providers in Saudi Arabia using a combination of custom and commodity malware. In several cases the group achieved domain administrator-level access to the target networks. The objective was supply chain compromise — by owning the IT providers, the group could reach their government, defense, and critical infrastructure customers. This campaign established the group's foundational supply chain attack methodology that it has applied in subsequent targeting.

"Marcella Flores" — Aerospace Defense Contractor Social Engineering 2018 — Jun 2021

The most extensively documented TA456 social engineering operation. The "Marcella Flores" Facebook profile was first used in 2018, with the first photo uploads establishing the persona's cover identity as a young aerobics instructor from Liverpool, UK. The target — a supply chain manager at a subsidiary of a US aerospace defense contractor — was befriended no later than 2019. Active correspondence across social media and corporate email continued through 2020 and into 2021. Over at least eight months of documented communication, "Marcella" sent benign messages, photographs, and a video (attempted via OneDrive URL) to build rapport and verify the persona's credibility. In early June 2021, TA456 delivered a malicious Excel macro document through the established email communication chain. The macro dropped LEMPO, which performed reconnaissance and attempted to exfiltrate data via SMTPS. Proofpoint disrupted the delivery. Facebook subsequently removed the Marcella Flores persona during its July 2021 Tortoiseshell disruption action.

Israeli Maritime and Logistics — Watering Hole and IMAPLoader (2022 — 2023)

PwC documented a campaign in which Imperial Kitten/Tortoiseshell compromised Israeli websites serving the maritime, shipping, and logistics sectors, embedding JavaScript that collected visitor profile data. Visitors assessed as high-value were selectively served IMAPLoader — a .NET malware that uses IMAP email protocols for C2, replacing an older Python-based IMAP implant the group had used in 2021–2022. PwC also discovered credential-harvesting phishing sites targeting European travel and hospitality organizations using fake Microsoft authentication pages.

Post-October 7 Escalation — Israeli Transportation, Logistics, Technology (Oct 2023 — Present)

Following the October 7, 2023 Hamas attack on Israel, Imperial Kitten significantly intensified operations against Israeli organizations. CrowdStrike documented October 2023 phishing attacks using job-recruitment themed Excel attachments deploying IMAPLoader (loaded via AppDomainManager injection) and StandardKeyboard (persisting as the "Keyboard Service" Windows service) against Israeli logistics, transportation, and technology companies. The group also conducted watering hole attacks against Israeli websites. CrowdStrike's attribution was based on infrastructure overlaps, TTP consistency with prior campaigns, and continued IMAP-based C2 use.

UNC1549 — Aerospace and Defense in Israel, UAE, and Beyond (Jun 2022 — Feb 2024+)

Mandiant documented UNC1549 (overlapping with Imperial Kitten/Tortoiseshell) conducting sustained operations against aerospace, aviation, and defense organizations in Israel and the UAE, with likely related activity against similar sectors in Albania, India, and Turkey. The attack chain uses spear-phishing emails with links to websites spoofing job recruitment portals (featuring defense and technology positions) or content related to the "Bring Them Home Now" movement. Successful compromise typically results in MINIBIKE (C++ backdoor supporting data exfiltration and upload, and command execution) or MINIBUS (more compact, flexible version with VM detection anti-analysis). Both use Microsoft Azure infrastructure for C2.

Tools & Infrastructure

TA456's malware toolkit has evolved progressively — from the LEMPO reconnaissance VBS in 2021 to the IMAPLoader/StandardKeyboard pair in 2022–2023, and the MINIBIKE/MINIBUS backdoors in 2023–2024. The email-based C2 paradigm (CDO, IMAP) is a consistent theme across multiple generations of tooling.

  • LEMPO: A Visual Basic Script (VBS) dropped by an Excel macro. Updated version of the group's earlier Liderc malware. Establishes persistence, then performs extensive host reconnaissance using built-in Windows commands (system info, drives, installed apps, firewall rules, IP config, user details, domain membership). Saves collected data to a host file. Exfiltrates via SMTPS to an attacker-controlled email account using Microsoft Collaboration Data Objects (CDO). Covers tracks by deleting host artifacts. Shares similarities with Liderc including email exfiltration architecture and hardcoded email addresses.
  • IMAPLoader: A .NET-based malware distributed as a DLL loaded via AppDomainManager injection. Leverages IMAP email protocols for command-and-control — downloading additional payloads and communicating results via the email channel. First observed in September 2023. Replaces an older Python-based IMAP implant the group used in 2021–2022. Typographical errors in embedded strings suggest non-native English-speaking developers.
  • StandardKeyboard: A .NET malware that persists as the Windows service "Keyboard Service." Like IMAPLoader, uses IMAP email for C2. Executes Base64-encoded commands received via email body content. Unlike IMAPLoader, is specifically designed for persistence and command execution rather than payload delivery.
  • MINIBIKE: A C++ backdoor used by UNC1549/Imperial Kitten from at least June 2022. Supports data exfiltration or upload, command execution, and communication over Microsoft Azure infrastructure. Uses a OneDrive registry key for persistence. Beacon communications cycle over three filenames mimicking web components. Four Azure domains documented as C2 endpoints in Mandiant analysis.
  • MINIBUS: A more compact, flexible successor to MINIBIKE. Includes VM detection anti-analysis capabilities — checks whether it is running in a virtual machine or security analysis environment before executing. More modular architecture allows greater adaptability across targets.
  • Liderc / Syskit / IvizTech: Earlier-generation custom tools from the group's pre-2021 toolkit. Liderc is the documented predecessor to LEMPO, sharing email exfiltration architecture. Syskit is a backdoor. IvizTech is a remote access Trojan documented in prior campaign analysis.
  • Watering hole JavaScript: Custom JavaScript code embedded in compromised legitimate websites to collect visitor profiling data — browser type, IP address, device information, visit timestamp. Data is sent to attacker-controlled infrastructure for victim assessment. Used in the 2022–2023 Israeli maritime targeting campaign.
  • Infrastructure: Microsoft Azure for MINIBIKE/MINIBUS C2 (legitimate cloud reduces detection probability). Cloud platforms (Dropbox, Google Drive) for payload hosting and data exfiltration. Credential phishing sites spoofing Microsoft authentication pages. Job recruitment-themed decoy sites.

Indicators of Compromise

TA456/Imperial Kitten rotates infrastructure regularly and uses legitimate cloud services (Azure, OneDrive, Google Drive, Dropbox) to host payloads and conduct C2, making infrastructure-based blocking difficult. Behavioral indicators and email-protocol monitoring are more reliable detection methods.

cloud infrastructure warning

TA456 uses legitimate Microsoft Azure domains for MINIBIKE/MINIBUS C2, and legitimate services (OneDrive, Google Drive, Dropbox) for payload staging. IP and domain reputation blocking is ineffective against this approach. Detection requires behavioral analysis of process activity and anomalous cloud API usage patterns rather than blacklisting infrastructure.

indicators of compromise — behavioral and structural
category | indicator
behavioral | IMAP connection from an endpoint to external email servers (non-corporate IMAP) — possible IMAPLoader or StandardKeyboard C2 channel; especially anomalous from server processes or scheduled tasks
service name | "Keyboard Service" — Windows service name used by StandardKeyboard for persistence; investigate any service with this name installed outside of standard OS configuration
injection | AppDomainManager injection — .NET application domain hijacking used to load IMAPLoader; monitor for unexpected DLLs loaded into .NET application processes
registry | OneDrive registry key modifications for MINIBIKE persistence — inspect HKCU\Software\Microsoft\OneDrive registry entries for unexpected values pointing to non-OneDrive executable paths
network | Outbound SMTPS connections from user endpoints triggered by Excel macro execution — LEMPO exfiltration pattern; alert on CDO-based email sending from non-Outlook processes
file activity | VBS file dropped to disk by Excel macro execution followed by Windows system enumeration commands (systeminfo, ipconfig /all, netsh advfirewall, net user) — LEMPO reconnaissance pattern
anti-analysis | MINIBUS VM detection — queries for virtual machine artifacts before executing; sandbox analysis may show benign behavior if run in a VM environment
c2 pattern | MINIBIKE beacon communications cycling over three filenames mimicking web components — file naming patterns include web component masquerading; Azure domain C2 (four Azure domains documented by Mandiant)
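The first row of the table is the one that generalizes best across IMAPLoader and StandardKeyboard: IMAP traffic is only expected from a mail client, so the process making the connection is the signal. The script below is an added example written for this profile, not code from the page or from any vendor; the connection-event schema, the approved-client list, the corporate mail network (10.20.0.0/16) and all sample events are constructed, so substitute your own network-connection telemetry (for example Sysmon Event ID 3 fields) and your own allowlist.

```python
"""Flag IMAP connections that do not originate from an approved mail client.

Added example for the TA456 profile. Connection events are constructed and use
the schema: time|host|image|parent_image|user|dest_ip|dest_port.
"""
import ipaddress

IMAP_PORTS = {143, 993}
APPROVED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}        # constructed allowlist
CORPORATE_MAIL_NETS = [ipaddress.ip_network("10.20.0.0/16")]      # constructed
# Parents that indicate a service- or task-hosted process rather than a user session.
SERVICE_PARENTS = {"services.exe", "svchost.exe", "taskeng.exe"}

SAMPLE_CONNECTIONS = [  # constructed sample telemetry
    "2024-11-04T08:00:01|WS-042|outlook.exe|explorer.exe|CORP\\j.doe|10.20.5.10|993",
    "2024-11-04T08:02:30|WS-042|thunderbird.exe|explorer.exe|CORP\\j.doe|203.0.113.8|993",
    "2024-11-04T08:05:12|WS-042|update.exe|services.exe|NT AUTHORITY\\SYSTEM|198.51.100.23|993",
    "2024-11-04T08:06:40|WS-017|Contoso.Reporting.exe|explorer.exe|CORP\\a.smith|198.51.100.23|143",
    "2024-11-04T08:10:00|SRV-DB01|sqlservr.exe|services.exe|NT SERVICE\\MSSQLSERVER|10.20.5.10|993",
    "2024-11-04T08:11:00|WS-042|chrome.exe|explorer.exe|CORP\\j.doe|203.0.113.50|443",
]


def parse_connection(line):
    ts, host, image, parent, user, ip, port = line.split("|")
    return {
        "time": ts,
        "host": host,
        "image": image.lower(),
        "parent": parent.lower(),
        "user": user,
        "dest_ip": ipaddress.ip_address(ip),
        "dest_port": int(port),
    }


def is_corporate(ip):
    return any(ip in net for net in CORPORATE_MAIL_NETS)


def assess(conn):
    """Severity for an IMAP connection, or None when it is expected traffic."""
    if conn["dest_port"] not in IMAP_PORTS:
        return None
    approved_client = conn["image"] in APPROVED_MAIL_CLIENTS
    service_context = (conn["parent"] in SERVICE_PARENTS
                       or conn["user"].upper().endswith("SYSTEM"))
    if approved_client:
        # Approved client to the corporate mail server is normal; to an outside
        # server it is a policy question rather than an intrusion indicator.
        return None if is_corporate(conn["dest_ip"]) else "low"
    # IMAP from a non-mail-client process is the indicator itself. A service or
    # SYSTEM context matches the Windows-service persistence described for
    # StandardKeyboard and is escalated.
    return "critical" if service_context else "high"


def find_suspicious_imap(lines):
    """Return findings for every connection that assess() does not clear."""
    findings = []
    for conn in map(parse_connection, lines):
        severity = assess(conn)
        if severity:
            findings.append({
                "host": conn["host"],
                "image": conn["image"],
                "parent": conn["parent"],
                "dest": f"{conn['dest_ip']}:{conn['dest_port']}",
                "severity": severity,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_imap(SAMPLE_CONNECTIONS):
        print(finding)
```

Port filtering alone would also catch Outlook talking to the corporate server, which is why the decision is made on the process and its parent; a database server process opening IMAP to the corporate mail host is still reported, because it has no business doing so regardless of destination.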

Mitigation & Defense

TA456's operations span two distinct threat surfaces: the long-duration social engineering surface (which requires personnel-level awareness and OPSEC) and the technical malware surface (which requires behavioral detection and email protocol monitoring).

  • Employee OPSEC and Social Media Awareness — Defense Sector Priority: TA456's "Marcella Flores" operation succeeded in building a multi-year relationship with a target before being detected. Defense contractor employees, supply chain managers, and individuals with security clearances should receive specific training on the risk of unsolicited social media connection requests from attractive, engaging profiles. Organizations should establish policies governing whether employees maintain a public-facing social media presence that identifies their employer, role, and clearance level. TA456 specifically uses LinkedIn, Facebook, Instagram, and email to identify and engage targets.
  • Macro Security and Office Hardening: Both LEMPO and post-2023 campaign malware are delivered via Excel macros. Disable macros organization-wide and enforce macro execution only for signed, trusted content. Group Policy should block macros in Office documents downloaded from the internet (Mark of the Web). Block VBScript execution on endpoints where not operationally required.
  • IMAP Protocol Monitoring on Endpoints: IMAPLoader and StandardKeyboard use IMAP email connections for C2 — a significantly less monitored protocol than HTTP/HTTPS C2. Monitor for IMAP connections originating from non-email-client processes (services, scheduled tasks, injected processes). Alert on any IMAP connections from servers or workstations that are not configured as mail clients. Block external IMAP access where not operationally required.
  • Windows Service Monitoring: StandardKeyboard installs as "Keyboard Service." Implement allowlisting of approved Windows services and alert on any new service installation. Specifically monitor for services with generic or plausible-but-unusual names that were not installed by known software packages.
  • AppDomainManager Injection Detection: IMAPLoader uses AppDomainManager injection to load into .NET application processes. Monitor for unexpected DLLs registered in .NET AppDomain configuration files (app.config or machine.config AppDomainManager entries). Alert on .NET processes loading DLLs from user-writable directories outside standard program file paths.
  • Watering Hole Defense — Secure Web Browsing: Imperial Kitten compromised legitimate industry websites to profile and selectively target visitors. DNS filtering and web proxy solutions that categorize and inspect JavaScript from visited pages provide partial protection. For high-risk users (defense contractors, security-cleared personnel), consider browser isolation solutions that prevent drive-by JavaScript execution from reaching the endpoint.
  • Supply Chain Risk Management: TA456 deliberately targets smaller subsidiaries and subcontractors of major defense primes, knowing their security posture is typically weaker than the parent. Defense prime contractors should include mandatory security requirements in contracts with subsidiaries and subcontractors, conduct security assessments of the third-party supply chain, and restrict network connectivity between subsidiaries and core corporate networks to the minimum necessary.
  • Credential Phishing Awareness: UNC1549/Imperial Kitten uses fake job recruitment sites and Israel-Hamas conflict-related content as phishing lures. Train employees to verify that any URL requesting Microsoft authentication genuinely originates from microsoft.com before entering credentials. Implement phishing-resistant MFA (FIDO2/WebAuthn) rather than push-based MFA, which can be bypassed through prompt fatigue.
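The AppDomainManager Injection Detection item above points at .NET configuration files as the place to look. A custom AppDomainManager is registered through the `<appDomainManagerAssembly>` and `<appDomainManagerType>` elements under `<runtime>` in an app.config or machine.config, or through the `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables the .NET Framework honours; legitimate software rarely sets either, so every occurrence is worth review. The audit below is an added example written for this profile, not a tool from the page or any vendor; the allowlist (`Contoso.Hosting`), the `UpdateHelper` assembly name and the sample configurations are constructed.

```python
"""Audit .NET configuration XML and environment for AppDomainManager registrations.

Added example for the TA456 profile. The element names are the real .NET
Framework configuration elements; the allowlist and sample configs are
constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed allowlist: simple names of AppDomainManager assemblies your own
# software is known to register. Anything else is reported as high severity.
ALLOWED_MANAGER_ASSEMBLIES = {"contoso.hosting"}
# Environment variables the .NET Framework reads for the same purpose.
APPDOMAIN_ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")

CLEAN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
  <runtime><gcServer enabled="true" /></runtime>
</configuration>"""

# Constructed: a manager assembly that is not on the allowlist, plus an
# assembly probing path that widens where the runtime will look for it.
SUSPECT_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateHelper.Manager" />
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="bin;helpers" />
    </assemblyBinding>
  </runtime>
</configuration>"""

# Constructed: a manager the organisation knows about; still reported, lower severity.
ALLOWED_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="Contoso.Hosting, Version=2.1.0.0, Culture=neutral, PublicKeyToken=0123456789abcdef" />
    <appDomainManagerType value="Contoso.Hosting.DomainManager" />
  </runtime>
</configuration>"""


def _local_name(tag):
    """Strip an XML namespace prefix: '{urn:...}probing' -> 'probing'."""
    return tag.rsplit("}", 1)[-1]


def audit_config(xml_text, label):
    """Return a finding if the config registers an AppDomainManager, else []."""
    root = ET.fromstring(xml_text)
    assembly = manager_type = None
    probing_paths = []
    for el in root.iter():
        name = _local_name(el.tag)
        if name == "appDomainManagerAssembly":
            assembly = el.get("value", "")
        elif name == "appDomainManagerType":
            manager_type = el.get("value", "")
        elif name == "probing" and el.get("privatePath"):
            probing_paths.append(el.get("privatePath"))
    if assembly is None and manager_type is None:
        return []
    # Simple assembly name is the part before the first comma of the full name.
    simple_name = (assembly or "").split(",", 1)[0].strip().lower()
    severity = "medium" if simple_name in ALLOWED_MANAGER_ASSEMBLIES else "high"
    return [{
        "config": label,
        "assembly": assembly,
        "type": manager_type,
        "probing": probing_paths,
        "severity": severity,
    }]


def audit_environment(env):
    """Report AppDomainManager environment variables present in a process/user env."""
    return [{"variable": k, "value": env[k]} for k in APPDOMAIN_ENV_VARS if env.get(k)]


def audit_all(configs, env):
    """Run both audits; configs is a mapping of label -> XML text."""
    findings = []
    for label, text in configs.items():
        findings.extend(audit_config(text, label))
    findings.extend(audit_environment(env))
    return findings


if __name__ == "__main__":
    import os
    samples = {"clean": CLEAN_CONFIG, "suspect": SUSPECT_CONFIG, "allowed": ALLOWED_CONFIG}
    for finding in audit_all(samples, dict(os.environ)):
        print(finding)
```

An allowlisted manager is still reported at medium severity rather than suppressed: the registration is a persistence point in its own right, so the check is that the named assembly actually is the one shipped by the owning software, not merely that the name looks familiar.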

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile — ta456 / imperial kitten — last updated 2025-03-27