Imperial Kitten

Imperial Kitten Targets Tech and Transport in New Cyberattacks

Imperial Kitten, also known as Tortoiseshell, TA456, Crimson Sandstorm, and Yellow Liderc, is a threat actor associated with the Islamic Revolutionary Guard Corps (IRGC), a branch of the Iranian Armed Forces.


The group has been active since at least 2017, conducting cyberattacks across various sectors, including defense, technology, telecommunications, maritime, energy, consulting, and professional services.

Recently, cybersecurity researchers discovered a new campaign by Imperial Kitten targeting transportation, logistics, and technology firms. The attacks, observed in October 2023, utilized phishing emails with a ‘job recruitment’ theme, carrying a malicious Microsoft Excel attachment. Once opened, the malicious macro code extracted batch files for persistence through registry modifications and executed Python payloads for reverse shell access.

Imperial Kitten employed tools like PAExec for remote process execution, NetScan for network reconnaissance, and ProcDump to obtain credentials from system memory. Communication with the command and control (C2) server was facilitated through custom malware, including IMAPLoader and StandardKeyboard, both relying on email for information exchange. StandardKeyboard persisted on compromised machines as the Windows Service Keyboard Service, executing base64-encoded commands received from the C2.

CrowdStrike confirmed that the October 2023 attacks targeted Israeli organizations in the aftermath of the Israel-Hamas conflict. In previous campaigns between 2022 and 2023, Imperial Kitten used watering hole attacks, compromising Israeli websites to collect information about visitors. Some victims received the IMAPLoader malware, introducing additional payloads.

The threat intelligence teams at both CrowdStrike and PricewaterhouseCoopers (PwC) have provided indicators of compromise (IoCs) for the malware and adversary infrastructure used in these observed attacks.