Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ CURIUM

🌐CURIUM

🌐 CURIUM is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 19 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1012) ↗
14Use cases
0Articles
19Techniques
0IOCs

About this actor (MITRE)

[CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East.(Citation: Symantec Tortoiseshell 2019) [CURIUM](https://attack.mitre.org/groups/G1012) has since invested in building relationships with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://attack.mitre.org/groups/G1012) has demonstrated great patience and persistence by chatting with potential

Known aliases

CURIUMCrimson SandstormTA456Tortoise ShellYellow Liderc

Top techniques

T1005 · Data from Local SystemT1041 · Exfiltration Over C2 ChannelT1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

All other tracked techniques

T1059.001 · PowerShellT1082 · System Information DiscoveryT1124 · System Time DiscoveryT1189 · Drive-by CompromiseT1204.002 · Malicious FileT1505.003 · Web ShellT1566.001 · Spearphishing AttachmentT1566.003 · Spearphishing via ServiceT1583.001 · DomainsT1583.003 · Virtual Private ServerT1583.004 · ServerT1584.006 · Web ServicesT1585.001 · Social Media AccountsT1585.002 · Email AccountsT1598.003 · Spearphishing LinkT1608.004 · Drive-by Target

Detection use cases (14)

CURIUM/TA456 long-grooming spearphishing → Office-spawned scripting host within minutes of first-contact email AI · profile S Tortoiseshell (CURIUM) IIS web-shell on compromised IT service provider — w3wp.exe spawning recon commands AI · profile SΣ Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match Package manager lifecycle hook spawns network-fetching shell or runtime MITRE match Package-manager child process credential fan-out with public egress (Mini Shai-Hulud / TeamPCP worm chain) MITRE match Package-manager install hook spawns interpreter that beacons to non-registry host within 120s MITRE match