More Bad Kittens

A cyber threat actor group with links to Iran targeted transportation, logistics, and technology sectors in the Middle East, including Israel, in October 2023 amid a surge in Iranian cyber activity since the onset of the Israel-Hamas war. The attacks have been attributed to a threat actor tracked as Imperial Kitten, also known as Crimson Sandstorm (previously Curium), TA456, Tortoiseshell, and Yellow Liderc.  The latest findings also detailed instances of strategic web compromises (aka watering hole attacks) leading to the deployment of IMAPLoader on infected systems.  A watering hole attack is grounded in a bit of a betting game: attackers work out which websites their intended victims frequent and compromise those sites, often by planting malware on them.[1]

The adversary, active since at least 2017, likely fulfills Iranian strategic intelligence requirements associated with IRGC operations, investigators said in a technical report. Its activity is characterized by the use of social engineering, particularly job recruitment-themed content, to deliver custom .NET-based implants.

Attack chains leverage compromised websites, primarily those related to Israel, to profile visitors using bespoke JavaScript and exfiltrate the collected information to attacker-controlled domains. Besides watering hole attacks, evidence suggests that Imperial Kitten also relies on exploiting one-day vulnerabilities, stolen credentials, phishing, and even the compromise of upstream IT service providers for initial access.

Phishing campaigns involve the use of macro-laced Microsoft Excel documents to activate the infection chain and drop a Python-based reverse shell that connects to a hard-coded IP address for receiving further commands.  Some notable post-exploitation activities entail achieving lateral movement through PAExec, the open-source variant of PsExec, and NetScan, followed by the delivery of the implants IMAPLoader and StandardKeyboard.


Also deployed is a remote access trojan (RAT) that uses Discord for command and control. Meanwhile, both IMAPLoader and StandardKeyboard employ email messages (i.e., attachments and the email body) to receive tasking and send back execution results.  StandardKeyboard's primary purpose is to execute Base64-encoded commands received in the email body.  Unlike IMAPLoader, this malware persists on the infected machine as a Windows Service named Keyboard Service.
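The tradecraft described in the two paragraphs above (a macro-laced Excel document spawning a Python reverse shell, a persistence service named Keyboard Service, and Base64-encoded tasking carried in an email body) gives a defender three concrete things to look for in endpoint and mail telemetry. The following is an added detection example written for this post; it is not code from the original article or from any vendor report. The event records are constructed, Sysmon-style JSON lines, and their field names (`parent_image`, `image_path`, `body`, and so on), the Office and script-host process lists, and the "service binary under AppData" heuristic are all assumptions; only the service name Keyboard Service comes from the text above.

```python
"""Detection logic for the Imperial Kitten tradecraft described above.

Added example, not from the original post or from any vendor report. The
telemetry below is constructed, Sysmon-style JSON lines; the field names
are an assumption, not any vendor's real schema.
"""
import base64
import binascii
import json
import ntpath
import re
import string

# Constructed sample telemetry: two process creations, two service installs,
# and two email messages pulled from a mailbox export. Only the service name
# "Keyboard Service" is taken from the report; everything else is made up.
SAMPLE_EVENTS = [
    json.dumps({"event": "process_create", "host": "ws01",
                "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                "image": r"C:\Users\alice\AppData\Local\Programs\Python\python.exe",
                "command_line": "python.exe -c <redacted>"}),
    json.dumps({"event": "process_create", "host": "ws01",
                "parent_image": r"C:\Windows\explorer.exe",
                "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                "command_line": "EXCEL.EXE budget.xlsm"}),
    json.dumps({"event": "service_install", "host": "ws01",
                "service_name": "Keyboard Service",
                "image_path": r"C:\Users\alice\AppData\Roaming\kbd.exe"}),
    json.dumps({"event": "service_install", "host": "ws02",
                "service_name": "Print Spooler",
                "image_path": r"C:\Windows\System32\spoolsv.exe"}),
    json.dumps({"event": "email", "host": "mail01", "subject": "Re: invoice",
                "body": "ZWNobyBoZWxsbw=="}),           # constructed: decodes to a harmless "echo hello"
    json.dumps({"event": "email", "host": "mail01", "subject": "Q4 numbers",
                "body": "Hi team, the Q4 numbers are attached."}),
]

# Assumed lists: Office hosts that should rarely spawn interpreters, and the
# interpreters a macro-based loader typically launches.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "cmd.exe", "powershell.exe",
                "wscript.exe", "cscript.exe"}
# Name taken from the report above; the AppData check is a generic heuristic
# (service binaries living in a user profile are unusual for legitimate software).
SUSPICIOUS_SERVICE_NAMES = {"keyboard service"}

B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable)


def decode_base64_command(body: str):
    """Return the decoded text if the whole mail body is one Base64 token that
    decodes to printable text (the StandardKeyboard tasking pattern); else None."""
    token = "".join(body.strip().splitlines())     # tolerate line-wrapped blobs
    if len(token) < 16 or len(token) % 4 or not B64_TOKEN.match(token):
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not text or sum(c in PRINTABLE for c in text) / len(text) < 0.95:
        return None
    return text


def evaluate(event: dict):
    """Apply the three rules to a single parsed event; return a rule name or None."""
    kind = event.get("event")
    if kind == "process_create":
        parent = ntpath.basename(event.get("parent_image", "")).lower()
        child = ntpath.basename(event.get("image", "")).lower()
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            return "office_spawned_script_host"
    elif kind == "service_install":
        name = event.get("service_name", "").lower()
        path = event.get("image_path", "").lower()
        if name in SUSPICIOUS_SERVICE_NAMES or "\\appdata\\" in path:
            return "suspicious_service_install"
    elif kind == "email":
        if decode_base64_command(event.get("body", "")) is not None:
            return "base64_command_in_email_body"
    return None


def scan(lines):
    """Run every JSON event line through evaluate() and collect the findings."""
    findings = []
    for line in lines:
        event = json.loads(line)
        rule = evaluate(event)
        if rule:
            findings.append({"host": event.get("host"), "rule": rule})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The mail rule deliberately requires the entire body to be a single Base64 token before it decodes anything, which keeps ordinary prose (spaces, punctuation) from ever reaching the decoder; in production you would run it against the mailbox that the implant polls rather than against every inbound message.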

The development comes as Microsoft noted that malicious cyber activity attributed to Iranian groups after the start of the war on 07 October 2023 is more reactive and opportunistic. 

Iranian operators [are] continuing to employ their tried-and-true tactics, notably exaggerating the success of their computer network attacks and amplifying those claims and activities via a well-integrated deployment of information operations.

This essentially creates online propaganda seeking to inflate the notoriety and impact of opportunistic attacks to increase their effects.  The disclosure also follows revelations that a Hamas-affiliated threat actor named Arid Viper has targeted Arabic speakers with an Android spyware known as SpyC23 through weaponized apps masquerading as Skipped and Telegram, according to Cisco Talos and SentinelOne.


This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, a demo, or assistance, please get in touch with the office directly at 1-844-492-7225.

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings
