MITRE ATT&CK® Group

G1012: CURIUM

CURIUM is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East.[1] CURIUM has since invested in building relationships with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note CURIUM has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.[2]

Enterprise · G1012 · Group · Object v3.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

CURIUM matters because the ATT&CK record describes a patient social-engineering operation, not just commodity malware delivery. The group is reported to build trust with targets over months through social media, benign file exchanges, and later malware delivery, with historical targeting of Middle East IT service providers. For leaders, the practical issue is whether security controls, user reporting paths, and incident response playbooks can handle slow-burn relationship abuse that may occur outside normal email channels.

Executive priority

Prioritize CURIUM-relevant readiness where trusted relationships, IT service provider access, or third-party communications could affect business continuity. Executives should ask whether the organization can evidence controls for social media/service-based phishing, attachment handling, web-exposed server persistence, command-and-control exfiltration, and Windows malware investigation, especially where managed service or supply-chain relationships create concentrated risk.

Technical view

ATT&CK does not provide detection text for this group, so validation should be relationship-driven. SOC and IR teams should map coverage across the related behaviors:

  • Resource development: domains, VPS and server infrastructure, web services, social media accounts, and email accounts
  • Initial access: spearphishing attachments, spearphishing via service, malicious files, and drive-by compromise
  • Execution: PowerShell and user-opened files
  • Persistence: web shells
  • Discovery: system information and system time
  • Collection: data from the local system
  • Exfiltration: over the C2 channel or over an encrypted non-C2 protocol

IMAPLoader is listed as .NET-based malware associated with CURIUM operations since at least 2022 and using email protocols for command and control and payload delivery, so Windows endpoint, email-protocol, and network telemetry are especially important where that software is in scope.

Likely telemetry

  • Email security logs for attachments, links, sender reputation, mailbox access, and delivery events
  • Logs or alerts from third-party messaging, collaboration, and social media access where monitored or reported by users
  • Endpoint process telemetry, especially PowerShell execution, script activity, .NET execution, and user-launched files
  • Windows endpoint detection data relevant to IMAPLoader investigation
  • Network telemetry for C2-like sessions, encrypted non-C2 exfiltration patterns, DNS, proxy, and egress connections

Detection direction

  • Do not rely only on enterprise email controls; the ATT&CK relationships include spearphishing via third-party services and social media account preparation, which may bypass normal mail gateways.
  • Tune detections for sequences rather than single events: long-running persona contact, benign file exchange, later attachment/link delivery, user execution, PowerShell, discovery, collection, and exfiltration.
  • Validate PowerShell visibility and logging quality before assuming coverage for T1059.001-related execution.
  • For IMAPLoader-relevant hunts, confirm visibility into Windows endpoint activity and email-protocol network usage; the supplied relationship states the malware uses email protocols for C2 and payload delivery.
  • Review web-facing server monitoring for web shell indicators, including unexpected script files, unusual web requests, and command execution patterns, while accounting for legitimate administrative scripts.
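The sequence-style detection called for in the Technical view and the Detection direction above, as an added example that is not part of the Glexia page, the ATT&CK object, or any vendor product. It correlates constructed process-creation and network-flow events per host: a document handler spawning PowerShell (the user-execution to T1059.001 step), followed within a window by IMAP/SMTPS egress from a process that is not a mail client (the T1041 / T1048.002 pattern the relationship table attributes to IMAPLoader). The document-parent list, the mail-client allowlist, the port set (143/993 for IMAP/IMAPS, 465/587 for SMTPS/submission) and the one-hour window are assumptions to tune; the hosts, times and addresses are invented.

```python
"""Sequence detection for the slow-burn CURIUM chain: a document handler
spawns PowerShell (T1204.002 -> T1059.001) and, shortly after, a process
that is not a mail client talks IMAP/SMTPS outbound (T1041 / T1048.002).
Added example with constructed telemetry; not Glexia, MITRE or vendor code."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumptions (tune to the environment): which parents mean "a user opened a
# file", which images may legitimately speak mail protocols, and which ports
# stand in for IMAP/SMTP(S): 143/993 for IMAP/IMAPS, 465/587 for SMTPS/submission.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe", "hxoutlook.exe"}
EMAIL_PORTS = {143, 993, 465, 587}
WINDOW = timedelta(minutes=60)  # how long after stage 1 we still pair stage 2


@dataclass
class ProcEvent:
    host: str
    ts: datetime
    parent: str
    image: str
    cmdline: str


@dataclass
class NetEvent:
    host: str
    ts: datetime
    image: str
    dst: str
    dst_port: int


def stage_user_exec(e: ProcEvent) -> bool:
    """Stage 1: PowerShell launched by a document/reader process."""
    return e.image.lower() == "powershell.exe" and e.parent.lower() in DOCUMENT_PARENTS


def stage_mail_egress(e: NetEvent) -> bool:
    """Stage 2: mail-protocol egress from a process that is not a mail client."""
    return e.dst_port in EMAIL_PORTS and e.image.lower() not in MAIL_CLIENTS


def detect(procs, nets):
    """One alert per host where stage 1 precedes stage 2 within WINDOW.
    Either stage alone is noisy (macros that call PowerShell, odd mail
    clients); the ordered pair is what matches the reported tradecraft."""
    stage1 = {}
    for p in sorted(procs, key=lambda x: x.ts):
        if stage_user_exec(p):
            stage1.setdefault(p.host, []).append(p)
    alerts = {}
    for n in sorted(nets, key=lambda x: x.ts):
        if not stage_mail_egress(n):
            continue
        for p in stage1.get(n.host, []):
            if p.ts <= n.ts <= p.ts + WINDOW:
                a = alerts.setdefault(n.host, {"host": n.host, "trigger": p.cmdline, "egress": []})
                a["egress"].append(f"{n.image} -> {n.dst}:{n.dst_port}")
                break
    return list(alerts.values())


# Constructed sample telemetry (hosts, times and addresses are invented;
# 203.0.113.0/24 is a documentation range).
T0 = datetime(2024, 1, 10, 9, 0)
SAMPLE_PROCS = [
    ProcEvent("ws01", T0, "explorer.exe", "WINWORD.EXE", "WINWORD.EXE resume.docm"),
    ProcEvent("ws01", T0 + timedelta(minutes=2), "WINWORD.EXE", "powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ProcEvent("ws02", T0, "explorer.exe", "OUTLOOK.EXE", "OUTLOOK.EXE"),
    ProcEvent("srv01", T0, "svchost.exe", "powershell.exe", "powershell.exe -File backup.ps1"),
]
SAMPLE_NETS = [
    NetEvent("ws01", T0 + timedelta(minutes=5), "powershell.exe", "203.0.113.10", 993),
    NetEvent("ws01", T0 + timedelta(minutes=6), "powershell.exe", "203.0.113.10", 465),
    NetEvent("ws02", T0 + timedelta(minutes=1), "OUTLOOK.EXE", "203.0.113.20", 993),
    NetEvent("srv01", T0 + timedelta(minutes=3), "powershell.exe", "203.0.113.30", 443),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_PROCS, SAMPLE_NETS):
        print(alert)
```

Only ws01 fires: the scheduled PowerShell on srv01 never speaks a mail protocol, and the IMAPS session on ws02 comes from an allowlisted mail client. In production the two event streams come from process-creation and network-connection telemetry (Sysmon, EDR) rather than inline lists, the mail-client allowlist is built from the real estate, and the same pairing logic extends to the other stages in the list above (discovery and collection commands between stage 1 and stage 2) once those are observable.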

Mitigation priorities

  • Start with exposure and process controls for social engineering: user reporting channels, executive and high-risk user awareness, and procedures for suspicious social media or third-party service contact.
  • Harden attachment and link handling across email and collaboration workflows, including detonation, policy enforcement, and rapid removal processes where available.
  • Restrict and monitor PowerShell use according to administrative need, with logging sufficient for investigation.
  • Strengthen egress monitoring and control for unusual email-protocol, C2-like, and encrypted outbound traffic, especially from endpoints that should not communicate that way.
  • Improve web server hygiene and monitoring to reduce web shell persistence risk: patching, least privilege, file integrity monitoring, and review of exposed services.
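The file integrity monitoring piece of the web server hygiene item above, as an added example that is not part of the page or of MITRE's material. It snapshots SHA-256 hashes of a web root, diffs a later snapshot against that baseline, and lists new or changed server-side script files first, since those are the web-shell candidates (T1505.003) to review. The web-root layout, the script-extension list and the "attacker drops a file and edits a handler" scenario are constructed for the demo.

```python
"""File-integrity check for a web root, aimed at web-shell persistence
(T1505.003). Added example; not Glexia or MITRE tooling. The fixture
layout and the script-extension list are assumptions."""
import hashlib
import tempfile
from pathlib import Path

# Server-side executable extensions a web shell is usually dropped as (assumption).
SCRIPT_EXT = {".php", ".asp", ".aspx", ".ashx", ".jsp", ".jspx", ".cfm"}


def snapshot(root):
    """Map relative POSIX path -> sha256 hex digest for every file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def diff(baseline, current):
    """Compare two snapshots; script files that appeared or changed are listed
    separately because they are the first thing to look at after a deploy."""
    new = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    script_alerts = sorted(k for k in new + modified if Path(k).suffix.lower() in SCRIPT_EXT)
    return {"new": new, "removed": removed, "modified": modified, "script_alerts": script_alerts}


def demo():
    """Constructed fixture: a known-good deployment, then an attacker drops a
    script into an upload directory and edits an existing page handler."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>portal</h1>")
        (root / "app").mkdir()
        (root / "app" / "login.aspx").write_text('<%@ Page Language="C#" %>')
        (root / "uploads").mkdir()
        (root / "uploads" / "logo.png").write_bytes(b"\x89PNG")
        baseline = snapshot(root)

        # Post-compromise changes (constructed): a dropped server-side script in a
        # writable upload path, a tampered handler, and an unrelated content edit.
        (root / "uploads" / "img.aspx").write_text("<%-- placeholder for a dropped script --%>")
        (root / "app" / "login.aspx").write_text('<%@ Page Language="C#" %>\n<!-- tampered -->')
        (root / "index.html").write_text("<h1>portal v2</h1>")
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Take the baseline from a known-good deployment and refresh it on every release, so that anything outside that process goes to the server owner as an alert. A hash diff sees files dropped or edited on disk; it does not see a shell that lives only in memory, or one hidden in a file the baseline already treats as legitimate, so pair it with the web request and command-execution review the detection list above asks for.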

Analyst notes and limits

This take is based on ATT&CK group G1012, its aliases, official description, external references, and listed relationships. The most decision-relevant theme is patient trust-building before malware delivery, supported by related techniques for persona/account preparation, phishing through email and services, malicious files, web shells, discovery, collection, and exfiltration. IMAPLoader is the only related software provided and is described as Windows .NET-based malware associated with CURIUM operations since at least 2022.

The group object has no official detection text, no group-level platforms, and no group-level tactics specified. Related techniques provide behavioral context but do not prove those behaviors are present in any specific environment. Local telemetry, business geography, third-party relationships, user populations, and incident evidence are required before making exposure, attribution, or coverage claims.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

19 rows

Domain | ID | Name | Relationship / procedure

Enterprise | T1566.003 | Spearphishing via Service (sub-technique)
  CURIUM has used social media to deliver malicious files to victims. (Citation: Microsoft Iranian Threat Actor Trends November 2021)

Enterprise | T1505.003 | Web Shell (sub-technique)
  CURIUM has been linked to web shells following likely server compromise as an initial access vector into victim networks. (Citation: Symantec Tortoiseshell 2019)

Enterprise | T1204.002 | Malicious File (sub-technique)
  CURIUM has lured users into opening malicious files delivered via social media. (Citation: Microsoft Iranian Threat Actor Trends November 2021)

Enterprise | T1584.006 | Web Services (sub-technique)
  CURIUM has compromised legitimate websites to enable strategic website compromise attacks. (Citation: PWC Yellow Liderc 2023)

Enterprise | T1583.003 | Virtual Private Server (sub-technique)
  CURIUM created virtual private server instances to facilitate use of malicious domains and other items. (Citation: PWC Yellow Liderc 2023)

Enterprise | T1082 | System Information Discovery
  CURIUM deploys information gathering tools focused on capturing IP configuration, running applications, system information, and network connectivity information. (Citation: Symantec Tortoiseshell 2019)

Enterprise | T1608.004 | Drive-by Target (sub-technique)
  CURIUM used strategic website compromise to fingerprint and then target victims. (Citation: PWC Yellow Liderc 2023)

Enterprise | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (sub-technique)
  CURIUM has used SMTPS to exfiltrate collected data from victims. (Citation: PWC Yellow Liderc 2023)

Enterprise | T1005 | Data from Local System
  CURIUM has exfiltrated data from a compromised machine. (Citation: Microsoft Iranian Threat Actor Trends November 2021)

Enterprise | T1585.001 | Social Media Accounts (sub-technique)
  CURIUM has established a network of fictitious social media accounts, including on Facebook and LinkedIn, to establish relationships with victims, often posing as an attractive woman. (Citation: Microsoft Iranian Threat Actor Trends November 2021)

Enterprise | T1585.002 | Email Accounts (sub-technique)
  CURIUM has created dedicated email accounts for use with tools such as IMAPLoader. (Citation: PWC Yellow Liderc 2023)

Enterprise | T1124 | System Time Discovery
  CURIUM deployed mechanisms to check system time information following strategic website compromise attacks. (Citation: PWC Yellow Liderc 2023)

Enterprise | T1598.003 | Spearphishing Link (sub-technique)
  CURIUM used malicious links to adversary-controlled resources for credential harvesting. (Citation: PWC Yellow Liderc 2023)

Enterprise | T1189 | Drive-by Compromise
  CURIUM has used strategic website compromise to infect victims with malware such as IMAPLoader. (Citation: PWC Yellow Liderc 2023)

Enterprise | T1566.001 | Spearphishing Attachment (sub-technique)
  CURIUM has used phishing with malicious attachments for initial access to victim environments. (Citation: PWC Yellow Liderc 2023)

Enterprise | T1059.001 | PowerShell (sub-technique)
  CURIUM has leveraged PowerShell scripts for initial process execution and data gathering in victim environments. (Citation: Symantec Tortoiseshell 2019)

Enterprise | T1583.001 | Domains (sub-technique)
  CURIUM created domains to facilitate strategic website compromise and credential capture activities. (Citation: PWC Yellow Liderc 2023)

Enterprise | T1041 | Exfiltration Over C2 Channel
  CURIUM has used IMAP and SMTPS for exfiltration via tools such as IMAPLoader. (Citation: PWC Yellow Liderc 2023)

Enterprise | T1583.004 | Server (sub-technique)
  CURIUM has created dedicated servers for command and control and exfiltration purposes. (Citation: PWC Yellow Liderc 2023)

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
3.0
Created
Modified
Raw hash
3821fc6cc53cba83...
Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 3.0 | | Current bundle | 3821fc6cc53c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

Associated group names recorded on the ATT&CK object:

  • Crimson Sandstorm (Citation: Microsoft Threat Actor Naming July 2023)
  • TA456 (Citation: Microsoft Threat Actor Naming July 2023; Proofpoint TA456 Defense Contractor July 2021)
  • Tortoise Shell (Citation: Microsoft Threat Actor Naming July 2023)
  • Yellow Liderc (Citation: PWC Yellow Liderc 2023)

References:

  1. [1] Symantec Tortoiseshell 2019. Symantec Threat Hunter Team. (2019, September 18). Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks. Retrieved May 20, 2024.
  2. [2] Microsoft Iranian Threat Actor Trends November 2021. MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.
  3. Microsoft Threat Actor Naming July 2023. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  4. PWC Yellow Liderc 2023. PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024.
  5. Proofpoint TA456 Defense Contractor July 2021. Miller, J. et al. (2021, July 28). I Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona. Retrieved March 11, 2024.
  6. mitre-attack G1012. MITRE ATT&CK group entry G1012 on attack.mitre.org.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.