
S1152: IMAPLoader

IMAPLoader is a .NET-based loader malware exclusively associated with CURIUM operations since at least 2022. IMAPLoader leverages email protocols for command and control and payload delivery.[1]

Domain: Enterprise | ID: S1152 | Type: Malware | Object version: 1.0 | Modified:
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

IMAPLoader matters because it turns ordinary-looking email protocol traffic into a command-and-control and payload delivery path for Windows malware. For leaders, the key issue is not only “malware on an endpoint,” but whether the organization can distinguish legitimate mail-client behavior from suspicious IMAP/SMTP/POP-style communications, correlate that with Windows persistence and execution activity, and preserve evidence fast enough for incident response.

Executive priority

Prioritize validation of coverage where email protocols, Windows endpoint telemetry, and persistence monitoring intersect. IMAPLoader is .NET-based and is officially described as leveraging email protocols for command and control and payload delivery, with ATT&CK relationships to WMI, Scheduled Tasks, Native API execution, system process modification, hidden windows, AppDomainManager abuse, system discovery, and ingress tool transfer. Executives should ask whether SOC and IR teams can prove visibility across these behaviors, especially on Windows systems where mail traffic may be allowed by default and persistence mechanisms can look administrative.

Technical view

For SOC, detection engineering, and IR teams, treat this as a Windows-focused malware coverage validation exercise centered on mail-protocol C2 plus host execution and persistence. ATT&CK provides no official detection text for IMAPLoader, so detections should be derived from the related behaviors: unusual email protocol connections from non-mail processes, .NET execution patterns, WMI activity, new or modified scheduled tasks, service or system-process changes, hidden-window execution indicators, AppDomainManager-related configuration or loading anomalies, system information discovery, and inbound tool or payload transfer. Because several related techniques are legitimate administration mechanisms, correlation is more important than single-event alerting.

Likely telemetry

  • Windows endpoint process creation and parent-child process relationships
  • Command-line and script execution telemetry where available
  • WMI operational and process execution logs
  • Windows Scheduled Task creation, modification, and execution events
  • Service or system process creation/modification telemetry

Detection direction

  • Validate whether email protocol traffic can be tied back to the originating Windows process, not just the host or user account.
  • Tune for unusual mail-protocol use by non-mail clients, services, scripts, or newly observed binaries, while accounting for legitimate email software and administrative tools.
  • Correlate mail-protocol communication with WMI execution, scheduled task changes, service/process modification, or .NET AppDomainManager-related activity.
  • Review scheduled tasks and system process changes for suspicious timing, naming, paths, and user context rather than relying only on known indicators.
  • Look for discovery followed by payload transfer or persistence creation, since the related techniques suggest a chain of behaviors rather than one isolated event.
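
The correlation that the Technical view and the Detection direction items describe, tying a mail-protocol connection back to its originating process and pairing it with a scheduled-task change on the same host, is shown below as an added example. It is not code from MITRE, Glexia or the PwC report. The records mimic Sysmon Event ID 3 (network connection) and Event ID 1 (process creation), but the field names, hosts, paths and timestamps are constructed, and `MAIL_CLIENT_ALLOWLIST` is an assumed baseline that a real deployment would derive from local telemetry.

```python
"""Correlate mail-protocol connections from non-mail processes with scheduled-task
changes on the same Windows host.

Added example for this page; not code from MITRE, Glexia or the PwC report.
Records mimic Sysmon Event ID 3 (network connection) and Event ID 1 (process
creation), but field names, host names, paths and timestamps are constructed,
and MAIL_CLIENT_ALLOWLIST is an assumed baseline to be replaced by local data.
"""
from datetime import datetime, timedelta

# SMTP, POP3 and IMAP ports, plain and TLS variants.
MAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}

# Image names expected to speak mail protocols on a workstation (assumed baseline).
MAIL_CLIENT_ALLOWLIST = {"outlook.exe", "thunderbird.exe"}

# Constructed sample telemetry: one allowlisted mail client, one unknown binary
# talking IMAPS, a schtasks registration referencing that binary, and two
# unrelated events on other hosts.
EVENTS = [
    {"ts": "2024-08-14T09:00:03", "host": "WS01", "event_id": 3,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_port": 993},
    {"ts": "2024-08-14T09:05:10", "host": "WS01", "event_id": 3,
     "image": r"C:\Users\Public\Libraries\update.exe", "dst_port": 993},
    {"ts": "2024-08-14T09:06:42", "host": "WS01", "event_id": 1,
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /tn "Updater" /tr C:\Users\Public\Libraries\update.exe /sc onlogon'},
    {"ts": "2024-08-14T11:30:00", "host": "WS02", "event_id": 3,
     "image": r"C:\Windows\System32\svchost.exe", "dst_port": 443},
    {"ts": "2024-08-14T12:00:00", "host": "WS03", "event_id": 1,
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /tn "Backup" /tr C:\Tools\backup.exe /sc daily'},
]


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_mail_connections(events):
    """Network connections to a mail port from a process outside the allowlist."""
    return [e for e in events
            if e["event_id"] == 3
            and e["dst_port"] in MAIL_PORTS
            and image_name(e["image"]) not in MAIL_CLIENT_ALLOWLIST]


def scheduled_task_changes(events):
    """schtasks.exe invocations that create or change a task."""
    return [e for e in events
            if e["event_id"] == 1
            and image_name(e["image"]) == "schtasks.exe"
            and any(f in e.get("command_line", "").lower() for f in ("/create", "/change"))]


def correlate(events, window=timedelta(minutes=30)):
    """For each suspicious mail connection, look for scheduled-task changes on the
    same host within +/- window. Severity rises when a task references the very
    binary that opened the mail connection, the pattern the T1543 and T1053.005
    relationship notes on this page describe."""
    tasks = scheduled_task_changes(events)
    findings = []
    for conn in suspicious_mail_connections(events):
        t0 = datetime.fromisoformat(conn["ts"])
        related = [t for t in tasks
                   if t["host"] == conn["host"]
                   and abs(datetime.fromisoformat(t["ts"]) - t0) <= window]
        same_binary = [t for t in related
                       if conn["image"].lower() in t["command_line"].lower()]
        if same_binary:
            severity = "high"
        elif related:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "host": conn["host"],
            "image": conn["image"],
            "dst_port": conn["dst_port"],
            "severity": severity,
            "related_tasks": [t["command_line"] for t in related],
        })
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f["severity"].upper(), f["host"], f["image"], f["dst_port"])
        for cmd in f["related_tasks"]:
            print("    task change:", cmd)
```

On the constructed sample the allowlisted Outlook connection and the unrelated HTTPS connection produce nothing, while the unknown binary on `WS01` is reported at high severity because a `schtasks /create` on the same host within the window points at the same path. The allowlist is deliberately by image name only; a production rule should also check signer, path and first-seen time so that a renamed binary does not inherit the mail client's exemption.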

Mitigation priorities

  • Confirm that Windows endpoints have sufficient logging for process execution, scheduled tasks, WMI, services, and network connections.
  • Restrict and monitor unnecessary outbound mail protocols from endpoints and servers that do not require direct SMTP/POP/IMAP access.
  • Harden administrative execution paths such as WMI and scheduled tasks through least privilege, change control, and review of privileged account use.
  • Monitor and govern .NET application loading behavior where feasible, especially for unusual AppDomainManager-related activity on Windows systems.
  • Use incident response playbooks that collect endpoint, network, and mail-protocol evidence together so C2, persistence, and payload delivery can be reconstructed.
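
The mitigation item on governing .NET application loading can be turned into a concrete hunt, shown here as an added example that is not code from MITRE, Glexia or the PwC report. It inspects `*.exe.config` contents for the two documented .NET Framework `<runtime>` settings that designate an AppDomainManager, `appDomainManagerAssembly` and `appDomainManagerType`, and triages each hit against an approved-assembly baseline. All config texts, file paths and the baseline set are constructed for illustration.

```python
"""Hunt for AppDomainManager declarations in .NET application configuration files.

Added example for this page; not code from MITRE, Glexia or the PwC report.
appDomainManagerAssembly and appDomainManagerType are documented .NET Framework
<runtime> settings; every config text, path and the approved-assembly baseline
below is constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Assemblies that change control has approved to supply an AppDomainManager.
# Assumed baseline; for most fleets this set is empty.
APPROVED_MANAGER_ASSEMBLIES = {"Contoso.Hosting"}

# Constructed sample: path of an *.exe.config file -> its content.
CONFIGS = {
    r"C:\Apps\Reports\Reports.exe.config": """
<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
  <appSettings><add key="Theme" value="light" /></appSettings>
</configuration>""",
    r"C:\Apps\Host\Host.exe.config": """
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Contoso.Hosting, Version=2.1.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Contoso.Hosting.Manager" />
  </runtime>
</configuration>""",
    r"C:\Users\Public\Libraries\update.exe.config": """
<configuration>
  <runtime>
    <appDomainManagerAssembly value="upd" />
    <appDomainManagerType value="upd.Mgr" />
  </runtime>
</configuration>""",
    # Truncated file: the XML parser fails, but the text still names the setting.
    r"C:\Temp\broken.exe.config": '<configuration><runtime><appDomainManagerAssembly value="x',
}


def extract_appdomain_manager(config_xml: str):
    """Return (assembly, type) declared under <runtime>, None if absent, or the
    string 'unparseable' when the XML is malformed but mentions the setting."""
    try:
        root = ET.fromstring(config_xml.strip())
    except ET.ParseError:
        if re.search(r"appDomainManager(Assembly|Type)", config_xml, re.IGNORECASE):
            return "unparseable"
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return (asm.get("value") if asm is not None else None,
            typ.get("value") if typ is not None else None)


def simple_name(display_name):
    """'Foo, Version=1.0.0.0, Culture=neutral, ...' -> 'Foo'."""
    return display_name.split(",", 1)[0].strip() if display_name else None


def triage(configs):
    """Map each config that declares an AppDomainManager to a verdict:
    'approved' when the assembly is on the baseline, otherwise 'review'."""
    findings = []
    for path, text in configs.items():
        result = extract_appdomain_manager(text)
        if result is None:
            continue
        if result == "unparseable":
            findings.append({"path": path, "assembly": None, "type": None,
                             "verdict": "review",
                             "note": "malformed XML mentions AppDomainManager"})
            continue
        asm, typ = result
        verdict = "approved" if simple_name(asm) in APPROVED_MANAGER_ASSEMBLIES else "review"
        findings.append({"path": path, "assembly": asm, "type": typ, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(CONFIGS):
        print(f["verdict"].upper(), f["path"], f.get("assembly"), f.get("type"))
```

Three of the four constructed configs surface: the approved hosting assembly is labelled `approved`, the unknown assembly beside a binary in a user-writable path is labelled `review`, and the truncated file is also sent for review because a parser failure should not silence the hunt. A config that sets only one of the two elements is still reported, since either on its own is unusual for ordinary line-of-business software.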

Analyst notes and limits

MITRE identifies IMAPLoader as a .NET-based loader malware associated with CURIUM operations since at least 2022 and notes its use of email protocols for command and control and payload delivery. The relationship context expands the practical defensive scope to Windows execution, persistence, stealth, discovery, and tool transfer behaviors. This take intentionally emphasizes validation of telemetry and control coverage rather than claiming any specific customer exposure or guaranteed detection.

The supplied ATT&CK object does not include official detection guidance, aliases, labels, or malware-level tactics. Technique descriptions are relationship context and may include platforms beyond this malware object; the malware platform supplied here is Windows. Local baselines, network architecture, mail routing, endpoint logging, and permitted administrative practices are required to determine actual risk and detection quality.

Official MITRE ATT&CK definition

IMAPLoader

IMAPLoader is a .NET-based loader malware exclusively associated with CURIUM operations since at least 2022. IMAPLoader leverages email protocols for command and control and payload delivery.[1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name (the relationship / procedure note follows each row)

Enterprise | T1543 | Create or Modify System Process
    IMAPLoader modifies Windows tasks on the victim machine to reference a retrieved PE file through a path modification. [1]

Enterprise | T1106 | Native API
    IMAPLoader imports native Windows APIs such as `GetConsoleWindow` and `ShowWindow`. [1]

Enterprise | T1047 | Windows Management Instrumentation
    IMAPLoader uses WMI queries to query system information on victim hosts. [1]

Enterprise | T1082 | System Information Discovery
    IMAPLoader uses WMI queries to gather information about the victim machine. [1]

Enterprise | T1564.003 | Hidden Window (sub-technique)
    IMAPLoader hides the Windows console window created by its execution by directly importing the `GetConsoleWindow` and `ShowWindow` APIs from the `kernel32.dll` and `user32.dll` libraries. [1]

Enterprise | T1574.014 | AppDomainManager (sub-technique)
    IMAPLoader is executed via the AppDomainManager injection technique. [1]

Enterprise | T1071.003 | Mail Protocols (sub-technique)
    IMAPLoader uses the IMAP email protocol for command and control purposes. [1]

Enterprise | T1105 | Ingress Tool Transfer
    IMAPLoader is a loader used to retrieve follow-on payloads encoded in email messages for execution on victim systems. [1]

Enterprise | T1053.005 | Scheduled Task (sub-technique)
    IMAPLoader creates scheduled tasks for persistence based on the operating system version of the victim machine. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G1012: CURIUM

CURIUM is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East.[1] CURIUM has since invested in building relationships with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note CURIUM has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.[2]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 865080aaba94bc84...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 865080aaba94…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] PWC Yellow Liderc 2023
     PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024.
  2. [2] mitre-attack S1152

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.