Iran's hackers initiate malware assaults on Israel's technology sector.

Security researchers have identified a new campaign by Imperial Kitten that is targeting transportation, logistics, and technology companies. [...]

Nov 12, 2023 - 15:00

Imperial Kitten, an Iranian-linked cyber threat group, has been actively targeting transportation, logistics, and technology sectors. Also known as Tortoiseshell, TA456, Crimson Sandstorm, and Yellow Liderc, this actor has historically used the online persona Marcella Flores and is associated with the Islamic Revolutionary Guard Corps (IRGC), a part of Iran's Armed Forces.

Imperial Kitten has been active since at least 2017. CrowdStrike identified the group's recent attacks and connected them to the actor based on overlaps in infrastructure, tactics, and tools with previously observed activity. The recent phishing campaigns, launched in October, used job recruitment themes with malicious Microsoft Excel attachments. These documents deployed batch files and Python payloads for network access and control.

Key tools used by Imperial Kitten include IMAPLoader and StandardKeyboard malware, which facilitate network persistence and communication with command and control servers via email. The group's techniques also involve lateral movement using tools like PAExec, network scanning with NetScan, and credential harvesting using ProcDump.

CrowdStrike's analysis indicated that these latest campaigns primarily targeted Israeli organizations, a focus potentially linked to the ongoing Israel-Hamas conflict. In the past, Imperial Kitten has been involved in watering hole attacks against Israeli sites, collecting visitor data for targeting, and deploying IMAPLoader malware to introduce further payloads.

Both CrowdStrike and PricewaterhouseCoopers have provided detailed indicators of compromise for organizations to identify and defend against Imperial Kitten's attacks, highlighting the ongoing threats from this group to various industry sectors.