Crimson Sandstorm

Threat Actor updated 7 months ago (2024-05-04T20:23:15.429Z)
Download STIX
Preview STIX
Crimson Sandstorm, an Advanced Persistent Threat (APT) group linked to Iran, has been identified as a significant threat actor in the cybersecurity landscape. This entity, potentially connected to the Islamic Revolutionary Guard Corps and active since at least 2017, targets victims across diverse sectors including defense, maritime shipping, transportation, healthcare, and technology. Crimson Sandstorm, also known as CURIUM, has utilized AI services to generate phishing emails, code snippets, and develop code to evade detection mechanisms. The group has been notably using Microsoft's AI services, leveraging OpenAI’s ChatGPT, which forms the basis for Microsoft’s Copilot. The group's malicious activities include deploying new IMAPLoader malware attacks and launching watering hole attacks. These tactics facilitate the distribution of the IMAPLoader malware and are part of a broader Iranian state-sponsored advanced persistent threat operation, which includes other aliases such as Tortoiseshell, TA456, Imperial Kitten, and Yellow Liderc. Crimson Sandstorm has been using AI to support scripting related to app and web development, generate content likely for spear-phishing campaigns, and research common ways for malware to evade detection. In response to these threats, OpenAI has partnered with Microsoft Threat Intelligence to counteract state-backed hacking organizations, including Crimson Sandstorm. As part of their efforts, they have disrupted hacking attempts from five state-affiliated malicious actors, including Charcoal Typhoon and Salmon Typhoon (China), Crimson Sandstorm (Iran), Emerald Sleet (North Korea), and Forest Blizzard (Russia). Despite the sophisticated use of AI by these groups, no substantial advances in evasion techniques or supercharged coding have been observed yet.
Description last updated: 2024-05-04T17:48:38.552Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
CURIUM is a possible alias for Crimson Sandstorm. Curium, also known as Crimson Sandstorm, is an Iranian threat actor group that has been meticulously targeting users over time. Unlike other threat actors who commonly utilize phishing emails, Curium employs a unique approach by creating a network of fictitious social media accounts to build trust w
2
Imperial Kitten is a possible alias for Crimson Sandstorm. Imperial Kitten, also known as Tortoiseshell and UNC1549, is a significant threat actor identified by cybersecurity firms CrowdStrike and Mandiant. The group has been associated with various malicious activities, including the distribution of malware through SWC, and the use of IMAPLoader and other
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Phishing
State Sponso...
Apt
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the Crimson Sandstorm Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
CERT-EU
9 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
BankInfoSecurity
9 months ago
Securityaffairs
9 months ago
DARKReading
10 months ago
MITRE
a year ago
CERT-EU
a year ago
DARKReading
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
2 years ago