Crimson Sandstorm

Threat Actor updated 4 months ago (2024-05-04T20:23:15.429Z)

Download STIX

Preview STIX

Crimson Sandstorm, an Advanced Persistent Threat (APT) group linked to Iran, has been identified as a significant threat actor in the cybersecurity landscape. This entity, potentially connected to the Islamic Revolutionary Guard Corps and active since at least 2017, targets victims across diverse sectors including defense, maritime shipping, transportation, healthcare, and technology. Crimson Sandstorm, also known as CURIUM, has utilized AI services to generate phishing emails, code snippets, and develop code to evade detection mechanisms. The group has been notably using Microsoft's AI services, leveraging OpenAI’s ChatGPT, which forms the basis for Microsoft’s Copilot. The group's malicious activities include deploying new IMAPLoader malware attacks and launching watering hole attacks. These tactics facilitate the distribution of the IMAPLoader malware and are part of a broader Iranian state-sponsored advanced persistent threat operation, which includes other aliases such as Tortoiseshell, TA456, Imperial Kitten, and Yellow Liderc. Crimson Sandstorm has been using AI to support scripting related to app and web development, generate content likely for spear-phishing campaigns, and research common ways for malware to evade detection. In response to these threats, OpenAI has partnered with Microsoft Threat Intelligence to counteract state-backed hacking organizations, including Crimson Sandstorm. As part of their efforts, they have disrupted hacking attempts from five state-affiliated malicious actors, including Charcoal Typhoon and Salmon Typhoon (China), Crimson Sandstorm (Iran), Emerald Sleet (North Korea), and Forest Blizzard (Russia). Despite the sophisticated use of AI by these groups, no substantial advances in evasion techniques or supercharged coding have been observed yet.

Description last updated: 2024-05-04T17:48:38.552Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
CURIUM	2	Curium, also known as Crimson Sandstorm, is an Iranian threat actor group that has been meticulously targeting users over time. Unlike other threat actors who commonly utilize phishing emails, Curium employs a unique approach by creating a network of fictitious social media accounts to build trust w
Imperial Kitten	2	Imperial Kitten, also known as Tortoiseshell and UNC1549, is a significant threat actor identified by cybersecurity firms CrowdStrike and Mandiant. The group has been associated with various malicious activities, including the distribution of malware through SWC, and the use of IMAPLoader and other

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Phishing

State Sponso...

Apt

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Crimson Sandstorm Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	6 months ago	Microsoft, OpenAI move to fend off genAI-aided hackers — for now
CERT-EU	6 months ago	Microsoft, OpenAI move to fend off genAI-aided hackers — for now
CERT-EU	7 months ago	OpenAI, Microsoft crack down on hackers using ChatGPT \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
BankInfoSecurity	7 months ago	OpenAI and Microsoft Terminate State-Backed Hacker Accounts
Securityaffairs	7 months ago	Nation-state actors are using AI services and LLMs for cyberattacks
DARKReading	7 months ago	Iran's 'Cyber Centers' Dodge Sanctions to Sell Cyber Operations
MITRE	9 months ago	Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021 \| Microsoft Security Blog
CERT-EU	10 months ago	Iran-Linked Imperial Kitten Cyber Group Targeting Middle East's Tech Sectors
DARKReading	10 months ago	Imperial Kitten APT Claws at Israeli Industry with Multiyear Spy Effort
CERT-EU	10 months ago	GHOSTPULSE malware loader deployed via fraudulent MSIX app packages
CERT-EU	10 months ago	Cybersecurity Awareness Month: Building a use policy for generative AI
CERT-EU	10 months ago	Widespread StripedFly malware framework compromise reported in Windows, Linux systems
CERT-EU	10 months ago	New federal healthcare cybersecurity toolkit unveiled
CERT-EU	10 months ago	New IMAPLoader malware attacks deployed by Iranian threat operation
CERT-EU	10 months ago	Millions install mobile adware apps on Google Play
CERT-EU	a year ago	Iranian Tortoiseshell Hackers Targeting Israeli Logistics Industry - GIXtools
CERT-EU	a year ago	Microsoft is giving hackers weather-themed names like storm, typhoon, and blizzard \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker – National Cyber Security Consulting