Imperial Kitten

Threat Actor Profile Updated 13 days ago
Download STIX
Preview STIX
Imperial Kitten, also known as Tortoiseshell and UNC1549, is a significant threat actor identified by cybersecurity firms CrowdStrike and Mandiant. The group has been associated with various malicious activities, including the distribution of malware through SWC, and the use of IMAPLoader and other related malware families. CrowdStrike Intelligence attributes these activities to Imperial Kitten, having analyzed several malware samples associated with the group's operations. This group, which is suspected to have ties to Iran, is known for its focus on IT service providers, but it has also expanded its tactics to include watering-hole attacks and spear phishing. The group has demonstrated sophisticated social engineering techniques, such as masquerading as part of the "Bring Them Home Now" movement—an Israeli-led effort calling for the return of hostages kidnapped by Hamas. Furthermore, they've spoofed major brands like Boeing and DJI in fake job offers meant to redirect targets to websites that enable backdoor deployment and credential exfiltration. Notably, the infrastructure described by Mandiant overlaps with hacking groups dubbed Tortoiseshell and Imperial Kitten. Imperial Kitten has been conducting cyberespionage operations using custom and off-the-shelf malware, as noted by PwC. It is one among several national threat actors, including APT 28 (Russia), Kimusky (North Korea), and Aquatic Panda and Maverick Panda (China), observed to be benefitting from a variety of OpenAI capabilities. These include open source research, identifying potential targets, code creation and resolving coding errors, vulnerability research, and translating foreign technical papers. The group is believed to be linked to the activities of the Cotton Sandstorm and Crimson Sandstorm threat actors, highlighting the complex and interconnected nature of modern cyber threats.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Yellow Liderc
2
Yellow Liderc, also known as Imperial Kitten, Tortoiseshell, TA456, and Crimson Sandstorm, is a threat actor with malicious intent. This group has been active since 2022, engaging in cyber espionage against maritime, shipping, and logistics companies primarily in the Mediterranean region. Their meth
Unc1549
2
UNC1549, also known as Smoke Sandstorm and Tortoiseshell, is a suspected Iranian threat actor targeting the aerospace and defense sectors in the Middle East, specifically Israel and the United Arab Emirates. The group's activities have been discovered and tracked by Google Cloud’s Mandiant, who have
Tortoiseshell
2
Tortoiseshell is a prominent threat actor associated with multiple Iranian Advanced Persistent Threat (APT) groups, including MASN. It has been linked to a multi-year cyberattack campaign that targeted over a dozen US companies and government entities, including the Department of the Treasury. The c
Crimson Sandstorm
2
Crimson Sandstorm, an Advanced Persistent Threat (APT) group linked to Iran, has been identified as a significant threat actor in the cybersecurity landscape. This entity, potentially connected to the Islamic Revolutionary Guard Corps and active since at least 2017, targets victims across diverse se
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing
Malware
Crowdstrike
Lateral Move...
State Sponso...
Espionage
Apt
Exploit
Rat
Discord
Google
Iran
Israeli
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Tortoiseshell GroupUnspecified
2
None
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Imperial Kitten Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
BankInfoSecurity
3 months ago
Report Says Iranian Hackers Targeting Israeli Defense Sector
CERT-EU
3 months ago
Global AI Developers Need to Set Some Standards – Now
DARKReading
4 months ago
Iran's 'Cyber Centers' Dodge Sanctions to Sell Cyber Operations
InfoSecurity-magazine
6 months ago
Iran-Affiliated Group Targets Israeli Firms Amid Israel-Hamas Conflict
CERT-EU
3 months ago
Middle East subjected to suspected Iranian state-backed cyberespionage attacks
CERT-EU
6 months ago
Iran’s role in Israel-Hamas war largely 'opportunistic'
CERT-EU
3 months ago
Iran hacking group impersonates defense firms, hostage campaigners
BankInfoSecurity
6 months ago
Iranian Hackers Target Israeli Logistics and IT Companies
CERT-EU
3 months ago
Report Says Iranian Hackers Targeting Israeli Defense Sector
CERT-EU
6 months ago
Israel subjected to Charming Kitten attacks
CrowdStrike
6 months ago
IMPERIAL KITTEN Deploys Novel Malware Families
CERT-EU
6 months ago
Iran-Linked Imperial Kitten Cyber Group Targeting Middle East's Tech Sectors
CERT-EU
6 months ago
Iranian hackers launch malware attacks on Israel’s tech sector
CERT-EU
6 months ago
IMPERIAL KITTEN Deploys Novel Malware Families
CERT-EU
3 months ago
Iran hacking group impersonates defense firms, hostage campaigners | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU
3 months ago
'Illusive' Iranian Hacking Group Ensnares Israeli, UAE Aerospace and Defense Firms | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
DARKReading
6 months ago
Imperial Kitten APT Claws at Israeli Industry with Multiyear Spy Effort
CERT-EU
6 months ago
Ukraine's power grid targeted by Sandworm hackers last year
DARKReading
3 months ago
'Illusive' Iranian Hacking Group Ensnares Israeli, UAE Aerospace and Defense Firms