Iranian Group Tortoiseshell Launches New Wave of IMAPLoader Malware Attacks

Oct 26, 2023 | Newsroom | Cyber Threat / Malware


The Iranian threat actor known as Tortoiseshell has been attributed to a new wave of watering hole attacks designed to deploy a malware called IMAPLoader.

“IMAPLoader is a .NET malware capable of fingerprinting victim systems using native Windows utilities and acting as a downloader for additional payloads,” PwC Threat Intelligence said in an analysis published on Wednesday.

“It uses email as a [command-and-control] channel and is able to execute payloads extracted from email attachments and executed through new service deployments.”


Active since at least 2018, Tortoiseshell has a history of using strategic website compromises as a ploy to facilitate the distribution of malware. In May, ClearSky linked the group to the compromise of eight websites belonging to shipping, logistics, and financial services companies in Israel.

The threat actor is aligned with the Islamic Revolutionary Guard Corps (IRGC) and is also tracked by the wider cybersecurity community under the names Crimson Sandstorm (formerly Curium), Imperial Kitten, TA456, and Yellow Liderc.


The latest set of attacks, observed between 2022 and 2023, involved embedding malicious JavaScript into compromised legitimate websites to collect additional details about visitors, including their location, device information, and time of visit.

These intrusions mainly target the maritime, shipping, and logistics sectors in the Mediterranean, and in some cases lead to the deployment of IMAPLoader as a follow-on payload if the victim is deemed a high-value target.

IMAPLoader is assessed to be a replacement for a Python-based IMAP implant that Tortoiseshell used in late 2021 and early 2022, based on functional similarities between the two.


The malware acts as a downloader for next-stage payloads by querying hard-coded IMAP email accounts, specifically checking a mailbox folder with the misspelled name “Recive” to retrieve executables from message attachments.
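The behaviour described above (a process contacting an IMAP server, fingerprinting the host with native Windows utilities, then standing up a new service whose binary sits in a user-writable directory) can be turned into a host-side hunting heuristic. The following Python is an added example written for this page; it is not PwC's analysis code nor anything recovered from IMAPLoader. It assumes Sysmon-style telemetry reduced to dicts (event ID 3 network connections, ID 1 process creations, and System log ID 7045 service installs) and the field names, process names, service name and paths in the sample events are all constructed for illustration.

```python
"""
Correlate IMAP contact, native-utility recon and new-service installs into one alert.
Event records are constructed, Sysmon-style dicts, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

IMAP_PORTS = {143, 993}
# Native Windows utilities commonly used for host fingerprinting.
RECON_UTILS = {"systeminfo.exe", "whoami.exe", "ipconfig.exe",
               "tasklist.exe", "hostname.exe", "net.exe"}
# Service binaries living here, rather than under Program Files/System32, are suspicious.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# 7045 carries no creating PID, so service installs are attributed by proximity in time.
WINDOW = timedelta(minutes=5)


def _t(s):
    return datetime.fromisoformat(s)


def _user_writable(path):
    return path.lower().lstrip('"').startswith(USER_WRITABLE)


def correlate(events):
    """Return one alert per process that opened an IMAP session and then either
    spawned fingerprinting utilities or was followed by a service install from a
    user-writable path within WINDOW."""
    events = sorted(events, key=lambda e: e["time"])
    imap_first = {}            # pid -> (image, time of first IMAP connection)
    recon = defaultdict(set)   # pid -> native utilities spawned after IMAP contact
    svc_installs = []          # (time, service name, image path) in user-writable dirs

    for e in events:
        t = _t(e["time"])
        if e["id"] == 3 and e.get("dport") in IMAP_PORTS:
            imap_first.setdefault(e["pid"], (e["image"], t))
        elif e["id"] == 1 and e.get("ppid") in imap_first:
            name = e["image"].rsplit("\\", 1)[-1].lower()
            if name in RECON_UTILS and t >= imap_first[e["ppid"]][1]:
                recon[e["ppid"]].add(name)
        elif e["id"] == 7045 and _user_writable(e["image_path"]):
            svc_installs.append((t, e["service"], e["image_path"]))

    alerts = []
    for pid, (image, t0) in imap_first.items():
        nearby = [s for s in svc_installs if t0 <= s[0] <= t0 + WINDOW]
        if recon[pid] or nearby:
            alerts.append({
                "pid": pid,
                "image": image,
                "imap_contact": t0.isoformat(),
                "recon_utils": sorted(recon[pid]),
                "services": [(name, path) for _, name, path in nearby],
            })
    return alerts


# Constructed sample telemetry (hypothetical hosts, users, binaries and service names).
SAMPLE_EVENTS = [
    # A mail client talking to the corporate server on 993: benign, nothing follows it.
    {"time": "2023-10-25T08:50:00", "id": 3, "pid": 4100,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "dport": 993},
    # An unknown binary in the user's profile opening an IMAP session.
    {"time": "2023-10-25T09:05:10", "id": 3, "pid": 5212,
     "image": "C:\\Users\\jdoe\\AppData\\Roaming\\svcupd.exe", "dport": 993},
    # That process then runs native fingerprinting utilities.
    {"time": "2023-10-25T09:05:12", "id": 1, "pid": 5300, "ppid": 5212,
     "image": "C:\\Windows\\System32\\systeminfo.exe"},
    {"time": "2023-10-25T09:05:13", "id": 1, "pid": 5304, "ppid": 5212,
     "image": "C:\\Windows\\System32\\whoami.exe"},
    # Shortly afterwards a service is registered with its binary under ProgramData.
    {"time": "2023-10-25T09:07:40", "id": 7045, "service": "WinUpdSvc",
     "image_path": "C:\\ProgramData\\WinUpd\\winupd.exe"},
    # A vendor installer creating a service under Program Files: outside the heuristic.
    {"time": "2023-10-25T09:30:00", "id": 7045, "service": "VendorAgent",
     "image_path": "\"C:\\Program Files\\Vendor\\agent.exe\""},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Run as a script, the sample data yields a single alert for PID 5212: the Outlook session is ignored because no recon children or nearby user-writable service installs accompany it. Because System log event 7045 does not record which process created the service, the time-window attribution is a weak link; where Sysmon registry telemetry (event ID 13 on `HKLM\SYSTEM\CurrentControlSet\Services\*\ImagePath`) is available, keying the service install on the writing process gives a firmer correlation.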

In an alternate attack chain, a Microsoft Excel decoy document is used as the initial vector to kick off a multi-stage process that delivers and executes IMAPLoader, indicating that the threat actor employs different tactics and techniques to accomplish its strategic goals.

PwC said it also discovered phishing sites set up by Tortoiseshell, some of which targeted the travel and hospitality sectors in Europe, to harvest credentials using fake Microsoft sign-in landing pages.

“This threat actor remains an active and persistent threat to many industries and countries, including the maritime, shipping, and logistics sectors within the Mediterranean; nuclear, aerospace, and defense industries in the US and Europe; and IT managed service providers in the Middle East,” said PwC.
