Iranian Cyber Group Imperial Kitten Attacks Middle East

Imperial Kitten

In October 2023, against the backdrop of increased Iranian cyber activity following the outbreak of active confrontation between Israel and Palestine, a series of cyberattacks took place on the transportation, logistics, and technology sectors of the Middle East, including Israel.

These attacks, according to CrowdStrike, were carried out by a group with Iranian ties known as Imperial Kitten. The group is also known by other names, including Crimson Sandstorm, TA456, Tortoiseshell, and Yellow Liderc.

According to CrowdStrike’s technical report, the group has been active since 2017 and is likely linked to the intelligence operations of the IRGC. Imperial Kitten relies primarily on social engineering, in particular fake job offers used to deliver malicious .NET programs.

The group’s attacks are characterized by the use of compromised websites, mainly Israeli, that profile visitors with specialized JavaScript code; the collected visitor information is sent to domains controlled by the attackers. In addition, the group gains initial access through vulnerability exploitation, credential theft, phishing, and attacks on IT providers.

As part of its phishing campaigns, Imperial Kitten uses Microsoft Excel documents with embedded macros that trigger the infection and install a Python shell associated with a specific IP address. Once inside the system, the attackers use the PAExec and NetScan tools to move laterally across the network and deliver the malicious programs IMAPLoader and StandardKeyboard.

StandardKeyboard poses as a Windows system service called “Keyboard Service” and executes Base64-encoded commands received via email. In addition, Imperial Kitten attacks also use a remote access trojan (RAT) controlled through Discord.
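The two traits described above, a malicious service masquerading under a benign display name and command input arriving as Base64 text in email, are both things a defender can look for in telemetry. The following script is an added example written for this article, not code from CrowdStrike or from the report it summarizes. It scans constructed Windows service-installation records (Event ID 7045 from the Service Control Manager, flattened here to key=value lines for readability) for the “Keyboard Service” name taken from the article, and it decodes Base64 tokens found in a constructed email body to surface embedded commands. The `PAExec-` service-name prefix and the list of trusted binary directories are heuristics assumed for this example, and the log-line format, host names and the email text are all made up.

```python
import base64
import binascii
import re
import string

# Constructed sample of Windows "service installed" events (Event ID 7045),
# flattened to key=value lines for this example. Made-up records, not telemetry
# from the CrowdStrike report or any real host.
SAMPLE_SERVICE_EVENTS = [
    "EventID=7045 Host=WS01 ServiceName=Keyboard Service ImagePath=C:\\ProgramData\\kbd\\svc.exe StartType=auto",
    "EventID=7045 Host=WS02 ServiceName=PAExec-4120-ADMINPC ImagePath=C:\\Windows\\PAExec-4120-ADMINPC.exe StartType=demand",
    "EventID=7045 Host=WS03 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe StartType=auto",
    "EventID=7036 Host=WS01 ServiceName=Keyboard Service State=running",
]

# Constructed email body carrying a Base64 token ("whoami /all" encoded).
SAMPLE_EMAIL_BODY = (
    "Hello, thanks for applying. Your onboarding token is "
    "d2hvYW1pIC9hbGw= and HR will follow up."
)

SERVICE_EVENT_RE = re.compile(
    r"EventID=(?P<event_id>\d+) Host=(?P<host>\S+) ServiceName=(?P<name>.+?) "
    r"ImagePath=(?P<image>.+?) StartType=(?P<start>\S+)$"
)

# Display name the article attributes to StandardKeyboard (compared case-insensitively).
MASQUERADE_NAMES = {"keyboard service"}

# Assumption for this example: directories where legitimate service binaries
# are normally expected. Anything else is treated as worth a look.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def parse_service_event(line):
    """Return the fields of a 7045 (service installed) line, or None otherwise."""
    m = SERVICE_EVENT_RE.match(line)
    if m is None or m.group("event_id") != "7045":
        return None
    return m.groupdict()


def classify_service_install(event):
    """Apply the detection heuristics to one parsed 7045 event."""
    findings = []
    name = event["name"]
    image = event["image"].lower()
    if name.lower() in MASQUERADE_NAMES:
        findings.append("masquerading service name (StandardKeyboard lure)")
    # Assumption: PAExec names the service it installs with a "PAExec-" prefix.
    if name.startswith("PAExec-"):
        findings.append("remote execution tool service (PAExec)")
    if not image.startswith(TRUSTED_PREFIXES):
        findings.append("service binary outside standard program directories")
    return findings


def scan_service_events(lines):
    """Return (host, service name, findings) for every event that triggers a rule."""
    alerts = []
    for line in lines:
        event = parse_service_event(line)
        if event is None:
            continue
        findings = classify_service_install(event)
        if findings:
            alerts.append((event["host"], event["name"], findings))
    return alerts


def decode_base64_command(token, min_len=12):
    """Decode a token if it is strictly valid Base64 that yields printable text."""
    if len(token) < min_len:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not text or any(ch not in string.printable for ch in text):
        return None
    return text


B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def find_encoded_commands(text):
    """Extract Base64-looking tokens from free text and return those that decode cleanly."""
    found = []
    for m in B64_TOKEN_RE.finditer(text):
        decoded = decode_base64_command(m.group(0))
        if decoded is not None:
            found.append(decoded)
    return found


if __name__ == "__main__":
    for host, name, findings in scan_service_events(SAMPLE_SERVICE_EVENTS):
        print(f"{host}: service '{name}' -> {', '.join(findings)}")
    print("encoded commands in mail:", find_encoded_commands(SAMPLE_EMAIL_BODY))
```

The service rule fires on the constructed WS01 and WS02 records and stays quiet on the legitimate Spooler entry; the email scan returns the decoded `whoami /all` string while ignoring ordinary words, because strict Base64 validation rejects tokens whose length or alphabet does not fit. In production the same logic would be fed from the System event log and mail-gateway captures rather than from the inline samples.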

Microsoft notes that after the outbreak of open confrontation between Israel and Palestine on October 7, 2023, Iranian cyber groups have become increasingly active. They seize any opportunity to attack, and they also deliberately exaggerate the success of their operations by publicizing them on social platforms to amplify the effect.