CURIUM is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note CURIUM has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.[1]

ID: G1012
Associated Groups: Crimson Sandstorm, TA456, Tortoise Shell
Version: 2.0
Created: 13 January 2023
Last Modified: 17 April 2024

Associated Group Descriptions

Name Description
Crimson Sandstorm




Tortoise Shell


Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

CURIUM has exfiltrated data from a compromised machine.[1]

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

CURIUM has established a network of fictitious social media accounts, including on Facebook and LinkedIn, to establish relationships with victims, often posing as an attractive woman.[1]

Enterprise T1566 .003 Phishing: Spearphishing via Service

CURIUM has used social media to deliver malicious files to victims.[1]

Enterprise T1204 .002 User Execution: Malicious File

CURIUM has lured users into opening malicious files delivered via social media.[1]