Cyber Resilience


CURIUM G1012 state

🇮🇷 IR

aka CURIUM, Crimson Sandstorm, TA456, Tortoise Shell, Yellow Liderc

Last updated: 2026-07-03

0 attributed CVEs
29 ATT&CK techniques
0.0 IDF score (tooling uniqueness)
0 exclusive CVEs
years active

About this actor

[CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East.(Citation: Symantec Tortoiseshell 2019) [CURIUM](https://attack.mitre.org/groups/G1012) has since invested in building relationships with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://attack.mitre.org/groups/G1012) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)

Source: MITRE ATT&CK

Activity timeline

No activity events recorded.

Profile

| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
No attributed CVEs.

Mitigating controls (NIST 800-53)

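| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 16 / 29 | 55% |
| SI-3 | 14 / 29 | 48% |
| CM-2 | 13 / 29 | 45% |
| CM-6 | 13 / 29 | 45% |
| CA-7 | 12 / 29 | 41% |
| AC-4 | 11 / 29 | 38% |
| SC-7 | 11 / 29 | 38% |
| AC-6 | 10 / 29 | 34% |
| AC-2 | 9 / 29 | 31% |
| AC-3 | 8 / 29 | 28% |
| SC-44 | 7 / 29 | 24% |
| SI-2 | 7 / 29 | 24% |
| SI-8 | 7 / 29 | 24% |
| IA-9 | 6 / 29 | 21% |
| SI-10 | 6 / 29 | 21% |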

Co-occurring actors

None.

Similar actors

Same nation-state