Crimson Sandstorm / Imperial Kitten / Tortoiseshell

Crimson Sandstorm (also tracked as Imperial Kitten, Tortoiseshell, and TA456) is an IRGC-affiliated Iranian threat group specializing in watering hole attacks and supply chain compromise. The group primarily targets the defense industrial base, aerospace, and IT service providers with the goal of accessing defense-related intelligence.

Attribute	Detail
Names	Crimson Sandstorm / Imperial Kitten / Tortoiseshell
Attribution	Iran (IRGC)
Active Since	2017
Primary Focus	Watering hole attacks, supply chain targeting. Defense industrial base targeting.

Overview

Attribution

Crimson Sandstorm / Imperial Kitten / Tortoiseshell is attributed to Iran (IRGC), active since at least 2017. Watering hole attacks, supply chain targeting. Defense industrial base targeting.

Notable Campaigns

Defense industrial base watering hole campaigns
IT service provider supply chain compromise
Social media-based social engineering (fake personas)
Aerospace sector targeting across US and Middle East
IMAPLoader malware deployment campaigns (2023)

MITRE ATT&CK Mapping

Technique ID	Technique	Confidence
`T1189`	Drive-by Compromise	High
`T1195`	Supply Chain Compromise	High
`T1059`	Command and Scripting Interpreter	High
`T1071`	Application Layer Protocol	High
`T1566`	Phishing	High

Detection & Defense

Recommended Defenses

Monitor for the TTPs listed above using your SIEM and EDR platforms. Prioritize patching of internet-facing applications and enforce MFA on all remote access. Mjolnir Security provides continuous threat hunting and monitoring for Crimson Sandstorm activity patterns.

Mjolnir Security — Threat Intelligence & Response

Mjolnir Security provides 24/7 threat monitoring, incident response, and threat intelligence services. Contact us for threat hunting specifically targeting Crimson Sandstorm TTPs in your environment.

Threat Hunting Incident Response Threat Intelligence SOC-as-a-Service

mjolnirsecurity.com — 24/7 Incident Response Hotline: +1 833 403 5875