Tortoiseshell Group, an Iranian actor, launched a recent wave of malware attacks using IMAPLoader

Tortoiseshell, an Iranian threat actor, has been identified as the source of a new series of watering hole attacks aimed at delivering a malware called IMAPLoader. IMAPLoader is a .NET malware that can profile victim systems using native Windows tools. It serves as a downloader for additional payloads and communicates via email as a command and control channel, executing payloads from email attachments through new service deployments. This group has been active since at least 2018 and has a history of compromising strategic websites to facilitate malware distribution. In the past, it has been linked to the breach of websites associated with shipping, logistics, and financial services companies in Israel. Tortoiseshell is associated with the Islamic Revolutionary Guard Corps (IRGC) and is known by other names such as Crimson Sandstorm (previously Curium), Imperial Kitten, TA456, and Yellow Liderc, as recognized by the broader cybersecurity community.



Between 2022 and 2023, a series of attacks was observed in which malicious JavaScript code was inserted into compromised legitimate websites. The purpose of this code is to collect additional information about visitors, including their location, device details, and visit timestamps.
The main targets of these intrusions have been the maritime, shipping, and logistics sectors in the Mediterranean region. In some instances, when a visitor is considered a high-value target, the attackers deploy IMAPLoader as a follow-on payload.


IMAPLoader is considered a replacement for a Python-based IMAP implant that Tortoiseshell used in late 2021 and early 2022, primarily because the two share the same functionality.
The malware serves as a downloader for subsequent payloads by logging into predefined IMAP email accounts. It specifically checks a mailbox folder misspelled as "Recive" and retrieves executables from the attachments of the messages found there.
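The two host-side behaviours described above (selecting the misspelled "Recive" IMAP folder, then running the retrieved attachment through a newly installed service) are what a defender can correlate. The following is an added detection sketch, not code from the original post or from the malware: it walks constructed log lines in an assumed format (timestamp, host, source, detail), pairs a client-side IMAP SELECT of "Recive" with a Windows System event 7045 (service installed) on the same host within a short window, and reports the service name and image path for triage.

```python
"""Added example: correlate IMAP 'Recive' folder selection with a new-service
installation (Windows event 7045) on the same host within a short window."""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (hosts, paths and service names are made up).
# Format assumed for this example: "<iso-timestamp> <host> <source> <detail>"
SAMPLE_LOGS = """\
2023-09-12T10:02:11 WS-14 imap C: A3 SELECT "INBOX"
2023-09-12T10:02:14 WS-14 imap C: A4 SELECT "Recive"
2023-09-12T10:03:40 WS-14 winevt EventID=7045 ServiceName=UpdaterSvc ImagePath=C:\\Users\\Public\\upd.exe
2023-09-12T11:15:02 WS-22 imap C: A1 SELECT "Recive"
2023-09-12T13:00:00 WS-22 winevt EventID=7045 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe
2023-09-12T12:00:00 WS-31 winevt EventID=7045 ServiceName=Foo ImagePath=C:\\x.exe
"""

# Client-side IMAP SELECT of the misspelled folder named in the report.
IMAP_SELECT = re.compile(r'\bSELECT\s+"?Recive"?', re.IGNORECASE)
# Windows System log event 7045: "A service was installed in the system".
SERVICE_EVT = re.compile(r"EventID=7045\b.*?ServiceName=(\S+).*?ImagePath=(\S+)")


def parse(log_text):
    """Split each line into (timestamp, host, source, detail), sorted by time."""
    events = []
    for line in log_text.splitlines():
        ts, host, source, detail = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), host, source, detail))
    return sorted(events)


def correlate(log_text, window=timedelta(minutes=10)):
    """Return (host, select_time, service_name, image_path) for every 7045
    event that follows a 'Recive' SELECT on the same host within `window`."""
    last_select = {}  # host -> time of its most recent 'Recive' SELECT
    hits = []
    for ts, host, source, detail in parse(log_text):
        if source == "imap" and IMAP_SELECT.search(detail):
            last_select[host] = ts
        elif source == "winevt":
            m = SERVICE_EVT.search(detail)
            if m and host in last_select and ts - last_select[host] <= window:
                hits.append((host, last_select[host].isoformat(), m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOGS):
        print("suspect service after 'Recive' access:", hit)
```

Only WS-14 is reported: WS-22 installs a service well outside the window and WS-31 never touched the folder, so a single 7045 event on its own does not raise a hit.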


In an alternative attack scenario, the initial vector is a Microsoft Excel decoy document that triggers a multi-stage process to deliver and execute IMAPLoader. This shows that the threat actor employs a range of tactics and techniques to achieve its strategic objectives.
Additionally, PwC has identified phishing sites created by Tortoiseshell. Some of these sites target the travel and hospitality sectors in Europe and aim to harvest credentials through fake Microsoft sign-in pages.


Tortoiseshell continues to pose an active and persistent threat to various industries and countries. These include the maritime, shipping, and logistics sectors in the Mediterranean, as well as the nuclear, aerospace, and defense industries in the U.S. and Europe, along with IT managed service providers in the Middle East, as noted by PwC.