G1012 CURIUM
CURIUM is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note CURIUM has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.[1]
| Item | Value |
|---|---|
| ID | G1012 |
| Associated Names | |
| Version | 1.0 |
| Created | 13 January 2023 |
| Last Modified | 12 April 2023 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1005 | Data from Local System | CURIUM has exfiltrated data from a compromised machine.[1] |
| enterprise | T1585 | Establish Accounts | - |
| enterprise | T1585.001 | Social Media Accounts | CURIUM has established a network of fictitious social media accounts, including on Facebook and LinkedIn, to establish relationships with victims, often posing as an attractive woman.[1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.003 | Spearphishing via Service | CURIUM has used social media to deliver malicious files to victims.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | CURIUM has lured users into opening malicious files delivered via social media.[1] |