Skip to content


CURIUM is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note CURIUM has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.1

Item Value
ID G1012
Associated Names
Version 1.0
Created 13 January 2023
Last Modified 12 April 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1005 Data from Local System CURIUM has exfiltrated data from a compromised machine.1
enterprise T1585 Establish Accounts -
enterprise T1585.001 Social Media Accounts CURIUM has established a network of fictitious social media accounts, including on Facebook and LinkedIn, to establish relationships with victims, often posing as an attractive woman.1
enterprise T1566 Phishing -
enterprise T1566.003 Spearphishing via Service CURIUM has used social media to deliver malicious files to victims.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File CURIUM has lured users into opening malicious files delivered via social media.1