APT / Threat Group · 🕵️ Espionage

Tortoiseshell

🇮🇷 Iran-attributed · 1 campaign · 10 aliases · Last seen: Mar 17, 2026

Intelligence Profile

A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers.

The group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.

Threat Analysis

Tortoiseshell is an Iran-attributed threat actor whose cyber operations are assessed to be motivated primarily by espionage.

An espionage focus of this kind usually indicates a state-sponsored or state-aligned mandate aimed at intellectual property, government secrets or military intelligence, with targets chosen for strategic value rather than financial gain. The reporting above fits that pattern: compromising Saudi IT providers is a means of reaching the providers' customers, not an end in itself.

Known Campaigns

Tortoiseshell — Active Operations March 2026

Tortoiseshell is an Iran-attributed threat actor; this profile lists its motivation as espionage. The campaign summary repeats the Symantec description in the Intelligence Profile above: custom and off-the-shelf malware used against IT providers in Saudi Arabia in what appear to be supply chain attacks, with the end goal of compromising the providers' customers.

Status: ACTIVE · MEDIUM · 2026

Quick Facts

Type: APT / Threat Group
Motivation: 🕵️ espionage
Origin: 🇮🇷 Iran
Aliases: 10
Source: Malpedia

Also Known As

Smoke Sandstorm, Tortoiseshell, Cuboid Sandstorm, TA456, Yellow Liderc, CURIUM, IMPERIAL KITTEN, Imperial Kitten, Crimson Sandstorm, DUSTYCAVE

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.