Yellow Liderc: Iran-Based Threat Actor’s New Malware Sample IMAPLoader Raises the Bar in Cyber Espionage


Escalating Cyber Threats from Yellow Liderc

PwC’s recent analysis reveals an evolved cyber-threat landscape in which Yellow Liderc, an Iran-based threat actor, is escalating its cyber-espionage tactics.

Active since 2018, this actor targets a variety of sectors, from maritime to aerospace.

However, the newly discovered malware sample, IMAPLoader, indicates a significant shift in Yellow Liderc’s modus operandi, with more sophisticated techniques than the actor has shown before.

Unmasking IMAPLoader

IMAPLoader is .NET malware that, unlike its predecessors, uses advanced techniques. It employs ‘AppDomain Manager Injection,’ an injection method not previously associated with Yellow Liderc.

The malware serves as a downloader and uses email for Command and Control (C2) communication. Specifically, it interacts with hardcoded Yandex email accounts, which are encoded in decimals, to extract further malicious payloads.

Infection chain to deliver and execute IMAPLoader – picture by PwC

Strategic Web Compromises Amplify Risks

Yellow Liderc continues to compromise legitimate websites through malicious JavaScript injections. This tactic has been predominantly focused on the maritime, shipping, and logistics sectors.

The actor utilizes these compromised websites to infect systems that match specific fingerprints. This enables them to gain unauthorized access to the organization’s network, elevating the risk to Operational Technology (OT) systems.

Phishing Tactics Advance

Alongside its strategic web compromises, Yellow Liderc has escalated its phishing operations. The phishing infrastructure links to compromised websites and extends beyond the maritime sector to wider targets, including the travel and hospitality sectors within Europe. In some instances, the phishing websites serve macro-enabled Excel documents that drop VBScripts, adding another layer to the actor’s cyber-espionage tactics.

Macro-enabled document served when visiting phishing websites – picture by PwC

TTPs Undergo Transformation

The actor’s evolving Tactics, Techniques, and Procedures (TTPs) are raising the stakes in cyber threat detection.

From using IMAP protocols for C2 communication to employing advanced malware injection techniques, Yellow Liderc shows an increased sophistication in its operations.

PwC recommends that organizations investigate historical logs and set up alerting based on the indicators provided in its report. Failing to do so may result in severe compromises, given the actor’s focus on a wide array of sectors and geographies.
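As an added illustration of that recommendation (this is not PwC’s or the article’s code), the script below triages constructed, Sysmon-style network-connection log lines and flags IMAP/IMAPS sessions to Yandex mail hosts that originate from processes other than the organization’s expected mail clients. The log format, the Yandex IMAP hostnames and the mail-client allow-list are assumptions to be adjusted locally.

```python
"""Added example (not from PwC or the article): flag IMAP/IMAPS connections to
Yandex mail hosts made by processes that are not known mail clients.
Log format, hostnames and process names are assumed/constructed for the demo."""
import re

# Constructed log lines in a simplified Sysmon-like "network connection" format.
SAMPLE_LOGS = """\
2023-10-25T09:12:01Z host=WS01 image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE dst=imap.yandex.com dport=993
2023-10-25T09:13:44Z host=WS01 image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe dst=imap.yandex.com dport=993
2023-10-25T09:15:10Z host=WS02 image=C:\\Users\\Public\\update.exe dst=imap.yandex.ru dport=143
2023-10-25T09:16:30Z host=WS02 image=C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe dst=imap.gmail.com dport=993
2023-10-25T09:17:02Z host=WS03 image=C:\\Windows\\System32\\svchost.exe dst=update.microsoft.com dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>.+?) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)
IMAP_PORTS = {143, 993}                                   # IMAP and IMAPS
YANDEX_MAIL = re.compile(r"(^|\.)imap\.yandex\.(com|ru)$", re.I)  # assumed hostnames
# Processes normally expected to speak IMAP in this environment (allow-list; tune locally).
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious_imap(log_text):
    """Return (host, process, destination) tuples for IMAP(S) connections to
    Yandex mail hosts from processes outside the mail-client allow-list."""
    hits = []
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev or int(ev["dport"]) not in IMAP_PORTS:
            continue
        if not YANDEX_MAIL.search(ev["dst"]):
            continue
        proc = ev["image"].rsplit("\\", 1)[-1].lower()  # basename of the image path
        if proc not in KNOWN_MAIL_CLIENTS:
            hits.append((ev["host"], proc, ev["dst"]))
    return hits


if __name__ == "__main__":
    for host, proc, dst in find_suspicious_imap(SAMPLE_LOGS):
        print(f"ALERT {host}: {proc} -> {dst} (IMAP C2 candidate, review process lineage)")
```

A true mail client reaching Yandex over IMAP is expected noise; the unusual parent process (here MSBuild.exe and an executable in a public folder) is what warrants investigation.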

The Bottom Line

The emergence of IMAPLoader signifies a pivotal moment in Yellow Liderc’s cyber espionage journey. The threat actor’s increased sophistication and multi-pronged attack methods point to a future where traditional cybersecurity measures may no longer suffice.

Yellow Liderc’s cyber espionage journey

As Yellow Liderc continues to refine its strategies, organizations need to accelerate their cyber-defense mechanisms, lest they find themselves outmaneuvered in this escalating cyber warfare.

For organizations in targeted sectors, the clock is ticking. The time to bolster cybersecurity defenses is now.

Reza Rafati

Reza Rafati, based in the Netherlands, is the founder of An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.
