{
	"id": "653ea1ec-2211-43ef-b025-8c6cde039e4a",
	"created_at": "2026-04-06T00:21:59.837684Z",
	"updated_at": "2026-04-10T03:28:28.160594Z",
	"deleted_at": null,
	"sha1_hash": "00e9f84b155ca36b956f8afb9f01b637ce890885",
	"title": "Storm-0978 attacks reveal financial and espionage motives | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 921293,
	"plain_text": "Storm-0978 attacks reveal financial and espionage motives |\r\nMicrosoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2023-07-11 · Archived: 2026-04-02 12:42:14 UTC\r\nAugust 8, 2023 update: Microsoft released security updates to address CVE-2023-36884. Customers\r\nare advised to apply patches, which supersede the mitigations listed in this blog, as soon as possible.\r\nMicrosoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting\r\ndefense and government entities in Europe and North America. The campaign involved the abuse of CVE-2023-\r\n36884, which included a remote code execution vulnerability exploited before disclosure to Microsoft via Word\r\ndocuments, using lures related to the Ukrainian World Congress.\r\nStorm-0978 (DEV-0978; also referred to as RomCom, the name of their backdoor, by other vendors) is a\r\ncybercriminal group based out of Russia, known to conduct opportunistic ransomware and extortion-only\r\noperations, as well as targeted credential-gathering campaigns likely in support of intelligence operations. Storm-0978 operates, develops, and distributes the RomCom backdoor. The actor also deploys the Underground\r\nransomware, which is closely related to the Industrial Spy ransomware first observed in the wild in May 2022.\r\nThe actor’s latest campaign detected in June 2023 involved abuse of CVE-2023-36884 to deliver a backdoor with\r\nsimilarities to RomCom.\r\nStorm-0978 is known to target organizations with trojanized versions of popular legitimate software, leading to\r\nthe installation of RomCom. Storm-0978’s targeted operations have impacted government and military\r\norganizations primarily in Ukraine, as well as organizations in Europe and North America potentially involved in\r\nUkrainian affairs. 
Identified ransomware attacks have impacted the telecommunications and finance industries,\r\namong others.\r\nMicrosoft 365 Defender detects multiple stages of Storm-0978 activity. Customers who use Microsoft Defender\r\nfor Office 365 are protected from attachments that attempt to exploit CVE-2023-36884. In addition, customers\r\nwho use Microsoft 365 Apps (Versions 2302 and later) are protected from exploitation of the vulnerability via\r\nOffice. Organizations who cannot take advantage of these protections can set the\r\nFEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. More\r\nmitigation recommendations are outlined in this blog.\r\nTargeting\r\nStorm-0978 has conducted phishing operations with lures related to Ukrainian political affairs and targeting\r\nmilitary and government bodies primarily in Europe. Based on the post-compromise activity identified by\r\nhttps://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/\r\nPage 1 of 8\n\nMicrosoft, Storm-0978 distributes backdoors to target organizations and may steal credentials to be used in later\r\ntargeted operations.\r\nThe actor’s ransomware activity, in contrast, has been largely opportunistic in nature and entirely separate from\r\nespionage-focused targets. Identified attacks have impacted the telecommunications and finance industries.\r\nTools\r\nStorm-0978 uses trojanized versions of popular, legitimate software, leading to the installation of RomCom, which\r\nMicrosoft assesses is developed by Storm-0978. Observed examples of trojanized software include Adobe\r\nproducts, Advanced IP Scanner, Solarwinds Network Performance Monitor, Solarwinds Orion, KeePass, and\r\nSignal. 
To host the trojanized installers for delivery, Storm-0978 typically registers malicious domains mimicking\r\nthe legitimate software (for example, the malicious domain advanced-ip-scaner[.]com).\r\nIn financially motivated attacks involving ransomware, Storm-0978 uses the Industrial Spy ransomware, a\r\nransomware strain first observed in the wild in May 2022, and the Underground ransomware. The actor has also\r\nused the Trigona ransomware in at least one identified attack.\r\nAdditionally, based on attributed phishing activity, Storm-0978 has acquired exploits targeting zero-day\r\nvulnerabilities. Identified exploit activity includes abuse of CVE-2023-36884, including a remote code execution\r\nvulnerability exploited via Microsoft Word documents in June 2023, as well as abuse of vulnerabilities\r\ncontributing to a security feature bypass.\r\nRansomware activity\r\nIn known ransomware intrusions, Storm-0978 has accessed credentials by dumping password hashes from the\r\nSecurity Account Manager (SAM) using the Windows registry. To access SAM, attackers must acquire SYSTEM-level privileges. Microsoft Defender for Endpoint detects this type of activity with alerts such as Export of SAM\r\nregistry hive.\r\nStorm-0978 has then used the Impacket framework’s SMBExec and WMIExec functionalities for lateral\r\nmovement.\r\nMicrosoft has linked Storm-0978 to previous management of the Industrial Spy ransomware market and crypter.\r\nHowever, since as early as July 2023, Storm-0978 began to use a ransomware variant called Underground, which\r\ncontains significant code overlaps with the Industrial Spy ransomware.\r\nFigure 1. 
Storm-0978 ransom note references the “Underground team” and contains target-specific\r\ndetails of exfiltrated information\r\nThe code similarity between the two ransomware variants, as well as Storm-0978’s previous involvement in\r\nIndustrial Spy operations, may indicate that Underground is a rebranding of the Industrial Spy ransomware.\r\nFigure 2. Underground ransomware .onion site\r\nEspionage activity\r\nSince late 2022, Microsoft has identified the following campaigns attributable to Storm-0978. Based on the post-compromise activity and the nature of the targets, these operations were likely driven by espionage-related\r\nmotivations:\r\nJune 2023 – Storm-0978 conducted a phishing campaign containing a fake OneDrive loader to deliver a backdoor\r\nwith similarities to RomCom. The phishing emails were directed to defense and government entities in Europe\r\nand North America, with lures related to the Ukrainian World Congress. These emails led to exploitation via the\r\nCVE-2023-36884 vulnerability.\r\nMicrosoft Defender for Office 365 detected Storm-0978’s initial use of the exploit targeting CVE-2023-36884 in\r\nthis phishing activity. Additional recommendations specific to this vulnerability are detailed below.\r\nFigure 3. Storm-0978 email uses Ukrainian World Congress and NATO themes\r\nFigure 4. Storm-0978 lure document with Ukrainian World Congress and NATO content\r\nNotably, during this campaign, Microsoft identified concurrent, separate Storm-0978 ransomware activity against\r\nan unrelated target using the same initial payloads. 
The subsequent ransomware activity against a different victim\r\nprofile further emphasizes the distinct motivations observed in Storm-0978 attacks.\r\nDecember 2022 – According to CERT-UA, Storm-0978 compromised a Ukrainian Ministry of Defense email\r\naccount to send phishing emails. Identified lure PDFs attached to emails contained links to a threat actor-controlled website hosting information-stealing malware.\r\nOctober 2022 – Storm-0978 created fake installer websites mimicking legitimate software and used them in\r\nphishing campaigns. The actor targeted users at Ukrainian government and military\r\norganizations to deliver RomCom and likely to obtain credentials of high-value targets.\r\nRecommendations\r\nMicrosoft recommends the following mitigations to reduce the impact of activity associated with Storm-0978’s\r\noperations.\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus\r\nproduct to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections\r\nblock a majority of new and unknown variants.\r\nRun EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when\r\nyour non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in\r\npassive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are\r\ndetected post-breach.\r\nEnable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to\r\ntake immediate action on alerts to resolve breaches, significantly reducing alert volume.\r\nUse Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats\r\nand polymorphic variants. 
Defender for Office 365 customers should ensure that Safe Attachments and\r\nSafe Links protection is enabled for users with Zero-hour Auto Purge (ZAP) to remove emails when a URL\r\ngets weaponized post-delivery.\r\nMicrosoft 365 Defender customers can turn on attack surface reduction rules to prevent common attack\r\ntechniques used in ransomware attacks:\r\nBlock process creations originating from PsExec and WMI commands – Some organizations might\r\nexperience compatibility issues with this rule on certain server systems but should deploy it to other\r\nsystems to prevent lateral movement originating from PsExec and WMI, including Impacket’s\r\nWMIexec.\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion\r\nUse advanced protection against ransomware\r\nBlock all Office applications from creating child processes\r\nCVE-2023-36884 specific recommendations\r\nAugust 8, 2023 update: Microsoft released security updates to address CVE-2023-36884. Customers are\r\nadvised to apply patches, which supersede the mitigations below, as soon as possible.\r\nCustomers who use Microsoft Defender for Office 365 are protected from attachments that attempt to\r\nexploit CVE-2023-36884.\r\nIn addition, customers who use Microsoft 365 Apps (Versions 2302 and later) are protected from\r\nexploitation of the vulnerability via Office.\r\nIn current attack chains, the use of the Block all Office applications from creating child processes attack\r\nsurface reduction rule prevents the vulnerability from being exploited.\r\nOrganizations who cannot take advantage of these protections can set the\r\nFEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. 
\r\nNo OS restart is required, but restarting the applications that have had the registry key added for\r\nthem is recommended in case the value was already queried and is cached.\r\nPlease note that while these registry settings would mitigate exploitation of this issue, it could affect\r\nregular functionality for certain use cases related to these applications. For this reason, we suggest\r\ntesting. To disable the mitigation, delete the registry key or set it to “0”.\r\nFigure 5. Screenshot of settings for the\r\nFEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION key to prevent exploitation of\r\nCVE-2023-36884\r\nDetection details\r\nMicrosoft Defender for Office 365\r\nMicrosoft Defender for Office 365 customers are protected from attachments that attempt to exploit CVE-2023-36884.\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects post-compromise components of this threat as the following malware:\r\nRansom:Win32/IndustrialSpy\r\nTrojan:Win32/RomCom\r\nTrojan:Win64/RomCom\r\nHackTool:Win32/Impacket\r\nHackTool:Python/Impacket\r\nExploit:Script/Teefey\r\nMicrosoft Defender for Endpoint\r\nAlerts with the following titles in the security center can indicate threat activity on your network:\r\nEmerging threat activity group Storm-0978 detected\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel also has detection and threat hunting content that customers can use to detect the post-exploitation\r\nactivity detailed in this blog, in addition to the Microsoft 365 Defender detections listed above.\r\nThe following content can be used to identify activity described in this blog post:\r\nPotential Impacket Execution\r\nCommands executed by WMI on new hosts – potential Impacket\r\nReferences\r\nVoid 
Rabisu’s Use of RomCom Backdoor Shows a Growing Shift in Threat Actors’ Goals. Trend Micro\r\nTechnical Analysis of Industrial Spy Ransomware. ZScaler\r\nCERT-UA#6940. CERT-UA\r\nFurther reading\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on Twitter at\r\nhttps://twitter.com/MsftSecIntel.\r\nSource: https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/"
	],
	"report_names": [
		"storm-0978-attacks-reveal-financial-and-espionage-motives"
	],
	"threat_actors": [
		{
			"id": "fecc0d5a-3654-425d-9290-b6d0b4105463",
			"created_at": "2023-10-17T02:00:08.330061Z",
			"updated_at": "2026-04-10T02:00:03.37711Z",
			"deleted_at": null,
			"main_name": "Void Rabisu",
			"aliases": [
				"Tropical Scorpius"
			],
			"source_name": "MISPGALAXY:Void Rabisu",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f56bb34-098d-43f6-a0e8-99616116c3ea",
			"created_at": "2024-06-19T02:03:08.048835Z",
			"updated_at": "2026-04-10T02:00:03.870819Z",
			"deleted_at": null,
			"main_name": "GOLD FLAMINGO",
			"aliases": [
				"REF9019 ",
				"Tropical Scorpius ",
				"UAC-0132 ",
				"UAC0132 ",
				"UNC2596 ",
				"Void Rabisu "
			],
			"source_name": "Secureworks:GOLD FLAMINGO",
			"tools": [
				"Chanitor",
				"Cobalt Strike",
				"Cuba",
				"Meterpreter",
				"Mimikatz",
				"ROMCOM RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434919,
	"ts_updated_at": 1775791708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/00e9f84b155ca36b956f8afb9f01b637ce890885.pdf",
		"text": "https://archive.orkl.eu/00e9f84b155ca36b956f8afb9f01b637ce890885.txt",
		"img": "https://archive.orkl.eu/00e9f84b155ca36b956f8afb9f01b637ce890885.jpg"
	}
}