{
	"id": "98b397af-6a42-46bb-803f-cbbea19c3c0b",
	"created_at": "2026-04-06T00:15:27.013103Z",
	"updated_at": "2026-04-10T03:38:01.76873Z",
	"deleted_at": null,
	"sha1_hash": "07e6fbfef7d80d70d63061496122ee283f880b2a",
	"title": "Microsoft Security—detecting empires in the cloud | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1068346,
	"plain_text": "Microsoft Security—detecting empires in the cloud | Microsoft\r\nSecurity Blog\r\nBy Ben Koehl, Joe Hannon, Microsoft Identity Security Team\r\nPublished: 2020-09-24 · Archived: 2026-04-02 11:47:59 UTC\r\nMicrosoft consistently tracks the most advanced threat actors and evolving attack techniques. We use these\r\nfindings to harden our products and platform and share them with the security community to help defenders\r\neverywhere better protect the planet.\r\nRecently, the Microsoft Threat Intelligence Center (MSTIC) observed the evolution of attacker techniques by an\r\nactor we call GADOLINIUM using cloud services and open source tools to enhance weaponization of their\r\nmalware payload, attempt to gain command and control all the way to the server, and to obfuscate detection.\r\nThese attacks were delivered via spear-phishing emails with malicious attachments and detected and blocked by\r\nMicrosoft Defender, formerly Microsoft Threat Protection (MTP), and able to be detected using Azure Sentinel.\r\nAs these attacks were detected, Microsoft took proactive steps to prevent attackers from using our cloud\r\ninfrastructure to execute their attacks and suspended 18 Azure Active Directory applications that we determined to\r\nbe part of their malicious command \u0026 control infrastructure. This action helped transparently protect our\r\ncustomers without requiring additional work on their end.\r\nGADOLINIUM is a nation-state activity group that has been compromising targets for nearly a decade with a\r\nworldwide focus on the maritime and health industries. As with most threat groups, GADOLINIUM tracks the\r\ntools and techniques of security practitioners looking for new techniques they can use or modify to create new\r\nexploit methods.\r\nRecently, MSTIC has observed newly expanded targeting outside of those sectors to include the Asia Pacific\r\nregion and other targets in higher education and regional government organizations. 
As GADOLINIUM has\r\nevolved, MSTIC has continued to monitor its activity and work alongside our product security teams to implement\r\ncustomer protections against these attacks.\r\nHistorically, GADOLINIUM used custom-crafted malware families that analysts can identify and defend against.\r\nIn response, over the last year GADOLINIUM has begun to modify portions of its toolchain to use open-source\r\ntoolkits to obfuscate its activity and make it more difficult for analysts to track. Because cloud services\r\nfrequently offer free trial or one-time payment (PayGo) accounts, malicious actors have found ways to\r\ntake advantage of these legitimate business offerings. By establishing free or PayGo accounts, they can use cloud-based technology to create a malicious infrastructure that can be established quickly, then taken down before\r\ndetection or given up at little cost.\r\nThe following GADOLINIUM technique profile is designed to give security practitioners who may be targeted by\r\nthis specific actor’s activity insight and information that will help them better protect against these attacks.\r\nhttps://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/\r\nPage 1 of 8\n\n2016: Experimenting in the cloud\r\nGADOLINIUM has been experimenting with using cloud services to deliver its attacks to increase both\r\noperation speed and scale for years. The image in Figure 1 is from a GADOLINIUM-controlled Microsoft\r\nTechNet profile established in 2016. This early use of a TechNet profile’s contact widget involved embedding a\r\nvery small text link that contained an encoded command for malware to read.\r\nFigure 1: GADOLINIUM-controlled TechNet profile with embedded malware link.\r\n2018: Developing attacks in the cloud\r\nIn 2018 GADOLINIUM returned to using cloud services, but this time it chose to use GitHub to host commands.\r\nThe image in Figure 2 shows the GitHub commit history on a forked repository that GADOLINIUM controlled. 
In this\r\nrepository, the actors updated markdown text to issue new commands to victim computers. MSTIC has worked\r\nwith our colleagues at GitHub to take down the actor accounts and disrupt GADOLINIUM operations on the\r\nGitHub platform.\r\nFigure 2: GitHub repository controlled by GADOLINIUM.\r\n2019-2020: Hiding in plain sight using open source\r\nGADOLINIUM’s evolving techniques\r\nTwo of the most recent attack chains in 2019 and 2020 were delivered from GADOLINIUM using similar tactics\r\nand techniques. Below is a summary view of how these attack techniques have evolved, followed by a detailed\r\nanalysis of each step that security practitioners can use to better understand the threat and what defenses to\r\nimplement to counter the attacks.\r\nWeaponization\r\nIn the last year, Microsoft has observed GADOLINIUM migrate portions of its toolchain to techniques based on\r\nopen source kits. GADOLINIUM is not alone in this move. MSTIC has noticed a slow trend of several nation-state activity groups migrating to open source tools in recent years. MSTIC assesses that this move is an attempt to\r\nmake discovery and attribution more difficult. The other benefit of using open-source kits is that\r\ndevelopment and new feature creation are done by someone else at no cost. However, using open\r\nsource tools isn’t always a silver bullet for obfuscation and blending into the noise.\r\nDelivery \u0026 Exploitation (2019)\r\nIn 2019, we discovered GADOLINIUM delivering malicious Access database files to targets. The initial malicious\r\nfile was an Access 2013 database (.accde format). This dropped a fake Word document that was opened along with\r\nan Excel spreadsheet and a file called mm.accdb.core, which was subsequently executed. 
The\r\nfile mm.accdb.core is a VBA dropper, based on the CactusTorch VBA module, which loads a .NET DLL payload,\r\nsets configuration information, and then runs the payload. Defender for Office 365 detects and blocks malicious\r\nMicrosoft Access database attachments in email. A redacted example of the configuration is displayed below.\r\nFigure 3: VBA setting config and calling the “Run” function of the payload\r\nCommand and Control (2019)\r\nHaving gained access to a victim machine, the payload then uses attachments to Outlook Tasks as a mechanism for\r\ncommand and control (C2). It uses a GADOLINIUM-controlled OAuth access token with\r\nlogin.microsoftonline.com to call the Outlook Task API to check for tasks. The attacker uses\r\nattachments to Outlook tasks as a means of sending commands or .NET payloads to execute; at the victim end, the\r\nmalware adds the output from executing these commands as a further attachment to the Outlook task.\r\nInterestingly, the malware contained compiled code that doesn’t seem to have been used in the attacks we saw. In\r\naddition to the Outlook Tasks API method described above, the extra code contains two other ways of using\r\nOffice 365 as C2, via either the Outlook Contacts API (get and add contacts) or the OneDrive API (list directory,\r\nget and add a file).\r\nActions on Objective (2019)\r\nGADOLINIUM used several different payloads to achieve its exploitation or intrusion objectives, including a\r\nrange of PowerShell scripts to execute file commands (read/write/list etc.) to enable C2 or perform SMB\r\ncommands (upload/download/delete etc.) to potentially exfiltrate data.\r\nLazyCat, one of the tools used by GADOLINIUM, includes privilege escalation and credential dumping\r\ncapability to enable lateral movement across a victim network. 
Microsoft Defender for Endpoint detects the\r\nprivilege escalation technique used:\r\nLazyCat performs credential dumping using the MiniDumpWriteDump Windows API call, also\r\ndetected by Microsoft Defender for Endpoint:\r\nDelivery (2020)\r\nIn mid-April 2020 GADOLINIUM actors were detected sending spear-phishing emails with malicious\r\nattachments. The attachments were named to appeal to the target’s interest in the COVID-19\r\npandemic. The PowerPoint file (20200423-sitrep-92-covid-19.ppt), when run, would drop a file, doc1.dotm.\r\nSimilarly to the 2019 example, Microsoft Defender for Office detects and blocks emails with these malicious\r\nPowerPoint and Word attachments.\r\nCommand and Control (2020)\r\nThe malicious doc1.dotm had two payloads, which run in succession.\r\nThe first payload turns off a type check (DisableActivitySurrogateSelectorTypeCheck) which the second\r\nstage needs, as discussed in this blog.\r\nThe second payload loads an embedded .NET binary which downloads, decrypts, and runs a .png file.\r\nThe .png file is actually PowerShell, which downloads and uploads fake png files using the Microsoft Graph API to\r\nhttps://graph.microsoft.com/v1.0/drive/root:/onlinework/contact/$($ID)_1.png:/content where $ID is the ID of the\r\nmalware. The GADOLINIUM PowerShell is a modified version of the open-source PowerShell Empire toolkit.\r\nActions on Objectives (2020)\r\nThe GADOLINIUM PowerShell Empire toolkit allows the attacker to load additional modules to victim\r\ncomputers seamlessly via Microsoft Graph API calls. It provides a command and control module that uses the\r\nattacker’s Microsoft OneDrive account to execute commands and retrieve results between attacker and victim\r\nsystems. 
The use of this PowerShell Empire module is particularly challenging for traditional SOC monitoring to\r\nidentify. The attacker uses an Azure Active Directory application to configure a victim endpoint with the\r\npermissions needed to exfiltrate data to the attacker’s own Microsoft OneDrive storage. From an endpoint or\r\nnetwork monitoring perspective, the activity initially appears to be related to trusted applications using trusted\r\ncloud service APIs and, in this scenario, no OAuth permissions consent prompts occur. Later in this blog post, we\r\nwill provide additional information about how Microsoft proactively prevents attackers from using our cloud\r\ninfrastructure in these ways.\r\nCommand and Control—Server compromise\r\nGADOLINIUM campaigns often involve installing web shells on legitimate web sites for command and control or\r\ntraffic redirection. Microsoft Defender for Endpoint detects web shells by analyzing web server telemetry such as\r\nprocess creation and file modifications. Microsoft blogged earlier in the year on the use of web shells by multiple\r\ngroups and how we detect such activities.\r\nFigure 6: Microsoft Defender for Endpoint alerts of suspicious web shell attacks.\r\nWeb shell alerts from Microsoft Defender for Endpoint can be explored in Azure Sentinel and enriched with\r\nadditional information that can give key insights into the attack. 
MSTIC’s Azure Sentinel team recently published\r\na blog outlining how such insights can be derived by analyzing events from the W3CIISLog.\r\nMicrosoft’s proactive steps to defend customers\r\nIn addition to detecting many of the individual components of the attacks through Microsoft’s security products\r\nand services such as Microsoft Defender for Endpoint and Microsoft Defender for Office as described above,\r\nwe also take proactive steps to prevent attackers from using our cloud infrastructure to perpetrate attacks. As a\r\ncloud provider, Microsoft is uniquely positioned to disrupt this attacker technique. The PowerShell Empire\r\nscenario is a good example of this. During April 2020, the Microsoft Identity Security team suspended 18 Azure\r\nActive Directory applications that we determined to be part of GADOLINIUM’s PowerShell Empire\r\ninfrastructure (Application IDs listed in IOC section below). Such action is particularly beneficial to customers as\r\nsuspending these applications protects all customers transparently without any action being required at their end.\r\nAs part of Microsoft’s broader work to foster a secure and trustworthy app ecosystem, we research and develop\r\ndetection techniques for both known and novel malicious applications. Applications exhibiting malicious behavior\r\nare quickly suspended to ensure our customers are protected.\r\nGADOLINIUM will no doubt evolve its tactics in pursuit of its objectives. As those threats target Microsoft\r\ncustomers, we will continue to build detections and implement protections to defend against them. 
For security\r\npractitioners looking to expand their own hunting on GADOLINIUM, we are sharing the below indicators of\r\ncompromise (IOCs) associated with their activity.\r\nHashes from malicious document attachments\r\nfaebff04d7ca9cca92975e06c4a0e9ce1455860147d8432ff9fc24622b7cf675\r\nf61212ab1362dffd3fa6258116973fb924068217317d2bc562481b037c806a0a\r\nActor-owned email addresses\r\nChris.sukkar@hotmail.com\r\nPhillipAdamsthird@hotmail.com\r\nsdfwfde234sdws@outlook.com\r\njenny1235667@outlook.com\r\nfghfert32423dsa@outlook.com\r\nsroggeveen@outlook.com\r\nRobertFetter.fdmed@hotmail.com\r\nHeather.mayx@outlook.com\r\nAzure Active Directory App IDs associated with malicious apps\r\nae213805-a6a2-476c-9c82-c37dfc0b6a6c\r\nafd7a273-982b-4873-984a-063d0d3ca23d\r\n58e2e113-b4c9-4f1a-927a-ae29e2e1cdeb\r\n8ba5106c-692d-4a86-ad3f-fc76f01b890d\r\nbe561020-ba37-47b2-99ab-29dd1a4312c4\r\n574b7f3b-36da-41ee-86b9-c076f999b1de\r\n941ec5a5-d5bf-419e-aa93-c5afd0b01eff\r\nd9404c7d-796d-4500-877e-d1b49f02c9df\r\n67e2bb25-1f61-47b6-9ae3-c6104e587882\r\n9085bb9e-9b56-4b84-b21e-bd5d5c7b0de0\r\n289d71ad-54ee-44a4-8d9a-9294f19b0069\r\na5ea2576-4191-4e9a-bfed-760fff616fbf\r\n802172dc-8014-42a9-b765-133c07039f9f\r\nfb33785b-f3f7-4b2b-b5c1-f688d3de1bde\r\nc196c17d-1e3c-4049-a989-c62f7afaf7f3\r\n79128217-d61e-41f9-a165-e06e1d672069\r\nf4a41d96-2045-4d75-a0ec-9970b0150b52\r\n88d43534-4128-4969-b5c4-ceefd9b31d02\r\nTo learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with\r\nour expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on\r\ncybersecurity.\r\nSource: https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/"
	],
	"report_names": [
		"gadolinium-detecting-empires-cloud"
	],
	"threat_actors": [
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434527,
	"ts_updated_at": 1775792281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07e6fbfef7d80d70d63061496122ee283f880b2a.pdf",
		"text": "https://archive.orkl.eu/07e6fbfef7d80d70d63061496122ee283f880b2a.txt",
		"img": "https://archive.orkl.eu/07e6fbfef7d80d70d63061496122ee283f880b2a.jpg"
	}
}