{
	"id": "5b557cd2-e38c-4c1c-9327-d51f0367cfd1",
	"created_at": "2026-04-06T00:14:26.172085Z",
	"updated_at": "2026-04-10T13:11:19.046837Z",
	"deleted_at": null,
	"sha1_hash": "0dc5d744c537520cef63e32070dff473d208a3da",
	"title": "New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 255193,
	"plain_text": "New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs | Microsoft\r\nSecurity Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2024-01-17 · Archived: 2026-04-05 18:37:09 UTC\r\nSince November 2023, Microsoft has observed a distinct subset of Mint Sandstorm (PHOSPHORUS) targeting\r\nhigh-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium,\r\nFrance, Gaza, Israel, the United Kingdom, and the United States. In this campaign, Mint Sandstorm used bespoke\r\nphishing lures in an attempt to socially engineer targets into downloading malicious files. In a handful of cases,\r\nMicrosoft observed new post-intrusion tradecraft including the use of a new, custom backdoor called MediaPl.\r\nOperators associated with this subgroup of Mint Sandstorm are patient and highly skilled social engineers whose\r\ntradecraft lacks many of the hallmarks that allow users to quickly identify phishing emails. In some instances of\r\nthis campaign, this subgroup also used legitimate but compromised accounts to send phishing lures. Additionally,\r\nMint Sandstorm continues to improve and modify the tooling used in targets’ environments, activity that might\r\nhelp the group persist in a compromised environment and better evade detection.\r\nMint Sandstorm (which overlaps with the threat actor tracked by other researchers as APT35 and Charming\r\nKitten) is a composite name used to describe several subgroups of activity with ties to the Islamic Revolutionary\r\nGuard Corps (IRGC), an intelligence arm of Iran’s military. Microsoft attributes the activity detailed in this blog to\r\na technically and operationally mature subgroup of Mint Sandstorm that specializes in gaining access to and\r\nstealing sensitive information from high-value targets. 
This group is known to conduct resource-intensive social engineering campaigns that target journalists, researchers, professors, or other individuals with insights or perspective on security and policy issues of interest to Tehran.\r\nThese individuals, who work with or who have the potential to influence the intelligence and policy communities, are attractive targets for adversaries seeking to collect intelligence for the states that sponsor their activity, such as the Islamic Republic of Iran. Based on the identities of the targets observed in this campaign and the use of lures related to the Israel-Hamas war, it’s possible this campaign is an attempt to gather perspectives on events related to the war from individuals across the ideological spectrum.\r\nIn this blog, we share our analysis of the new Mint Sandstorm tradecraft and provide detection, hunting, and protection information. Organizations can also use the mitigations included in this blog to harden their attack surfaces against the tradecraft observed in this and other Mint Sandstorm campaigns. 
These mitigations are high-value measures that are effective ways to defend organizations from multiple threats, including Mint Sandstorm, and are useful to any organization regardless of their threat model.\r\nhttps://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/\r\nPage 1 of 7\r\nNew Mint Sandstorm tradecraft\r\nMicrosoft observed new tactics, techniques, and procedures (TTPs) in this Mint Sandstorm campaign, notably the use of legitimate but compromised email accounts to send phishing lures, use of the Client for URL (curl) command to connect to Mint Sandstorm’s command-and-control (C2) server and download malicious files, and delivery of a new custom backdoor, MediaPl.\r\nIn this campaign, Mint Sandstorm masqueraded as high-profile individuals including as a journalist at a reputable news outlet. In some cases, the threat actor used an email address spoofed to resemble a personal email account belonging to the journalist they sought to impersonate and sent benign emails to targets requesting their input on an article about the Israel-Hamas war. In other cases, Mint Sandstorm used legitimate but compromised email accounts belonging to the individuals they sought to impersonate. Initial email messages did not contain any malicious content.\r\nThis tradecraft, namely the impersonation of a known individual, the use of highly bespoke phishing lures, and the use of wholly benign messages in the initial stages of the campaign, is likely an attempt to build rapport with targets and establish a level of trust before attempting to deliver malicious content to targets. 
Additionally, it’s likely that the use of legitimate but compromised email accounts, observed in a subset of this campaign, further bolstered Mint Sandstorm’s credibility, and might have played a role in the success of this campaign.\r\nDelivery\r\nIf targets agreed to review the article or document referenced in the initial email, Mint Sandstorm followed up with an email containing a link to a malicious domain. In this campaign, follow-up messages directed targets to sites such as cloud-document-edit[.]onrender[.]com, a domain hosting a RAR archive (.rar) file that purported to contain the draft document targets were asked to review. If opened, this .rar file decompressed into a double extension file (.pdf.lnk) with the same name. When launched, the .pdf.lnk file ran a curl command to retrieve a series of malicious files from attacker-controlled subdomains of glitch[.]me and supabase[.]co.\r\nMicrosoft observed multiple files downloaded to targets’ devices in this campaign, notably several .vbs scripts. In several instances, Microsoft observed a renamed version of NirCmd, a legitimate command line tool that allows a user to carry out a number of actions on a device without displaying a user interface, on a target’s device.\r\nPersistence\r\nIn some cases, the threat actor used a malicious file, Persistence.vbs, to persist in targets’ environments. When run, Persistence.vbs added a file, typically named a.vbs, to the CurrentVersion\\Run registry key. In other cases, Mint Sandstorm created a scheduled task to reach out to an attacker-controlled supabase[.]co domain and download a .txt file.\r\nFigure 1. 
Intrusion chain leading to backdoors observed in the ongoing Mint Sandstorm campaign\r\nCollection\r\nActivity observed in this campaign suggests that Mint Sandstorm wrote activity from targets’ devices to a series of text files, notably one named documentLoger.txt.\r\nIn addition to the activity detailed above, in some cases, Mint Sandstorm dropped MischiefTut or MediaPl, custom backdoors.\r\nMediaPl backdoor\r\nMediaPl is a custom backdoor capable of sending encrypted communications to its C2 server. MediaPl is configured to masquerade as Windows Media Player, an application used to store and play audio and video files. To this end, Mint Sandstorm typically drops this file in C:\\Users\\[REDACTED]\\AppData\\Local\\Microsoft\\Media Player\\MediaPl.dll. When MediaPl.dll is run with the path of an image file provided as an argument, it launches the image in the Windows Photo application and also parses the image for C2 information. Communications to and from MediaPl’s C2 server are AES CBC encrypted and Base64 encoded. As of this writing, MediaPl can terminate itself, can pause and retry communications with its C2 server, and launch command(s) it has received from the C2 using the _popen function.\r\nMischiefTut\r\nMischiefTut is a custom backdoor implemented in PowerShell with a set of basic capabilities. MischiefTut can run reconnaissance commands, write outputs to a text file and, ostensibly, send outputs back to adversary-controlled infrastructure. MischiefTut can also be used to download additional tools on a compromised system.\r\nImplications\r\nThe ability to obtain and maintain remote access to a target’s system can enable Mint Sandstorm to conduct a range of activities that can adversely impact the confidentiality of a system. Compromise of a targeted system can also create legal and reputational risks for organizations affected by this campaign. 
In light of the patience, resources, and skills observed in campaigns attributed to this subgroup of Mint Sandstorm, Microsoft continues to update and augment our detection capabilities to help customers defend against this threat.\r\nRecommendations\r\nMicrosoft recommends the following mitigations to reduce the impact of activity associated with recent Mint Sandstorm campaigns.\r\nUse the Attack Simulator in Microsoft Defender for Office 365 to organize realistic, yet safe, simulated phishing and password attack campaigns in your organization by training end-users against clicking URLs in unsolicited messages and disclosing their credentials. Training should include checking for poor spelling and grammar in phishing emails or the application’s consent screen as well as spoofed app names, logos and domain URLs appearing to originate from legitimate applications or companies. Note that Attack Simulator testing only supports phishing emails containing links at this time.\r\nEncourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. Turn on network protection to block connections to malicious domains and IP addresses.\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.\r\nMicrosoft Defender XDR customers can also turn on attack surface reduction rules to harden their environments against techniques used by this Mint Sandstorm subgroup. 
These rules, which can be configured by all Microsoft Defender Antivirus customers and not just those using the EDR solution, offer significant protection against the tradecraft discussed in this report.\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion.\r\nBlock JavaScript or VBScript from launching downloaded executable content.\r\nBlock execution of potentially obfuscated scripts.\r\nDetection details\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects activity associated with the MediaPl backdoor as the following malware:\r\nBackdoor:Win64/Eyeglass.A\r\nMicrosoft Defender Antivirus detects activity associated with the MischiefTut backdoor as the following malware:\r\nBehavior:Win32/MischiefTut\r\nMicrosoft Defender for Endpoint\r\nMicrosoft Defender for Endpoint provides customers with detections and alerts. Alerts with the following titles in the Security Center can indicate threat activity related to Mint Sandstorm.\r\nPossible Mint Sandstorm activity\r\nAnomaly detected in ASEP registry\r\nThreat intelligence reports\r\nMicrosoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. 
These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.\r\nMicrosoft Defender Threat Intelligence\r\nNation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets\r\nMint Sandstorm delivers MischiefTut to researchers in tailored phishing campaigns\r\nMicrosoft Defender XDR Threat analytics\r\nNation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets\r\nIndicators of compromise\r\nOrganizations that fit the targeting model discussed in this report can hunt for the following indicators of compromise in their environments.\r\nDomains\r\neast-healthy-dress[.]glitch[.]me\r\ncoral-polydactyl-dragonfruit[.]glitch[.]me\r\nkwhfibejjyxregxmnpcs[.]supabase[.]co\r\nepibvgvoszemkwjnplyc[.]supabase[.]co\r\nndrrftqrlblfecpupppp[.]supabase[.]co\r\ncloud-document-edit[.]onrender[.]com\r\nFiles\r\nMediaPl.dll (SHA-256: f2dec56acef275a0e987844e98afcc44bf8b83b4661e83f89c6a2a72c5811d5f)\r\nAdvanced hunting\r\nMicrosoft Defender XDR\r\nCurl command used to retrieve malicious files\r\nUse this query to locate the curl command Mint Sandstorm used to pull down malicious files in this campaign.\r\nDeviceProcessEvents\r\n| where InitiatingProcessCommandLine has_all('id=', '\u0026Prog') and InitiatingProcessCommandLine has_any('vbs', '--ssl')\r\nCreation of log files\r\nUse this query to identify files created by Mint Sandstorm, ostensibly for exfiltration.\r\nDeviceProcessEvents\r\n| where InitiatingProcessCommandLine has_all('powershell', '$pnt', 'Get-Content', 'gcm') and InitiatingProcessCommandLine has_any('documentLog', 'documentLoger', 'Logdocument')\r\nFiles with double file name extensions\r\nUse this query to 
find files with double extensions, e.g., .pdf.lnk.\r\nDeviceFileEvents\r\n| where FileName endswith \".pdf.lnk\"\r\nRegistry keys with VBScript\r\nUse this query to find registry run key entries with VBScript in the value.\r\nDeviceRegistryEvents\r\n| where ActionType == \"RegistryValueSet\" or ActionType == \"RegistryKeyCreated\"\r\n| where RegistryKey endswith @\"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" or RegistryKey endswith @\"\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\" or RegistryKey endswith @\"\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\"\r\n| where RegistryValueData has_any (\"vbscript\",\".vbs\")\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.\r\nEmail delivered to inbox\r\nDelivered bad emails from top bad IPv4 addresses\r\nPhishing link execution observed\r\nSuccessful sign-in from phishing link\r\nSuspicious URL clicked\r\nScheduled task creation update from user writable directory\r\nRemote Scheduled Task creation update via Schtasks\r\nLearn more\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at 
https://twitter.com/MsftSecIntel.\r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.\r\nSource: https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/"
	],
	"report_names": [
		"new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434466,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0dc5d744c537520cef63e32070dff473d208a3da.pdf",
		"text": "https://archive.orkl.eu/0dc5d744c537520cef63e32070dff473d208a3da.txt",
		"img": "https://archive.orkl.eu/0dc5d744c537520cef63e32070dff473d208a3da.jpg"
	}
}