{
	"id": "cedda9f2-d305-4947-b082-51e15afb893f",
	"created_at": "2026-04-06T00:08:28.81478Z",
	"updated_at": "2026-04-10T13:12:37.928353Z",
	"deleted_at": null,
	"sha1_hash": "2439ef0fddaedebf54c4a830f6a7512befcbb84a",
	"title": "Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 290822,
	"plain_text": "Nation-state threat actor Mint Sandstorm refines tradecraft to attack\r\nhigh-value targets | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2023-04-18 · Archived: 2026-04-05 13:59:57 UTC\r\nOver the past several months, Microsoft has observed a mature subgroup of Mint Sandstorm, an Iranian nation-state actor\r\npreviously tracked as PHOSPHORUS, refining its tactics, techniques, and procedures (TTPs). Specifically, this subset has\r\nrapidly weaponized N-day vulnerabilities in common enterprise applications and conducted highly-targeted phishing\r\ncampaigns to quickly and successfully access environments of interest. This Mint Sandstorm subgroup has also continued to\r\ndevelop and use custom tooling in selected targets, notably organizations in the energy and transportation sectors. Given this\r\nsubgroup’s capabilities, the profile of past targets, and the potential for cascading effects, Microsoft is publishing details on\r\nknown tradecraft alongside corresponding detections and mitigations to help organizations protect against this and similar\r\nthreats.\r\nWho is Mint Sandstorm?\r\nMint Sandstorm is Microsoft’s new name for PHOSPHORUS, an Iranian nation-state actor. This new name is part of the\r\nnew threat actor naming taxonomy we announced today, designed to keep pace with the evolving and growing threat\r\nlandscape.\r\nMint Sandstorm is known to pursue targets in both the private and public sectors, including political dissidents, activist\r\nleaders, the Defense Industrial Base (DIB), journalists, and employees from multiple government agencies, including\r\nindividuals protesting oppressive regimes in the Middle East.  
Activity Microsoft tracks as part of the larger Mint Sandstorm\r\ngroup overlaps with public reporting on groups known as APT35, APT42, Charming Kitten, and TA453.\r\nMint Sandstorm is a composite name used to describe several subgroups of activity with ties to the same organizational\r\nstructure. Microsoft assesses that Mint Sandstorm is associated with an intelligence arm of Iran’s military, the Islamic\r\nRevolutionary Guard Corps (IRGC), an assessment that has been corroborated by multiple credible sources including\r\nMandiant, Proofpoint, and SecureWorks. In 2022, the US Department of Treasury sanctioned elements of Mint Sandstorm\r\nfor past cyberattacks citing sponsorship from the IRGC.\r\nToday, Microsoft is reporting on a distinct Mint Sandstorm subgroup that specializes in hacking into and stealing sensitive\r\ninformation from high-value targets. This Mint Sandstorm subgroup is technically and operationally mature, capable of\r\ndeveloping bespoke tooling and quickly weaponizing N-day vulnerabilities, and has demonstrated agility in its operational\r\nfocus, which appears to align with Iran’s national priorities.\r\nMicrosoft Threat Intelligence consistently tracks threat actor activity, including Mint Sandstorm and its subgroups, and\r\nworks across Microsoft Security products and services to build detections into our products that improve protection for\r\ncustomers. As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or\r\ncompromised, providing them with the information they need to secure their accounts. 
Microsoft is sharing details on these\r\noperations to raise awareness on the risks associated with their activity and to empower organizations to harden their attack\r\nsurfaces against tradecraft commonly used by this Mint Sandstorm subgroup.\r\nRecent operations\r\nFrom late 2021 to mid-2022, this Mint Sandstorm subgroup moved from reconnaissance to direct targeting of US critical\r\ninfrastructure including seaports, energy companies, transit systems, and a major US utility and gas entity potentially in\r\nhttps://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/\r\nPage 1 of 10\n\nsupport of retaliatory destructive cyberattacks. This targeting was likely in response to Iran’s attribution of cyberattacks that\r\nhalted maritime traffic at a major Iranian seaport in May 2020, delayed Iranian trains in July 2021, and crashed gas station\r\npayment systems throughout Iran in late 2021. Of note, a senior cybersecurity-focused IRGC official and others close to the\r\nIranian Supreme Leader pinned the attack affecting gas station payment systems on Israel and the United States.\r\nThis targeting also coincided with a broader increase in the pace and the scope of cyberattacks attributed to Iranian threat\r\nactors, including another Mint Sandstorm subgroup, that Microsoft observed beginning in September 2021. The increased\r\naggression of Iranian threat actors appeared to correlate with other moves by the Iranian regime under a new national\r\nsecurity apparatus, suggesting such groups are less bounded in their operations.  
Given the hardline consensus among\r\npolicymakers in Tehran and sanctions previously levied on Iran’s security organizations, Mint Sandstorm subgroups may be\r\nless constrained in carrying out malicious cyber activity.\r\nMint Sandstorm tradecraft\r\nMicrosoft has observed multiple attack chains and various tools in compromises involving this Mint Sandstorm subgroup.\r\nThe TTPs detailed below are a sampling of new or otherwise notable tradecraft used by this actor.\r\nRapid adoption of publicly disclosed POCs for initial access and persistence\r\nMicrosoft has increasingly observed this Mint Sandstorm subgroup adopting publicly disclosed proof-of-concept (POC)\r\ncode shortly after it is released to exploit vulnerabilities in internet-facing applications. Until 2023, this subgroup had been\r\nslow to adopt exploits for recently-disclosed vulnerabilities with publicly reported POCs, often taking several weeks to\r\nsuccessfully weaponize exploits for vulnerabilities like Proxyshell and Log4Shell. However, beginning in early 2023,\r\nMicrosoft observed a notable decrease in the time required for this subgroup to adopt and incorporate public POCs. For\r\nexample, Mint Sandstorm began exploiting CVE-2022-47966 in Zoho ManageEngine on January 19, 2023, the same day the\r\nPOC became public. They later exploited CVE-2022-47986 in Aspera Faspex within five days of the POC being made\r\npublic on February 2, 2023.\r\nWhile this subgroup has demonstrated their ability to rapidly incorporate new public POCs into their playbooks, Microsoft\r\nhas also observed that Mint Sandstorm continues to use older vulnerabilities, especially Log4Shell, to compromise\r\nunpatched devices. 
As this activity is typically opportunistic and indiscriminate, Microsoft recommends that\r\norganizations regularly patch vulnerabilities with publicly available POCs, regardless of how long the POC has been\r\navailable.\r\nAfter gaining initial access to an organization by exploiting a vulnerability with a public POC, this Mint Sandstorm\r\nsubgroup deploys a custom PowerShell script designed for discovery. In some cases, the subgroup does not act on the\r\ninformation they collect, possibly because they assess that a victim does not meet any targeting requirements or because the\r\nsubgroup wishes to wait and focus on more valuable targets. In cases where Mint Sandstorm operators continue their pursuit\r\nof a given target, Microsoft typically observes one of two possible attack chains.\r\nFigure 1. The two attack chains used by the Mint Sandstorm subgroup\r\nAttack chain 1: The Mint Sandstorm subgroup proceeds using Impacket to move laterally through a compromised\r\norganization and relies extensively on PowerShell scripts (rather than custom implants) to enumerate admin accounts\r\nand enable RDP connections. In this attack chain, the subgroup uses an SSH tunnel for command and control (C2),\r\nand the final objective in many cases is theft of the Active Directory database. If obtained, the Mint Sandstorm\r\nsubgroup can use the Active Directory database to access credentials for users’ accounts. In cases where users’\r\ncredentials are accessed and the target organization has not reset corresponding passwords, the actors can log in with\r\nstolen credentials and masquerade as legitimate users, possibly without attracting attention from defenders. 
The\r\nactors could also gain access to other systems where individuals may have reused their passwords.\r\nAttack chain 2: As is the case in attack chain 1, the Mint Sandstorm subgroup uses Impacket to move laterally.\r\nHowever, in this progression, the operators use webhook.site for C2 and create scheduled tasks for persistence.\r\nFinally, in this attack chain, the actors deploy a custom malware variant, such as Drokbk or Soldier. These custom\r\nmalware variants signal an increase in the subgroup’s level of sophistication, as they shift from using publicly\r\navailable tools and simple scripts to deploying fully custom-developed malicious code.\r\nUse of custom tools to evade detection\r\nSince 2022, Microsoft has observed this Mint Sandstorm subgroup using two custom implants, detected by Microsoft\r\nsecurity products as Drokbk and Soldier, to persist in target environments and deploy additional tools. Drokbk and Soldier\r\nboth use Mint Sandstorm-controlled GitHub repositories to host a domain rotator containing the operators’ C2 domains. This\r\nallows Mint Sandstorm to dynamically update their C2 infrastructure, which may help the operators stay a step ahead of\r\ndefenders using list-based domain blocking.\r\nDrokbk: Drokbk.exe is a custom .NET implant with two components: an installer, sometimes accessed from a\r\ncompressed archive on a legitimate file-sharing platform, and a secondary backdoor payload. The Drokbk backdoor\r\nissues a web request to obtain the contents of a README file on a Mint Sandstorm-controlled GitHub repo. The\r\nREADME file contains a list of URLs that direct targets to the C2 infrastructure associated with Drokbk.\r\nSoldier: Soldier is a multistage .NET backdoor with the ability to download and run additional tools and uninstall\r\nitself. Like Drokbk, Soldier C2 infrastructure is stored on a domain rotator on a GitHub repository operated by Mint\r\nSandstorm. 
Microsoft Threat Intelligence analysts assess that Soldier is a more sophisticated variant of Drokbk.\r\nIn certain cases, this Mint Sandstorm subgroup has used TTPs outside of these attack chains, notably when they have failed\r\nto achieve short-term objectives. In one instance, Microsoft also observed the subgroup using TTPs from both attack chains\r\nin a single compromised environment. However, in most cases, Mint Sandstorm activity displays one of the above-discussed\r\nattack chains.\r\nLow-volume phishing campaigns using template injection\r\nMicrosoft has also observed this Mint Sandstorm subgroup using a distinct attack chain involving low-volume phishing\r\ncampaigns and a third custom implant. In these operations, the group crafts bespoke phishing emails, often purporting to\r\ncontain information on security policies that affect countries in the Middle East, to deliver weaponized documents to\r\nindividuals of interest. Recipients are typically individuals affiliated with high-profile think tanks or universities in Israel,\r\nNorth America, or Europe with ties to the security and policy communities. Unlike their initial exploitation of vulnerable\r\ninternet-facing applications, which is largely indiscriminate and affects organizations across sectors and geographies,\r\nactivity associated with this campaign was highly targeted and affected fewer than 10 organizations.\r\nThe initial emails are most commonly lures designed to social engineer recipients into clicking a OneDrive link hosting a\r\nPDF spoofed to resemble information on a topic involving security or policy in the Middle East. The PDF contains a link to\r\na macro-enabled template file (dotm) hosted on Dropbox. 
This file has been weaponized with macros to perform remote\r\ntemplate injection, a technique that allows operators to obtain and launch a payload from a remote C2, often OneDrive.\r\nTemplate injection is an attractive option for adversaries looking to execute malicious code without drawing scrutiny from\r\ndefenders. This technique can also be used to persist in a compromised environment if an adversary replaces a default\r\ntemplate used by a common application.\r\nIn these attacks, Microsoft has observed the Mint Sandstorm subgroup using CharmPower, a custom implant, in attacks that\r\nbegan with targeted phishing campaigns. CharmPower is a modular backdoor written in PowerShell that this subgroup\r\ndelivers in phishing campaigns that rely on template injection. CharmPower can read files, gather information on an infected\r\nhost, and send details back to the attackers. Reporting from Checkpoint indicates that at least one version of CharmPower\r\npulls data from a specific text file that contains a hardcoded victim identifier.\r\nFigure 2. Template injection technique\r\nWhat’s next\r\nCapabilities observed in intrusions attributed to this Mint Sandstorm subgroup are concerning as they allow operators to\r\nconceal C2 communication, persist in a compromised system, and deploy a range of post-compromise tools with varying\r\ncapabilities. While effects vary depending on the operators’ post-intrusion activities, even initial access can enable\r\nunauthorized access and facilitate further behaviors that may adversely impact the confidentiality, integrity, and availability\r\nof an environment. A successful intrusion creates liabilities and may harm an organization’s reputation, especially those\r\nresponsible for delivering services to others such as critical infrastructure providers, which Mint Sandstorm has targeted in\r\nthe past.  
\r\nAs these operators increasingly develop and use sophisticated capabilities, organizations must develop corresponding\r\ndefenses to harden their attack surfaces and raise costs for these operators. Microsoft will continue to monitor Mint\r\nSandstorm activity and implement protections for our customers. The current detections, advanced detections, and IOCs in\r\nplace across our security products are detailed below and shared with the broader security community to help detect and\r\nprevent further attacks.\r\nMitigation and protection guidance\r\nThe techniques used by this subset of Mint Sandstorm can be mitigated through the following actions:\r\nHardening internet-facing assets and understanding your perimeter\r\nOrganizations must identify and secure perimeter systems that attackers might use to access the network. Public scanning\r\ninterfaces, such as Microsoft Defender External Attack Surface Management, can be used to improve data.\r\nVulnerabilities observed in recent campaigns attributed to this Mint Sandstorm subgroup that defenders can identify and\r\nmitigate include:\r\nIBM Aspera Faspex affected by CVE-2022-47986: Organizations can remediate CVE-2022-47986 by upgrading to\r\nFaspex 4.4.2 Patch Level 2 or using Faspex 5.x which does not contain this vulnerability. More details are available\r\nin IBM’s security advisory here.\r\nZoho ManageEngine affected by CVE-2022-47966: Organizations using Zoho ManageEngine products vulnerable to\r\nCVE-2022-47966 should download and apply upgrades from the official advisory as soon as possible. 
Patching this\r\nvulnerability is useful beyond this specific campaign as several adversaries are exploiting CVE-2022-47966 for\r\ninitial access.\r\nApache Log4j2 (aka Log4Shell) (CVE-2021-44228 and CVE-2021-45046): Microsoft’s guidance for organizations\r\nusing applications vulnerable to Log4Shell exploitation can be found here. This guidance is useful for any\r\norganization with vulnerable applications and useful beyond this specific campaign, as several adversaries exploit\r\nLog4Shell to obtain initial access.\r\nThis Mint Sandstorm subgroup has demonstrated its ability to rapidly adopt newly reported N-day vulnerabilities into its\r\nplaybooks. To further reduce organizational exposure, Microsoft Defender for Endpoint customers can use the threat and\r\nvulnerability management capability to discover, prioritize, and remediate vulnerabilities and misconfigurations.\r\nReducing the attack surface\r\nMicrosoft 365 Defender customers can also turn on attack surface reduction rules to harden their environments against\r\ntechniques used by this Mint Sandstorm subgroup. 
These rules, which can be configured by all Microsoft Defender\r\nAntivirus customers and not just those using the EDR solution, offer significant protection against the tradecraft discussed in\r\nthis report.\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion\r\nBlock Office applications from creating executable content\r\nBlock process creations originating from PSExec and WMI commands\r\nAdditionally, in 2022, Microsoft changed the default behavior of Office applications to block macros in files from the\r\ninternet, further minimizing the attack surface for operators like this subgroup of Mint Sandstorm.\r\nMicrosoft 365 Defender detections\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects the Drokbk implant as the following malware:\r\nTrojan:MSIL/Drokbk.A!dha\r\nTrojan:MSIL/Drokbk.B!dha\r\nTrojan:MSIL/Drokbk.C!dha\r\nTrojan:Win32/Drokbk.C!dha\r\nMicrosoft Defender Antivirus detects the Soldier implant as the following malware:\r\nTrojan:MSIL/SoldierAudio.A!dha\r\nTrojan:MSIL/SoldierAudio.B!dha\r\nTrojan:MSIL/SoldierAudio.C!dha\r\nMicrosoft Defender Antivirus detects the CharmPower implant as the following malware:\r\nTrojanDownloader:O97M/RooftopMelt.A!dha\r\nMicrosoft Defender for Endpoint\r\nThe following Microsoft Defender for Endpoint alerts can indicate associated threat activity:\r\nPhosphorus Actor activity detected\r\nHunting queries\r\nMicrosoft 365 Defender\r\nMicrosoft 365 Defender customers can run the following queries to find related activity in their networks:\r\nManageEngine Suspicious Process Execution.\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName hasprefix \"java\"\r\n| where InitiatingProcessFolderPath has @\"\\manageengine\\\" or InitiatingProcessFolderPath has @\"\\ServiceDesk\\\"\r\n| where (FileName in~ (\"powershell.exe\", \"powershell_ise.exe\") and\r\n(ProcessCommandLine has_any (\"whoami\", \"net user\", \"net group\", \"localgroup administrators\", \"dsquery\", \"samaccountname=\", \" echo \", \"query session\", \"adscredentials\", \"o365accountconfiguration\", \"-dumpmode\", \"-ssh\", \"usoprivate\", \"usoshared\", \"Invoke-Expression\", \"DownloadString\", \"DownloadFile\", \"FromBase64String\", \"System.IO.Compression\", \"System.IO.MemoryStream\", \"iex \", \"iex(\", \"Invoke-WebRequest\", \"set-MpPreference\", \"add-MpPreference\", \"certutil\", \"bitsadmin\") // \"csvhost.exe\", \"ekern.exe\", \"svhost.exe\", \".dmp\"\r\nor ProcessCommandLine matches regex @\"[-/–][Ee^]{1,2}[ncodema^]*\\s[A-Za-z0-9+/=]{15,}\"))\r\nor (FileName =~ \"curl.exe\" and ProcessCommandLine contains \"http\")\r\nor (FileName =~ \"wget.exe\" and ProcessCommandLine contains \"http\")\r\nor ProcessCommandLine has_any (\"E:jscript\", \"e:vbscript\")\r\nor ProcessCommandLine has_all (\"localgroup Administrators\", \"/add\")\r\nor ProcessCommandLine has_all (\"reg add\", \"DisableAntiSpyware\", @\"\\Microsoft\\Windows Defender\")\r\nor ProcessCommandLine has_all (\"reg add\", \"DisableRestrictedAdmin\", @\"CurrentControlSet\\Control\\Lsa\")\r\nor ProcessCommandLine has_all (\"wmic\", \"process call create\")\r\nor ProcessCommandLine has_all (\"net\", \"user \", \"/add\")\r\nor ProcessCommandLine has_all (\"net1\", \"user \", \"/add\")\r\nor ProcessCommandLine has_all (\"vssadmin\", \"delete\", \"shadows\")\r\nor ProcessCommandLine has_all (\"wmic\", \"delete\", \"shadowcopy\")\r\nor ProcessCommandLine has_all (\"wbadmin\", \"delete\", \"catalog\")\r\nor (ProcessCommandLine has \"lsass\" and ProcessCommandLine has_any (\"procdump\", \"tasklist\", \"findstr\"))\r\n| where ProcessCommandLine !contains \"download.microsoft.com\" and ProcessCommandLine !contains \"manageengine.com\" and ProcessCommandLine !contains \"msiexec\"\r\nRuby AsperaFaspex Suspicious Process Execution.\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName hasprefix \"ruby\"\r\n| where InitiatingProcessFolderPath has @\"aspera\"\r\n| where (FileName in~ (\"powershell.exe\", \"powershell_ise.exe\") and\r\n(ProcessCommandLine has_any (\"whoami\", \"net user\", \"net group\", \"localgroup administrators\", \"dsquery\", \"samaccountname=\", \" echo \", \"query session\", \"adscredentials\", \"o365accountconfiguration\", \"-dumpmode\", \"-ssh\", \"usoprivate\", \"usoshared\", \"Invoke-Expression\", \"DownloadString\", \"DownloadFile\", \"FromBase64String\", \"System.IO.Compression\", \"System.IO.MemoryStream\", \"iex \", \"iex(\", \"Invoke-WebRequest\", \"set-MpPreference\", \"add-MpPreference\", \"certutil\", \"bitsadmin\", \"csvhost.exe\", \"ekern.exe\", \"svhost.exe\", \".dmp\")\r\nor ProcessCommandLine matches regex @\"[-/–][Ee^]{1,2}[ncodema^]*\\s[A-Za-z0-9+/=]{15,}\"))\r\nor (FileName =~ \"curl.exe\" and ProcessCommandLine contains \"http\")\r\nor (FileName =~ \"wget.exe\" and ProcessCommandLine contains \"http\")\r\nor ProcessCommandLine has_any (\"E:jscript\", \"e:vbscript\")\r\nor ProcessCommandLine has_all (\"localgroup Administrators\", \"/add\")\r\nor ProcessCommandLine has_all (\"reg add\", \"DisableAntiSpyware\", @\"\\Microsoft\\Windows Defender\")\r\nor ProcessCommandLine has_all (\"reg add\", \"DisableRestrictedAdmin\", @\"CurrentControlSet\\Control\\Lsa\")\r\nor ProcessCommandLine has_all (\"wmic\", \"process call create\")\r\nor ProcessCommandLine has_all (\"net\", \"user \", \"/add\")\r\nor ProcessCommandLine has_all (\"net1\", \"user \", \"/add\")\r\nor ProcessCommandLine has_all (\"vssadmin\", \"delete\", \"shadows\")\r\nor ProcessCommandLine has_all (\"wmic\", \"delete\", \"shadowcopy\")\r\nor ProcessCommandLine has_all (\"wbadmin\", \"delete\", \"catalog\")\r\nor (ProcessCommandLine has \"lsass\" and ProcessCommandLine has_any (\"procdump\", \"tasklist\", \"findstr\"))\r\nLog4J Wstomcat Process Execution.\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName has \"ws_tomcatservice.exe\" and FileName !in~(\"repadmin.exe\")\r\nEncoded watcher Function.\r\nDeviceProcessEvents\r\n| where FileName =~ \"powershell.exe\" and ProcessCommandLine hasprefix \"-e\"\r\n| extend SplitString = split(ProcessCommandLine, \" \")\r\n| mvexpand SS = SplitString\r\n| where SS matches regex \"^[A-Za-z0-9+/]{50,}[=]{0,2}$\"\r\n| extend base64_decoded = replace(@'\\0', '', make_string(base64_decode_toarray(tostring(SS))))\r\n| where not(base64_decoded has_any(@\"software\\checker\", \"set folder to watch\"))\r\n| where base64_decoded has_all(\"$hst\", \"$prt\") or base64_decoded has_any(\"watcher\", @\"WAt`CH`Er()\")\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytic (a series of analytics all prefixed with “TI map”) to\r\nautomatically match the indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not\r\ncurrently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have\r\nthe analytics rule deployed in their Sentinel workspace. 
More details on the Content Hub can be found here:\r\nhttps://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\r\nIn addition, Microsoft Sentinel customers can leverage the following content to hunt for and detect related activity in their\r\nenvironments:\r\nLog4J solution\r\nPotential Impacket Execution\r\nCommands executed by WMI on new hosts – potential Impacket\r\nScheduled Task Hidden\r\nRemote Task Creation/Update using Schtasks Process\r\nScheduled Task Creation or Update from User Writable Directory\r\nExchange SSRF Autodiscover ProxyShell – Detection\r\nIndicators of compromise\r\nIndicator | Type | Description\r\nSoldier.exe | File name | Soldier backdoor\r\nad55b4a40f9e52682d9d4f069914e09c941e8b77ca7b615e9deffccdfbc54145 | SHA-256 | Soldier backdoor hash\r\nDrokbk.exe | File name | Drokbk backdoor\r\n64f39b858c1d784df1ca8eb895ac7eaf47bf39acf008ed4ae27a796ac90f841b | SHA-256 | Drokbk backdoor hash\r\nsync-system-time[.]cf | Domain | Drokbk C2 infrastructure\r\nupdate-windows-security[.]tk | Domain | Drokbk C2 infrastructure\r\ndns-iprecords[.]tk | Domain | Drokbk C2 infrastructure\r\nuniversityofmhealth[.]biz | Domain | Drokbk C2 infrastructure\r\noracle-java[.]cf | Domain | Drokbk C2 infrastructure\r\n54.39.202[.]0 | IP address | Drokbk C2 infrastructure\r\n51.89.135[.]15 | IP address | Drokbk C2 infrastructure\r\n51.89.169[.]201 | IP address | Drokbk C2 infrastructure\r\n51.89.187[.]222 | IP address | Drokbk C2 infrastructure\r\nNY.docx.docx | File name | CharmPower lure document used for template injection\r\n57cc5e44fd84d98942c45799f367db78adc36a5424b7f8d9319346f945f64a72 | SHA-256 | NY.docx.docx hash\r\nAbraham%20Accords%20Du.[.]docx | File name | CharmPower lure document used for template injection\r\n3dcdb0ffebc5ce6691da3d0159b5e811c7aa91f6d8fc204963d2944225b0119d | SHA-256 | Abraham%20Accords%20Du.[.]docx hash\r\nDocTemplate.dotm | File name | Malicious remote template document used in intrusions involving CharmPower\r\n65e48f63f455c94d3bf681acaf115caa6e1e60499362add49ca614458bbc4f85 | SHA-256 | DocTemplate.dotm hash\r\nDntDocTemp.dotm | File name | Malicious remote template document used in intrusions involving CharmPower\r\n444075183ff6cae52ab5b93299eb9841dcd8b0321e3a90fb29260dc12133b6a2 | SHA-256 | DntDocTemp.dotm hash\r\n0onlyastep0[.]xyz | Domain | CharmPower C2 infrastructure\r\n0readerazone0[.]xyz | Domain | CharmPower C2 infrastructure\r\n0tryamore0[.]xyz | Domain | CharmPower C2 infrastructure\r\nReferences\r\nIran: Background and U.S. Policy. Congressional Research Service\r\nCobalt Illusion Masquerades as Atlantic Council Employee. Secureworks\r\nApt42: Crooked Charms, Cons, and Compromises. Mandiant\r\nBadblood: TA453 Targets US \u0026 Israel in Credential Phishing. Proofpoint\r\nTreasury Sanctions IRGC-Affiliated Cyber Actors for Roles in Ransomware Activity. U.S. Department of the Treasury\r\nOfficials: Israel Linked to a Disruptive Cyberattack on Iranian Port Facility. The Washington Post\r\nIran Says Cyberattack Causes Widespread Disruption at Gas Stations. Thomson Reuters\r\nIran’s Evolving Approach to Asymmetric Naval Warfare. The Washington Institute for Near East Policy\r\nHackers breach Iran rail network, disrupt service. Reuters\r\nAPT35 Exploits Log4J Vulnerability to Distribute New Modular PowerShell Toolkit. 
Checkpoint\r\nIran Says Gas Stations Were Target Of Cyberattack To Foment Unrest. Iran International (iranintl.com)\r\nComplaint – Summons – Civil Cover Sheet.pdf. noticeofpleadings.com\r\nSource: https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/"
	],
	"report_names": [
		"nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1",
			"created_at": "2023-03-04T02:01:54.091301Z",
			"updated_at": "2026-04-10T02:00:03.356317Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"UNC788",
				"CALANQUE"
			],
			"source_name": "MISPGALAXY:APT42",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae26d287-8ba7-447e-9391-cf13c02d7481",
			"created_at": "2023-03-04T02:01:54.0962Z",
			"updated_at": "2026-04-10T02:00:03.357189Z",
			"deleted_at": null,
			"main_name": "TA453",
			"aliases": [],
			"source_name": "MISPGALAXY:TA453",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8",
			"created_at": "2025-04-23T02:00:55.275208Z",
			"updated_at": "2026-04-10T02:00:05.270553Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"APT42"
			],
			"source_name": "MITRE:APT42",
			"tools": [
				"NICECURL",
				"TAMECAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434108,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2439ef0fddaedebf54c4a830f6a7512befcbb84a.pdf",
		"text": "https://archive.orkl.eu/2439ef0fddaedebf54c4a830f6a7512befcbb84a.txt",
		"img": "https://archive.orkl.eu/2439ef0fddaedebf54c4a830f6a7512befcbb84a.jpg"
	}
}