{
	"id": "bdab5ef5-779c-4420-91f4-bf18b6a61adb",
	"created_at": "2026-04-06T00:09:22.377398Z",
	"updated_at": "2026-04-10T13:11:19.028499Z",
	"deleted_at": null,
	"sha1_hash": "3f6a1910aaf67e0361997684a07c15385278b4a6",
	"title": "Microsoft says Iranian hackers are exploiting the Zerologon vulnerability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 709705,
	"plain_text": "Microsoft says Iranian hackers are exploiting the Zerologon vulnerability\r\nWritten by Catalin Cimpanu, Contributor, Oct. 5, 2020 at 4:50 p.m. PT\r\nArchived: 2026-04-05 15:34:40 UTC\r\nMicrosoft said on Monday that Iranian state-sponsored hackers are currently exploiting the Zerologon vulnerability in real-world hacking campaigns.\r\nSuccessful attacks would allow hackers to take over servers known as domain controllers (DC), which are the centerpieces of most enterprise networks, and enable intruders to gain full control over their targets.\r\nThe Iranian attacks were detected by Microsoft's Threat Intelligence Center (MSTIC) and have been going on for at least two weeks, the company said today in a short tweet.\r\nMSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (ZeroLogon) in active campaigns over the last 2 weeks. We strongly recommend patching. Microsoft 365 Defender customers can also refer to these detections: https://t.co/ieBj2dox78\r\n— Microsoft Security Intelligence (@MsftSecIntel) October 5, 2020\r\nMSTIC linked the attacks to a group of Iranian hackers that the company tracks as MERCURY, but who are more widely known under their moniker of MuddyWater.\r\nThe group is believed to be a contractor for the Iranian government working under orders from the Islamic Revolutionary Guard Corps, Iran's primary intelligence and military service.\r\nhttps://www.zdnet.com/article/microsoft-says-iranian-hackers-are-exploiting-the-zerologon-vulnerability/\r\nPage 1 of 3\r\nAccording to Microsoft's Digital Defense Report, this group has historically targeted NGOs, intergovernmental organizations, government humanitarian aid, and human rights organizations.\r\nNonetheless, Microsoft says that Mercury's most recent targets included \"a high number of targets involved in work with refugees\" and \"network technology providers in the Middle East.\"\r\nAttacks began after public Zerologon PoC\r\nZerologon was described by many as the most dangerous bug disclosed this year. The bug is a vulnerability in Netlogon, the protocol used by Windows systems to authenticate against a Windows Server running as a domain controller.\r\nExploiting the Zerologon bug can allow hackers to take over an unpatched domain controller, and inherently a company's internal network.\r\nAttacks usually need to be carried out from internal networks, but if the domain controller is exposed online, they can also be carried out remotely over the internet.\r\nMicrosoft issued patches for Zerologon (CVE-2020-1472) in August, but the first detailed write-up about this bug was published in September, delaying most of the attacks.\r\nBut while security researchers delayed publishing details to give system administrators more time to patch, weaponized proof-of-concept code for Zerologon was published almost on the same day as the detailed write-up, spurring a wave of attacks within days.\r\nFollowing the bug's disclosure, DHS gave federal agencies three days to patch domain controllers or disconnect them from federal networks in order to prevent attacks, which the agency was expecting to come -- and they did, days later.\r\nMicrosoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks.\r\n— Microsoft Security Intelligence (@MsftSecIntel) September 24, 2020\r\nThe MERCURY attacks appear to have begun around one week after this proof-of-concept code was published, and around the same time, Microsoft began detecting the first Zerologon exploitation attempts.\r\nSource: https://www.zdnet.com/article/microsoft-says-iranian-hackers-are-exploiting-the-zerologon-vulnerability/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zdnet.com/article/microsoft-says-iranian-hackers-are-exploiting-the-zerologon-vulnerability/"
	],
	"report_names": [
		"microsoft-says-iranian-hackers-are-exploiting-the-zerologon-vulnerability"
	],
	"threat_actors": [
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434162,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3f6a1910aaf67e0361997684a07c15385278b4a6.pdf",
		"text": "https://archive.orkl.eu/3f6a1910aaf67e0361997684a07c15385278b4a6.txt",
		"img": "https://archive.orkl.eu/3f6a1910aaf67e0361997684a07c15385278b4a6.jpg"
	}
}