{
	"id": "27fed2c0-88b7-4b3a-8e93-1af531eac8f0",
	"created_at": "2026-04-06T00:20:01.29197Z",
	"updated_at": "2026-04-10T13:12:22.872353Z",
	"deleted_at": null,
	"sha1_hash": "6bf7d0945e0ff90bcf4fe1449dd60c9855d68602",
	"title": "Microsoft: Hackers target defense firms with new FalseFont malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2894181,
	"plain_text": "Microsoft: Hackers target defense firms with new FalseFont malware\r\nBy Sergiu Gatlan\r\nPublished: 2023-12-21 · Archived: 2026-04-05 13:19:50 UTC\r\nMicrosoft says the APT33 Iranian cyber-espionage group is using recently discovered FalseFont backdoor malware to attack\r\ndefense contractors worldwide.\r\n\"Microsoft has observed the Iranian nation-state actor Peach Sandstorm attempting to deliver a newly developed backdoor\r\nnamed FalseFont to individuals working for organizations in the Defense Industrial Base (DIB) sector,\" the company said.\r\nThe DIB sector targeted in these attacks comprises over 100,000 defense companies and subcontractors involved in\r\nresearching and developing military weapons systems, subsystems, and components.\r\nhttps://www.bleepingcomputer.com/news/security/microsoft-hackers-target-defense-firms-with-new-falsefont-malware/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/microsoft-hackers-target-defense-firms-with-new-falsefont-malware/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nAlso tracked as Peach Sandstorm, HOLMIUM, or Refined Kitten, this hacking group has been active since at least 2013.\r\nTheir targets span a wide range of industry sectors across the United States, Saudi Arabia, and South Korea, including\r\ngovernment, defense, research, finance, and engineering verticals.\r\nFalseFont, the custom backdoor deployed in the campaign unveiled by Microsoft today, provides its operators remote access\r\nto compromised systems, file execution, and file transfer to its command-and-control (C2) servers.\r\nAccording to Microsoft, this malware strain was first observed in the wild around early November 2023.\r\n\"The development and use of FalseFont is consistent with Peach Sandstorm activity observed by Microsoft over the past\r\nyear, suggesting that Peach Sandstorm is continuing to improve their tradecraft,\" Redmond said.\r\nNetwork defenders are advised to reset 
credentials for accounts targeted in password spray attacks, cutting off any access APT33 gained through guessed\r\npasswords.\r\nThey should also revoke session cookies and secure accounts and RDP or Windows Virtual Desktop endpoints using multi-factor authentication (MFA).\r\nDefense contractors under attack\r\nIn September, Microsoft warned of another campaign coordinated by the APT33 threat group that targeted thousands of\r\norganizations worldwide, including in the defense sector, in extensive password spray attacks since February 2023.\r\n\"Between February and July 2023, Peach Sandstorm carried out a wave of password spray attacks attempting to authenticate\r\nto thousands of environments,\" the Microsoft Threat Intelligence team said.\r\n\"Throughout 2023, Peach Sandstorm has consistently demonstrated interest in US and other countries' organizations in the\r\nsatellite, defense, and to a lesser extent, pharmaceutical sectors.\"\r\nThe attacks resulted in data theft from a limited number of victims in the defense, satellite, and pharmaceutical sectors.\r\nAn Iran-linked hacking group dubbed DEV-0343 by researchers at Microsoft Threat Intelligence Center (MSTIC) also\r\nattacked U.S. and Israeli defense tech companies two years ago, according to an October 2021 Microsoft report.\r\nIn recent years, defense agencies and contractors around the world have also landed in the crosshairs of Russian, North\r\nKorean, and Chinese state hackers.\r\n
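The remediation advice above (reset credentials for accounts hit by password spraying, revoke sessions, enforce MFA) presupposes that a defender can first pick the sprayed accounts out of sign-in telemetry, and can tell which of them the attacker actually got into. The following is an added example written for this page, not code from Microsoft or BleepingComputer: a small detector that runs over a constructed sign-in log and produces the reset/revoke lists. The log format, the account names, the IP addresses and the thresholds (8 distinct accounts, at most 3 tries per account, 60-minute window) are all assumptions chosen for the example; real sign-in logs (Entra ID, AD FS, RDP gateways) carry the same three fields and the logic transfers to them.

```python
from bisect import bisect_left
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log for this example (fabricated, not real
# telemetry). Fields: UTC timestamp, account, source IP, outcome.
# 203.0.113.10 tries one or two guesses against ten different accounts and
# gets into one of them; 198.51.100.7 is a single user mistyping a password,
# which must NOT be reported as a spray even though it produces more failures.
SAMPLE_EVENTS = [
    ('2023-11-02T08:00:05', 'a.lee@dib.example',    '203.0.113.10', 'failure'),
    ('2023-11-02T08:00:09', 'b.ortiz@dib.example',  '203.0.113.10', 'failure'),
    ('2023-11-02T08:00:14', 'c.nguyen@dib.example', '203.0.113.10', 'failure'),
    ('2023-11-02T08:00:20', 'd.patel@dib.example',  '203.0.113.10', 'success'),
    ('2023-11-02T08:00:27', 'e.kim@dib.example',    '203.0.113.10', 'failure'),
    ('2023-11-02T08:00:33', 'f.rossi@dib.example',  '203.0.113.10', 'failure'),
    ('2023-11-02T08:00:41', 'g.hassan@dib.example', '203.0.113.10', 'failure'),
    ('2023-11-02T08:00:48', 'h.weber@dib.example',  '203.0.113.10', 'failure'),
    ('2023-11-02T08:00:55', 'i.okafor@dib.example', '203.0.113.10', 'failure'),
    ('2023-11-02T08:01:02', 'j.silva@dib.example',  '203.0.113.10', 'failure'),
    ('2023-11-02T08:31:10', 'a.lee@dib.example',    '203.0.113.10', 'failure'),
    ('2023-11-02T08:31:16', 'b.ortiz@dib.example',  '203.0.113.10', 'failure'),
    ('2023-11-02T08:05:00', 'k.brown@dib.example',  '198.51.100.7', 'failure'),
    ('2023-11-02T08:05:12', 'k.brown@dib.example',  '198.51.100.7', 'failure'),
    ('2023-11-02T08:05:25', 'k.brown@dib.example',  '198.51.100.7', 'failure'),
    ('2023-11-02T08:05:40', 'k.brown@dib.example',  '198.51.100.7', 'failure'),
    ('2023-11-02T08:06:01', 'k.brown@dib.example',  '198.51.100.7', 'success'),
    ('2023-11-02T08:10:00', 'l.chen@dib.example',   '192.0.2.44',   'success'),
]


def detect_password_spray(events, window=timedelta(minutes=60),
                          min_accounts=8, max_tries_per_account=3):
    '''Flag source IPs whose sign-in attempts look like a password spray.

    A spray is many distinct accounts hit from one source with only a few
    attempts each (few enough to stay under lockout thresholds), inside a
    sliding time window. Returns {src_ip: {'targeted': [...],
    'compromised': [...]}}, where compromised lists sprayed accounts that
    had a successful sign-in from the spraying source in a flagged window.
    '''
    by_ip = defaultdict(list)
    for ts, account, src_ip, outcome in events:
        by_ip[src_ip].append((datetime.fromisoformat(ts), account, outcome))

    findings = {}
    for src_ip, rows in by_ip.items():
        rows.sort()
        times = [row[0] for row in rows]
        for end_idx, (t_end, _, _) in enumerate(rows):
            # All attempts from this source in [t_end - window, t_end].
            start_idx = bisect_left(times, t_end - window)
            window_rows = rows[start_idx:end_idx + 1]
            tries = defaultdict(int)
            for _, account, _ in window_rows:
                tries[account] += 1
            # Only low-try accounts count toward the spray signature, so a
            # noisy brute force against one account does not mask a spray.
            sprayed = {a for a, n in tries.items() if n <= max_tries_per_account}
            if len(sprayed) < min_accounts:
                continue
            hit = findings.setdefault(src_ip, {'targeted': set(), 'compromised': set()})
            hit['targeted'].update(sprayed)
            hit['compromised'].update(
                account for _, account, outcome in window_rows
                if outcome == 'success' and account in sprayed)
    return {ip: {k: sorted(v) for k, v in hit.items()} for ip, hit in findings.items()}


def remediation_plan(findings):
    '''Turn detections into the two actions the article recommends: reset
    credentials for every sprayed account, and additionally revoke sessions
    for the accounts the sprayer actually signed into.'''
    reset, revoke = set(), set()
    for hit in findings.values():
        reset.update(hit['targeted'])
        revoke.update(hit['compromised'])
    return {'reset_credentials': sorted(reset), 'revoke_sessions': sorted(revoke)}


if __name__ == '__main__':
    found = detect_password_spray(SAMPLE_EVENTS)
    for ip, hit in found.items():
        print(ip, 'sprayed', len(hit['targeted']), 'accounts; compromised:', hit['compromised'])
    print(remediation_plan(found))
```

On the constructed log this reports only 203.0.113.10, with ten targeted accounts and d.patel as the one to treat as compromised; k.brown's five failures from 198.51.100.7 are a single-account pattern and are left alone. The thresholds are the part to tune per environment: sprays that rotate source IPs will need the grouping key widened (user agent, ASN, or the password attempt itself where the identity provider exposes it), and a successful sign-in from a spraying source should be treated as a confirmed compromise regardless of how few other accounts it touched.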
Source: https://www.bleepingcomputer.com/news/security/microsoft-hackers-target-defense-firms-with-new-falsefont-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/microsoft-hackers-target-defense-firms-with-new-falsefont-malware/"
	],
	"report_names": [
		"microsoft-hackers-target-defense-firms-with-new-falsefont-malware"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c4cd33a4-3ec0-4a21-b20f-99d3b7cc6525",
			"created_at": "2024-01-09T02:00:04.205662Z",
			"updated_at": "2026-04-10T02:00:03.511121Z",
			"deleted_at": null,
			"main_name": "Gray Sandstorm",
			"aliases": [
				"DEV-0343"
			],
			"source_name": "MISPGALAXY:Gray Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b938e2e3-3d1b-4b35-a031-ddf25b912557",
			"created_at": "2022-10-25T16:07:23.35582Z",
			"updated_at": "2026-04-10T02:00:04.55531Z",
			"deleted_at": null,
			"main_name": "APT 33",
			"aliases": [
				"APT 33",
				"ATK 35",
				"Cobalt Trinity",
				"Curious Serpens",
				"Elfin",
				"G0064",
				"Holmium",
				"Magnallium",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451",
				"Yellow Orc"
			],
			"source_name": "ETDA:APT 33",
			"tools": [
				"Atros2.CKPN",
				"AutoIt backdoor",
				"Breut",
				"CinaRAT",
				"DROPSHOT",
				"DarkComet",
				"DarkKomet",
				"DistTrack",
				"EmPyre",
				"EmpireProject",
				"FYNLOS",
				"FalseFont",
				"Filerase",
				"Fynloski",
				"JuicyPotato",
				"Krademok",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Mimikatz",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Notestuk",
				"POWERTON",
				"PoshC2",
				"PowerBand",
				"PowerShell Empire",
				"PowerSploit",
				"PsList",
				"Pupy",
				"PupyRAT",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"SHAPESHIFT",
				"Shamoon",
				"Socmer",
				"StoneDrill",
				"TURNEDUP",
				"Tickler",
				"Yggdrasil",
				"Zurten",
				"klovbot",
				"pupy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434801,
	"ts_updated_at": 1775826742,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6bf7d0945e0ff90bcf4fe1449dd60c9855d68602.pdf",
		"text": "https://archive.orkl.eu/6bf7d0945e0ff90bcf4fe1449dd60c9855d68602.txt",
		"img": "https://archive.orkl.eu/6bf7d0945e0ff90bcf4fe1449dd60c9855d68602.jpg"
	}
}