{
	"id": "28299220-c355-4b7c-859b-d419f5537c76",
	"created_at": "2026-04-06T02:11:42.8168Z",
	"updated_at": "2026-04-10T03:34:00.50833Z",
	"deleted_at": null,
	"sha1_hash": "772aab00cf867ab06a42f034a3bfde7a2b5793a4",
	"title": "Cyberattacks target international conference attendees",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 150004,
	"plain_text": "Cyberattacks target international conference attendees\r\nBy Tom Burt\r\nPublished: 2020-10-28 · Archived: 2026-04-06 01:30:40 UTC\r\nToday, we’re sharing that we have detected and worked to stop a series of cyberattacks from the threat actor\r\nPhosphorus masquerading as conference organizers to target more than 100 high-profile individuals. Phosphorus,\r\nan Iranian actor, has targeted with this scheme potential attendees of the upcoming Munich Security Conference\r\nand the Think 20 (T20) Summit in Saudi Arabia. The Munich Security Conference is the most important gathering\r\non the topic of security for heads of state and other world leaders, and it has been held annually for nearly 60\r\nyears. Likewise, T20 is a highly visible event that shapes policy ideas for the G20 nations and informs their\r\ncritical discussions.\r\nBased on current analysis, we do not believe this activity is tied to the U.S. elections in any way.\r\nThe attackers have been sending possible attendees spoofed invitations by email. The emails use near-perfect\r\nEnglish and were sent to former government officials, policy experts, academics and leaders from non-governmental organizations. Phosphorus helped assuage fears of travel during the Covid-19 pandemic by offering\r\nremote sessions.\r\nWe believe Phosphorus is engaging in these attacks for intelligence collection purposes. The attacks were\r\nsuccessful in compromising several victims, including former ambassadors and other senior policy experts who\r\nhelp shape global agendas and foreign policies in their respective countries.\r\nFigure 1: Flow of a typical Phosphorus attack in this campaign\r\nhttps://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/\r\nPage 1 of 3\n\nThis activity was uncovered by Microsoft’s Threat Intelligence Center, or MSTIC, which tracks the world’s\r\nnation-state and cybercrime actors so we can better protect our customers. 
MSTIC is also critical to the work of\r\nour Defending Democracy Program, powering our AccountGuard threat notification service available in 30\r\ncountries worldwide and fueling the intelligence we share to help keep elections secure. We build new protections\r\ninto our products regularly based on the threats MSTIC uncovers.\r\nWe’ve already worked with conference organizers who have warned and will continue to warn their attendees, and\r\nwe’re disclosing what we’ve seen so that everyone can remain vigilant to this approach being used in connection\r\nwith other conferences or events.\r\nWe recommend people evaluate the authenticity of emails they receive about major conferences by ensuring that\r\nthe sender address looks legitimate and that any embedded links redirect to the official conference domain. As\r\nalways, enabling multi-factor authentication across both business and personal email accounts will successfully\r\nthwart most credential harvesting attacks like these. For anyone who suspects they may have been a victim of this\r\ncampaign, we also encourage a close review of email-forwarding rules in accounts to identify and remove any\r\nsuspicious rules that may have been set during a successful compromise.\r\nWe are also sharing the indicators of compromise (IOCs) observed during these activities. We encourage IT teams\r\nto implement detections and protections to identify possible prior campaigns and prevent future campaigns against\r\ntheir users. 
These indicators include phony email accounts and domains or websites used to steal victims’\r\ncredentials.\r\nINDICATOR | TYPE | DESCRIPTION\r\nt20saudiarabia[@]outlook.sa | Email | Masquerading as the organizer of the Think 20 (T20) conference\r\nt20saudiarabia[@]hotmail.com | Email | Masquerading as the organizer of the Think 20 (T20) conference\r\nt20saudiarabia[@]gmail.com | Email | Masquerading as the organizer of the Think 20 (T20) conference\r\nmunichconference[@]outlook.com | Email | Masquerading as the organizer of the Munich Security Conference\r\nmunichconference[@]outlook.de | Email | Masquerading as the organizer of the Munich Security Conference\r\nmunichconference1962[@]gmail.com | Email | Masquerading as the organizer of the Munich Security Conference\r\nde-ma[.]online | Domain | Domain used for credential harvesting\r\ng20saudi.000webhostapp[.]com | Subdomain | Subdomain used for credential harvesting\r\nksat20.000webhostapp[.]com | Subdomain | Subdomain used for credential harvesting\r\nAs we noted in our recent Digital Defense Report, nation-state cyberattackers routinely pursue think tanks, policy\r\norganizations and governmental and non-governmental organizations, seeking information that an attacker can use\r\nfor their benefit. 
We will continue to use a combination of technology, operations, legal action and policy to\r\ndisrupt and deter malicious activity, but nothing replaces vigilance from people who are likely targets of these\r\noperations.\r\nTags: cyberattacks, cybersecurity, Defending Democracy Program, Microsoft AccountGuard, Microsoft Threat\r\nIntelligence Center, MSTIC\r\nSource: https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/"
	],
	"report_names": [
		"cyberattacks-phosphorus-t20-munich-security-conference"
	],
	"threat_actors": [
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441502,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/772aab00cf867ab06a42f034a3bfde7a2b5793a4.pdf",
		"text": "https://archive.orkl.eu/772aab00cf867ab06a42f034a3bfde7a2b5793a4.txt",
		"img": "https://archive.orkl.eu/772aab00cf867ab06a42f034a3bfde7a2b5793a4.jpg"
	}
}