{
	"id": "6dc8fafe-f601-4530-97ef-fba410c09462",
	"created_at": "2026-04-06T00:18:13.042818Z",
	"updated_at": "2026-04-10T03:21:33.181474Z",
	"deleted_at": null,
	"sha1_hash": "7f09d31ad825c7156ea80a29839caa756a779612",
	"title": "BirdyClient malware leverages Microsoft Graph API for C\u0026C communication",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38685,
	"plain_text": "BirdyClient malware leverages Microsoft Graph API for C\u0026C\r\ncommunication\r\nArchived: 2026-04-05 20:42:50 UTC\r\nAn increasing number of threats have begun to leverage the Microsoft Graph API, usually to facilitate\r\ncommunications with command-and-control (C\u0026C) infrastructure hosted on Microsoft cloud services. The\r\ntechnique was most recently used in an attack against an organization in Ukraine, where a previously\r\nundocumented piece of malware called BirdyClient used the Graph API to leverage Microsoft OneDrive for C\u0026C\r\npurposes.\r\nRead more in our blog: Graph: Growing number of threats leveraging Microsoft API\r\nSymantec protects you from this threat, identified by the following:\r\nAdaptive-based\r\nACM.Ps-Rd32!g1\r\nACM.Untrst-RunSys!g1\r\nBehavior-based\r\nSONAR.TCP!gen6\r\nCarbon Black-based\r\nAssociated malicious indicators are blocked and detected by existing policies within VMware Carbon\r\nBlack products. The recommended policy at a minimum is to block all types of malware from executing\r\n(Known, Suspect, and PUP) as well as delay execution for cloud scan to get maximum benefit from\r\nVMware Carbon Black Cloud reputation service.\r\nFile-based\r\nBackdoor.Graphican\r\nBackdoor.Graphon\r\nTrojan Horse\r\nTrojan.BirdyClient\r\nTrojan.Gen.2\r\nTrojan.Gen.9\r\nTrojan.Gen.MBT\r\nWS.Malware.2\r\nMachine Learning-based\r\nHeur.AdvML.A!300\r\nHeur.AdvML.A!400\r\nHeur.AdvML.A!500\r\nHeur.AdvML.B\r\nHeur.AdvML.B!100\r\nHeur.AdvML.B!200\r\nHeur.AdvML.C\r\nSource: https://www.broadcom.com/support/security-center/protection-bulletin/birdyclient-malware-leverages-microsoft-graph-api-for-c-c-communication",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.broadcom.com/support/security-center/protection-bulletin/birdyclient-malware-leverages-microsoft-graph-api-for-c-c-communication"
	],
	"report_names": [
		"birdyclient-malware-leverages-microsoft-graph-api-for-c-c-communication"
	],
	"threat_actors": [],
	"ts_created_at": 1775434693,
	"ts_updated_at": 1775791293,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7f09d31ad825c7156ea80a29839caa756a779612.pdf",
		"text": "https://archive.orkl.eu/7f09d31ad825c7156ea80a29839caa756a779612.txt",
		"img": "https://archive.orkl.eu/7f09d31ad825c7156ea80a29839caa756a779612.jpg"
	}
}