{
	"id": "0b1868e1-e651-4402-bff0-58edbb01be87",
	"created_at": "2026-04-06T00:10:07.791174Z",
	"updated_at": "2026-04-10T03:35:53.458056Z",
	"deleted_at": null,
	"sha1_hash": "7fcf9c473901c9712c99d5e03246e795065f4415",
	"title": "Incident response Insights | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 242580,
	"plain_text": "Incident response Insights | Microsoft Security Blog\r\nPublished: 2026-03-16 · Archived: 2026-04-05 20:56:21 UTC\r\nIncident response is the process of detecting, investigating, and responding to cyberattacks, security breaches, or\r\nIT incidents. Explore the latest trends and intelligence-driven strategies that help you prevent future attacks.\r\nHelp on the line: How a Microsoft Teams support call led to compromise\r\nhttps://www.microsoft.com/security/blog/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/\r\nPage 1 of 3\n\nA DART investigation into a Microsoft Teams voice phishing attack shows how deception and trusted tools\r\ncan enable identity-led intrusions and how to stop them.\r\nExplore the latest Microsoft Incident Response proactive services for enhanced resilience\r\nThe new proactive services from Microsoft Incident Response turn security uncertainty into readiness with\r\nexpert‑led preparation and advanced intelligence.\r\nIntroducing the Microsoft Defender Experts Suite: Elevate your security with expert-led\r\nservices\r\nAnnouncing Microsoft Defender Experts Suite, an integrated set of expert-led services that helps security\r\nteams keep pace with modern cyberattacks.\r\nSesameOp: Novel backdoor uses OpenAI Assistants API for command and control\r\nMicrosoft Incident Response – Detection and Response Team (DART) researchers uncovered a new\r\nbackdoor that is notable for its novel use of the OpenAI Assistants Application Programming Interface\r\n(API) as a mechanism for command-and-control (C2) communications.\r\nRetail at risk: How one alert uncovered a persistent cyberthreat\r\nIn the latest edition of our Cyberattack Series, we dive into real-world cases targeting retail organizations.\r\nElevate your protection with expanded Microsoft Defender Experts coverage\r\nDefender Experts now offers 24/7, expert-driven protection for cloud workloads, beginning with hybrid\r\nand multicloud servers in Microsoft Defender for Cloud.\r\nStilachiRAT analysis: From system reconnaissance to cryptocurrency theft\r\nMicrosoft Incident Response uncovered a novel remote access trojan (RAT) named StilachiRAT, which\r\ndemonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate\r\nsensitive data.\r\nBuild a stronger security strategy with proactive and reactive incident response:\r\nCyberattack Series\r\nFind out how a cyberattack by Storm-2077 was halted faster because the Microsoft Incident Response team\r\nis both proactive and reactive at the same time.\r\nThe art and science behind Microsoft threat hunting: Part 3\r\nIn this blog post, read how Microsoft Incident Response leverages three types of threat intelligence to\r\nenhance incident response scenarios.\r\n\n\nWindows Security best practices for integrating and managing security tools\r\nWe examine the recent CrowdStrike outage and provide a technical overview of the root cause.\r\nHow to boost your incident response readiness\r\nDiscover key steps to bolster incident response readiness, from disaster recovery plans to secure\r\ndeployments, guided by insights from the Microsoft Incident Response team.\r\nSource: https://www.microsoft.com/security/blog/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/"
	],
	"report_names": [
		"reverse-engineering-dubnium-stage-2-payload-analysis"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "64a08f65-4ef8-4ad5-bac1-ce4e0fd2808c",
			"created_at": "2024-08-28T02:02:09.663698Z",
			"updated_at": "2026-04-10T02:00:04.927384Z",
			"deleted_at": null,
			"main_name": "TAG-100",
			"aliases": [
				"Storm-2077"
			],
			"source_name": "ETDA:TAG-100",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"CrossC2",
				"LESLIELOADER",
				"Pantegana",
				"SparkRAT",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "db5b833a-965e-4f46-b75d-7e829466a5fa",
			"created_at": "2024-12-21T02:00:02.843374Z",
			"updated_at": "2026-04-10T02:00:03.780907Z",
			"deleted_at": null,
			"main_name": "Storm-2077",
			"aliases": [
				"TAG-100",
				"RedNovember"
			],
			"source_name": "MISPGALAXY:Storm-2077",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434207,
	"ts_updated_at": 1775792153,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7fcf9c473901c9712c99d5e03246e795065f4415.pdf",
		"text": "https://archive.orkl.eu/7fcf9c473901c9712c99d5e03246e795065f4415.txt",
		"img": "https://archive.orkl.eu/7fcf9c473901c9712c99d5e03246e795065f4415.jpg"
	}
}