{
	"id": "a1e95a82-1cdb-45e5-8d33-0d95916e281b",
	"created_at": "2026-04-06T00:22:10.726475Z",
	"updated_at": "2026-04-10T03:34:24.783873Z",
	"deleted_at": null,
	"sha1_hash": "84319f3dc52080e9a3575970c41c8b1df3b628c8",
	"title": "Microsoft Attributes Charlie Hebdo Attack to NEPTUNIUM | Security Insider",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38784,
	"plain_text": "Microsoft Attributes Charlie Hebdo Attack to NEPTUNIUM | Security Insider\r\nArchived: 2026-04-05 16:44:08 UTC\r\nMicrosoft Threat Intelligence\r\nToday, Microsoft’s Digital Threat Analysis Center (DTAC) is attributing a recent influence operation targeting the\r\nsatirical French magazine Charlie Hebdo to an Iranian nation-state actor. Microsoft calls this actor NEPTUNIUM,\r\nwhich has also been identified by the U.S. Department of Justice as Emennet Pasargad.\r\nIn early January, a previously unheard-of online group calling itself “Holy Souls,” which we can now identify as\r\nNEPTUNIUM, claimed that it had obtained the personal information of more than 200,000 Charlie Hebdo\r\ncustomers after “gain[ing] access to a database.” As proof, Holy Souls released a sample of the data, which\r\nincluded a spreadsheet detailing the full names, telephone numbers, and home and email addresses of accounts\r\nthat had subscribed to, or purchased merchandise from, the publication. This information, obtained by the Iranian\r\nactor, could put the magazine’s subscribers at risk of online or physical targeting by extremist organizations.\r\nWe believe this attack is a response by the Iranian government to a cartoon contest conducted by Charlie Hebdo.\r\nOne month before Holy Souls conducted its attack, the magazine announced it would be holding an international\r\ncompetition for cartoons “ridiculing” Iranian Supreme Leader Ali Khamenei. The issue featuring the winning\r\ncartoons was to be published in early January, timed to coincide with the eighth anniversary of an attack by two\r\nal-Qa’ida in the Arabian Peninsula (AQAP)-inspired assailants on the magazine’s offices.\r\nHoly Souls advertised the cache of data for sale for 20 BTC (equal to roughly $340,000 at the time). 
The release\r\nof the full cache of stolen data – assuming the hackers actually have the data they claim to possess – would\r\nessentially constitute the mass doxing of the readership of a publication that has already been subject to extremist\r\nthreats (2020) and deadly terror attacks (2015). Lest the allegedly stolen customer data be dismissed as fabricated,\r\nFrench paper of record Le Monde was able to verify “with multiple victims of this leak” the veracity of the sample\r\ndocument published by Holy Souls.\r\nAfter Holy Souls posted the sample data on YouTube and multiple hacker forums, the leak was amplified by a\r\nconcerted operation across several social media platforms. This amplification effort made use of a particular set of\r\ninfluence tactics, techniques and procedures (TTPs) DTAC has witnessed before in Iranian hack-and-leak\r\ninfluence operations.\r\nThe attack coincided with criticism of the cartoons from the Iranian government. On January 4, Iranian Foreign\r\nMinister Hossein Amir-Abdollahian tweeted: “The insulting and discourteous action of the French publication\r\n[…] against the religious and political-spiritual authority will not be […] left without a response.” That same day,\r\nthe Iranian Foreign Ministry summoned the French Ambassador to Iran over Charlie Hebdo’s “insult.” On January\r\n5, Iran shuttered the French Institute for Research in Iran in what the Iranian Foreign Ministry described as a “first\r\nstep,” and said it would “seriously pursue the case and take the required measures.”\r\nSource: https://www.microsoft.com/en-us/security/business/security-insider/threat-briefs/iran-response-for-charlie-hebdo-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/business/security-insider/threat-briefs/iran-response-for-charlie-hebdo-attacks/"
	],
	"report_names": [
		"iran-response-for-charlie-hebdo-attacks"
	],
	"threat_actors": [
		{
			"id": "07131850-5161-48b8-98be-6b0271d44d0e",
			"created_at": "2024-01-23T13:22:35.085803Z",
			"updated_at": "2026-04-10T02:00:03.521854Z",
			"deleted_at": null,
			"main_name": "Cotton Sandstorm",
			"aliases": [
				"Emennet Pasargad",
				"Holy Souls",
				"MARNANBRIDGE",
				"NEPTUNIUM",
				"HAYWIRE KITTEN"
			],
			"source_name": "MISPGALAXY:Cotton Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434930,
	"ts_updated_at": 1775792064,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84319f3dc52080e9a3575970c41c8b1df3b628c8.pdf",
		"text": "https://archive.orkl.eu/84319f3dc52080e9a3575970c41c8b1df3b628c8.txt",
		"img": "https://archive.orkl.eu/84319f3dc52080e9a3575970c41c8b1df3b628c8.jpg"
	}
}