{
	"id": "9c04ea7c-63df-47fc-88d4-400624bfefd2",
	"created_at": "2026-04-06T00:09:25.783716Z",
	"updated_at": "2026-04-10T03:37:40.832987Z",
	"deleted_at": null,
	"sha1_hash": "8d41c61031d5a8513d30ffd0518a59e9ae0530cd",
	"title": "Defending against evolving identity attack techniques | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 924908,
	"plain_text": "Defending against evolving identity attack techniques | Microsoft Security Blog\r\nBy Igor Sakhnov\r\nPublished: 2025-05-29 · Archived: 2026-04-05 13:51:13 UTC\r\n
In today’s evolving cyber threat landscape, threat actors are committed to advancing the sophistication of their attacks. The increasing adoption of essential security features like multifactor authentication (MFA), passwordless solutions, and robust email protections has changed many aspects of the phishing landscape, and threat actors are more motivated than ever to acquire credentials—particularly for enterprise cloud environments. Despite these evolutions, social engineering—the technique of convincing or deceiving users into downloading malware, directly divulging credentials, or more—remains a key aspect of phishing attacks.\r\n
Implementing phishing-resistant and passwordless solutions, such as passkeys, can help organizations improve their security stance against advanced phishing attacks. Microsoft is dedicated to enhancing protections against phishing attacks and making it more challenging for threat actors to exploit human vulnerabilities. In this blog, I’ll cover techniques that Microsoft has observed threat actors use for phishing and social engineering attacks that aim to compromise cloud identities. I’ll also share what organizations can do to defend themselves against this constant threat.\r\n
While the examples in this blog do not represent the full range of phishing and social engineering attacks being leveraged against enterprises today, they demonstrate several efficient techniques of threat actors tracked by Microsoft Threat Intelligence. Understanding these techniques and hardening your organization with the guidance included here will help contribute to a significant part of your defense-in-depth approach.\r\n
Pre-compromise techniques for stealing identities\r\n
Modern phishing techniques attempt to defeat authentication flows\r\n
Adversary-in-the-middle (AiTM)\r\n
Today’s authentication methods have changed the phishing landscape. The most prevalent example is the increase in adversary-in-the-middle (AiTM) credential phishing as the adoption of MFA grows. The phish kits available from phishing-as-a-service (PhaaS) platforms have further increased the impact of AiTM threats; the Evilginx phish kit, for example, has been used by multiple threat actors in the past year, from the prolific phishing operator Storm-0485 to the Russian espionage actor Star Blizzard.\r\n
Evilginx is an open-source framework that provides AiTM capabilities by deploying a proxy server between a target user and the website that the user wishes to visit (which the threat actor impersonates). Microsoft tracked Storm-0485 directing targets to Evilginx infrastructure using lures with themes such as payment remittance, shared documents, and fake LinkedIn account verifications, all designed to prompt a quick response from the recipient. Storm-0485 also consistently uses evasion tactics, notably passing initial links through obfuscated Google Accelerated Mobile Pages (AMP) URLs to make links harder to identify as malicious.\r\n
https://www.microsoft.com/en-us/security/blog/2025/05/29/defending-against-evolving-identity-attack-techniques/\r\nPage 1 of 10\r\n
Figure 1. Example of Storm-0485’s fake LinkedIn verify account lure\r\n
To protect against AiTM attacks, consider complementing MFA with risk-based Conditional Access policies, available in Microsoft Entra ID Protection, where sign-in requests are evaluated using additional identity-driven signals like IP address location information or device status, among others. These policies use real-time and offline detections to assess the risk level of sign-in attempts and user activities. This dynamic evaluation helps mitigate risks associated with token replay and session hijacking attempts common in AiTM phishing campaigns. Additionally, consider implementing Zero Trust network security solutions, such as Global Secure Access, which provides a unified pane of glass for secure access management of networks, identities, and endpoints.\r\n
Device code phishing\r\n
Device code phishing is a relatively new technique that multiple threat actors have incorporated into their attacks. In device code phishing, threat actors like Storm-2372 exploit the device code authentication flow to capture authentication tokens, which they then use to access target accounts. Storm-1249, a China-based espionage actor, typically uses generic phishing lures—with topics like taxes, civil service, and even book pre-orders—to target high-level officials at organizations of interest. Microsoft has also observed device code phishing being used for post-compromise activity, which is discussed further in a later section.\r\n
At Microsoft, we strongly encourage organizations to block device code flow where possible; if needed, configure Microsoft Entra ID’s device code flow in your Conditional Access policies.\r\n
OAuth consent phishing\r\n
Another modern phishing technique is OAuth consent phishing, where threat actors employ the Open Authorization (OAuth) protocol and send emails with a malicious consent link for a third-party application. Once the target clicks the link and authorizes the application, the threat actor gains access tokens with the requested scopes and refresh tokens for persistent access to the compromised account. In one OAuth consent phishing campaign recently identified by Microsoft, even if a user declines the requested app permissions (by clicking Cancel on the prompt), the user is still sent to the app’s reply URL, and from there redirected to an AiTM domain for a second phishing attempt.\r\n
Figure 2. OAuth app prompt seeks account permissions\r\n
You can prevent employees from providing consent to specific apps or categories of apps that are not approved by your organization by configuring app consent policies to restrict user consent operations. For example, configure policies to allow user consent only to apps requesting low-risk permissions with verified publishers, or apps registered within your tenant.\r\n
Device join phishing\r\n
Finally, it’s worth highlighting recent device join phishing operations, where threat actors use a phishing link to trick targets into authorizing the domain-join of an actor-controlled device. Since April 2025, Microsoft has observed suspected Russian-linked threat actors using third-party application messages or emails referencing upcoming meeting invitations to deliver a malicious link containing a valid authorization code. When clicked, the link returns a token for the Device Registration Service, allowing registration of the threat actor’s device to the tenant. You can harden against this type of phishing attack by requiring authentication strength for device registration in your environment.\r\n
Lures remain an effective phishing weapon\r\n
While both end users and automated security measures have become more capable at identifying malicious phishing attachments and links, motivated threat actors continue to rely on exploiting human behavior with convincing lures. As these attacks hinge on deceiving users, user training and awareness of commonly identified social engineering techniques are key to defending against them.\r\n
Impersonation lures\r\n
One of the most effective ways Microsoft has observed threat actors deliver lures is by impersonating people familiar to the target or using malicious infrastructure spoofing legitimate enterprise resources. In the last year, Star Blizzard has shifted from primarily using weaponized document attachments in emails to spear phishing with a malicious link leading to an AiTM page to target the government, non-governmental organization (NGO), and academic sectors. The threat actor’s highly personalized emails impersonate individuals from whom the target would reasonably expect to receive emails, including known political and diplomatic figures, making the target more likely to be deceived by the phishing attempt.\r\n
Figure 3. Star Blizzard file share spear-phishing email\r\n
QR codes\r\n
We have seen threat actors regularly iterating on the types of lure links incorporated into their attacks to make social engineering more effective. As QR codes have become a ubiquitous feature in communications, threat actors have adopted their use as well. For example, over the past two years, Microsoft has seen multiple actors incorporate QR codes, encoded with links to AiTM phishing pages, into opportunistic tax-themed phishing campaigns.\r\n
The threat actor Star Blizzard has even leveraged nonfunctional QR codes as part of a spear-phishing campaign offering target users an opportunity to join a WhatsApp group: the initial spear-phishing email contained a broken QR code to encourage the targeted users to contact the threat actor. Star Blizzard’s follow-on email included a URL that redirected to a webpage with a legitimate QR code, used by WhatsApp for linking a device to a user’s account, giving the actor access to the user’s WhatsApp account.\r\n
Use of AI\r\n
Threat actors are increasingly leveraging AI to enhance the quality and volume of phishing lures. As AI tools become more accessible, these actors are using them to craft more convincing and sophisticated lures. In a collaboration with OpenAI, Microsoft Threat Intelligence has seen threat actors such as Emerald Sleet and Crimson Sandstorm interacting with large language models (LLMs) to support social engineering operations. This includes activities such as drafting phishing emails and generating content likely intended for spear-phishing campaigns.\r\n
We have also seen suspected use of generative AI to craft messages in a large-scale credential phishing campaign against the hospitality industry, based on the variations of language used across identified samples. The initial email contains a request for information designed to elicit a response from the target and is then followed by a more generic phishing email containing a lure link to an AiTM phishing site.\r\n
Figure 4. One of multiple suspected AI-generated phishing emails in a widespread phishing campaign\r\n
AI helps eliminate the common grammar mistakes and awkward phrasing that once made phishing attempts easier to spot. As a result, today’s phishing lures are more polished and harder for users to detect, increasing the likelihood of successful compromise. This evolution underscores the importance of securing identities in addition to user awareness training.\r\n
Phishing risks continue to expand beyond email\r\n
Enterprise communication methods have diversified to support a distributed workforce and business operations, so phishing has expanded well beyond email messages. Microsoft has seen multiple threat actors abusing enterprise communication applications to deliver phishing messages, and we’ve also observed continued interest by threat actors in leveraging non-enterprise applications and social media sites to reach targets.\r\n
Teams phishing\r\n
Microsoft Threat Intelligence has been closely tracking and responding to the abuse of the Microsoft Teams platform in phishing attacks and has taken action against confirmed malicious tenants by blocking their ability to send messages. The cybercrime access broker Storm-1674, for example, creates fraudulent tenants and uses them to set up Teams meetings, sending chat messages to potential victims through the meeting’s chat functionality; more recently, since November 2024, the threat actor has started compromising tenants and directly calling users over Teams to phish for credentials as well. Businesses can follow our security best practices for Microsoft Teams to further defend against attacks from external tenants.\r\n
Outside of business-managed applications, employees’ activity on social media sites and third-party communication platforms has widened the digital footprint for phishing attacks. For instance, while the Iranian threat actor Mint Sandstorm primarily uses spear-phishing emails, they have also sent phishing links to targets on social media sites, including Facebook and LinkedIn, to target high-profile individuals in government and politics. Mint Sandstorm, like many threat actors, also customizes and enhances their phishing messages by gathering publicly available information, such as personal email addresses and contacts, of their targets on social media platforms. Global Secure Access (GSA) is one solution that can reduce this type of phishing activity and manage access to social media sites on company-owned devices.\r\n
Post-compromise identity attacks\r\n
In addition to using phishing techniques for initial access, in some cases threat actors leverage the identity acquired from their first-stage phishing attack to launch subsequent phishing attacks. These follow-on phishing activities enable threat actors to move laterally within an organization, maintain persistence across multiple identities, and potentially acquire access to a more privileged account or to a third-party organization.\r\n
You can harden your environment against internal phishing activity by configuring the Microsoft Defender for Office 365 Safe Links policy to apply to internal recipients as well as by educating users to be wary of unsolicited documents and to report suspected phishing messages.\r\n
AiTM phishing crafted using legitimate company resources\r\n
Storm-0539, a threat actor that persistently targets the retail industry for gift card fraud, uses their initial access to a compromised identity to acquire legitimate emails—such as help desk tickets—that serve as templates for phishing emails. The crafted emails contain links directing users to AiTM phishing pages that mimic the federated identity service provider of the compromised organization. Because the emails resemble the organization’s legitimate messages, lead to convincing AiTM landing pages, and are sent from an internal account, they can be highly convincing. In this way, Storm-0539 moves laterally, seeking an identity with access to key cloud resources.\r\n
Intra-organization device code phishing\r\n
In addition to their use of device code phishing for initial access, Storm-2372 also leverages this technique in their lateral movement operations. The threat actor uses compromised accounts to send out internal emails with subjects such as “Document to review” and containing a device code authentication phishing payload. Because of the way device code authentication works, the payloads only work for 15 minutes, so Microsoft has seen multiple waves of post-compromise phishing attacks as the threat actor searches for additional credentials.\r\n
Figure 5. Storm-2372 lateral movement attempt contains device code phishing payload\r\n
Defending against credential phishing and social engineering\r\n
Defending against phishing attacks begins at the primary gateways: email and other communication platforms. Review our recommended settings for Exchange Online Protection and Microsoft Defender for Office 365, or the equivalent for your email security solution, to ensure your organization has established essential defenses and knows how to monitor and respond to threat activity.\r\n
A holistic security posture for phishing must also account for the human aspect of social engineering. Investing in user awareness training and phishing simulations is critical for arming employees with the knowledge needed to defend against tried-and-true social engineering methods. Training can also help when threat actors inevitably refine and improve their techniques. Attack simulation training in Microsoft Defender for Office 365, which also includes simulating phishing messages in Microsoft Teams, is one approach to running realistic attack scenarios in your organization.\r\n
Hardening credentials and cloud identities is also necessary to defend against phishing attacks. By implementing the principles of least privilege and Zero Trust, you can significantly slow down determined threat actors who may have been able to gain initial access and buy time for defenders to respond. To get started, follow our steps to configure Microsoft Entra with increased security.\r\n
As part of hardening cloud identities, authentication using passwordless solutions like passkeys is essential, and implementing MFA remains a core pillar in identity security. Use the Microsoft Authenticator app for passkeys and MFA, and complement MFA with Conditional Access policies, where sign-in requests are evaluated using additional identity-driven signals. Conditional Access policies can also be scoped to strengthen privileged accounts with phishing-resistant MFA. Your passkey and MFA policy can be further secured by only allowing MFA and passkey registrations from trusted locations and devices.\r\n
Finally, a Security Service Edge solution like Global Secure Access (GSA) provides identity-focused secure network access. GSA can help to secure access to any app or resource using network, identity, and endpoint access controls.\r\n
Among Microsoft Incident Response cases over the past year where we identified the initial access vector, almost a quarter incorporated phishing or social engineering. To achieve phishing resistance and limit the opportunity to exploit human behavior, begin planning for passkey rollouts in your organization today, and, at a minimum, prioritize phishing-resistant MFA for privileged accounts as you evaluate the effect of this security measure on your wider organization. In the meantime, use the other defense-in-depth approaches I’ve recommended in this blog to defend against phishing and social engineering attacks.\r\n
Stay vigilant and prioritize your security at every step.\r\n
Recommendations\r\n
Several recommendations were made throughout this blog to address some of the specific techniques being used by threat actors tracked by Microsoft, along with essential practices for securing identities. Here is a consolidated list for your security team to evaluate.\r\n
Configure Microsoft Entra with increased security.\r\n
Use the Microsoft Authenticator app for passkeys and MFA.\r\n
Strengthen privileged accounts with phishing-resistant MFA.\r\n
Complement MFA with risk-based Conditional Access policies, where sign-in requests are evaluated using additional identity-driven signals like IP address location information or device status, among others. Implementing Microsoft Entra ID Protection with these policies can automatically block or challenge access based on indicators like unfamiliar sign-in patterns or potential token theft attempts. When combined with Global Secure Access (GSA), organizations can extend this protection by enforcing Conditional Access decisions at the network layer to help secure access to any app or resource.\r\n
Only allow MFA and passkey registrations from trusted locations and devices.\r\n
Review our recommended settings for Exchange Online Protection and Microsoft Defender for Office 365.\r\n
Use attack simulation training in Microsoft Defender for Office 365, which also includes simulating phishing messages in Microsoft Teams, to run realistic attack scenarios in your organization for educating users.\r\n
Use Global Secure Access to secure access to any app or resource using network, identity, and endpoint access controls.\r\n
Block device code flow where possible; if needed, configure Microsoft Entra ID’s device code flow in your Conditional Access policies.\r\n
Configure app consent policies to restrict user consent operations. For example, configure policies to allow user consent only to apps requesting low-risk permissions with verified publishers, or apps registered within your tenant.\r\n
Require authentication strength for device registration in your environment.\r\n
Follow our security best practices for Microsoft Teams.\r\n
Configure the Microsoft Defender for Office 365 Safe Links policy to apply to internal recipients.\r\n
At Microsoft, we are accelerating security with our work on the Secure by Default framework. Specific Microsoft-managed policies are enabled for every new tenant and raise your security posture with security defaults that provide a baseline of protection for Entra ID and resources like Office 365.\r\n
Learn more\r\n
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.\r\n
To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.\r\n
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.\r\n
Source: https://www.microsoft.com/en-us/security/blog/2025/05/29/defending-against-evolving-identity-attack-techniques/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2025/05/29/defending-against-evolving-identity-attack-techniques/"
	],
	"report_names": [
		"defending-against-evolving-identity-attack-techniques"
	],
	"threat_actors": [
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "84a3dd71-1d65-4997-80fc-7fbe55b267f2",
			"created_at": "2023-04-26T02:03:02.969306Z",
			"updated_at": "2026-04-10T02:00:05.341127Z",
			"deleted_at": null,
			"main_name": "CURIUM",
			"aliases": [
				"CURIUM",
				"Crimson Sandstorm",
				"TA456",
				"Tortoise Shell",
				"Yellow Liderc"
			],
			"source_name": "MITRE:CURIUM",
			"tools": [
				"IMAPLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb317a88-9474-4329-90a0-ae7e632ac75b",
			"created_at": "2024-02-02T02:00:04.082914Z",
			"updated_at": "2026-04-10T02:00:03.557196Z",
			"deleted_at": null,
			"main_name": "Storm-0539",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-0539",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb659063-c5d1-4fff-8b5d-757313579506",
			"created_at": "2025-03-07T02:00:03.807343Z",
			"updated_at": "2026-04-10T02:00:03.83499Z",
			"deleted_at": null,
			"main_name": "Storm-2372",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-2372",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00",
			"created_at": "2022-10-25T16:07:24.337332Z",
			"updated_at": "2026-04-10T02:00:04.94285Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Cobalt Fireside",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Curium",
				"Devious Serpens",
				"Houseblend",
				"Imperial Kitten",
				"Marcella Flores",
				"Operation Fata Morgana",
				"TA456",
				"Yellow Liderc"
			],
			"source_name": "ETDA:Tortoiseshell",
			"tools": [
				"IMAPLoader",
				"Infostealer",
				"IvizTech",
				"LEMPO",
				"MANGOPUNCH",
				"SysKit",
				"get-logon-history.ps1",
				"liderc",
				"stereoversioncontrol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fa806f03-ec33-42db-99ee-59db37666ee0",
			"created_at": "2024-02-02T02:00:04.090714Z",
			"updated_at": "2026-04-10T02:00:03.566756Z",
			"deleted_at": null,
			"main_name": "Storm-1674",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-1674",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47",
			"created_at": "2025-08-07T02:03:24.726943Z",
			"updated_at": "2026-04-10T02:00:03.805423Z",
			"deleted_at": null,
			"main_name": "COBALT FIRESIDE",
			"aliases": [
				"CURIUM ",
				"Crimson Sandstorm ",
				"Cuboid Sandstorm ",
				"DEV-0228 ",
				"HIVE0095 ",
				"Imperial Kitten ",
				"TA456 ",
				"Tortoiseshell ",
				"UNC3890 ",
				"Yellow Liderc "
			],
			"source_name": "Secureworks:COBALT FIRESIDE",
			"tools": [
				"FireBAK",
				"LEMPO",
				"LiderBird"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434165,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8d41c61031d5a8513d30ffd0518a59e9ae0530cd.pdf",
		"text": "https://archive.orkl.eu/8d41c61031d5a8513d30ffd0518a59e9ae0530cd.txt",
		"img": "https://archive.orkl.eu/8d41c61031d5a8513d30ffd0518a59e9ae0530cd.jpg"
	}
}