{
	"id": "95a92435-61a3-4451-b758-bd0c0163e1cb",
	"created_at": "2026-04-06T00:15:56.427266Z",
	"updated_at": "2026-04-10T13:12:33.526008Z",
	"deleted_at": null,
	"sha1_hash": "961251252785c0928138223d53f8ba7ba0d792ca",
	"title": "Probing Pawn Storm: Cyberespionage Campaign Through Scanning, Credential Phishing and More",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 276539,
	"plain_text": "Probing Pawn Storm: Cyberespionage Campaign Through Scanning, Credential Phishing and More\r\nBy Feike Hacquebord (Trend Micro Research)\r\nArchived: 2026-04-05 18:26:30 UTC\r\nPawn Storm, an ongoing cyberespionage campaign with activities that can be traced as far back as 2004, has gained notoriety after aiming cyber-attacks at defense contractor personnel, embassies, and military forces of the United States and its allies, as well as international media and citizens across different civilian industries and sectors, among other targets.\r\nFor years, Trend Micro has been closely monitoring Pawn Storm and its various attack vectors and methodologies, which have been generally facilitated for geopolitical disruption and espionage. This newer operation has employed a number of attack methods, including the use of spear-phishing emails against high-profile targets, a staple in Pawn Storm's arsenal. Here are some of the many threats the group has wielded against its targets:\r\nWatering hole attacks against compromised websites frequently visited by targets\r\nOpen Authentication (OAuth) abuse for compromising targets in advanced social engineering schemes\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/probing-pawn-storm-cyberespionage-campaign-through-scanning-credential-phishing-and-more\r\nPage 1 of 4\r\nPrivate exploit kit that included zero-days and common vulnerabilities used to infect targets\r\niOS spyware specifically designed for espionage\r\nTabnabbing for persuading users into submitting credentials to known (impersonated) sites\r\nWe have uncovered more information on the group's current attack methods, which primarily centered on scanning for servers and credential phishing among high-profile entities. Below we give an overview of our other notable findings from the past year.\r\nFigure: The setup Pawn Storm frequently used to send out credential phishing spam in 2019\r\nSince May 2019, Pawn Storm has been abusing compromised email addresses to send credential phishing spam. The majority of the compromised systems were from defense companies in the Middle East. Other targets included organizations in the transportation, utilities, and government sectors.\r\nPawn Storm also regularly probed many email and Microsoft Exchange Autodiscover servers across the world. The group looked for vulnerable systems in an attempt to brute-force credentials, exfiltrate email data, and send out waves of spam.\r\nFigure: The setup we used to monitor Pawn Storm's email campaigns for more than two years\r\nOur more than two-year-long monitoring of all DNS requests for Pawn Storm's domains also enabled us to monitor and detect credential phishing campaigns that the group has facilitated from their servers from 2017 to 2019. The campaigns included spam waves against webmail providers in the United States, Russia, and Iran.\r\nOur research, \"Pawn Storm in 2019: A Year of Scanning and Credential Phishing on High-Profile Targets,\" covers these developments and the group's other noteworthy activities, what organizations can best do to minimize the risk of compromise across all layers, and indicators of compromise.\r\nTrend Micro Solutions\r\nOrganizations and governments can benefit from advanced Trend Micro solutions that can proactively keep IT environments protected from a wide range of cybersecurity threats. The Trend Micro™ XDR solution effectively protects connected emails, endpoints, servers, cloud workloads, and networks. Trend Micro XDR uses powerful AI and expert security analytics to correlate data, as well as deliver fewer yet higher-fidelity alerts for early threat detection. In a single console, it provides a broader perspective of enterprise systems while at the same time giving a more focused and optimized set of alerts. This allows IT security teams to have better context for identifying threats more quickly and therefore to understand and remediate impact much more effectively.\r\nMeanwhile, Trend Micro Managed XDR provides expert threat monitoring, correlation, and analysis from skilled and seasoned Managed Detection and Response analysts. Managed XDR is a flexible, 24/7 service that allows organizations to have one single source of detection, analysis, and response. Analyst expertise is enhanced by Trend Micro solutions that are optimized by AI and enriched by global threat intelligence. The Managed XDR service allows organizations to expand with the cloud without sacrificing security or overburdening IT teams.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/probing-pawn-storm-cyberespionage-campaign-through-scanning-credential-phishing-and-more"
	],
	"report_names": [
		"probing-pawn-storm-cyberespionage-campaign-through-scanning-credential-phishing-and-more"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434556,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/961251252785c0928138223d53f8ba7ba0d792ca.pdf",
		"text": "https://archive.orkl.eu/961251252785c0928138223d53f8ba7ba0d792ca.txt",
		"img": "https://archive.orkl.eu/961251252785c0928138223d53f8ba7ba0d792ca.jpg"
	}
}