{
	"id": "2c18365d-f3a1-4002-9dc2-d350b8e757a0",
	"created_at": "2026-04-06T00:13:07.663165Z",
	"updated_at": "2026-04-10T03:36:17.211547Z",
	"deleted_at": null,
	"sha1_hash": "a34004b4d275114730ef1bad6c4a675d2a04f01d",
	"title": "Threat intelligence | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 249262,
	"plain_text": "Threat intelligence | Microsoft Security Blog\r\nPublished: 2026-04-01 · Archived: 2026-04-05 21:27:36 UTC\r\nThe Microsoft Threat Intelligence community is made up of world-class experts, security researchers, analysts, and threat hunters who analyze 100 trillion signals daily to discover threats and deliver timely, relevant insight to protect customers. See our latest findings, insights, and guidance.\r\nMitigating the Axios npm supply chain compromise\r\nhttps://www.microsoft.com/security/blog/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility\r\nPage 1 of 3\r\nOn March 31, 2026, the popular HTTP client Axios experienced a supply chain attack, which caused two newly published npm package versions to download from command-and-control (C2) infrastructure that Microsoft Threat Intelligence has attributed to the North Korean state actor Sapphire Sleet.\r\nWhen tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures\r\nDuring tax season, threat actors reliably take advantage of the urgency and familiarity of time-sensitive emails, including refund notices, payroll forms, filing reminders, and requests from tax professionals, to push malicious attachments, links, or QR codes.\r\nStorm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft\r\nStorm-2561 uses SEO poisoning to push fake VPN downloads that install signed trojans and steal VPN credentials.\r\nAI as tradecraft: How threat actors operationalize AI\r\nThreat actors are operationalizing AI to scale and sustain malicious activity, accelerating tradecraft and increasing risk for defenders, as illustrated by recent activity from North Korean groups such as Jasper Sleet and Coral Sleet (formerly Storm-1877).\r\nInside Tycoon2FA: How a leading AiTM phishing kit operated at scale\r\nTycoon2FA has become a leading phishing-as-a-service (PhaaS) platform, enabling campaigns that reach over 500,000 organizations monthly, prompting Microsoft’s Digital Crimes Unit (DCU) to work with Europol and industry partners to facilitate a disruption of Tycoon2FA’s infrastructure and operations.\r\nInside RedVDS: How a single virtual desktop provider fueled worldwide cybercriminal operations\r\nMicrosoft’s investigation into RedVDS services and infrastructure uncovered a global network of disparate cybercriminals purchasing and using those services to target multiple sectors.\r\nPhishing actors exploit complex routing and misconfigurations to spoof domains\r\nThreat actors are exploiting complex routing scenarios and misconfigured spoof protections to send spoofed phishing emails, crafted to appear as internally sent messages.\r\nDefending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components\r\nCVE-2025-55182 (also referred to as React2Shell; it includes CVE-2025-66478, which was merged into it) is a critical pre-authentication remote code execution (RCE) vulnerability affecting React Server Components and related frameworks.\r\nShai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack\r\nThe Shai‑Hulud 2.0 supply chain attack represents one of the most significant cloud-native ecosystem compromises observed recently.\r\nSesameOp: Novel backdoor uses OpenAI Assistants API for command and control\r\nMicrosoft Incident Response – Detection and Response Team (DART) researchers uncovered a new backdoor that is notable for its novel use of the OpenAI Assistants Application Programming Interface (API) as a mechanism for command-and-control (C2) communications.\r\nInside the attack chain: Threat activity targeting Azure Blob Storage\r\nAzure Blob Storage is a high-value target for threat actors due to its critical role in storing and managing massive amounts of unstructured data at scale across diverse workloads, and it is increasingly targeted through sophisticated attack chains that exploit misconfigurations, exposed credentials, and evolving cloud tactics.\r\nInvestigating targeted “payroll pirate” attacks affecting US universities\r\nMicrosoft Threat Intelligence has identified a financially motivated threat actor that we track as Storm-2657 compromising employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts, attacks that have been dubbed “payroll pirate”.\r\nSource: https://www.microsoft.com/security/blog/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility"
	],
	"report_names": [
		"platinum-continues-to-evolve-find-ways-to-maintain-invisibility"
	],
	"threat_actors": [
		{
			"id": "32e2c6f9-a1f5-42bc-ac1d-5d9dc301cf0e",
			"created_at": "2025-08-07T02:03:25.078429Z",
			"updated_at": "2026-04-10T02:00:03.811418Z",
			"deleted_at": null,
			"main_name": "NICKEL ALLEY",
			"aliases": [
				"CL-STA-0240 ",
				"Purplebravo Recorded Future",
				"Storm-1877 ",
				"Tenacious Pungsan "
			],
			"source_name": "Secureworks:NICKEL ALLEY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "810fada6-3a62-477e-ac11-2702f9a1ef80",
			"created_at": "2023-01-06T13:46:38.874104Z",
			"updated_at": "2026-04-10T02:00:03.129286Z",
			"deleted_at": null,
			"main_name": "STARDUST CHOLLIMA",
			"aliases": [
				"Sapphire Sleet"
			],
			"source_name": "MISPGALAXY:STARDUST CHOLLIMA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d8ef10e-1d7b-49a0-ab6e-f1dae465a1a4",
			"created_at": "2023-01-06T13:46:38.595679Z",
			"updated_at": "2026-04-10T02:00:03.033762Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"TwoForOne",
				"G0068",
				"ATK33"
			],
			"source_name": "MISPGALAXY:PLATINUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e61c46f7-88a1-421a-9fed-0cfe2eeb820a",
			"created_at": "2022-10-25T16:07:24.061767Z",
			"updated_at": "2026-04-10T02:00:04.854503Z",
			"deleted_at": null,
			"main_name": "Platinum",
			"aliases": [
				"ATK 33",
				"G0068",
				"Operation EasternRoppels",
				"TwoForOne"
			],
			"source_name": "ETDA:Platinum",
			"tools": [
				"AMTsol",
				"Adupib",
				"Adupihan",
				"Dipsind",
				"DvDupdate.dll",
				"JPIN",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"RedPepper",
				"RedSalt",
				"Titanium",
				"adbupd",
				"psinstrc.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "33f527a5-a5da-496a-a48c-7807cc858c3e",
			"created_at": "2022-10-25T15:50:23.803657Z",
			"updated_at": "2026-04-10T02:00:05.333523Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"PLATINUM"
			],
			"source_name": "MITRE:PLATINUM",
			"tools": [
				"JPIN",
				"Dipsind",
				"adbupd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d9069339-ff51-49f4-a04a-90def2a03d20",
			"created_at": "2026-01-23T02:00:03.280976Z",
			"updated_at": "2026-04-10T02:00:03.926956Z",
			"deleted_at": null,
			"main_name": "Storm-2657",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-2657",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ef59a0d9-c556-4448-8553-ed28f315d352",
			"created_at": "2025-06-29T02:01:57.047978Z",
			"updated_at": "2026-04-10T02:00:04.744218Z",
			"deleted_at": null,
			"main_name": "Operation Contagious Interview",
			"aliases": [
				"Jasper Sleet",
				"Nickel Tapestry",
				"Operation Contagious Interview",
				"PurpleBravo",
				"Storm-0287",
				"Tenacious Pungsan",
				"UNC5267",
				"Wagemole",
				"WaterPlum"
			],
			"source_name": "ETDA:Operation Contagious Interview",
			"tools": [
				"BeaverTail",
				"InvisibleFerret",
				"OtterCookie",
				"PylangGhost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434387,
	"ts_updated_at": 1775792177,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a34004b4d275114730ef1bad6c4a675d2a04f01d.pdf",
		"text": "https://archive.orkl.eu/a34004b4d275114730ef1bad6c4a675d2a04f01d.txt",
		"img": "https://archive.orkl.eu/a34004b4d275114730ef1bad6c4a675d2a04f01d.jpg"
	}
}