{
	"id": "276c630c-8242-427e-bb1b-09ef2742fee8",
	"created_at": "2026-04-06T00:12:41.769196Z",
	"updated_at": "2026-04-10T13:12:27.115719Z",
	"deleted_at": null,
	"sha1_hash": "a54bd1f27399a269ee64d956c942f5beec1a9c6b",
	"title": "Threat actors leverage tax season to deploy tax-themed phishing campaigns | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1334232,
	"plain_text": "Threat actors leverage tax season to deploy tax-themed phishing\r\ncampaigns | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2025-04-03 · Archived: 2026-04-05 14:37:38 UTC\r\nMarch 2026 update: Every year, there is an observable uptick in tax-themed campaigns as Tax Day (April 15) approaches\r\nin the United States, and 2026 is no different: When tax season becomes cyberattack season: Phishing and malware\r\ncampaigns using tax-related lures.\r\nAs Tax Day approaches in the United States on April 15, Microsoft has observed several phishing campaigns using tax-related themes for social engineering to steal credentials and deploy malware. These campaigns notably use redirection\r\nmethods such as URL shorteners and QR codes contained in malicious attachments and abuse legitimate services like file-hosting services and business profile pages to avoid detection. These campaigns lead to phishing pages delivered via the\r\nRaccoonO365 phishing-as-a-service (PhaaS) platform, remote access trojans (RATs) like Remcos, and other malware like\r\nLatrodectus, BruteRatel C4 (BRc4), AHKBot, and GuLoader.\r\nEvery year, threat actors use various social engineering techniques during tax season to steal personal and financial\r\ninformation, which can result in identity theft and monetary loss. These threat actors craft campaigns that mislead taxpayers\r\ninto revealing sensitive information, making payments to fake services, or installing malicious payloads. Although these are\r\nwell-known, longstanding techniques, they could still be highly effective if users and organizations don’t use advanced anti-phishing solutions and conduct user awareness and training. \r\nIn this blog, we share details on the different campaigns observed by Microsoft in the past several months leveraging the tax\r\nseason for social engineering. This also includes additional recommendations to help users and organizations defend against\r\ntax-centric threats. 
Microsoft Defender for Office 365 blocks and identifies the malicious emails and attachments used in the\r\nobserved campaigns. Microsoft Defender for Endpoint also detects and blocks a variety of threats and malicious activities\r\nrelated to, but not limited to, the tax threat landscape. Additionally, the United States Internal Revenue Service (IRS) does not\r\ninitiate contact with taxpayers by email, text message, or social media to request personal or financial information.\r\nBruteRatel C4 and Latrodectus delivered in tax and IRS-themed phishing emails\r\nOn February 6, 2025, Microsoft observed a phishing campaign that involved several thousand emails targeting the United\r\nStates. The campaign used tax-themed emails that attempted to deliver the red-teaming tool BRc4 and the Latrodectus\r\nmalware. Microsoft attributes this campaign to Storm-0249, an access broker active since 2021 and known for distributing,\r\nat minimum, BazaLoader, IcedID, Bumblebee, and Emotet malware. The following lists the details of the phishing emails\r\nused in the campaign:\r\nExample email subjects:\r\nNotice: IRS Has Flagged Issues with Your Tax Filing\r\nUnusual Activity Detected in Your IRS Filing\r\nImportant Action Required: IRS Audit\r\nExample PDF attachment names (note the lowercase l standing in for I in lrs, a lookalike for IRS):\r\nlrs_Verification_Form_1773.pdf\r\nlrs_Verification_Form_2182.pdf\r\nlrs_Verification_Form_222.pdf\r\nThe emails contained a PDF attachment with an embedded DoubleClick URL that redirected users to a Rebrandly URL\r\nshortening link. That link in turn redirected the browser to a landing site that displayed a fake DocuSign page hosted on a\r\ndomain masquerading as DocuSign. 
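Added example (Python, not code from the Microsoft post): the redirection tricks used across the campaigns in this post leave a signature in the link itself, a URL-shortener host (the Rebrandly link in the chain above), a query parameter whose value is an absolute URL to a different host (the open redirector abused in the AHKBot campaign), or a per-recipient email address in the query string (the RaccoonO365 QR code links). The script applies those three checks to a constructed sample set built from the post's defanged IOCs plus two benign links; the shortener host list and the email parameter name are assumptions.

```python
# Added example; not code from the Microsoft post. Flags the URL-based
# redirection tricks the post describes: an abused open redirector whose
# query parameter carries an absolute URL to another host, a link through
# a URL-shortening service, and a per-recipient link that carries the
# target's email address as a query parameter. Sample URLs are the post's
# defanged IOCs plus constructed benign ones; the shortener list and the
# 'email' parameter name are assumptions.
from urllib.parse import urlsplit, parse_qsl, unquote

# Hosts treated as URL shorteners (assumption; extend from your own intel).
SHORTENER_HOSTS = {'rebrand.ly', 'bit.ly', 'tinyurl.com', 't.co'}


def refang(url):
    # Undo the defanging conventions used in threat reports (hxxp, [.]).
    return url.replace('hxxp', 'http').replace('[.]', '.')


def looks_like_email(value):
    # Cheap check without regex: exactly one '@' and a dotted domain part.
    if value.count('@') != 1:
        return False
    local, _, domain = value.partition('@')
    return bool(local) and '.' in domain.strip('.')


def analyze_url(url):
    # Returns the link's host, a list of findings (possibly empty) and the
    # host the link ultimately points at once an open redirect is followed.
    parts = urlsplit(refang(url))
    host = (parts.hostname or '').lower()
    findings = []
    target = host
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        try:
            inner = urlsplit(unquote(value))
        except ValueError:
            # Malformed netloc (for example an unbalanced IPv6 bracket).
            continue
        inner_host = (inner.hostname or '').lower()
        if inner.scheme in ('http', 'https') and inner_host and inner_host != host:
            findings.append('open_redirect')
            target = inner_host
        elif looks_like_email(value):
            findings.append('recipient_in_query')
    if host in SHORTENER_HOSTS:
        findings.append('shortener')
    return {'host': host, 'findings': findings, 'target': target}


def triage(urls):
    # Only the links with at least one finding, in input order.
    return [r for r in (analyze_url(u) for u in urls) if r['findings']]


# Constructed sample set: three links modelled on the post's IOC tables
# (the 'email' parameter name is invented) and two benign links.
SAMPLE_URLS = [
    'hxxps://business.google[.]com/website_shared/launch_bw.html?f=hxxps://historyofpia[.]com/Tax_Refund_Eligibility_Document.xlsm',
    'hxxp://rebrand[.]ly/243eaa',
    'hxxps://shareddocumentso365cloudauthstorage[.]com/?email=jane.doe@example.com',
    'https://www.irs.gov/privacy-disclosure/report-phishing',
    'https://example.com/search?q=tax+refund&page=2',
]

if __name__ == '__main__':
    for hit in triage(SAMPLE_URLS):
        print(hit['host'], hit['findings'], '->', hit['target'])
```

The open-redirect check deliberately compares the embedded host against the outer host rather than against an allowlist, so a legitimate-looking first hop such as business.google.com is still flagged when its parameter points elsewhere; the per-recipient check explains why blocking these attachments by hash is ineffective, since every PDF carried a different URL.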
When users clicked the Download button on the landing page, the outcome depended\r\non whether their system and IP address were allowed to access the next stage based on filtering rules set up by the threat\r\nactor:\r\nIf access was permitted, the user received a JavaScript file from Firebase, a platform sometimes misused by\r\ncybercriminals to host malware. If executed, this JavaScript file downloaded a Microsoft Software Installer (MSI)\r\ncontaining BRc4 malware, which then installed Latrodectus, a malicious tool used for further attacks.\r\nIf access was restricted, the user received a benign PDF file from royalegroupnyc[.]com. This served as a decoy to\r\nevade detection by security systems; it also means that a sandbox detonating the link from an IP range the actor did not\r\nallow will only ever see the decoy, not the payload.\r\nhttps://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/\r\nPage 1 of 9\n\nFigure 1. Sample phishing email that claims to be from the IRS\r\nFigure 2. PDF attachment masquerading as a DocuSign document\r\nLatrodectus is a loader primarily used for initial access and payload delivery. It features dynamic command-and-control (C2)\r\nconfigurations, anti-analysis checks such as a minimum process count and a network adapter check, and C2 check-in behavior that\r\nsplits the POST data between the Cookie header and the POST body. Latrodectus 1.9, the malware’s latest evolution first observed\r\nin February 2025, reintroduced scheduled tasks for persistence and added the ability to run Windows commands via the\r\ncommand prompt.\r\nBRc4 is an advanced adversary simulation and red-teaming framework designed to bypass modern security defenses, but it\r\nhas also been abused by threat actors for post-exploitation activities and C2 operations.\r\nPhishing email with QR code in a PDF links to RaccoonO365 infrastructure\r\nBetween February 12 and 28, 2025, tax-themed phishing emails were sent to over 2,300 organizations, mostly in the United\r\nStates in the engineering, IT, and consulting sectors. 
The emails had an empty body but contained a PDF attachment with a\r\nQR code and subjects indicating that the documents needed to be signed by the recipient. The QR code pointed to a\r\nhyperlink associated with a RaccoonO365 domain: shareddocumentso365cloudauthstorage[.]com. The URL included the\r\nrecipient email as a query string parameter, so the PDF attachments were all unique (a hash-based block on the attachment\r\ntherefore does not help; the domain is the stable indicator). RaccoonO365 is a PhaaS platform that\r\nprovides phishing kits that mimic Microsoft 365 sign-in pages to steal credentials. The URL was likely a phishing page used\r\nto collect the targeted user’s credentials.\r\nThe emails were sent with a variety of display names, which are the names that recipients see in their inboxes, to make the\r\nemails appear as if they came from an official source. The following display names were observed in these campaigns:\r\nEMPLOYEE TAX REFUND REPORT\r\nProject Funding Request Budget Allocation\r\nInsurance Payment Schedule Invoice Processing\r\nClient Contract Negotiation Service Agreement\r\nAdjustment Review Employee Compensation\r\nTax Strategy Update Campaign Goals\r\nTeam Bonus Distribution Performance Review\r\nproposal request\r\nHR|Employee Handbooks\r\nFigure 3. Screenshot of the opened PDF with the QR code\r\nAHKBot delivered in IRS-themed phishing emails\r\nOn February 13, 2025, Microsoft observed a campaign using an IRS-themed email that targeted users in the United States.\r\nThe email’s subject was IRS Refund Eligibility Notification and the sender was jessicalee@eboxsystems[.]com.\r\nThe email contained a hyperlink that directed users to download a malicious Excel file. The link\r\n(hxxps://business.google[.]com/website_shared/launch_bw[.]html?f=hxxps://historyofpia[.]com/Tax_Refund_Eligibility_Document[.]xlsm)\r\nabused an open redirector on what appeared to be a\r\nlegitimate Google Business page. 
It redirected users to historyofpia[.]com, which was likely compromised to host the\r\nmalicious Excel file. If the user opened the Excel file, they were prompted to enable macros, and if the user enabled macros,\r\na malicious MSI file was downloaded and run.\r\nThe MSI file contained two files. The first file, AutoNotify.exe, is a legitimate copy of the executable used to run\r\nAutoHotKey script files. The second file, AutoNotify.ahk, is an AHKBot Looper script, which is a simple infinite loop that\r\nreceives and runs additional AutoHotKey scripts. The AHKBot Looper was in turn observed downloading the Screenshotter\r\nmodule, which includes code to capture screenshots from the compromised device. Both Looper and Screenshotter used the\r\nC2 IP address 181.49.105[.]59 to receive commands and upload screenshots.\r\nFigure 4. Screenshot of the email showing the link to download a malicious Excel file\r\nFigure 5. Macro code to install the malicious MSI file from hxxps://acusense[.]ae/umbrella/\r\nGuLoader and Remcos delivered in tax-themed phishing emails\r\nOn March 3, 2025, Microsoft observed a tax-themed phishing campaign targeting CPAs and accountants in the United\r\nStates, attempting to deliver GuLoader and Remcos malware. The campaign, which consisted of fewer than 100 emails, began\r\nwith a benign rapport-building email from a fake persona asking for tax filing services due to negligence by a previous CPA.\r\nIf the recipient replied, they would then receive a second email with the malicious PDF. This technique increases the click\r\nrates on the malicious payloads due to the established rapport between attacker and recipient.\r\nThe malicious PDF attachment contained an embedded URL. If the attachment was opened and the URL clicked, a ZIP file\r\nwas downloaded from Dropbox. The ZIP file contained various .lnk files set up to mimic tax documents. 
If launched by the\r\nuser, the .lnk file used PowerShell to download a PDF and a .bat file. The .bat file in turn downloaded the GuLoader\r\nexecutable, which then installed Remcos.\r\nFigure 6. Sample phishing email shows the original benign request for tax filing services, followed by another\r\nemail containing a malicious PDF attachment if the target replies.\r\nFigure 7. The PDF attachment contains a prominent blue “Download” button that links to the download of the\r\nmalicious payload. The button is overlaid on a blurred background mimicking a “W-2” tax form, which\r\nfurther contributes to the illusion of the attachment being a legitimate tax file.\r\nGuLoader is a highly evasive malware downloader that leverages encrypted shellcode, process injection, and cloud-based\r\nhosting services to deliver various payloads, including RATs and infostealers. It employs multiple anti-analysis techniques,\r\nsuch as sandbox detection and API obfuscation, to bypass security defenses and ensure successful payload execution.\r\nRemcos is a RAT that provides attackers with full control over compromised systems through keylogging, screen capturing,\r\nand process manipulation while employing stealth techniques to evade detection.\r\nMitigation and protection guidance\r\nMicrosoft recommends the following mitigations to reduce the impact of this threat.\r\nEducate users about protecting personal and business information in social media, filtering unsolicited\r\ncommunication, identifying lure links in phishing emails, and reporting reconnaissance attempts and other suspicious\r\nactivity.\r\nTurn on Zero-hour auto purge (ZAP) in Defender for Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have\r\nalready been delivered to mailboxes.\r\nPilot and deploy 
phishing-resistant authentication methods for users.\r\nEnforce multifactor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require\r\nMFA from all devices in all locations at all times.\r\nImplement Entra ID Conditional Access authentication strength to require phishing-resistant authentication for\r\nemployees and external users for critical apps.\r\nEncourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which\r\nidentifies and blocks malicious websites including phishing sites, scam sites, and sites that contain exploits and host\r\nmalware.\r\nEducate users about using the browser URL navigator to validate that upon clicking a link in search results they have\r\narrived at an expected legitimate domain.\r\nEnable network protection to prevent applications or users from accessing malicious domains and other malicious\r\ncontent on the internet.\r\nConfigure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and\r\nrewriting of inbound email messages in mail flow and time-of-click verification of URLs and links in email\r\nmessages, other Microsoft Office applications such as Teams, and other locations such as SharePoint Online. Safe\r\nLinks scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in\r\nMicrosoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from\r\nmalicious links that are used in phishing and other attacks.\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to\r\ncover rapidly evolving attacker tools and techniques. 
Cloud-based machine learning protections block the large\r\nmajority of new and unknown variants.\r\nEnable investigation and remediation in full automated mode to allow Defender for Endpoint to take immediate\r\naction on alerts to resolve breaches, significantly reducing alert volume.\r\nRun endpoint detection and response (EDR) in block mode, so that Defender for Endpoint can block malicious\r\nartifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is\r\nrunning in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.\r\nMicrosoft Defender XDR detections\r\nMicrosoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR\r\ncoordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated\r\nprotection against attacks like the threat discussed in this blog.\r\nCustomers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and\r\nrespond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects threat components used in the campaigns shared in this blog as the following:\r\nBackdoor:Win64/BruteRatel\r\nBackdoor:Win32/BruteRatel\r\nTrojan:Win64/BruteRatel\r\nTrojan:Win32/BruteRatel\r\nTrojan:Win64/Latrodectus\r\nTrojan:Win32/Latrodectus\r\nTrojanDownloader:JS/Latrodectus\r\nTrojan:Win32/Remcos\r\nBackdoor:MSIL/Remcos\r\nTrojan:Win32/Guloader\r\nMicrosoft Defender for Endpoint\r\nThe following alerts might indicate threat activity associated with this threat. 
These alerts, however, can be triggered by\r\nunrelated threat activity and are not monitored in the status cards provided with this report.\r\nPossible Latrodectus activity\r\nBrute Ratel toolkit related behavior\r\nA file or network connection related to ransomware-linked actor Storm-0249 detected\r\nSuspicious phishing activity detected\r\nMicrosoft Defender for Office 365\r\nMicrosoft Defender for Office 365 offers enhanced solutions for blocking and identifying malicious emails. These alerts,\r\nhowever, can be triggered by unrelated threat activity.\r\nA potentially malicious URL click was detected\r\nEmail messages containing malicious URL removed after delivery\r\nEmail messages removed after delivery\r\nA user clicked through to a potentially malicious URL\r\nSuspicious email sending patterns detected\r\nEmail reported by user as malware or phish\r\nDefender for Office 365 also detects the malicious PDF attachments used in the phishing campaign launched by Storm-0249.\r\nMicrosoft Security Copilot\r\nSecurity Copilot customers can use the standalone experience to create their own prompts or run the following pre-built\r\npromptbooks to automate incident response or investigation tasks related to this threat:\r\nIncident investigation\r\nMicrosoft User analysis\r\nThreat actor profile\r\nThreat Intelligence 360 report based on MDTI article\r\nVulnerability impact assessment\r\nNote that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft\r\nSentinel.\r\nThreat intelligence reports\r\nMicrosoft customers can use the following reports in Microsoft products to get the most up-to-date information about the\r\nthreat actor, malicious activity, and techniques discussed in this blog. 
These reports provide the intelligence, protection\r\ninformation, and recommended actions to prevent, mitigate, or respond to associated threats found in customer\r\nenvironments.\r\nMicrosoft Defender Threat Intelligence\r\nLatrodectus\r\nPhaaS RaccoonO365 campaign\r\nRemcos delivery through tax document lures\r\nStorm-0249 distributes Latrodectus in malvertising campaign\r\nStorm-0249\r\nBrute Ratel C4\r\nQR code phishing with adversary-in-the-middle capability\r\nMicrosoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat\r\nIntelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal\r\nto get more information about this threat actor.\r\nHunting queries\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to\r\nautomatically match the malicious domain indicators mentioned in this blog post with data in their workspace. 
If the TI Map\r\nanalytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel\r\nContent Hub to have the analytics rule deployed in their Sentinel workspace.\r\nFurthermore, listed below are some sample queries utilizing Sentinel ASIM Functions for threat hunting across both\r\nMicrosoft first-party and third-party data sources. The indicator strings in the dynamic() lists must not carry leading or\r\ntrailing whitespace, or the in() and url_has_any comparisons silently fail to match; in() is also case-sensitive, so use in~ if\r\nyour file events record hashes in upper case.\r\nHunt normalized Network Session events using the ASIM unifying parser _Im_NetworkSession for IOCs:\r\nlet lookback = 7d;\r\nlet ioc_ip_addr = dynamic([\"181.49.105.59\"]);\r\n_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())\r\n| where DstIpAddr in (ioc_ip_addr)\r\n| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor\r\nHunt normalized File events using the ASIM unifying parser imFileEvent for IOCs:\r\n// SHA-256 hashes taken from the Indicators of compromise tables below\r\nlet ioc_sha_hashes = dynamic([\r\n    \"9bffe9add38808b3f6021e6d07084a06300347dd5d4b7e159d97e949735cff1e\",\r\n    \"0b22a0d84afb8bc4426ac3882a5ecd2e93818a2ea62d4d5cbae36d942552a36a\",\r\n    \"4d5839d70f16e8f4f7980d0ae1758bb5a88b061fd723ea4bf32b4b474c222bec\",\r\n    \"a1b4db93eb72a520878ad338d66313fbaeab3634000fb7c69b1c34c9f3e17727\",\r\n    \"a31ea11c98a398f4709d52e202f3f2d1698569b7b6878572fc891b8de56e1ff7\",\r\n    \"165896fb5761596c6f6d80323e4b5804e4ad448370ceaf9b525db30b2452f7f5\",\r\n    \"3c482415979debc041d7e4c41a8f1a35ca0850b9e392fecbdef3d3bc0ac69960\",\r\n    \"9728b7c73ef25566cba2599cb86d87c360db7cafec003616f09ef70962f0f6fc\",\r\n    \"bb3b6262a288610df46f785c57d7f1fa0ebc75178c625eaabf087c7ec3fccb6a\",\r\n    \"fe0b2e0fe7ce26ae398fe6c36dae551cb635696c927761738f040b581e4ed422\"]);\r\nimFileEvent\r\n| where SrcFileSHA256 in (ioc_sha_hashes) or TargetFileSHA256 in (ioc_sha_hashes)\r\n| extend AccountName = tostring(split(User, @'\\')[1]), AccountNTDomain = tostring(split(User, @'\\')[0])\r\n| extend AlgorithmType = \"SHA256\"\r\nHunt normalized Web Session events using the ASIM unifying parser _Im_WebSession for IOCs:\r\nlet lookback = 7d;\r\nlet ioc_domains = dynamic([\"slgndocline.onlxtg.com\", \"cronoze.com\", \"muuxxu.com\", \"proliforetka.com\", \"porelinofigoventa.com\", \"shareddocumentso365cloudauthstorage.com\", \"newsbloger1.duckdns.org\"]);\r\n_Im_WebSession(starttime=ago(lookback), eventresult='Success', url_has_any=ioc_domains)\r\n| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor\r\nIn addition to the above, Sentinel users can also leverage the following queries, which may be relevant to the content of this\r\nblog.\r\nPhishing link click observed in Network Traffic\r\nEmail Link Execution with Alert Correlation\r\nIndicators of compromise\r\nBruteRatel C4 and Latrodectus infection chain\r\nIndicator | Type | Description\r\n9bffe9add38808b3f6021e6d07084a06300347dd5d4b7e159d97e949735cff1e | SHA-256 | lrs_Verification_Form_1730.pdf\r\n0b22a0d84afb8bc4426ac3882a5ecd2e93818a2ea62d4d5cbae36d942552a36a | SHA-256 | Irs_verif_form_2025_214859.js\r\n4d5839d70f16e8f4f7980d0ae1758bb5a88b061fd723ea4bf32b4b474c222bec | SHA-256 | bars.msi\r\na1b4db93eb72a520878ad338d66313fbaeab3634000fb7c69b1c34c9f3e17727 | SHA-256 | BRc4, filename: nvidiamast.dll\r\nhxxp://rebrand[.]ly/243eaa | URL | URL shortener link to load fake DocuSign page\r\nslgndocline.onlxtg[.]com | Domain name | Domain used to host fake DocuSign page\r\ncronoze[.]com | Domain name | BRc4 C2\r\nmuuxxu[.]com | Domain name | BRc4 C2\r\nproliforetka[.]com | Domain name | Latrodectus C2\r\nporelinofigoventa[.]com | Domain name | Latrodectus C2\r\nhxxp://slgndocline.onlxtg[.]com/87300038978/ | URL | Fake DocuSign URL\r\nhxxps://rosenbaum[.]live/bars.php | URL | JavaScript downloading MSI\r\nRaccoonO365\r\nIndicator | Type | Description\r\nshareddocumentso365cloudauthstorage[.]com | Domain name | RaccoonO365 domain\r\nAHKBot\r\nIndicator | Type | Description\r\na31ea11c98a398f4709d52e202f3f2d1698569b7b6878572fc891b8de56e1ff7 | SHA-256 | Tax_Refund_Eligibility_Document.xlsm\r\n165896fb5761596c6f6d80323e4b5804e4ad448370ceaf9b525db30b2452f7f5 | SHA-256 | umbrella.msi\r\n3c482415979debc041d7e4c41a8f1a35ca0850b9e392fecbdef3d3bc0ac69960 | SHA-256 | AutoNotify.ahk\r\n9728b7c73ef25566cba2599cb86d87c360db7cafec003616f09ef70962f0f6fc | SHA-256 | AHKBot Screenshotter module\r\nhxxps://business.google[.]com/website_shared/launch_bw.html?f=hxxps://historyofpia[.]com/Tax_Refund_Eligibility_Document.xlsm | URL | URL redirecting to URL hosting malicious Excel file\r\nhxxps://historyofpia[.]com/Tax_Refund_Eligibility_Document.xlsm | URL | URL hosting malicious Excel file\r\nhxxps://acusense[.]ae/umbrella/ | URL | URL in macro that hosted the malicious MSI file\r\n181.49.105[.]59 | IP address | AHKBot C2\r\nRemcos\r\nIndicator | Type | Description\r\nbb3b6262a288610df46f785c57d7f1fa0ebc75178c625eaabf087c7ec3fccb6a | SHA-256 | 2024 Tax Document_Copy (1).pdf\r\nfe0b2e0fe7ce26ae398fe6c36dae551cb635696c927761738f040b581e4ed422 | SHA-256 | 2024 Tax Document.zip\r\nhxxps://www.dropbox[.]com/scl/fi/ox2fv884k4mhzv05lf4g1/2024-Tax-Document.zip?rlkey=fjtynsx5c5ow59l4zc1nsslfi\u0026st=gvfamzw3\u0026dl=1 | URL | URL in PDF\r\nnewsbloger1.duckdns[.]org | Domain name | Remcos C2\r\nReferences\r\nhttps://www.morado.io/blog-posts/understanding-raccoono365-phishing-as-a-service\r\nhttps://www.irs.gov/privacy-disclosure/report-phishing\r\nLearn more\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn at\r\nhttps://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter)\r\nat https://x.com/MsftSecIntel.\r\nTo hear stories and insights from the Microsoft Threat 
Intelligence community about the ever-evolving threat landscape,\r\nlisten to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.\r\nSource: https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/"
	],
	"report_names": [
		"3"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3",
			"created_at": "2022-10-25T16:07:23.80111Z",
			"updated_at": "2026-04-10T02:00:04.753677Z",
			"deleted_at": null,
			"main_name": "LookBack",
			"aliases": [
				"FlowingFrog",
				"LookBack",
				"LookingFrog",
				"TA410",
				"Witchetty"
			],
			"source_name": "ETDA:LookBack",
			"tools": [
				"FlowCloud",
				"GUP Proxy Tool",
				"SodomMain",
				"SodomMain RAT",
				"SodomNormal"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7e7782b0-8b0b-4e92-b58a-c696b6d70ea1",
			"created_at": "2025-05-29T02:00:03.18524Z",
			"updated_at": "2026-04-10T02:00:03.843199Z",
			"deleted_at": null,
			"main_name": "Storm-0249",
			"aliases": [
				"DEV-0249"
			],
			"source_name": "MISPGALAXY:Storm-0249",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434361,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a54bd1f27399a269ee64d956c942f5beec1a9c6b.pdf",
		"text": "https://archive.orkl.eu/a54bd1f27399a269ee64d956c942f5beec1a9c6b.txt",
		"img": "https://archive.orkl.eu/a54bd1f27399a269ee64d956c942f5beec1a9c6b.jpg"
	}
}