{
	"id": "45e9c01e-152e-4bdd-8d40-f16e226f9d05",
	"created_at": "2026-04-06T00:07:48.529985Z",
	"updated_at": "2026-04-10T13:12:47.793836Z",
	"deleted_at": null,
	"sha1_hash": "b3d93239ecb929ff41c4ce797d89fe65af9cb420",
	"title": "Analysis of Storm-0558 techniques for unauthorized email access | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 526758,
	"plain_text": "Analysis of Storm-0558 techniques for unauthorized email access | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2023-07-14 · Archived: 2026-04-02 10:48:32 UTC\r\nExecutive summary\r\nOn July 11, 2023, Microsoft published two blogs detailing a malicious campaign, which we have detected and mitigated, by a threat actor tracked as\r\nStorm-0558 that targeted customer email: Microsoft Security Response Center\r\nand Microsoft on the Issues. As we continue our investigation into this incident and deploy defense in depth\r\nmeasures to harden all systems involved, we’re providing this deeper analysis of the observed actor techniques for\r\nobtaining unauthorized access to email data, tools, and unique infrastructure characteristics.\r\nSeptember 6, 2023 update – Microsoft has completed a comprehensive technical investigation into Storm-0558’s\r\nacquisition of the Microsoft account consumer signing key. Investigation findings are released on the Microsoft\r\nSecurity Response Center blog: Results of major technical investigations for Storm-0558 key acquisition. \r\nAugust 2024 update – Microsoft now tracks Storm-0558 as Antique Typhoon.\r\nAs described in more detail in our July 11 blogs, Storm-0558 is a China-based threat actor with espionage\r\nobjectives. Beginning May 15, 2023, Storm-0558 used forged authentication tokens to access user email from\r\napproximately 25 organizations, including government agencies and related consumer accounts in the public\r\ncloud. No other environment was impacted. 
Microsoft has successfully blocked this campaign from Storm-0558.\r\nAs with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised\r\ncustomers, providing them with important information needed to secure their environments.\r\nSince identification of this malicious campaign on June 16, 2023, Microsoft has identified the root cause,\r\nestablished durable tracking of the campaign, disrupted malicious activities, hardened the environment, notified\r\nevery impacted customer, and coordinated with multiple government entities. We continue to investigate and\r\nmonitor the situation and will take additional steps to protect customers.\r\nActor overview\r\nMicrosoft Threat Intelligence assesses with moderate confidence that Storm-0558 is a China-based threat actor\r\nwith activities and methods consistent with espionage objectives. While we have discovered some minimal\r\noverlaps with other Chinese groups such as Violet Typhoon (ZIRCONIUM, APT31), we maintain high confidence\r\nthat Storm-0558 operates as its own distinct group.\r\nFigure 1 shows Storm-0558 working patterns from April to July 2023; the actor’s core working hours are\r\nconsistent with working hours in China, Monday through Friday from 12:00 AM UTC (8:00 AM China Standard\r\ntime) through 09:00 AM UTC (5:00 PM China Standard Time).\r\nhttps://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/\r\nPage 1 of 11\n\nFigure 1. Heatmap of observed Storm-0558 activity by day of week and hour (UTC).\r\nIn past activity observed by Microsoft, Storm-0558 has primarily targeted US and European diplomatic, economic,\r\nand legislative governing bodies, and individuals connected to Taiwan and Uyghur geopolitical interests. \r\nHistorically, this threat actor has displayed an interest in targeting media companies, think tanks, and\r\ntelecommunications equipment and service providers. 
The objective of most Storm-0558 campaigns is to obtain\r\nunauthorized access to email accounts belonging to employees of targeted organizations. Storm-0558 pursues this\r\nobjective through credential harvesting, phishing campaigns, and OAuth token attacks. This threat actor has\r\ndisplayed an interest in OAuth applications, token theft, and token replay against Microsoft accounts since at least\r\nAugust 2021. Storm-0558 operates with a high degree of technical tradecraft and operational security. The actors\r\nare keenly aware of the target’s environment, logging policies, authentication requirements, policies, and\r\nprocedures. Storm-0558’s tooling and reconnaissance activity suggests the actor is technically adept, well\r\nresourced, and has an in-depth understanding of many authentication techniques and applications.\r\nIn the past, Microsoft has observed Storm-0558 obtain credentials for initial access through phishing campaigns.\r\nThe actor has also exploited vulnerabilities in public-facing applications to gain initial access to victim networks.\r\nThese exploits typically result in web shells, including China Chopper, being deployed on compromised servers.\r\nOne of the most prevalent malware families used by Storm-0558 is a shared tool tracked by Microsoft as Cigril.\r\nThis family exists in several variants and is launched using dynamic-link library (DLL) search order hijacking.\r\nAfter gaining access to a compromised system, Storm-0558 accesses credentials from a variety of sources,\r\nincluding the LSASS process memory and Security Account Manager (SAM) registry hive. Microsoft assesses that\r\nonce Storm-0558 has access to the desired user credentials, the actor signs into the compromised user’s cloud\r\nemail account with the valid account credentials. 
The actor then collects information from the email account over\r\nthe web service.\r\nInitial discovery and analysis of current activity\r\nOn June 16, 2023, Microsoft was notified by a customer of anomalous Exchange Online data access. Microsoft\r\nanalysis attributed the activity to Storm-0558 based on established prior TTPs. We determined that Storm-0558\r\nwas accessing the customer’s Exchange Online data using Outlook Web Access (OWA). Microsoft’s investigative\r\nworkflow initially assumed the actor was stealing correctly issued Azure Active Directory (Azure AD) tokens,\r\nmost probably using malware on infected customer devices. Microsoft analysts later determined that the actor’s\r\naccess was utilizing Exchange Online authentication artifacts, which are typically derived from Azure AD\r\nauthentication tokens (Azure AD tokens). Further in-depth analysis over the next several days led Microsoft\r\nhttps://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/\r\nPage 2 of 11\n\nanalysts to assess that the internal Exchange Online authentication artifacts did not correspond to Azure AD tokens\r\nin Microsoft logs.\r\nMicrosoft analysts began investigating the possibility that the actor was forging authentication tokens using an\r\nacquired Azure AD enterprise signing key. In-depth analysis of the Exchange Online activity discovered that in\r\nfact the actor was forging Azure AD tokens using an acquired Microsoft account (MSA) consumer signing key.\r\nThis was made possible by a validation error in Microsoft code. The use of an incorrect key to sign the requests\r\nallowed our investigation teams to see all actor access requests which followed this pattern across both our\r\nenterprise and consumer systems. Use of the incorrect key to sign this scope of assertions was an obvious indicator\r\nof the actor activity as no Microsoft system signs tokens in this way. 
Use of acquired signing material to forge\r\nauthentication tokens to access customer Exchange Online data differs from previously observed Storm-0558\r\nactivity. Microsoft’s investigations have not detected any other use of this pattern by other actors and Microsoft\r\nhas taken steps to block related abuse.\r\nActor techniques\r\nToken forgery\r\nAuthentication tokens are used to validate the identity of entities requesting access to resources – in this case,\r\nemail. These tokens are issued to the requesting entity (such as a user’s browser) by identity providers like Azure\r\nAD. To prove authenticity, the identity provider signs the token using a private signing key. The relying party\r\nvalidates the token presented by the requesting entity by using a public validation key. Any request whose\r\nsignature is correctly validated by the published public validation key will be trusted by the relying party. An actor\r\nthat can acquire a private signing key can then create falsified tokens with valid signatures that will be accepted by\r\nrelying parties. This is called token forgery.\r\nStorm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure\r\nAD enterprise and MSA consumer to access OWA and Outlook.com. All MSA keys active prior to the incident –\r\nincluding the actor-acquired MSA signing key – have been invalidated. Azure AD keys were not impacted. The\r\nmethod by which the actor acquired the key is a matter of ongoing investigation. Though the key was intended\r\nonly for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue\r\nhas been corrected.\r\nAs part of defense in depth, we continuously update our systems. We have substantially hardened key issuance\r\nsystems since the acquired MSA key was initially issued. 
This includes increased isolation of the systems, refined\r\nmonitoring of system activity, and moving to the hardened key store used for our enterprise systems. We have\r\nrevoked all previously active keys and issued new keys using these updated systems. Our active investigation\r\nindicates these hardening and isolation improvements disrupt the mechanisms we believe the actor could have used\r\nto acquire MSA signing keys. No key-related actor activity has been observed since Microsoft invalidated the\r\nactor-acquired MSA signing key. Further, we have seen Storm-0558 transition to other techniques, which indicates\r\nthat the actor is not able to utilize or access any signing keys. We continue to explore other ways the key may have\r\nbeen acquired and add additional defense in depth measures.\r\nIdentity techniques for access\r\nOnce authenticated through a legitimate client flow leveraging the forged token, the threat actor accessed the OWA\r\nAPI to retrieve a token for Exchange Online from the GetAccessTokenForResource API used by OWA. The actor\r\nwas able to obtain new access tokens by presenting one previously issued from this API due to a design flaw. This\r\nflaw in the GetAccessTokenForResource API has since been fixed to only accept tokens issued from Azure AD or\r\nMSA respectively. The actor used these tokens to retrieve mail messages from the OWA API. \r\nMicrosoft Threat Intelligence routinely identifies threat actor capabilities and leverages file intelligence to\r\nfacilitate our protection of Microsoft customers. During this investigation, we identified several distinct Storm-0558 capabilities that facilitate the threat actor’s intrusion techniques. 
The capabilities described in this section are\r\nnot expected to be present in the victim environment.\r\nStorm-0558 uses a collection of PowerShell and Python scripts to perform REST API calls against the OWA\r\nExchange Store service. For example, Storm-0558 has the capability to use minted access tokens to extract email\r\ndata such as:\r\nDownload emails\r\nDownload attachments\r\nLocate and download conversations\r\nGet email folder information\r\nThe generated web requests can be routed through a Tor proxy or several hardcoded SOCKS5 proxy servers. The\r\nthreat actor was observed using several User-Agents when issuing web requests, for example:\r\nClient=REST;Client=RESTSystem;;\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.52\r\n\"Microsoft Edge\";v=\"113\", \"Chromium\";v=\"113\", \"Not-A.Brand\";v=\"24\" (a Sec-CH-UA client-hint value sent alongside the User-Agent)\r\nThe scripts contain highly sensitive hardcoded information such as bearer access tokens and email data, which the\r\nthreat actor uses to perform the OWA API calls. The threat actor has the capability to refresh the access token for\r\nuse in subsequent OWA commands.\r\nFigure 2. Python code snippet of the token refresh functionality used by the threat actor.\r\nFigure 3. PowerShell code snippet of OWA REST API call to GetConversationItems.\r\nActor infrastructure\r\nDuring significant portions of Storm-0558’s malicious activities, the threat actor leveraged dedicated infrastructure\r\nrunning the SoftEther proxy software. 
Proxy infrastructure complicates detection and attribution of Storm-0558\r\nactivities. During our response, Microsoft Threat Intelligence identified a unique method of profiling this proxy\r\ninfrastructure and correlated with behavioral characteristics of the actor intrusion techniques. Our profile was\r\nbased on the following facets:\r\n1. Hosts operating as part of this network present a JARM fingerprint consistent with SoftEther VPN:\r\n06d06d07d06d06d06c42d42d000000cdb95e27fd8f9fee4a2bec829b889b8b.\r\n2. Presented x509 certificate has expiration date of December 31, 2037.\r\n3. Subject information within the x509 certificate does not contain “softether”.\r\nOver the course of the campaign, the IPs listed in the table below were used during the corresponding timeframes.\r\nIP address First seen Last seen Description\r\n51.89.156[.]153 3/9/2023 7/10/2023 SoftEther proxy\r\n176.31.90[.]129 3/28/2023 6/29/2023 SoftEther proxy\r\n137.74.181[.]100 3/31/2023 7/11/2023 SoftEther proxy\r\n193.36.119[.]45 4/19/2023 7/7/2023 SoftEther proxy\r\n185.158.248[.]159 4/24/2023 7/6/2023 SoftEther proxy\r\n131.153.78[.]188 5/6/2023 6/29/2023 SoftEther proxy\r\n37.143.130[.]146 5/12/2023 5/19/2023 SoftEther proxy\r\n146.70.157[.]45 5/12/2023 6/8/2023 SoftEther proxy\r\n185.195.200[.]39 5/15/2023 6/29/2023 SoftEther proxy\r\n185.38.142[.]229 5/15/2023 7/12/2023 SoftEther proxy\r\n146.70.121[.]44 5/17/2023 6/29/2023 SoftEther proxy\r\n31.42.177[.]181 5/22/2023 5/23/2023 SoftEther proxy\r\n185.51.134[.]52 6/7/2023 7/11/2023 SoftEther proxy\r\n173.44.226[.]70 6/9/2023 7/11/2023 SoftEther proxy\r\n45.14.227[.]233 6/12/2023 6/26/2023 SoftEther proxy\r\n185.236.231[.]109 6/12/2023 7/3/2023 SoftEther proxy\r\n178.73.220[.]149 6/16/2023 7/12/2023 SoftEther proxy\r\n45.14.227[.]212 6/19/2023 6/29/2023 SoftEther proxy\r\n91.222.173[.]225 6/20/2023 
7/1/2023 SoftEther proxy\r\n146.70.35[.]168 6/22/2023 6/29/2023 SoftEther proxy\r\n146.70.157[.]213 6/26/2023 6/30/2023 SoftEther proxy\r\n31.42.177[.]201 6/27/2023 6/29/2023 SoftEther proxy\r\n5.252.176[.]8 7/1/2023 7/1/2023 SoftEther proxy\r\n80.85.158[.]215 7/1/2023 7/9/2023 SoftEther proxy\r\n193.149.129[.]88 7/2/2023 7/12/2023 SoftEther proxy\r\n5.252.178[.]68 7/3/2023 7/11/2023 SoftEther proxy\r\n116.202.251[.]8 7/4/2023 7/7/2023 SoftEther proxy\r\n185.158.248[.]93 6/25/2023 6/26/2023 SoftEther proxy\r\n20.108.240[.]252 6/25/2023 7/5/2023 SoftEther proxy\r\n146.70.135[.]182 5/18/2023 6/22/2023 SoftEther proxy\r\nAs early as May 15, 2023, Storm-0558 shifted to using a separate series of dedicated infrastructure servers\r\nspecifically for token replay and interaction with Microsoft services. It is likely that the dedicated infrastructure\r\nand supporting services configured on this infrastructure offered a more efficient manner of facilitating the actor’s\r\nactivities. The dedicated infrastructure would host an actor-developed web panel that presented an authentication\r\npage at URI /#/login. The observed sign-in pages had one of two SHA-1 hashes:\r\n80d315c21fc13365bba5b4d56357136e84ecb2d4 and 931e27b6f1a99edb96860f840eb7ef201f6c68ec.\r\nFigure 4. Token web panel sign-in page with SHA-1 hashes.\r\nAs part of the intelligence-driven response to this campaign, and in support of tracking, analyzing, and disrupting\r\nactor activity, analytics were developed to proactively track the dedicated infrastructure. 
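The proxy profile above (JARM fingerprint, certificate expiry, subject test), the two sign-in page SHA-1 hashes, and the Client=REST user agent and infrastructure IPs listed earlier, turned into checks a defender can run over their own data. This is an added example and not Microsoft's tooling or analytics: profile_host classifies a scanned host from its TLS facets, and scan_access_log flags OWA access lines by source IP or by the actor user agent. The host records and the log format are constructed sample input, and only a subset of the published IPs is embedded; everything else in the constants comes from the post.

```python
# Added example, not Microsoft code: the infrastructure facets in the post as
# checks. JARM value, the December 31, 2037 expiry, the 'softether' subject test,
# the two sign-in page SHA-1 hashes and the IPs are from the post; the host
# records, the log format and the log lines below are constructed sample input.
from datetime import date
import hashlib

SOFTETHER_JARM = '06d06d07d06d06d06c42d42d000000cdb95e27fd8f9fee4a2bec829b889b8b'
PROXY_CERT_EXPIRY = date(2037, 12, 31)
PANEL_PAGE_SHA1 = {'80d315c21fc13365bba5b4d56357136e84ecb2d4',
                   '931e27b6f1a99edb96860f840eb7ef201f6c68ec'}
# Defanged as printed in the post; a subset is enough to show the matching.
PROXY_IPS_DEFANGED = ['51.89.156[.]153', '176.31.90[.]129', '137.74.181[.]100',
                      '185.38.142[.]229', '178.73.220[.]149']
PANEL_IPS_DEFANGED = ['195.26.87[.]219', '146.0.74[.]16', '91.231.186[.]226']
ACTOR_USER_AGENT = 'Client=REST;Client=RESTSystem;;'


def refang(ioc: str) -> str:
    '''Turn the published defanged form back into a matchable address.'''
    return ioc.replace('[.]', '.')


IOC_IPS = {refang(ip): 'SoftEther proxy' for ip in PROXY_IPS_DEFANGED}
IOC_IPS.update({refang(ip): 'Token web panel' for ip in PANEL_IPS_DEFANGED})


def page_sha1(body: bytes) -> str:
    '''Hash a fetched /#/login body the same way the post reports the panel pages.'''
    return hashlib.sha1(body).hexdigest()


def profile_host(obs: dict):
    '''Classify one scanned host. Keys: jarm, cert_not_after (date), cert_subject,
    and optionally login_page_sha1. Returns the profile name or None.'''
    if obs.get('login_page_sha1') in PANEL_PAGE_SHA1:
        return 'Token web panel'
    is_softether = obs.get('jarm') == SOFTETHER_JARM
    expiry_matches = obs.get('cert_not_after') == PROXY_CERT_EXPIRY
    # Facet 3 of the post: the actor's certificates did NOT carry the default subject.
    subject_customised = 'softether' not in obs.get('cert_subject', '').lower()
    if is_softether and expiry_matches and subject_customised:
        return 'SoftEther proxy'
    return None


def scan_access_log(lines):
    '''Flag access-log lines by source IP or by the actor user agent.
    Constructed line format: <timestamp> <client_ip> <user> <request> UA=<user-agent>'''
    hits = []
    for line in lines:
        ts, ip, user, rest = line.split(' ', 3)
        ua = rest.split('UA=', 1)[1] if 'UA=' in rest else ''
        reasons = []
        if ip in IOC_IPS:
            reasons.append('source ' + IOC_IPS[ip])
        if ua == ACTOR_USER_AGENT:
            reasons.append('actor user agent')
        if reasons:
            hits.append((ts, ip, user, reasons))
    return hits


SAMPLE_HOSTS = [  # constructed scan results, RFC 5737 documentation addresses
    {'ip': '203.0.113.10', 'jarm': SOFTETHER_JARM, 'cert_not_after': date(2037, 12, 31), 'cert_subject': 'CN=vpn.example'},
    {'ip': '203.0.113.11', 'jarm': SOFTETHER_JARM, 'cert_not_after': date(2037, 12, 31), 'cert_subject': 'CN=softether-vpn'},
    {'ip': '203.0.113.12', 'jarm': '0' * 62, 'cert_not_after': date(2037, 12, 31), 'cert_subject': 'CN=vpn.example'},
    {'ip': '203.0.113.13', 'jarm': SOFTETHER_JARM, 'cert_not_after': date(2037, 12, 31), 'cert_subject': 'CN=panel',
     'login_page_sha1': '80d315c21fc13365bba5b4d56357136e84ecb2d4'},
]

SAMPLE_LOG = [  # constructed
    '2023-06-20T08:14:02Z 178.73.220.149 alice@tenant.example GET /owa/service.svc?action=GetConversationItems UA=Client=REST;Client=RESTSystem;;',
    '2023-06-20T08:15:40Z 198.51.100.7 bob@tenant.example GET /owa/ UA=Mozilla/5.0',
    '2023-06-20T08:16:11Z 198.51.100.8 carol@tenant.example GET /owa/service.svc?action=GetAttachment UA=Client=REST;Client=RESTSystem;;',
    '2023-06-20T08:17:05Z 195.26.87.219 dave@tenant.example POST /owa/auth UA=Mozilla/5.0',
]


def classify_sample_hosts():
    return {h['ip']: profile_host(h) for h in SAMPLE_HOSTS}


if __name__ == '__main__':
    for ip, profile in classify_sample_hosts().items():
        print(ip, profile)
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Two of the three proxy facets (the JARM value and the 2037 expiry) describe stock SoftEther, so on their own they match every SoftEther deployment on the internet; it is the third facet, a subject that no longer says softether, that narrows the set to customised hosts, which is why profile_host requires all three. The IP matches are time-bounded in the post's tables, so a production version of scan_access_log should also compare the log timestamp against the first-seen and last-seen columns before raising an alert.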
Through this tracking, we\r\nidentified the following dedicated infrastructure.\r\nIP address First seen Last seen Description\r\n195.26.87[.]219 5/15/2023 6/25/2023 Token web panel\r\n185.236.228[.]183 5/24/2023 6/11/2023 Token web panel\r\n85.239.63[.]160 6/7/2023 6/11/2023 Token web panel\r\n193.105.134[.]58 6/24/2023 6/25/2023 Token web panel\r\n146.0.74[.]16 6/28/2023 7/4/2023 Token web panel\r\n91.231.186[.]226 6/29/2023 7/4/2023 Token web panel\r\n91.222.174[.]41 6/29/2023 7/3/2023 Token web panel\r\n185.38.142[.]249 6/29/2023 7/2/2023 Token web panel\r\nThe last observed dedicated token replay infrastructure associated with this activity was stood down on July 4,\r\n2023, roughly one day following the coordinated mitigation conducted by Microsoft. \r\nPost-compromise activity\r\nOur telemetry and investigations indicate that post-compromise activity was limited to email access and\r\nexfiltration for targeted users.\r\nMitigation and hardening\r\nNo customer action is required to mitigate the token forgery technique or validation error in OWA or Outlook.com.\r\nMicrosoft has mitigated this issue on customers’ behalf as follows:\r\nOn June 26, OWA stopped accepting tokens issued from GetAccessTokenForResource for renewal, which\r\nmitigated the token renewal being abused.\r\nOn June 27, Microsoft blocked the usage of tokens signed with the acquired MSA key in OWA preventing\r\nfurther threat actor enterprise mail activity.\r\nOn June 29, Microsoft completed replacement of the key to prevent the threat actor from using it to forge\r\ntokens. Microsoft revoked all MSA signing keys which were valid at the time of the incident, including the actor-acquired MSA key. 
The new MSA signing keys are issued in substantially updated systems which benefit\r\nfrom hardening not present at issuance of the actor-acquired MSA key:\r\nMicrosoft has increased the isolation of these systems from corporate environments, applications,\r\nand users.\r\nMicrosoft has refined monitoring of all systems related to key activity, and increased\r\nautomated alerting related to this monitoring.\r\nMicrosoft has moved the MSA signing keys to the key store used for our enterprise systems.\r\nOn July 3, Microsoft blocked usage of the key for all impacted consumer customers to prevent use of\r\npreviously-issued tokens.\r\nOngoing monitoring indicates that all actor activity related to this incident has been blocked. Microsoft will\r\ncontinue to monitor Storm-0558 activity and implement protections for our customers.\r\nRecommendations\r\nMicrosoft has mitigated this activity on our customers’ behalf for Microsoft services. 
No customer action is\r\nrequired to prevent threat actors from using the techniques described above to access Exchange Online and\r\nOutlook.com.\r\nIndicators of compromise\r\nIndicator Type First seen Last seen Description\r\nd4b4cccda9228624656bff33d8110955779632aa Thumbprint - - Thumbprint of acquired signing key\r\n195.26.87[.]219 IPv4 5/15/2023 6/25/2023 Token web panel\r\n185.236.228[.]183 IPv4 5/24/2023 6/11/2023 Token web panel\r\n85.239.63[.]160 IPv4 6/7/2023 6/11/2023 Token web panel\r\n193.105.134[.]58 IPv4 6/24/2023 6/25/2023 Token web panel\r\n146.0.74[.]16 IPv4 6/28/2023 7/4/2023 Token web panel\r\n91.231.186[.]226 IPv4 6/29/2023 7/4/2023 Token web panel\r\n91.222.174[.]41 IPv4 6/29/2023 7/3/2023 Token web panel\r\n185.38.142[.]249 IPv4 6/29/2023 7/2/2023 Token web panel\r\n51.89.156[.]153 IPv4 3/9/2023 7/10/2023 SoftEther proxy\r\n176.31.90[.]129 IPv4 3/28/2023 6/29/2023 SoftEther proxy\r\n137.74.181[.]100 IPv4 3/31/2023 7/11/2023 SoftEther proxy\r\n193.36.119[.]45 IPv4 4/19/2023 7/7/2023 SoftEther proxy\r\n185.158.248[.]159 IPv4 4/24/2023 7/6/2023 SoftEther proxy\r\n131.153.78[.]188 IPv4 5/6/2023 6/29/2023 SoftEther proxy\r\n37.143.130[.]146 IPv4 5/12/2023 5/19/2023 SoftEther proxy\r\n146.70.157[.]45 IPv4 5/12/2023 6/8/2023 SoftEther proxy\r\n185.195.200[.]39 IPv4 5/15/2023 6/29/2023 SoftEther proxy\r\n185.38.142[.]229 IPv4 5/15/2023 7/12/2023 SoftEther proxy\r\n146.70.121[.]44 IPv4 5/17/2023 6/29/2023 SoftEther proxy\r\n31.42.177[.]181 IPv4 5/22/2023 5/23/2023 SoftEther proxy\r\n185.51.134[.]52 IPv4 6/7/2023 7/11/2023 SoftEther proxy\r\n173.44.226[.]70 IPv4 6/9/2023 7/11/2023 SoftEther proxy\r\n45.14.227[.]233 IPv4 6/12/2023 
6/26/2023 SoftEther proxy\r\n185.236.231[.]109 IPv4 6/12/2023 7/3/2023 SoftEther proxy\r\n178.73.220[.]149 IPv4 6/16/2023 7/12/2023 SoftEther proxy\r\n45.14.227[.]212 IPv4 6/19/2023 6/29/2023 SoftEther proxy\r\n91.222.173[.]225 IPv4 6/20/2023 7/1/2023 SoftEther proxy\r\n146.70.35[.]168 IPv4 6/22/2023 6/29/2023 SoftEther proxy\r\n146.70.157[.]213 IPv4 6/26/2023 6/30/2023 SoftEther proxy\r\n31.42.177[.]201 IPv4 6/27/2023 6/29/2023 SoftEther proxy\r\n5.252.176[.]8 IPv4 7/1/2023 7/1/2023 SoftEther proxy\r\n80.85.158[.]215 IPv4 7/1/2023 7/9/2023 SoftEther proxy\r\n193.149.129[.]88 IPv4 7/2/2023 7/12/2023 SoftEther proxy\r\n5.252.178[.]68 IPv4 7/3/2023 7/11/2023 SoftEther proxy\r\n116.202.251[.]8 IPv4 7/4/2023 7/7/2023 SoftEther proxy\r\nFurther reading\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on Twitter at\r\nhttps://twitter.com/MsftSecIntel.\r\nSource: https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/"
	],
	"report_names": [
		"analysis-of-storm-0558-techniques-for-unauthorized-email-access"
	],
	"threat_actors": [
		{
			"id": "86fb4ddd-989e-4613-8db8-ca646c553aae",
			"created_at": "2023-11-01T02:00:07.404201Z",
			"updated_at": "2026-04-10T02:00:03.381034Z",
			"deleted_at": null,
			"main_name": "Storm-0558",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-0558",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1c762729-56f7-48d5-8fb0-b64a43716319",
			"created_at": "2023-09-07T02:02:47.944899Z",
			"updated_at": "2026-04-10T02:00:04.907587Z",
			"deleted_at": null,
			"main_name": "Storm-0558",
			"aliases": [
				"Antique Typhoon"
			],
			"source_name": "ETDA:Storm-0558",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"SinoChopper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "dc7ee503-9494-4fb6-a678-440c68fd31d8",
			"created_at": "2022-10-25T16:07:23.349177Z",
			"updated_at": "2026-04-10T02:00:04.552639Z",
			"deleted_at": null,
			"main_name": "APT 31",
			"aliases": [
				"APT 31",
				"Bronze Vinewood",
				"G0128",
				"Judgment Panda",
				"Red Keres",
				"RedBravo",
				"TA412",
				"Violet Typhoon",
				"Zirconium"
			],
			"source_name": "ETDA:APT 31",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"GrewApacha",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Roarur",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434068,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3d93239ecb929ff41c4ce797d89fe65af9cb420.pdf",
		"text": "https://archive.orkl.eu/b3d93239ecb929ff41c4ce797d89fe65af9cb420.txt",
		"img": "https://archive.orkl.eu/b3d93239ecb929ff41c4ce797d89fe65af9cb420.jpg"
	}
}