{
	"id": "de882533-c202-425d-bb81-8feb9da06750",
	"created_at": "2026-04-06T00:09:31.397292Z",
	"updated_at": "2026-04-10T03:33:22.62378Z",
	"deleted_at": null,
	"sha1_hash": "c3c5896ab5325d54c53bc6efb763eef8ea61ee4b",
	"title": "Microsoft Storm-1152 Crackdown: Stopping Threat Actors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62244,
	"plain_text": "Microsoft Storm-1152 Crackdown: Stopping Threat Actors\r\nBy Wajahat Raja\r\nPublished: 2023-12-29 · Archived: 2026-04-05 18:43:53 UTC\r\nIn a significant stride against cybercrime, Microsoft has announced the disruption of Storm-1152’s cybercrime operations. This group, a major player in the cybercrime-as-a-service (CaaS) ecosystem, sold access to fraudulent Outlook accounts, harming Microsoft and its users. This blog explores the details of the Microsoft Storm-1152 crackdown and its potential implications for the broader cybersecurity landscape.\r\nMicrosoft Storm-1152 Crackdown\r\nMicrosoft’s investigation revealed that Storm-1152, tracked as a key player in the CaaS landscape, created approximately 750 million fraudulent Microsoft accounts through its “hotmailbox.me” service. The illicit earnings amounted to millions of dollars and caused substantial damage to Microsoft.\r\nThe group specialized in using Internet bots to defeat Microsoft’s account-creation defenses, opening Outlook email accounts under fictitious usernames and then selling these accounts in bulk to cybercriminals. Because each account arrived already registered, buyers could skip account creation and move straight to phishing, spam, and other fraud, which is what made the service valuable to its customers. Microsoft has responded with a combination of technical countermeasures and the legal action described below.\r\nThe Role Of CAPTCHA Solvers\r\nBeyond fraudulent accounts, Storm-1152 offered CAPTCHA-solving services such as “1stCAPTCHA,” “AnyCAPTCHA,” and “NoneCAPTCHA.” These services were marketed as tools capable of bypassing any type of CAPTCHA, enabling fraudsters to abuse Microsoft’s online services and those of other enterprises at scale.\r\nConnections To Ransomware And Extortion\r\nMicrosoft identified several ransomware and extortion groups that used Storm-1152’s services, including the notorious Scattered Spider group (tracked by Microsoft as Octo Tempest). Scattered Spider, previously linked to attacks on Okta and the MGM Resorts breach, was connected to large-scale ransomware attacks against flagship Microsoft customers. These attacks caused service disruptions and inflicted hundreds of millions of dollars in damage.\r\nMicrosoft’s Swift Response\r\nhttps://securityboulevard.com/2023/12/microsoft-storm-1152-crackdown-stopping-threat-actors/\r\nPage 1 of 3\r\nOn December 7, 2023, Microsoft obtained a court order from the U.S. District Court for the Southern District of New York allowing it to seize Storm-1152’s U.S.-based infrastructure and domains. This included taking down “hotmailbox.me” and disrupting the CAPTCHA-solving services mentioned above. Microsoft also targeted the social media accounts Storm-1152 used to promote its illicit services. Microsoft presents the action as part of its broader response to evolving online threats.\r\nIdentifying The Culprits\r\nMicrosoft also named the individuals it says are behind Storm-1152’s operations: Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen, all based in Vietnam. By naming the people behind the network it took down, Microsoft aims to deter criminal behavior and raise the cost of doing business for cybercriminals.\r\nMicrosoft And Law Enforcement Collaboration\r\nArkose Labs, a San Francisco-based cybersecurity company, assisted Microsoft in the takedown. Kevin Gosschalk, founder and CEO of Arkose Labs, highlighted Storm-1152’s unusual approach of operating openly as a going concern on the internet, providing training and customer support for its tools.\r\nIndustry Experts On Microsoft Storm-1152 Crackdown\r\nCraig Jones, Vice President of Security Operations at Ontinue, acknowledges the significance of Microsoft’s action against Storm-1152 but emphasizes that its long-term effectiveness is nuanced. While disrupting current operations is a notable achievement, the adaptability and resilience of cybercrime groups pose ongoing challenges.\r\nHacking Group Targeted By Microsoft\r\nJones points out that the fight against cybercrime demands persistent and collaborative efforts across the digital ecosystem. The lasting impact of the Microsoft Storm-1152 crackdown depends on information sharing and coordinated action among tech companies, law enforcement, and intelligence agencies.\r\nThe fight against cybercrime requires continuous vigilance and collaboration to stay ahead of evolving threats. Microsoft’s actions are a reminder of the ongoing battle to protect customers and online users in an ever-changing global threat landscape.\r\nConclusion\r\nMicrosoft’s takedown of Storm-1152 marks a significant victory in the fight against cybercrime. While the immediate impact of legal action against cybercrime is evident, its long-term effectiveness depends on sustained effort and collaboration within the cybersecurity community. This win is also a reminder that the battle against cyber threats is ongoing, requiring vigilance, proactive measures, adaptability, and a united front from industry players, law enforcement, and cybersecurity experts.\r\nThe sources for this piece include articles in The Hacker News and TechCrunch.\r\nThe post Microsoft Storm-1152 Crackdown: Stopping Threat Actors appeared first on TuxCare.\r\nSource: https://securityboulevard.com/2023/12/microsoft-storm-1152-crackdown-stopping-threat-actors/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securityboulevard.com/2023/12/microsoft-storm-1152-crackdown-stopping-threat-actors/"
	],
	"report_names": [
		"microsoft-storm-1152-crackdown-stopping-threat-actors"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ead52dab-d2cb-44f4-a67a-56ffbc347b7e",
			"created_at": "2024-02-02T02:00:04.084899Z",
			"updated_at": "2026-04-10T02:00:03.560106Z",
			"deleted_at": null,
			"main_name": "Storm-1152",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-1152",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434171,
	"ts_updated_at": 1775792002,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c3c5896ab5325d54c53bc6efb763eef8ea61ee4b.pdf",
		"text": "https://archive.orkl.eu/c3c5896ab5325d54c53bc6efb763eef8ea61ee4b.txt",
		"img": "https://archive.orkl.eu/c3c5896ab5325d54c53bc6efb763eef8ea61ee4b.jpg"
	}
}