{
	"id": "e1fd8c8c-88fd-435d-acfe-a0495fbcfd73",
	"created_at": "2026-04-06T00:10:01.19056Z",
	"updated_at": "2026-04-10T03:33:29.015868Z",
	"deleted_at": null,
	"sha1_hash": "cf39841a7e67a1b25b100281cdb55651a84d517d",
	"title": "Smoke Sandstorm: Nation State Actors | Security Insider",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 27953,
	"plain_text": "Smoke Sandstorm: Nation State Actors | Security Insider\r\nArchived: 2026-04-05 22:28:23 UTC\r\nSmoke Sandstorm (formerly BOHRIUM/DEV-0056) compromised email accounts at a Bahrain-based IT\r\nintegration company in September 2021. This company works on IT integration with Bahrain Government clients,\r\nwho were likely Smoke Sandstorm’s ultimate target. Smoke Sandstorm also compromised various accounts at a\r\npartially government-owned organization in the Middle East that provides information and communications\r\ntechnology to the defense and transportation sectors, which are targets of interest to the Iranian regime. In May of\r\n2022, Microsoft took legal action to disrupt spear phishing operations linked to Smoke Sandstorm.\r\nSource: https://www.microsoft.com/en-us/security/security-insider/smoke-sandstorm\r\nhttps://www.microsoft.com/en-us/security/security-insider/smoke-sandstorm\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/security-insider/smoke-sandstorm"
	],
	"report_names": [
		"smoke-sandstorm"
	],
	"threat_actors": [
		{
			"id": "ad78338e-8bb6-4745-acae-27d3cc3cf76d",
			"created_at": "2023-11-17T02:00:07.580677Z",
			"updated_at": "2026-04-10T02:00:03.452097Z",
			"deleted_at": null,
			"main_name": "Bohrium",
			"aliases": [
				"BOHRIUM",
				"IMPERIAL KITTEN",
				"Smoke Sandstorm"
			],
			"source_name": "MISPGALAXY:Bohrium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "786139da-4139-49d0-9685-e249c5f89f25",
			"created_at": "2024-12-30T02:01:48.731055Z",
			"updated_at": "2026-04-10T02:00:04.763086Z",
			"deleted_at": null,
			"main_name": "TA455",
			"aliases": [
				"Bohrium",
				"DEV-0056",
				"Operation Iranian Dream Job",
				"Smoke Sandstorm",
				"TA455",
				"UNC1549",
				"Yellow Dev 13"
			],
			"source_name": "ETDA:TA455",
			"tools": [
				"LIGHTRAIL",
				"MINIBIKE",
				"SlugResin",
				"SnailResin"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0dc20eeb-81e3-48ef-9a12-7b38fdcf07b1",
			"created_at": "2025-09-20T02:04:46.693616Z",
			"updated_at": "2026-04-10T02:00:03.735806Z",
			"deleted_at": null,
			"main_name": "COBALT SMOKEY",
			"aliases": [
				"Nimbus Manticore",
				"Smoke Sandstorm",
				"Subtle Snail",
				"TA455",
				"UNC1549"
			],
			"source_name": "Secureworks:COBALT SMOKEY",
			"tools": [
				"LIGHTRAIL",
				"MINIBIKE",
				"MINIBUS"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434201,
	"ts_updated_at": 1775792009,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cf39841a7e67a1b25b100281cdb55651a84d517d.pdf",
		"text": "https://archive.orkl.eu/cf39841a7e67a1b25b100281cdb55651a84d517d.txt",
		"img": "https://archive.orkl.eu/cf39841a7e67a1b25b100281cdb55651a84d517d.jpg"
	}
}