{
	"id": "32e59f20-8f32-4872-9780-3e44ff9474e0",
	"created_at": "2026-04-06T00:11:00.750954Z",
	"updated_at": "2026-04-10T13:12:11.894426Z",
	"deleted_at": null,
	"sha1_hash": "df1109697af74948a23a2c83d6f4587d00b15903",
	"title": "Exposing POLONIUM activity and infrastructure targeting Israeli organizations | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 577283,
	"plain_text": "Exposing POLONIUM activity and infrastructure targeting Israeli\r\norganizations | Microsoft Security Blog\r\nBy Microsoft Digital Security Unit (DSU), Microsoft Threat Intelligence\r\nPublished: 2022-06-02 · Archived: 2026-04-05 13:01:33 UTC\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned\r\naround the theme of weather. POLONIUM is now tracked as Plaid Rain and MERCURY is now tracked as\r\nMango Sandstorm. The DEV-#### designations are now tracked under the name Storm-#### using the same\r\nfour-digit identifier. \r\nTo learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a\r\ncomplete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming\r\ntaxonomy.\r\nMicrosoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented\r\nLebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM.  The\r\nassociated indicators and tactics were used by the OneDrive team to improve detection of attack activity and\r\ndisable offending actor accounts. To further address this abuse, Microsoft has suspended more than 20 malicious\r\nOneDrive applications created by POLONIUM actors, notified affected organizations, and deployed a series of\r\nsecurity intelligence updates that will quarantine tools developed by POLONIUM operators. Our goal with this\r\nblog is to help deter future activity by exposing and sharing the POLONIUM tactics with the community at large.\r\nMSTIC assesses with high confidence that POLONIUM represents an operational group based in Lebanon. We\r\nalso assess with moderate confidence that the observed activity was coordinated with other actors affiliated with\r\nIran’s Ministry of Intelligence and Security (MOIS), based primarily on victim overlap and commonality of tools\r\nand techniques. 
Such collaboration or direction from Tehran would align with a string of revelations since late\r\n2020 that the Government of Iran is using third parties to carry out cyber operations on their behalf, likely to\r\nenhance Iran’s plausible deniability.\r\nPOLONIUM has targeted or compromised more than 20 organizations based in Israel and one intergovernmental\r\norganization with operations in Lebanon over the past three months. This actor has deployed unique tools that\r\nabuse legitimate cloud services for command and control (C2) across most of their victims. POLONIUM was\r\nobserved creating and using legitimate OneDrive accounts, then utilizing those accounts as C2 to execute part of\r\ntheir attack operation. This activity does not represent any security issues or vulnerabilities on the OneDrive\r\nplatform. In addition, MSTIC does not, at present, see any links between this activity and other publicly\r\ndocumented groups linked to Lebanon like Volatile Cedar. This blog will also expose further details that show\r\nIranian threat actors may be collaborating with proxies to operationalize their attacks. Microsoft continues to work\r\nacross its platforms to identify abuse, take down malicious activity, and implement new proactive protections to\r\ndiscourage malicious actors from using our services.\r\nhttps://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/\r\nPage 1 of 12\n\nAs with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or\r\ncompromised, providing them with the information they need to secure their accounts.\r\nObserved actor activity\r\nSince February 2022, POLONIUM has been observed primarily targeting organizations in Israel with a focus on\r\ncritical manufacturing, IT, and Israel’s defense industry. 
In at least one case, POLONIUM’s compromise of an IT\r\ncompany was used to target a downstream aviation company and law firm in a supply chain attack that relied on\r\nservice provider credentials to gain access to the targeted networks. Multiple manufacturing companies they\r\ntargeted also serve Israel’s defense industry. The service-provider compromise follows an increasing trend among\r\nmany actors, including several Iranian groups, of targeting service provider access to reach downstream\r\ncustomers. Observed victim organizations were in the following sectors: critical manufacturing, information\r\ntechnology, transportation systems, defense industrial base, government agencies and services, food and\r\nagriculture, financial services, healthcare and public health, and other business types.\r\nPOLONIUM TTPs shared with Iran-based nation-state actors\r\nMSTIC assesses with moderate confidence that POLONIUM is coordinating its operations with multiple tracked\r\nactor groups affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap and the\r\nfollowing common techniques and tooling:\r\nCommon unique victim targeting: MSTIC has observed POLONIUM active on or targeting multiple\r\nvictims that MERCURY previously compromised. According to the US Cyber Command, MuddyWater, a\r\ngroup we track as MERCURY, “is a subordinate element within the Iranian Ministry of Intelligence and\r\nSecurity.”\r\nEvidence of possible “hand-off” operations: The uniqueness of the victim organizations suggests a\r\nconvergence of mission requirements with MOIS. It may also be evidence of a ‘hand-off’ operational\r\nmodel where MOIS provides POLONIUM with access to previously compromised victim environments to\r\nexecute new activity. 
MSTIC continues to monitor both actors to further verify this ‘hand-off’ hypothesis.\r\nUse of OneDrive for C2: MSTIC has observed both POLONIUM and DEV-0133 (aka Lyceum) using\r\ncloud services, including OneDrive, for data exfiltration and command and control.\r\nUse of AirVPN: Both POLONIUM and DEV-0588 (aka CopyKittens) commonly use AirVPN for\r\noperational activity. While use of public VPN services is common across many actor sets, these actors’\r\nspecific choice to use AirVPN, combined with the additional overlaps documented above, further supports\r\nthe moderate confidence assessment that POLONIUM collaborates with MOIS.\r\nAbuse of cloud services\r\nPOLONIUM has been observed deploying a series of custom implants that utilize cloud services for command\r\nand control as well as data exfiltration. MSTIC has observed implants connecting to POLONIUM-owned accounts\r\nin OneDrive and Dropbox. These tools are detected as the following malware:\r\nTrojan:PowerShell/CreepyDrive.A!dha\r\nTrojan:PowerShell/CreepyDrive.B!dha\r\nTrojan:PowerShell/CreepyDrive.C!dha\r\nTrojan:PowerShell/CreepyDrive.D!dha\r\nTrojan:PowerShell/CreepyDrive.E!dha\r\nTrojan:MSIL/CreepyBox.A!dha\r\nTrojan:MSIL/CreepyBox.B!dha\r\nTrojan:MSIL/CreepyBox.C!dha\r\nWhile OneDrive performs antivirus scanning on all uploaded content, POLONIUM is not using the cloud service\r\nto host their malware. If malware was hosted in the OneDrive account, Microsoft Defender Antivirus detections\r\nwould block it. Instead, they are interacting with the cloud service in the same way that a legitimate customer\r\nwould. OneDrive is partnering with MSTIC to identify and disable accounts that are linked to known adversary\r\nbehavior.\r\nCreepyDrive analysis\r\nThe CreepyDrive implant utilizes a POLONIUM-owned OneDrive storage account for command and control. 
The\r\nimplant provides basic functionality: it lets the threat actor upload stolen files and download files to run.\r\nAll web requests by the CreepyDrive implant use the Invoke-WebRequest cmdlet. The implant’s logic is wrapped\r\nin a while true loop, ensuring continuous execution of the implant once running. The implant contains no native\r\npersistence mechanism; if terminated, it would need to be re-executed by the threat actor.\r\nDue to the lack of victim identifiers in the CreepyDrive implant, using the same OneDrive account for multiple\r\nvictims, while possible, may be challenging. It’s likely that a different threat actor-controlled OneDrive account is\r\nused per implant.\r\nGetting an OAuth token\r\nWhen run, the implant first needs to authenticate with OneDrive. The threat actor incorporated a refresh token\r\nwithin the implant. Refresh tokens are part of the OAuth 2.0 specification: a client presents one to obtain a new\r\naccess token when the current access token expires, without the user signing in again. There are several\r\nmechanisms that make token theft difficult, including the use of the trusted platform module (TPM) to protect\r\nsecrets. More information on these mechanisms can be found here.\r\nIn this instance, the protection settings tied to the OneDrive account are fully controlled by the threat actor,\r\nallowing them to disable protections that prevent the theft of the token and client secrets. Because the refresh\r\ntoken and client secret are embedded in the implant, anyone who recovers a sample holds credentials to the\r\nactor-owned account; from the defender’s side, the detectable event is the token request followed by Graph file\r\naccess from a PowerShell process, not anything about the account itself. 
As the threat actor is in\r\nfull control of all secrets and key material associated with the account, their sign-in activity looks like legitimate\r\ncustomer behavior and is thus challenging to detect.\r\nThe refresh token and client secret are transmitted in the body of a request to a legitimate Microsoft endpoint to\r\nobtain an OAuth access token:\r\nhttps[://]login.microsoftonline.com/consumers/oauth2/v2.0/token\r\nThe /consumers/ tenant in this URL is the endpoint for personal Microsoft accounts, so a PowerShell process on a\r\nmanaged corporate host requesting a token there is itself a useful signal.\r\nThis request provides the requisite OAuth token for the implant to interact with the threat actor-owned OneDrive\r\naccount. Using this OAuth token, the implant makes a request to the following Microsoft Graph API endpoint to\r\naccess the file data.txt:\r\nhttps[://]graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content\r\nThe file data.txt acts as the primary tasking mechanism for the implant, providing three branches of execution.\r\nUpload\r\nThe first branch is triggered when the word “upload” is provided in the response. This response payload also\r\ncontains two additional elements: a local file path to upload, and what is likely a threat actor-defined remote file\r\nname to upload the local file into. The request is structured as follows (??? stands for the actor-supplied file\r\nname):\r\nhttps[://]graph.microsoft.com/v1.0/me/drive/root:/Uploaded/???:/content\r\nDownload\r\nThe second branch is triggered when the word “download” is provided in the response. This response payload\r\ncontains a file name to download from the threat actor-owned OneDrive account. The request is structured as\r\nfollows:\r\nhttps[://]graph.microsoft.com/v1.0/me/drive/root:/Downloaded/???:/content\r\nExecute\r\nThis branch is triggered when no command is provided in the response. The response payload can contain either\r\nan array of commands to execute or file paths to files previously downloaded by the implant. 
The threat actor can\r\nalso provide a mixture of individual commands and file paths.\r\nEach value from the array is passed individually into a custom function (shown as a screenshot in the original\r\npost) that uses the Invoke-Expression cmdlet to run commands.\r\nThe output of each executed command is aggregated and then written back to the following location in the threat\r\nactor-owned OneDrive account:\r\nhttps[://]graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content\r\nDuring the execution of this mechanism, the threat actor resets the content of the original tasking file data.txt with\r\nthe following request:\r\nhttps[://]graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content\r\nFinally, the CreepyDrive implant sleeps, re-executing in a loop until the process is terminated.\r\nUse of custom implant\r\nPOLONIUM has also been observed deploying a custom PowerShell implant detected as\r\nBackdoor:PowerShell/CreepySnail.B!dha. 
The C2s for observed CreepySnail implants include:\r\n135[.]125[.]147[.]170:80\r\n185[.]244[.]129[.]79:63047\r\n185[.]244[.]129[.]79:80\r\n45[.]80[.]149[.]108:63047\r\n45[.]80[.]149[.]108:80\r\n45[.]80[.]149[.]57:63047\r\n45[.]80[.]149[.]68:63047\r\n45[.]80[.]149[.]71:80\r\nThe CreepySnail PowerShell implant (its code is shown as a screenshot in the original post), once deployed on a\r\ntarget network, attempts to authenticate using stolen credentials and connect to POLONIUM C2 for further\r\nactions on objectives, such as data exfiltration or further abuse as C2.\r\nUse of commodity tools\r\nPOLONIUM has also been observed dropping a secondary payload via their OneDrive implant. POLONIUM used\r\nplink, the PuTTY command-line SSH client commonly used to script SSH sessions and port forwards, to set up a\r\nredundant tunnel from the victim environment to the attacker-controlled infrastructure. Hunt for plink.exe,\r\nincluding renamed copies, started with -R or -L port-forwarding arguments pointing at the addresses below.\r\nThe observed C2 IP addresses for POLONIUM plink tunnels include:\r\n185[.]244[.]129[.]109\r\n172[.]96[.]188[.]51\r\n51[.]83[.]246[.]73\r\nExploitation\r\nWhile we continue to pursue confirmation of how POLONIUM gained initial access to many of their victims,\r\nMSTIC notes that approximately 80% of the observed victims beaconing to graph.microsoft.com were running 
This suggests, but does not definitively prove, that POLONIUM compromised these Fortinet\r\ndevices by exploiting the CVE-2018-13379 vulnerability to gain access to the compromised organizations.\r\nIT supply chain attacks\r\nIn one case, POLONIUM compromised a cloud service provider based in Israel and likely used this access to\r\ncompromise downstream customers of the service provider. Specifically, MSTIC observed that POLONIUM\r\npivoted through the service provider and gained access to a law firm and an aviation company in Israel. The tactic\r\nof leveraging IT products and service providers to gain access to downstream customers remains a favorite of\r\nIranian actors and their proxies.\r\nMicrosoft will continue to monitor ongoing activity from POLONIUM and the other Iranian MOIS-affiliated\r\nactors discussed in this blog and implement protections for our customers. The current detections, advanced\r\ndetections, and IOCs in place across our security products are detailed below.\r\nRecommended customer actions\r\nThe techniques used by the actor described in the “Observed actor activity” section can be mitigated by adopting\r\nthe security considerations provided below:\r\nUse the included indicators of compromise to investigate whether they exist in your environment and\r\nassess for potential intrusion. 
Microsoft Sentinel queries are provided in the advanced hunting section\r\nbelow.\r\nConfirm that Microsoft Defender Antivirus is updated to security intelligence update 1.365.40.0 or later, or\r\nensure that cloud protection is turned on, to detect the related indicators.\r\nBlock inbound traffic from, and outbound connections to, the IPs specified in the “Indicators of compromise”\r\ntable; the CreepySnail and plink C2 addresses are contacted from inside the victim network.\r\nReview all authentication activity for remote access infrastructure (VPNs), with a particular focus on\r\naccounts configured with single factor authentication, to confirm authenticity and investigate any\r\nanomalous activity.\r\nEnable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that\r\nMFA is enforced for all remote connectivity. NOTE: Microsoft strongly encourages all customers to\r\ndownload and use passwordless solutions like Microsoft Authenticator to secure your accounts.\r\nFor customers that have relationships with service providers, review and audit partner relationships to\r\nminimize any unnecessary permissions between your organization and upstream providers. Microsoft\r\nrecommends immediately removing access for any partner relationships that look unfamiliar or have not\r\nyet been audited.\r\nIndicators of compromise (IOCs)\r\nThe below list provides IOCs observed during our investigation. 
We encourage our customers to investigate these\r\nindicators in their environments and implement detections and protections to identify past related activity and\r\nprevent future attacks against their systems.\r\nIndicator Type Description\r\n135[.]125[.]147[.]170:80 IPv4 address C2 for POLONIUM CreepySnail implant\r\n185[.]244[.]129[.]79:63047 IPv4 address C2 for POLONIUM CreepySnail implant\r\n185[.]244[.]129[.]79:80 IPv4 address C2 for POLONIUM CreepySnail implant\r\n45[.]80[.]149[.]108:63047 IPv4 address C2 for POLONIUM CreepySnail implant\r\n45[.]80[.]149[.]108:80 IPv4 address C2 for POLONIUM CreepySnail implant\r\n45[.]80[.]149[.]57:63047 IPv4 address C2 for POLONIUM CreepySnail implant\r\n45[.]80[.]149[.]68:63047 IPv4 address C2 for POLONIUM CreepySnail implant\r\n45[.]80[.]149[.]71:80 IPv4 address C2 for POLONIUM CreepySnail implant\r\n185[.]244[.]129[.]109 IPv4 address C2 for POLONIUM plink tunnels\r\n172[.]96[.]188[.]51 IPv4 address C2 for POLONIUM plink tunnels\r\n51[.]83[.]246[.]73 IPv4 address C2 for POLONIUM plink tunnels\r\nTrojan:PowerShell/CreepyDrive.A!dha Tool Custom implant signature\r\nTrojan:PowerShell/CreepyDrive.B!dha Tool Custom implant signature\r\nTrojan:PowerShell/CreepyDrive.C!dha Tool Custom implant signature\r\nTrojan:PowerShell/CreepyDrive.D!dha Tool Custom implant signature\r\nTrojan:PowerShell/CreepyDrive.E!dha Tool Custom implant signature\r\nTrojan:MSIL/CreepyBox.A!dha Tool Custom implant signature\r\nTrojan:MSIL/CreepyBox.B!dha Tool Custom implant signature\r\nTrojan:MSIL/CreepyBox.C!dha Tool Custom implant signature\r\nTrojan:MSIL/CreepyRing.A!dha Tool Custom implant signature\r\nTrojan:MSIL/CreepyWink.B!dha Tool Custom implant signature\r\nBackdoor:PowerShell/CreepySnail.B!dha Tool Custom implant signature\r\nNOTE: These indicators should not be considered exhaustive for this observed activity.\r\nDetections\r\nMicrosoft 365 Defender\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects the malware tools and implants used by POLONIUM starting from signature\r\nbuild 1.365.40.0 as the following:\r\nTrojan:PowerShell/CreepyDrive.A!dha\r\nTrojan:PowerShell/CreepyDrive.B!dha\r\nTrojan:PowerShell/CreepyDrive.C!dha\r\nTrojan:PowerShell/CreepyDrive.D!dha\r\nTrojan:PowerShell/CreepyDrive.E!dha\r\nTrojan:MSIL/CreepyBox.A!dha\r\nTrojan:MSIL/CreepyBox.B!dha\r\nTrojan:MSIL/CreepyBox.C!dha\r\nTrojan:MSIL/CreepyRing.A!dha\r\nTrojan:MSIL/CreepyWink.B!dha\r\nBackdoor:PowerShell/CreepySnail.B!dha\r\nMicrosoft Defender for Endpoint\r\nMicrosoft Defender for Endpoint customers may see any or a combination of the following alerts as an indication\r\nof possible attack. These alerts are not necessarily an indication of POLONIUM compromise:\r\nPOLONIUM Actor Activity Detected\r\nPowerShell made a suspicious network connection\r\nSuspicious behavior by powershell.exe was observed\r\nHidden dual-use tool launch attempt\r\nOutbound connection to non-standard port\r\nMicrosoft Defender for Cloud Apps\r\nThe OAuth apps created in the victim tenants requested only two permission scopes: offline_access and\r\nFiles.ReadWrite.All. offline_access is what yields the long-lived refresh token embedded in the implant, and\r\nFiles.ReadWrite.All grants read and write access to every file the consenting user can reach. The applications\r\nwere registered as multi-tenant and performed only OneDrive operations. 
The applications accessed the OneDrive workload via the Graph API; most calls to the API\r\nfrom the application were search activities, with a few edit operations also observed.\r\nApp governance alert: App made numerous searches and edits in OneDrive\r\nApp governance, an add-on to Microsoft Defender for Cloud Apps, detects malicious OAuth applications that\r\nmake numerous searches and edits in OneDrive. Learn how to investigate anomaly detection alerts in Microsoft\r\nDefender for Cloud Apps.\r\nFigure: Microsoft Defender for Cloud Apps alert for malicious OAuth apps\r\nAdvanced hunting queries\r\nMicrosoft Sentinel\r\nIdentify POLONIUM IOCs\r\nThis query identifies POLONIUM network IOCs within available Azure Sentinel network logging:\r\nhttps://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/POLONIUMIPIoC.yaml\r\nDetect CreepySnail static URI parameters\r\nThe CreepySnail tool utilizes static URI parameters that can be detected using the following query:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml\r\nDetect Base64-encoded/transmitted machine usernames or IP addresses\r\nCreepySnail also utilizes Base64-encoded parameters to transmit information from the victim to the threat actor. 
The\r\nfollowing queries detect machine usernames or IP addresses (based on Microsoft Defender for Endpoint logging)\r\nbeing transmitted under Base64 encoding in a web request:\r\nhttps://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/B64UserInWebURIFromMDE.yaml\r\nhttps://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/B64IPInURLFromMDE.yaml\r\nDetect POLONIUM requests to predictable OneDrive file paths\r\nThe OneDrive capability that POLONIUM utilizes makes requests to predictable OneDrive file paths to access\r\nvarious folders and files. The following query detects these paths in use:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepyDriveURLs.yaml\r\nThe CreepyDrive implant makes a predictable sequence of requests to Microsoft authentication servers and\r\nOneDrive that can be detected using the following query:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepyDriveRequestSequence.yaml\r\nHunt for other suspicious encoded request parameters\r\nThe following hunting queries can be used to hunt for further suspicious encoded request parameters:\r\nhttps://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/CommonSecurityLog/B64IPInURL.yaml\r\nhttps://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/CommonSecurityLog/RiskyCommandB64EncodedInUrl.yaml\r\nSource: https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/
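Added example (Python; not code from the Microsoft post and not POLONIUM tooling): the two detections the post describes, the CreepyDrive request sequence from the CreepyDrive analysis section (consumer token endpoint, then Documents/data.txt, then Documents/response.json) and the CreepySnail-style Base64-encoded account name or source IP in a request URL from the hunting section, implemented over a handful of constructed web-proxy records. The record layout, the account names, the CreepySnail parameter names u and h, and the sample hosts are assumptions; the token endpoint, the OneDrive paths and the 45.80.149.108:63047 C2 are the ones named in the post.

```python
# Added example (not from the Microsoft post): detection logic for the CreepyDrive
# beacon cycle and for CreepySnail-style Base64-encoded host identifiers, run
# over constructed web-proxy records. The record layout and the CreepySnail
# parameter names (u, h) are assumptions; the token endpoint and OneDrive paths
# are the ones named in the post.
import base64
import binascii
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

TOKEN_ENDPOINT = ('login.microsoftonline.com', '/consumers/oauth2/v2.0/token')
GRAPH_HOST = 'graph.microsoft.com'
TASKING_PATH = '/v1.0/me/drive/root:/Documents/data.txt:/content'
RESULTS_PATH = '/v1.0/me/drive/root:/Documents/response.json:/content'
STAGING_PREFIXES = ('/v1.0/me/drive/root:/Uploaded/', '/v1.0/me/drive/root:/Downloaded/')
B64_RE = re.compile('^[A-Za-z0-9+/]{8,}={0,2}$')


def parse_line(line):
    # Constructed record layout: <iso time> <source ip> <account> <method> <url>
    ts, src, user, method, url = line.split()
    parts = urlsplit(url)
    return {'ts': datetime.fromisoformat(ts.rstrip('Z')), 'src': src, 'user': user,
            'method': method, 'host': parts.hostname, 'path': parts.path, 'query': parts.query}


def is_graph(event, path):
    return event['host'] == GRAPH_HOST and event['path'] == path


def find_creepydrive_sequences(events, window=timedelta(minutes=10)):
    # A source that, in order and within the window, POSTs to the consumer token
    # endpoint, GETs Documents/data.txt and PUTs Documents/response.json has run
    # one CreepyDrive tasking cycle. Returns the matching source IPs.
    by_src = defaultdict(list)
    for e in events:
        by_src[e['src']].append(e)
    hits = set()
    for src, evs in by_src.items():
        stage, start = 0, None
        for e in sorted(evs, key=lambda ev: ev['ts']):
            if start is not None and e['ts'] - start > window:
                stage, start = 0, None  # cycle took too long, start over
            if stage == 0 and e['method'] == 'POST' and (e['host'], e['path']) == TOKEN_ENDPOINT:
                stage, start = 1, e['ts']
            elif stage == 1 and e['method'] == 'GET' and is_graph(e, TASKING_PATH):
                stage = 2
            elif stage == 2 and e['method'] == 'PUT' and is_graph(e, RESULTS_PATH):
                hits.add(src)
                break
    return sorted(hits)


def find_creepydrive_paths(events):
    # Any single request to the fixed tasking/result files or the staging folders
    # is worth flagging on its own, independent of the sequence.
    return [e for e in events if e['host'] == GRAPH_HOST and
            (e['path'] in (TASKING_PATH, RESULTS_PATH) or e['path'].startswith(STAGING_PREFIXES))]


def find_b64_identifiers(events):
    # Flags query values that Base64-decode to the requesting account name or
    # source IP. Parameter names are not assumed: every value is tried, so a
    # renamed parameter still fires. Very short account names would over-match.
    hits = []
    for e in events:
        for pair in e['query'].split('&'):
            key, _, value = pair.partition('=')
            value = unquote(value)
            if not B64_RE.match(value):
                continue
            try:
                padded = value + '=' * (-len(value) % 4)
                decoded = base64.b64decode(padded, validate=True).decode('utf-8')
            except (binascii.Error, UnicodeDecodeError):
                continue
            if e['user'] in decoded or e['src'] in decoded:
                hits.append((e['src'], e['host'], key, decoded))
    return hits


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample records: one CreepyDrive cycle, one benign OneDrive client,
# one CreepySnail-style check-in and one benign request carrying Base64.
SAMPLE_LOG = [
    '2022-05-10T08:00:00Z 10.0.5.21 svc_backup POST https://login.microsoftonline.com/consumers/oauth2/v2.0/token',
    '2022-05-10T08:00:02Z 10.0.5.21 svc_backup GET https://graph.microsoft.com' + TASKING_PATH,
    '2022-05-10T08:00:05Z 10.0.5.21 svc_backup PUT https://graph.microsoft.com/v1.0/me/drive/root:/Uploaded/finance.zip:/content',
    '2022-05-10T08:00:07Z 10.0.5.21 svc_backup PUT https://graph.microsoft.com' + RESULTS_PATH,
    '2022-05-10T08:01:00Z 10.0.5.30 asmith POST https://login.microsoftonline.com/consumers/oauth2/v2.0/token',
    '2022-05-10T08:01:03Z 10.0.5.30 asmith GET https://graph.microsoft.com/v1.0/me/drive/root/children',
    '2022-05-10T08:02:00Z 10.0.5.22 jsmith GET http://45.80.149.108:63047/?u=' + _b64('jsmith@WS07') + '&h=' + _b64('10.0.5.22'),
    '2022-05-10T08:03:00Z 10.0.5.30 asmith GET https://cdn.example.net/api?state=' + _b64('hello world'),
]


def hunt(lines):
    events = [parse_line(line) for line in lines]
    return {
        'creepydrive_sequence_sources': find_creepydrive_sequences(events),
        'creepydrive_path_events': [(e['src'], e['method'], e['path']) for e in find_creepydrive_paths(events)],
        'b64_identifier_events': find_b64_identifiers(events),
    }


if __name__ == '__main__':
    for name, result in hunt(SAMPLE_LOG).items():
        print(name, result)
```

Run the file directly to print the three result sets for the constructed records; in practice, feed it the URL, source and account columns exported from proxy logs or Defender for Endpoint network events, and keep the window short enough that a normal OneDrive sync client, which also requests tokens, does not line up with a later data.txt read and response.json write by chance.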
",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MISPGALAXY",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/"
	],
	"report_names": [
		"exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations"
	],
	"threat_actors": [
		{
			"id": "cde987a8-c71f-49e2-b761-5b7fa2b4ada6",
			"created_at": "2022-10-25T16:07:23.706646Z",
			"updated_at": "2026-04-10T02:00:04.719127Z",
			"deleted_at": null,
			"main_name": "Hexane",
			"aliases": [
				"ATK 120",
				"Cobalt Lyceum",
				"G1001",
				"Lyceum",
				"Operation Out to Sea",
				"Siamesekitten",
				"Yellow Dev 9"
			],
			"source_name": "ETDA:Hexane",
			"tools": [
				"DanBot",
				"DanDrop",
				"Decrypt-RDCMan.ps1",
				"Get-LAPSP.ps1",
				"James",
				"Milan",
				"kl.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d866a181-c427-43df-9948-a8010a8fdad6",
			"created_at": "2022-10-27T08:27:13.080609Z",
			"updated_at": "2026-04-10T02:00:05.303153Z",
			"deleted_at": null,
			"main_name": "POLONIUM",
			"aliases": [
				"POLONIUM",
				"Plaid Rain"
			],
			"source_name": "MITRE:POLONIUM",
			"tools": [
				"CreepyDrive",
				"CreepySnail"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6cfeba14-c84e-4606-88b9-c7a7689c450f",
			"created_at": "2022-10-25T16:07:24.06766Z",
			"updated_at": "2026-04-10T02:00:04.857565Z",
			"deleted_at": null,
			"main_name": "Polonium",
			"aliases": [
				"G1005",
				"Incendiary Jackal",
				"Plaid Rain"
			],
			"source_name": "ETDA:Polonium",
			"tools": [
				"CreepyDrive",
				"CreepySnail",
				"DeepCreep",
				"FlipCreep",
				"MegaCreep",
				"PapaCreep",
				"TechnoCreep"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9fb19abe-4035-4f22-a595-641b7f3443a9",
			"created_at": "2022-10-25T15:50:23.748944Z",
			"updated_at": "2026-04-10T02:00:05.395401Z",
			"deleted_at": null,
			"main_name": "CopyKittens",
			"aliases": [
				"CopyKittens"
			],
			"source_name": "MITRE:CopyKittens",
			"tools": [
				"Cobalt Strike",
				"TDTESS",
				"Matryoshka"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc5c22a8-29eb-4a87-acd6-4817060e80f2",
			"created_at": "2022-10-25T15:50:23.658256Z",
			"updated_at": "2026-04-10T02:00:05.38013Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Volatile Cedar",
				"Lebanese Cedar"
			],
			"source_name": "MITRE:Volatile Cedar",
			"tools": [
				"Caterpillar WebShell"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a7df240e-6750-4b71-99de-85831b92faa2",
			"created_at": "2022-10-25T15:50:23.859253Z",
			"updated_at": "2026-04-10T02:00:05.285965Z",
			"deleted_at": null,
			"main_name": "HEXANE",
			"aliases": [
				"Lyceum",
				"Siamesekitten",
				"Spirlin"
			],
			"source_name": "MITRE:HEXANE",
			"tools": [
				"Milan",
				"netstat",
				"BITSAdmin",
				"DnsSystem",
				"DanBot",
				"ipconfig",
				"Mimikatz",
				"Kevin",
				"PoshC2"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "17b152bc-6f7e-463c-8b4c-a4844caea6df",
			"created_at": "2023-01-06T13:46:38.498795Z",
			"updated_at": "2026-04-10T02:00:03.000373Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Lebanese Cedar",
				"DeftTorero"
			],
			"source_name": "MISPGALAXY:Volatile Cedar",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fb8f3a5f-01a9-498e-9396-52f844424c33",
			"created_at": "2023-01-06T13:46:39.045338Z",
			"updated_at": "2026-04-10T02:00:03.195743Z",
			"deleted_at": null,
			"main_name": "LYCEUM",
			"aliases": [
				"Spirlin",
				"MYSTICDOME",
				"siamesekitten",
				"Chrono Kitten",
				"Storm-0133",
				"COBALT LYCEUM",
				"UNC1530"
			],
			"source_name": "MISPGALAXY:LYCEUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b7823339-891d-4ded-b01d-1f142a88bc64",
			"created_at": "2023-01-06T13:46:39.381591Z",
			"updated_at": "2026-04-10T02:00:03.308737Z",
			"deleted_at": null,
			"main_name": "POLONIUM",
			"aliases": [
				"GREATRIFT",
				"INCENDIARY JACKAL",
				"Plaid Rain",
				"UNC4453"
			],
			"source_name": "MISPGALAXY:POLONIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5e7c75c6-097f-4d80-8c98-73485fe2a729",
			"created_at": "2022-10-25T16:07:24.386715Z",
			"updated_at": "2026-04-10T02:00:04.970172Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Amethyst Rain",
				"Dancing Salome",
				"DeftTorero",
				"G0123",
				"VolcanicTimber"
			],
			"source_name": "ETDA:Volatile Cedar",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Adminer",
				"DirBuster",
				"GoBuster",
				"JuicyPotato",
				"RottenPotato",
				"SharPyShell"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "386b1b0a-9217-46d4-a0d6-73d6286154e0",
			"created_at": "2025-08-07T02:03:24.760429Z",
			"updated_at": "2026-04-10T02:00:03.619131Z",
			"deleted_at": null,
			"main_name": "COBALT LYCEUM",
			"aliases": [
				"DEV-0133 ",
				"HEXANE ",
				"ScorchedEpoch "
			],
			"source_name": "Secureworks:COBALT LYCEUM",
			"tools": [
				"DanBot",
				"MilanRAT",
				"RGDoor",
				"SharkWork RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f4557ed9-2455-44c5-a768-dfb80ccae259",
			"created_at": "2023-01-06T13:46:38.652329Z",
			"updated_at": "2026-04-10T02:00:03.055638Z",
			"deleted_at": null,
			"main_name": "CopyKittens",
			"aliases": [
				"Slayer Kitten",
				"G0052"
			],
			"source_name": "MISPGALAXY:CopyKittens",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "467c5e72-55a6-40a9-9b73-bb764889c0a5",
			"created_at": "2022-10-25T16:07:23.486532Z",
			"updated_at": "2026-04-10T02:00:04.628477Z",
			"deleted_at": null,
			"main_name": "CopyKittens",
			"aliases": [
				"CopyKittens",
				"G0052",
				"Operation Wilted Tulip",
				"Slayer Kitten"
			],
			"source_name": "ETDA:CopyKittens",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"EmPyre",
				"EmpireProject",
				"Matryoshka",
				"Matryoshka RAT",
				"PowerShell Empire",
				"TDTESS",
				"Vminst",
				"ZPP",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434260,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/df1109697af74948a23a2c83d6f4587d00b15903.pdf",
		"text": "https://archive.orkl.eu/df1109697af74948a23a2c83d6f4587d00b15903.txt",
		"img": "https://archive.orkl.eu/df1109697af74948a23a2c83d6f4587d00b15903.jpg"
	}
}