{
	"id": "8441ae95-35d5-40a2-8f69-f004a1c7ef1b",
	"created_at": "2026-04-06T00:22:12.80368Z",
	"updated_at": "2026-04-10T03:36:17.197909Z",
	"deleted_at": null,
	"sha1_hash": "e4f7f82a9b2fe27ff51d18e97381e03c0a4b0734",
	"title": "Microsoft Defender for Cloud Archives | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49946,
	"plain_text": "Microsoft Defender for Cloud Archives | Microsoft Security Blog\r\nPublished: 2026-04-01 · Archived: 2026-04-05 22:41:48 UTC\r\nMitigating the Axios npm supply chain compromise\r\nOn March 31, 2026, the popular HTTP client Axios experienced a supply chain attack, in which two newly published npm package versions downloaded a payload from command and control (C2) infrastructure that Microsoft Threat Intelligence has attributed to the North Korean state actor Sapphire Sleet.\r\nAI as tradecraft: How threat actors operationalize AI\r\nThreat actors are operationalizing AI to scale and sustain malicious activity, accelerating their tradecraft and increasing risk for defenders, as illustrated by recent activity from North Korean groups such as Jasper Sleet and Coral Sleet (formerly Storm-1877).\r\nHow Microsoft builds privacy and security to work hand-in-hand\r\nLearn how Microsoft unites privacy and security through advanced tools and global compliance to protect data and build trust.\r\nDefending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components\r\nCVE-2025-55182 (also referred to as React2Shell; CVE-2025-66478 was merged into it) is a critical pre-authentication remote code execution (RCE) vulnerability affecting React Server Components and related frameworks.\r\nShai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack\r\nThe Shai-Hulud 2.0 supply chain attack represents one of the most significant cloud-native ecosystem compromises observed recently.\r\nNew IDC research highlights a major cloud security shift\r\nNew IDC research shows why CISOs must move toward AI-powered, integrated platforms like CNAPP, XDR, and SIEM to reduce risk, cut complexity, and strengthen resilience.\r\nInside the attack chain: Threat activity targeting Azure Blob Storage\r\nAzure Blob Storage is a high-value target for threat actors because of its critical role in storing and managing massive amounts of unstructured data at scale across diverse workloads. It is increasingly targeted through sophisticated attack chains that exploit misconfigurations, exposed credentials, and evolving cloud tactics.\r\nStorm-0501’s evolving techniques lead to cloud-based ransomware\r\nFinancially motivated threat actor Storm-0501 has continuously evolved its campaigns, sharpening its focus on cloud-based tactics, techniques, and procedures (TTPs).\r\nNew Russia-affiliated actor Void Blizzard targets critical sectors for espionage\r\nMicrosoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard, which we assess with high confidence to be Russia-affiliated and active since at least April 2024.\r\nUnderstanding the threat landscape for Kubernetes and containerized assets\r\nThe dynamic nature of containers can make it challenging for security teams to detect runtime anomalies or pinpoint the source of a security incident, giving attackers an opportunity to stay undetected.\r\nCyber Signals Issue 9 | AI-powered deception: Emerging fraud threats and countermeasures\r\nMicrosoft maintains a continuous effort to protect its platforms and customers from fraud and abuse.\r\nMalvertising campaign leads to info stealers hosted on GitHub\r\nMicrosoft detected a large-scale malvertising campaign in early December 2024 that impacted nearly one million devices globally.\r\nSource: https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/"
	],
	"report_names": [
		"windows-10-platform-resilience-against-the-petya-ransomware-attack"
	],
	"threat_actors": [
		{
			"id": "32e2c6f9-a1f5-42bc-ac1d-5d9dc301cf0e",
			"created_at": "2025-08-07T02:03:25.078429Z",
			"updated_at": "2026-04-10T02:00:03.811418Z",
			"deleted_at": null,
			"main_name": "NICKEL ALLEY",
			"aliases": [
				"CL-STA-0240",
				"Purplebravo Recorded Future",
				"Storm-1877",
				"Tenacious Pungsan"
			],
			"source_name": "Secureworks:NICKEL ALLEY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "810fada6-3a62-477e-ac11-2702f9a1ef80",
			"created_at": "2023-01-06T13:46:38.874104Z",
			"updated_at": "2026-04-10T02:00:03.129286Z",
			"deleted_at": null,
			"main_name": "STARDUST CHOLLIMA",
			"aliases": [
				"Sapphire Sleet"
			],
			"source_name": "MISPGALAXY:STARDUST CHOLLIMA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1f05374d-f103-4882-8f74-0c3081de112e",
			"created_at": "2025-06-29T02:01:57.226883Z",
			"updated_at": "2026-04-10T02:00:04.968464Z",
			"deleted_at": null,
			"main_name": "Void Blizzard",
			"aliases": [
				"Laundry Bear"
			],
			"source_name": "ETDA:Void Blizzard",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c2f84ab8-e990-4fa8-97db-81eb3166b207",
			"created_at": "2025-10-29T02:00:51.915334Z",
			"updated_at": "2026-04-10T02:00:05.318636Z",
			"deleted_at": null,
			"main_name": "Storm-0501",
			"aliases": [
				"Storm-0501"
			],
			"source_name": "MITRE:Storm-0501",
			"tools": [
				"Impacket",
				"Tasklist",
				"Cobalt Strike",
				"Rclone",
				"Nltest",
				"AADInternals"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Citrine Sleet",
				"HIDDEN COBRA",
				"Lazarus Group",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71"
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dcb6e92a-83be-408c-bc06-80652883a996",
			"created_at": "2025-06-05T02:00:04.420438Z",
			"updated_at": "2026-04-10T02:00:03.88532Z",
			"deleted_at": null,
			"main_name": "Void Blizzard",
			"aliases": [
				"LAUNDRY BEAR",
				"UAC-0190"
			],
			"source_name": "MISPGALAXY:Void Blizzard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6a0c148e-64fe-40fa-a35a-4d9a6ddd7fb0",
			"created_at": "2024-10-04T02:00:04.769179Z",
			"updated_at": "2026-04-10T02:00:03.716865Z",
			"deleted_at": null,
			"main_name": "Storm-0501",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-0501",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ef59a0d9-c556-4448-8553-ed28f315d352",
			"created_at": "2025-06-29T02:01:57.047978Z",
			"updated_at": "2026-04-10T02:00:04.744218Z",
			"deleted_at": null,
			"main_name": "Operation Contagious Interview",
			"aliases": [
				"Jasper Sleet",
				"Nickel Tapestry",
				"Operation Contagious Interview",
				"PurpleBravo",
				"Storm-0287",
				"Tenacious Pungsan",
				"UNC5267",
				"Wagemole",
				"WaterPlum"
			],
			"source_name": "ETDA:Operation Contagious Interview",
			"tools": [
				"BeaverTail",
				"InvisibleFerret",
				"OtterCookie",
				"PylangGhost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434932,
	"ts_updated_at": 1775792177,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e4f7f82a9b2fe27ff51d18e97381e03c0a4b0734.pdf",
		"text": "https://archive.orkl.eu/e4f7f82a9b2fe27ff51d18e97381e03c0a4b0734.txt",
		"img": "https://archive.orkl.eu/e4f7f82a9b2fe27ff51d18e97381e03c0a4b0734.jpg"
	}
}