{
	"id": "ea77cdea-08de-4de9-adaa-ae01c2c4bad9",
	"created_at": "2026-04-06T00:11:30.063316Z",
	"updated_at": "2026-04-10T03:37:32.458901Z",
	"deleted_at": null,
	"sha1_hash": "f2cbf4ebed314e4469ae9e04b9f35a24460558fa",
	"title": "Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 232481,
	"plain_text": "Midnight Blizzard conducts large-scale spear-phishing campaign\r\nusing RDP files\r\nBy Microsoft Threat Intelligence\r\nPublished: 2024-10-29 · Archived: 2026-04-05 21:34:21 UTC\r\nSince October 22, 2024, Microsoft Threat Intelligence has observed Russian threat actor Midnight Blizzard\r\nsending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors. This activity is ongoing, and Microsoft will continue to investigate\r\nand provide updates as available. Based on our investigation of previous Midnight Blizzard spear-phishing\r\ncampaigns, we assess that the goal of this operation is likely intelligence collection. Microsoft is releasing this\r\nblog to notify the public and disrupt this threat actor activity. This blog provides context on these external spear-phishing attempts, which are common attack techniques and do not represent any new compromise of Microsoft.\r\nThe spear-phishing emails in this campaign were sent to thousands of targets in over 100 organizations and\r\ncontained a signed Remote Desktop Protocol (RDP) configuration file that connected to an actor-controlled server.\r\nIn some of the lures, the actor attempted to add credibility to their malicious messages by impersonating Microsoft\r\nemployees. The threat actor also referenced other cloud providers in the phishing lures.\r\nWhile this campaign focuses on many of Midnight Blizzard’s usual targets, the use of a signed RDP configuration\r\nfile to gain access to the targets’ devices represents a novel access vector for this actor. 
Overlapping activity has\r\nalso been reported by the Government Computer Emergency Response Team of Ukraine (CERT-UA) under the\r\ndesignation UAC-0215 and also by Amazon.\r\nMidnight Blizzard is a Russian threat actor attributed by the United States and United Kingdom governments to\r\nthe Foreign Intelligence Service of the Russian Federation, also known as the SVR. This threat actor is known to\r\nprimarily target governments, diplomatic entities, non-governmental organizations (NGOs), and IT service\r\nproviders, primarily in the United States and Europe. Its focus is to collect intelligence through longstanding and\r\ndedicated espionage of foreign interests that can be traced to early 2018. Its operations often involve compromise\r\nof valid accounts and, in some highly targeted cases, advanced techniques to compromise authentication\r\nmechanisms within an organization to expand access and evade detection.\r\nMidnight Blizzard is consistent and persistent in its operational targeting, and its objectives rarely change. It uses\r\ndiverse initial access methods, including spear phishing, stolen credentials, supply chain attacks, compromise of\r\non-premises environments to laterally move to the cloud, and leveraging service providers’ trust chain to gain\r\naccess to downstream customers. Midnight Blizzard is known to use the Active Directory Federation Service (AD\r\nFS) malware known as FOGGYWEB and MAGICWEB. Midnight Blizzard is identified by peer security vendors\r\nas APT29, UNC2452, and Cozy Bear.\r\nAs with any observed nation-state actor activity, Microsoft is in the process of directly notifying customers that\r\nhave been targeted or compromised, providing them with the necessary information to secure their accounts.\r\nStrong anti-phishing measures will help to mitigate this threat. 
As part of our commitment to helping protect\r\nhttps://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/\r\nPage 1 of 15\n\nagainst cyber threats, we provide indicators of compromise (IOCs), hunting queries, detection details, and\r\nrecommendations at the end of this post.\r\nSpear-phishing campaign\r\nOn October 22, 2024, Microsoft identified a spear-phishing campaign in which Midnight Blizzard sent phishing\r\nemails to thousands of users in over 100 organizations. The emails were highly targeted, using social engineering\r\nlures relating to Microsoft, Amazon Web Services (AWS), and the concept of Zero Trust. The emails contained a\r\nRemote Desktop Protocol (RDP) configuration file signed with a LetsEncrypt certificate. RDP configuration\r\n(.RDP) files summarize automatic settings and resource mappings that are established when a successful\r\nconnection to an RDP server occurs. These configurations extend features and resources of the local system to a\r\nremote server, controlled by the actor.\r\nIn this campaign, the malicious .RDP attachment contained several sensitive settings that would lead to significant\r\ninformation exposure. Once the target system was compromised, it connected to the actor-controlled server and\r\nbidirectionally mapped the targeted user’s local device’s resources to the server. Resources sent to the server may\r\ninclude, but are not limited to, all logical hard disks, clipboard contents, printers, connected peripheral devices,\r\naudio, and authentication features and facilities of the Windows operating system, including smart cards. This\r\naccess could enable the threat actor to install malware on the target’s local drive(s) and mapped network share(s),\r\nparticularly in AutoStart folders, or install additional tools such as remote access trojans (RATs) to maintain access\r\nwhen the RDP session is closed. 
The process of establishing an RDP connection to the actor-controlled system\r\nmay also expose the credentials of the user signed in to the target system.\r\nFigure 1. Malicious remote connection\r\nRDP connection\r\nWhen the target user opened the .RDP attachment, an RDP connection was established to an actor-controlled\r\nsystem. The configuration of the RDP connection then allowed the actor-controlled system to discover and use\r\ninformation about the target system, including:\r\nFiles and directories\r\nConnected network drives\r\nConnected peripherals, including smart cards, printers, and microphones\r\nWeb authentication using Windows Hello, passkeys, or security keys\r\nClipboard data\r\nPoint of Service (also known as Point of Sale or POS) devices\r\nTargets\r\nMicrosoft has observed this campaign targeting governmental agencies, higher education, defense, and non-governmental organizations in dozens of countries, but particularly in the United Kingdom, Europe, Australia, and\r\nJapan. This target set is consistent with other Midnight Blizzard phishing campaigns.\r\nEmail infrastructure\r\nMidnight Blizzard sent the phishing emails in this campaign using email addresses belonging to legitimate\r\norganizations that were gathered during previous compromises. 
The domains used are listed in the IOC section\r\nbelow.\r\nMitigations\r\nMicrosoft recommends the following mitigations to reduce the impact of this threat.\r\nStrengthen operating environment configuration\r\nUtilize Windows Firewall or Windows Firewall with Advanced Security to help prevent or restrict\r\noutbound RDP connection attempts to external or public networks.\r\nRequire multifactor authentication (MFA). Implementation of MFA remains an essential pillar in identity\r\nsecurity and is highly effective at stopping a variety of threats.\r\nLeverage phishing-resistant authentication methods such as FIDO Tokens, or Microsoft Authenticator with\r\nnumber matching. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.\r\nImplement Conditional Access authentication strength to require phishing-resistant authentication for\r\nemployees and external users for critical apps.\r\nEncourage users to use Microsoft Edge and other web browsers that support Microsoft Defender\r\nSmartScreen, which identifies and helps block malicious websites, including phishing sites, scam sites, and\r\nsites that host malware.\r\nStrengthen endpoint security configuration\r\nIf you are using Microsoft Defender for Endpoint, take the following steps:\r\nEnsure tamper protection is turned on in Microsoft Defender for Endpoint.\r\nTurn on network protection in Microsoft Defender for Endpoint.\r\nTurn on web protection.\r\nRun endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can\r\nhelp block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when\r\nMicrosoft Defender Antivirus is running in passive mode. 
EDR in block mode works behind the scenes to\r\nhelp remediate malicious artifacts that are detected post-breach.\r\nConfigure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint\r\ntake immediate action on alerts to help resolve breaches, significantly reducing alert volume.\r\nMicrosoft Defender XDR customers can turn on the following attack surface reduction rules to help\r\nprevent common attack techniques used by threat actors.\r\nBlock executable content from email client and webmail\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion\r\nStrengthen antivirus configuration\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus\r\nproduct, to help cover rapidly evolving attacker tools and techniques. Cloud-based machine learning\r\nprotections help block a majority of new and unknown variants.\r\nEnable Microsoft Defender Antivirus scanning of downloaded files and attachments.\r\nEnable Microsoft Defender Antivirus real-time protection.\r\nStrengthen Microsoft Office 365 configuration\r\nTurn on Safe Links and Safe Attachments for Office 365.\r\nEnable Zero-hour auto purge (ZAP) in Office 365 to help quarantine sent mail in response to newly\r\nacquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages\r\nthat have already been delivered to mailboxes.\r\nStrengthen email security configuration\r\nInvest in advanced anti-phishing solutions that monitor incoming emails and visited websites. For example,\r\nMicrosoft Defender for Office 365 merges incident and alert management across email, devices, and\r\nidentities, centralizing investigations for email-based threats. 
Organizations can also leverage web\r\nbrowsers that automatically identify and help block malicious websites, including those used in phishing\r\nactivities.\r\nIf you are using Microsoft Defender for Office 365, configure it to recheck links on click. Safe Links\r\nprovides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click\r\nverification of URLs and links in email messages, other Microsoft 365 applications such as Teams, and\r\nother locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam\r\nand anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP).\r\nSafe Links scanning can help protect an organization from malicious links used in phishing and other\r\nattacks.\r\nIf you are using Microsoft Defender for Office 365, use the Attack Simulator in Microsoft Defender for\r\nOffice 365 to run realistic, yet safe, simulated phishing and password attack campaigns. Run spear-phishing (credential harvest) simulations to train end-users against clicking URLs in unsolicited messages\r\nand disclosing credentials.\r\nConduct user education\r\nRobust user education can help mitigate the threat of social engineering and phishing emails. Companies\r\nshould have a user education program that highlights how to identify and report suspicious emails.\r\nMicrosoft Defender XDR detections\r\nMicrosoft Defender for Endpoint\r\nThe following alerts may also indicate threat activity associated with this threat. 
These alerts, however, can be\r\ntriggered by unrelated threat activity and are not monitored in the status cards provided with this report.\r\nMidnight Blizzard Actor activity group\r\nSuspicious RDP session\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects at least some of the malicious .RDP files as the following signature:\r\nBackdoor:Script/HustleCon.A\r\nMicrosoft Defender for Cloud\r\nThe following alerts may also indicate threat activity associated with this threat. These alerts, however, can be\r\ntriggered by unrelated threat activity and are not monitored in the status cards provided with this report.\r\nCommunication with suspicious domain identified by threat intelligence\r\nSuspicious outgoing RDP network activity\r\nTraffic detected from IP addresses recommended for blocking\r\nMicrosoft Defender for Office 365\r\nMicrosoft Defender for Office 365 raises alerts on this campaign using email- and attachment-based detections.\r\nAdditionally, hunting signatures and an RDP file parser have been incorporated into detections to block similar\r\ncampaigns in the future. Defenders can identify such activity in alert titles referencing RDP, for example,\r\nTrojan_RDP*.\r\nThreat intelligence reports\r\nMicrosoft customers can use the following reports in Microsoft products to get the most up-to-date information\r\nabout the threat actor, malicious activity, and techniques discussed in this blog. 
These reports provide threat\r\nintelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated\r\nthreats found in customer environments.\r\nMicrosoft Defender Threat Intelligence\r\nMidnight Blizzard targets NGOs in new wave of initial access campaigns.\r\nMidnight Blizzard targets diplomatic, NGOs, and humanitarian organizations in global spear phishing\r\nactivity.\r\nHunting queries\r\nMicrosoft Defender XDR\r\nIdentify potential Midnight Blizzard targeted recipients\r\nSurface possible targeted email accounts within the environment where the email sender originated from a\r\nMidnight Blizzard compromised domain related to the RDP activity.\r\nEmailEvents\r\n| where SenderFromDomain in~ (\"sellar.co.uk\", \"townoflakelure.com\", \"totalconstruction.com.au\",\r\n\"swpartners.com.au\", \"cewalton.com\")\r\n| project SenderFromDomain, SenderFromAddress, RecipientEmailAddress, Subject, Timestamp\r\nSurface potential targets of an RDP attachment phishing attempt\r\nSurface emails that contain a remote desktop protocol (RDP) file attached. This may indicate that the recipient of\r\nthe email may have been targeted in an RDP attachment phishing attack attempt.\r\nEmailAttachmentInfo\r\n| where FileName has \".rdp\"\r\n| join kind=inner (EmailEvents) on NetworkMessageId\r\n| project SenderFromAddress, RecipientEmailAddress, Subject, Timestamp, FileName, FileType\r\nIdentify potential successfully targeted assets in an RDP attachment phishing attack\r\nSurface devices that may have been targeted in an email with an RDP file attached, followed by an RDP\r\nconnection attempt from the device to an external network. 
This combined activity may indicate that a device may\r\nhave been successfully targeted in an RDP attachment phishing attack.\r\n// Step 1: Identify emails with RDP attachments\r\nlet rdpEmails = EmailAttachmentInfo\r\n| where FileName has \".rdp\"\r\n| join kind=inner (EmailEvents) on NetworkMessageId\r\n| project EmailTimestamp = Timestamp, RecipientEmailAddress, NetworkMessageId, SenderFromAddress;\r\n// Step 2: Identify outbound RDP connections\r\nlet outboundRDPConnections = DeviceNetworkEvents\r\n| where RemotePort == 3389\r\n| where ActionType == \"ConnectionAttempt\"\r\n| where RemoteIPType == \"Public\"\r\n| project RDPConnectionTimestamp = Timestamp, DeviceId, InitiatingProcessAccountUpn, RemoteIP;\r\n// Step 3: Correlate email and network events\r\nrdpEmails\r\n| join kind=inner (outboundRDPConnections) on $left.RecipientEmailAddress ==\r\n$right.InitiatingProcessAccountUpn\r\n| project EmailTimestamp, RecipientEmailAddress, SenderFromAddress, RDPConnectionTimestamp, DeviceId,\r\nRemoteIP\r\nThreat actor RDP connection files attached to email\r\nSurface users that may have received an RDP connection file attached in email that have been observed in this\r\nattack from Midnight Blizzard.\r\nEmailAttachmentInfo\r\n| where FileName in~ (\r\n\"AWS IAM Compliance Check.rdp\",\r\n\"AWS IAM Configuration.rdp\",\r\n\"AWS IAM Quick Start.rdp\",\r\n\"AWS SDE Compliance Check.rdp\",\r\n\"AWS SDE Environment Check.rdp\",\r\n\"AWS Secure Data Exchange - Compliance Check.rdp\",\r\n\"AWS Secure Data Exchange Compliance.rdp\",\r\n\"Device Configuration Verification.rdp\",\r\n\"Device Security Requirements Check.rdp\",\r\n\"IAM Identity Center Access.rdp\",\r\n\"IAM Identity Center Application Access.rdp\",\r\n\"Zero Trust Architecture Configuration.rdp\",\r\n\"Zero Trust Security Environment Compliance 
Check.rdp\",\r\n\"ZTS Device Compatibility Test.rdp\"\r\n)\r\n| project Timestamp, FileName, SHA256, RecipientEmailAddress, SenderDisplayName, SenderFromAddress\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to\r\nautomatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If\r\nthe TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the\r\nMicrosoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.\r\nIndicators of compromise\r\nEmail sender domains\r\nDomains Last seen\r\nsellar[.]co.uk  October 23, 2024\r\ntownoflakelure[.]com  October 23, 2024\r\ntotalconstruction[.]com.au  October 23, 2024\r\nswpartners[.]com.au  October 23, 2024\r\ncewalton[.]com  October 23, 2024\r\nRDP file names\r\nAWS IAM Compliance Check.rdp\r\nAWS IAM Configuration.rdp\r\nAWS IAM Quick Start.rdp\r\nAWS SDE Compliance Check.rdp\r\nAWS SDE Environment Check.rdp\r\nAWS Secure Data Exchange – Compliance Check.rdp\r\nAWS Secure Data Exchange Compliance.rdp\r\nDevice Configuration Verification.rdp\r\nDevice Security Requirements Check.rdp\r\nIAM Identity Center Access.rdp\r\nIAM Identity Center Application Access.rdp\r\nZero Trust Architecture Configuration.rdp\r\nZero Trust Security Environment Compliance Check.rdp\r\nZTS Device Compatibility Test.rdp\r\nRDP remote computer domains\r\n
References\r\nhttps://cert.gov.ua/article/6281076\r\nhttps://aws.amazon.com/blogs/security/amazon-identified-internet-domains-abused-by-apt29/\r\nhttps://media.defense.gov/2024/Oct/09/2003562611/-1/-1/0/CSA-UPDATE-ON-SVR-CYBER-OPS.PDF\r\nhttps://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/\r\nhttps://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/\r\nLearn more\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn at\r\nhttps://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter)\r\nat https://twitter.com/MsftSecIntel.\r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat\r\nlandscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.\r\nSource: https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/"
	],
	"report_names": [
		"midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "159b44ab-8a1c-4b6b-af29-05da47ec94c0",
			"created_at": "2024-11-03T02:00:03.646014Z",
			"updated_at": "2026-04-10T02:00:03.737465Z",
			"deleted_at": null,
			"main_name": "UAC-0215",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0215",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434290,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f2cbf4ebed314e4469ae9e04b9f35a24460558fa.pdf",
		"text": "https://archive.orkl.eu/f2cbf4ebed314e4469ae9e04b9f35a24460558fa.txt",
		"img": "https://archive.orkl.eu/f2cbf4ebed314e4469ae9e04b9f35a24460558fa.jpg"
	}
}