{
	"id": "20b505a6-4ebf-443a-8081-3182f8103ae3",
	"created_at": "2026-04-06T00:10:37.706165Z",
	"updated_at": "2026-04-10T03:34:22.636872Z",
	"deleted_at": null,
	"sha1_hash": "fee7becef17bc8e56a9ae72fff67422bf014f00a",
	"title": "MERCURY and DEV-1084: Destructive attack on hybrid environment | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1669137,
	"plain_text": "MERCURY and DEV-1084: Destructive attack on hybrid environment |\r\nMicrosoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2023-04-07 · Archived: 2026-04-05 17:21:34 UTC\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the\r\ntheme of weather. MERCURY is now tracked as Mango Sandstorm and DEV-1084 is now tracked as Storm-1084.\r\nTo learn more about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete\r\nmapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.\r\nMicrosoft Threat Intelligence has detected destructive operations enabled by MERCURY, a nation-state actor linked to the\r\nIranian government, that attacked both on-premises and cloud environments. While the threat actors attempted to\r\nmasquerade the activity as a standard ransomware campaign, the unrecoverable actions show destruction and disruption\r\nwere the ultimate goals of the operation.\r\nPrevious MERCURY attacks have been observed targeting on-premises environments; however, the impact in this case\r\nnotably also included destruction of cloud resources. Microsoft assesses that MERCURY likely worked in partnership\r\nwith another actor that Microsoft tracks as DEV-1084, who carried out the destructive actions after MERCURY’s\r\nsuccessful operations had gained access to the target environment.\r\nMERCURY likely exploited known vulnerabilities in unpatched applications for initial access before handing off access\r\nto DEV-1084 to perform extensive reconnaissance and discovery, establish persistence, and move laterally throughout the\r\nnetwork, oftentimes waiting weeks and sometimes months before progressing to the next stage. 
DEV-1084 was then later\r\nobserved leveraging highly privileged compromised credentials to perform en masse destruction of resources, including\r\nserver farms, virtual machines, storage accounts, and virtual networks, and send emails to internal and external recipients.\r\nIn this blog post, we detail our analysis of the observed actor activity and related tools. We also share information to the\r\ncommunity and industry partners on ways to detect these attacks, including detection details of MERCURY and DEV-1084’s tools in Microsoft 365 Defender, Microsoft Defender for Identity, Microsoft Defender for Cloud Applications,\r\nMicrosoft Defender Antivirus, and Microsoft Defender for Endpoint. As with any observed nation-state actor activity,\r\nMicrosoft has directly notified targeted or compromised customers, providing them with important information needed to\r\nsecure their environments.\r\nMicrosoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of\r\nthreat activity, allowing Microsoft to track it as a unique set of information until we reach high confidence about the\r\norigin or identity of the actor behind the activity.\r\nWho is DEV-1084?\r\nMicrosoft tracks the destructive actions documented in this blog post as DEV-1084. DEV-1084 likely worked in\r\npartnership with MERCURY—an Iran-based actor that the US Cyber Command has publicly linked to Iran’s Ministry of\r\nhttps://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/\r\nPage 1 of 15\n\nIntelligence and Security (MOIS). 
DEV-1084 publicly adopted the DarkBit persona and presented itself as a criminal\r\nactor interested in extortion, likely as an attempt to obfuscate Iran’s link to and strategic motivation for the attack.\r\nThe link between the DEV-1084 cluster and MERCURY was established based on the following evidence:\r\nDEV-1084 operators were observed sending threatening emails from 146.70.106[.]89, an IP address previously\r\nlinked to MERCURY.\r\nDEV-1084 used MULLVAD VPN, the same VPN provider historically used by MERCURY.\r\nDEV-1084 used Rport and a customized version of Ligolo. MERCURY has also been observed using Rport and a\r\nsimilar version of Ligolo in previous attacks.\r\nDEV-1084 used the vatacloud[.]com domain for command and control (C2) during this incident. Microsoft\r\nassesses with high-confidence that the vatacloud[.]com domain is controlled by MERCURY operators.\r\nMicrosoft assesses that MERCURY gains access to the targets through remote exploitation of an unpatched internet-facing device. MERCURY then handed off access to DEV-1084. 
It is not currently clear if DEV-1084 operates\r\nindependently of MERCURY and works with other Iranian actors or if DEV-1084 is an ‘effects based’ sub-team of\r\nMERCURY that only surfaces when MERCURY operators are instructed to carry out a destructive attack.\r\nMicrosoft assesses with moderate confidence that the threat actors attempted several times and succeeded to perform\r\ninitial intrusion leveraging exposed vulnerable applications, for example, continuing to exploit Log4j 2 vulnerabilities in\r\nunpatched systems in July 2022.\r\nAfter gaining access, the threat actors deploy several tools and leverage techniques to maintain persistence, which provide\r\neffective and continued access to compromised devices, such as the following:\r\nInstalling web shells\r\nAdding a local user account and elevating privileges to local administrator\r\nInstalling legitimate remote access tools, such as RPort, Ligolo and eHorus\r\nInstalling a customized PowerShell script backdoor\r\nStealing credentials\r\nOnce the persistence is established, the threat actors perform extensive discovery leveraging common native Windows\r\ntools and commands such as netstat and nltest. Such reconnaissance activities were seen leveraged throughout the attack\r\nchain.\r\nThe threat actors consistently perform extensive lateral movement actions using the acquired credentials within a targeted\r\nenvironment. 
These actions mainly involved:\r\nRemote scheduled tasks to launch their customized PowerShell backdoor\r\nWindows Management Instrumentation (WMI) to launch commands on devices\r\nRemote services to run encoded PowerShell commands\r\nAfter infecting the new devices, the threat actors often installed the same persistence mechanisms as described above.\r\nInterestingly, after each main attack step, the actors did not always immediately continue their operations but would wait\r\nweeks and sometimes months before moving to the next step.\r\nFor execution and communication, the threat actors leverage several C2 servers and sometimes deploy tunnelling tools,\r\nsuch as Ligolo and OpenSSH, commonly leveraged to stay under the radar of security teams and solutions.\r\nhttps://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/\r\nPage 2 of 15\n\nOn-premises destructive impact\r\nIn observed activity, the threat actors leveraged highly privileged credentials and access to domain controllers on on-premises destructive operations to prepare for large-scale encryption of targeted devices.\r\nTo do so, they first interfered with security tools using Group Policy Objects (GPO). With defenses impaired, the threat\r\nactors proceeded to stage the ransomware payload in the NETLOGON shares on several domain controllers.\r\nGPO was leveraged again to register a scheduled task used to launch the ransomware payload. Finally, the ransomware\r\npayload encrypted files found on the file system of the targeted devices by changing the file name extension to DARKBIT\r\nand dropped ransom notes.\r\nFigure 1. On-premises attack flow\r\nMoving from on-premises to cloud\r\nTo move from on-premises to the cloud, the threat actors had to first compromise two privileged accounts and leverage\r\nthem to manipulate the Azure Active Directory (Azure AD) Connect agent. 
Two weeks before the ransomware\r\ndeployment, the threat actors first used a compromised, highly privileged account to access the device where the\r\nAzure Active Directory (Azure AD) Connect agent is installed. We assess with high confidence that the threat actors then\r\nused the AADInternals tool to extract the plaintext credentials of a privileged Azure AD account. The threat actors then\r\nused these credentials to pivot from the on-premises environment to the Azure AD environment.\r\nAzure AD Connect is an on-premises application for managing hybrid identities through features like password hash\r\nsynchronization, pass-through authentication, objects synchronization, and others. As part of the express settings\r\ninstallation process, multiple accounts are created both in the on-premises (Windows Server Active Directory) and cloud\r\n(Azure AD) environments. The first account is the AD DS Connector Account. The account name is prefixed with MSOL_\r\nand it is created with a long complex password.\r\nhttps://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/\r\nPage 3 of 15\n\nFigure 2. Example of AD DS Connector account\r\nThis account’s permissions are set based on features enabled during the service’s installation, but in most common\r\nscenarios, the account has permissions to replicate directory changes, modify passwords, modify users, modify groups,\r\nand so on (see all the permissions here). In addition, during installation, an Azure AD account called the Azure AD\r\nConnector Account is also created. This account is used by the synchronization service to manage Azure AD objects. The\r\naccount is created with a long complex password as well, and by default (if using the express settings) prefixed with\r\nSync_[ServerName]. This user is assigned with the Directory Synchronization Accounts role (see detailed permissions of\r\nthis role here). 
In older versions, this account might be assigned with the Global Administrator role.\r\nFigure 3. Example of an Azure AD Connector account\r\nThere are other entities detailed here that are created but are less relevant to this topic.\r\nTwo weeks before the ransomware deployment, the threat actors were observed using compromised credentials to access\r\nthe Azure AD Connect device. Next, they set up an SSH tunnel to an attacker-controlled device. On a separate attacker-controlled compromised device, evidence indicates cloning of the AADInternals tool. One of the functions available in\r\nthis tool’s library is Get-AADIntSyncCredentials, which allows any local administrator on a device where Azure AD\r\nConnect is installed to extract the plaintext credentials of both the Azure AD Connector account and the AD DS\r\nConnector account.\r\nShortly before the ransomware deployment, we observed authentication from a known attacker IP address into the Azure\r\nAD Connector cloud account. Investigating this sign-in showed that the threat actors were able to access the account on\r\nthe first attempt without any guessing or modification of the password, indicating that the actors possessed the password\r\nfor this account. The Azure AD Connector account is configured with single-factor authentication, making it easier for the\r\nattacker to gain entry and elevate privileges.\r\nCloud destructive impact\r\nOn the day of the ransomware attack, the threat actors executed multiple actions in the cloud using two privileged\r\naccounts. The first account was the compromised Azure AD Connector account, which had Global Administrator\r\npermissions as it was set up for an old solution (DirSync). For the second account, which also had Global Administrator\r\npermissions, the threat actors leveraged RDP for access into the account. 
Even though this account had MFA in place, the\r\nthreat actors accessed it through RDP, which is an open session that evades MFA blocking their activities.\r\nFigure 4. Pivoting to the cloud\r\nhttps://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/\r\nPage 4 of 15\n\nMass Azure resource deletion\r\nOn the same day, a successful sign-in to the Microsoft Azure environment was observed. The threat actors claimed the\r\nGlobal Administrator permission through Azure Privileged Identity Management (PIM) and elevated access to get\r\npermissions to the target’s management groups and Azure subscriptions. The Azure AD Connector account and the\r\ncompromised administrator account were then used to perform significant destruction of the Azure environment—\r\ndeleting within a few hours server farms, virtual machines, storage accounts, and virtual networks. We assess that the\r\nattacker’s goal was to cause data loss and a denial of service (DoS) of the target’s services.\r\nExchange Web Server API abuse\r\nThe actors went on to provide an existing legitimate OAuth application with both the full_access_as_app permission and\r\nadministrator consent, which granted the threat actors full access to mailboxes through Exchange Web Services.\r\nFigure 5. Adding access permission to the existing application\r\nWith the obtained cloud administrator privileges, the threat actors updated the OAuth application with certificates to\r\nconduct malicious activities.  These newly added credentials could then be used to issue access tokens and authenticate on\r\nbehalf of the application to access cloud resources.\r\nWe then observed the threat actors using this application’s permissions to perform GetItem operations over many\r\nmailboxes in the target environment. 
They also performed thousands of search activities, which we suspect were attempts\r\nto dump mailboxes and/or search for sensitive data in them.\r\nEmail impersonation\r\nThe threat actors used the compromised administrator account to grant SMTP Send on behalf permissions to the Azure\r\nAD Connector account over a high-ranking employee’s mailbox, using the Set-Mailbox PowerShell cmdlet.\r\nhttps://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/\r\nPage 5 of 15\n\nFigure 6. Threat actors granting access to send emails on behalf of the target’s account\r\nEmails were then created and sent both internally and externally.\r\nhttps://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/\r\nPage 6 of 15\n\nFigure 7. Threat actors successfully sent email through the targeted account\r\nThe timeline below summarizes the sequence of events:\r\nFigure 8. Cloud attack flow timeline\r\nMitigations for destructive attacks\r\nThe techniques used by the actors and described in this blog can be mitigated by adopting the following security\r\nmeasures: \r\nRecommendations to secure your on-prem environment\r\nRefer to Microsoft’s blog Ransomware as a service: Understanding the cybercrime gig economy and how to\r\nprotect yourself for recommendations on building strong credential hygiene and other robust measures to defend\r\nagainst ransomware and human operated attacks.\r\nEnable tamper protection – Tamper protection is a feature in Microsoft Defender for Endpoint that prevents\r\nantivirus tampering and misconfiguration by malicious apps and actors. Customers running Intune can enable\r\nDisableLocalAdminMerge to prevent modification of antivirus exclusions via GPO.\r\nRecommendations to secure your Azure AD environment\r\nEnable Conditional Access policies – Conditional Access policies are evaluated and enforced every time the user\r\nattempts to sign in. 
Organizations can protect themselves from attacks that leverage stolen credentials by enabling\r\npolicies such as device compliance or trusted IP address requirements.\r\nEnable continuous access evaluation – Continuous access evaluation (CAE) revokes access in real time when\r\nchanges in user conditions trigger risks, such as when a user is terminated or moves to an untrusted location.\r\nSearch unified audit logs for the SendAs operation to identify and track emails sent on behalf of a user mailbox.\r\nhttps://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/\r\nPage 7 of 15\n\nFurther steps and recommendation to manage, design, and secure your Azure AD environment can be found by\r\nreferring to Azure Identity Management and access control security best practices.\r\nDetections\r\nMicrosoft 365 Defender\r\nThe following alerts in Microsoft 365 Defender can be used to detect suspicious operations in Azure related to the\r\nattacker activities described in this blog, including destructive activity:\r\nAccess elevation by risky user\r\nSuspicious Azure resource deletions\r\nSuspicious Addition of an Exchange related App Role\r\nIn addition, the following alert can help detect compromised Azure AD Connect accounts:\r\nUnusual activities by Azure AD Connect sync account\r\nMicrosoft Defender for Cloud Apps\r\nFor Microsoft Defender for Cloud Apps with Azure Connector enabled, the following alerts can be used to detect\r\ndestructive operations in Azure:\r\nMultiple storage deletion activities\r\nMultiple delete VM activities\r\nMonitor medium and high severity alerts for highly privileged accounts as they can indicate malicious activity. 
For\r\nexample:\r\nUnfamiliar sign-in properties\r\nFind details of Azure AD Identity Protection alerts here.\r\nMicrosoft Defender for Identity\r\nThe following Microsoft Defender for Identity alerts can indicate associated threat activity:\r\nSuspicious additions to sensitive groups\r\nFor relevant accounts with Honeytoken configured, the following alert can indicate malicious activity:\r\nHoneytoken activity\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects attempted exploitation and post-exploitation activity and payloads. Turn on cloud-delivered protection to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections\r\nblock most new and unknown threats. Refer to the list of detection names related to exploitation of Log4j 2\r\nvulnerabilities. Detections for the IOCs listed above are listed below:\r\nBackdoor:PHP/Remoteshell.V\r\nhttps://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/\r\nPage 8 of 15\n\nHackTool:Win32/LSADump\r\nVirTool:Win32/RemoteExec\r\nTrojan:PowerShell/Downloader.SB\r\nTrojan:Win32/Nibtse.G!tsk\r\nBackdoor:ASP/Shellman.SA\r\nRansom:Win64/DarkBit\r\nVirTool:Win32/AtExecCommand\r\nMicrosoft Defender for Endpoint\r\nMicrosoft Defender for Endpoint alerts with the following titles can indicate possible presence of the indicators of\r\ncompromise listed below.\r\nMercury actor activity detected\r\nRansomware-linked emerging threat actor DEV-1084 detected\r\nReducing the attack surface\r\nMicrosoft Defender for Endpoint customers can turn on the following attack surface reduction rule to block or audit some\r\nobserved activity associated with this threat:\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion.\r\nImplement controlled folder access and add folders to the protected folders list to help prevent files from being\r\naltered or encrypted by ransomware. 
Set controlled folder access to Enabled.\r\nDetecting Log4j 2 exploitation\r\nAlerts that indicate threat activity related to the exploitation of the Log4j 2 exploitation should be immediately\r\ninvestigated and remediated. Refer to our Log4j related blogs to learn about this vulnerability and for a list of Microsoft\r\nDefender for Endpoint alerts that can indicate exploitation and exploitation attempts.\r\nDetecting post-exploitation activity\r\nAlerts with the following titles may indicate post-exploitation threat activity related to MERCURY activity described in\r\nthis blog and should be immediately investigated and remediated. These alerts are supported on both Windows and Linux\r\nplatforms:\r\nAny alert title related to web shell threats, for example:\r\n‘WebShell’ backdoor was prevented on an IIS Web server\r\nAny alert title that mentions the DarkBit ransomware threat or DEV-1084, for example:\r\n‘DarkBit’ ransomware was blocked\r\n‘DarkBit’ ransomware was detected\r\n‘DarkBit’ ransomware was prevented\r\nRansomware-linked emerging threat actor DEV-1084 detected\r\nAny alert title that mentions suspicious scheduled task creation or execution, for example:\r\nSuspicious scheduled task\r\nhttps://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/\r\nPage 9 of 15\n\nAny alert title that mentions suspected tunneling activity, for example:\r\nSuspicious SSH tunneling activity\r\nAny alert title that mentions suspected tampering activity, for example:\r\nSuspicious Microsoft Defender Antivirus exclusion\r\nMicrosoft Defender Antivirus tampering\r\nAny alert title that mentions PowerShell, for example:\r\nSuspicious process executed PowerShell command\r\nA malicious PowerShell Cmdlet was invoked on the machine\r\nSuspicious PowerShell command line\r\nSuspicious PowerShell download or encoded command execution\r\nSuspicious remote PowerShell execution\r\nAny alert title related to suspicious remote 
activity, for example:\r\nSuspicious RDP session\r\nAn active ‘RemoteExec’ malware was blocked\r\nSuspicious service registration\r\nAny alert related to persistence:\r\nAnomaly detected in ASEP registry\r\nUser account created under suspicious circumstances\r\nAny alert title that mentions credential dumping activity or tools, for example:\r\nMalicious credential theft tool execution detected\r\nCredential dumping activity observed\r\nMimikatz credential theft tool\r\n‘DumpLsass’ malware was blocked on a Microsoft SQL server\r\nMicrosoft Defender Vulnerability Management\r\nIn addition to the mitigations above being presented and managed through Microsoft Defender Vulnerability\r\nManagement, Microsoft 365 Defender customers can use threat and vulnerability management to identify and remediate\r\ndevices that are vulnerable to Log4j 2 exploitation. More comprehensive guidance on this capability can be found on this\r\nblog: Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability.\r\nAdvanced hunting queries\r\nMicrosoft 365 Defender\r\nTo locate related activity, Microsoft 365 Defender customers can run the following advanced hunting queries:\r\n// Advanced Hunting Query to surface potential Mercury PowerShell script backdoor installation\r\nDeviceFileEvents\r\nhttps://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/\r\nPage 10 of 15\n\n| where InitiatingProcessFileName =~ \"powershell.exe\"\r\n| where FolderPath in~ (@\"c:\\programdata\\db.ps1\", @\"c:\\programdata\\db.sqlite\")\r\n| summarize min(Timestamp), max(Timestamp) by DeviceId, SHA256, InitiatingProcessParentFileName\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName =~ \"powershell.exe\"\r\n| where InitiatingProcessCommandLine has_cs \"-EP BYPASS -NoP -W h\"\r\n| summarize makeset(ProcessCommandLine), min(Timestamp), max(Timestamp) by DeviceId\r\n// Advanced Hunting Query to surface potential 
Mercury PowerShell script backdoor initiating commands\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName =~ \"powershell.exe\"\r\n| where InitiatingProcessCommandLine contains_cs @\"c:\\programdata\\db.ps1\"\r\n| summarize makeset(ProcessCommandLine), min(Timestamp), max(Timestamp) by DeviceId\r\n//Advanced Hunting Query for Azure resource deletion activity\r\nlet PrivEscalation = CloudAppEvents\r\n| where Application == \"Microsoft Azure\"\r\n| where ActionType == \"ElevateAccess Microsoft.Authorization\"\r\n| where ActivityObjects has \"Azure Subscription\" and ActivityObjects has \"Azure Resource Group\"\r\n| extend PrivEscalationTime = Timestamp\r\n| project AccountObjectId, PrivEscalationTime ,ActionType;\r\nCloudAppEvents\r\n| join kind = inner PrivEscalation on AccountObjectId\r\n| extend DeletionTime = Timestamp\r\n| where (DeletionTime - PrivEscalationTime) \u003c= 1h\r\n| where Application == \"Microsoft Azure\"\r\n| where ActionType has \"Delete\"\r\n|summarize min(DeletionTime), TotalResourcersDeleted =count(), CountOfDistinctResources=\r\ndcount(ActionType), DistinctResources=make_set(ActionType) by AccountObjectId\r\n//AHQ used to detect attacker abusing OAuth application during the attack\r\nhttps://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/\r\nPage 11 of 15\n\nCloudAppEvents\r\n| where Application == \"Office 365\"\r\n| where ActionType == \"Consent to application.\"\r\n| where RawEventData.ResultStatus =~ \"success\"\r\n| extend UserId = tostring(RawEventData.UserId)\r\n| mv-expand AdminConsent = RawEventData.ModifiedProperties\r\n| where AdminConsent.Name == \"ConsentContext.IsAdminConsent\" and AdminConsent.NewValue == \"True\"\r\n| project ConsentTimestamp =Timestamp, UserId, AccountObjectId, ReportId, ActionType\r\n| join kind = leftouter (CloudAppEvents\r\n| where Application == \"Office 365\"\r\n| where ActionType == \"Add app role assignment to service 
principal.\"\r\n| extend PermissionAddedTo = tostring(RawEventData.Target[3].ID)\r\n| extend FullAccessPermission = RawEventData.ModifiedProperties\r\n| extend OuthAppName = tostring(FullAccessPermission[6].NewValue) // Find app name\r\n| extend OAuthApplicationId = tostring(FullAccessPermission[7].NewValue) // Find appId\r\n| extend AppRoleValue = tostring(FullAccessPermission[1].NewValue) // Permission Level\r\n| where AppRoleValue == \"full_access_as_app\"\r\n| project PermissionTime=Timestamp, InitiatingUser=AccountDisplayName, OuthAppName,\r\nOAuthApplicationId, AppRoleValue, AccountObjectId, FullAccessPermission\r\n) on AccountObjectId\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel has a range of detection and threat hunting content that customers can use to detect the post\r\nexploitation activity detailed in this blog in addition to Microsoft Defender detections list above.\r\nfull_access_as_app Granted To Application\r\nPotential SSH Tunnel to AAD Connect Host\r\nSuspicious Sign In by AAD Connect Sync Account\r\nMalicious web application requests linked with Microsoft Defender for Endpoint\r\nWeb Shell Activity\r\nTracking Privileged Account Rare Activity\r\nMass Cloud resource deletions Time Series Anomaly\r\nConsent to Application discovery\r\nOAuth Application Required Resource Access Update\r\nhttps://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/\r\nPage 12 of 15\n\nRare application consent\r\nCredential added after admin consented to ApplicationNew access credential added to Application or Service\r\nPrincipal\r\nMicrosoft Sentinel customers can use the TI Mapping analytic (a series of analytics all prefixed with “TI map”) to\r\nautomatically match the indicators mentioned in this blog post with data in their workspace. 
If the TI Map analytics are\r\nnot currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to\r\nhave the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: \r\nhttps://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\r\nIndicators of compromise (IOCs)\r\nThe below list provides IOCs observed during our investigation. We encourage our customers to investigate these\r\nindicators in their environments and implement detections and protections to identify past related activity and prevent\r\nfuture attacks against their systems.\r\nNOTE: These indicators should not be considered exhaustive for this observed activity.\r\nMicrosoft Defender Threat Intelligence\r\nCommunity members and customers can find summary information and all IOCs from this blog post in the linked\r\nMicrosoft Defender Threat Intelligence 
article.\r\nReferences\r\nhttps://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/\r\nhttps://ehorus.com/\r\nhttps://github.com/nicocha30/ligolo-ng\r\nhttps://www.openssh.com/\r\nhttps://github.com/Gerenios/AADInternals/blob/master/AADSyncSettings.ps1#L97\r\nSource: https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/"
	],
	"report_names": [
		"mercury-and-dev-1084-destructive-attack-on-hybrid-environment"
	],
	"threat_actors": [
		{
			"id": "640fc3dc-433d-4244-a85a-21d5135498b2",
			"created_at": "2025-08-07T02:03:24.71289Z",
			"updated_at": "2026-04-10T02:00:03.688893Z",
			"deleted_at": null,
			"main_name": "COBALT AZTEC",
			"aliases": [
				"DEV-1084 ",
				"GOLD AZTEC",
				"Storm-1084 "
			],
			"source_name": "Secureworks:COBALT AZTEC",
			"tools": [
				"DarkBit ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0321f048-2313-42dd-b10c-08a99ae98f2a",
			"created_at": "2024-02-02T02:00:04.06752Z",
			"updated_at": "2026-04-10T02:00:03.54849Z",
			"deleted_at": null,
			"main_name": "Storm-1084",
			"aliases": [
				"DEV-1084"
			],
			"source_name": "MISPGALAXY:Storm-1084",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434237,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fee7becef17bc8e56a9ae72fff67422bf014f00a.pdf",
		"text": "https://archive.orkl.eu/fee7becef17bc8e56a9ae72fff67422bf014f00a.txt",
		"img": "https://archive.orkl.eu/fee7becef17bc8e56a9ae72fff67422bf014f00a.jpg"
	}
}
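As an added hunting example (not code from the Microsoft post or from the Rport, Ligolo or AADInternals projects), the script below takes the indicators from the IOC table in the record above, undoes the defanging ([.] and hxxp://), anchors each one so a truncated hash or a longer parent domain does not match, and sweeps log lines for them. SAMPLE_LOGS is constructed for this example, and the "block"/"verify" triage hints are this example's own assumptions rather than part of the table: the rport.exe hash is a legitimate tool and pairing.rport.io is the vendor's pairing service, so a hit on either needs context before it is acted on.

```python
"""Added example, not code from the Microsoft blog post: refang the indicators
listed in the IOC table and sweep log lines for them. SAMPLE_LOGS is
constructed for this example; the "block"/"verify" triage hints are this
example's own assumptions, not part of the table."""
import re

# (indicator exactly as written in the table, description, triage hint)
# "verify" marks a legitimate component (the Rport client, the vendor's
# pairing service) where a hit needs context before anyone blocks anything.
DEFANGED_IOCS = [
    ("016967de76382c674b3a1cb912eb85ff642b2ebfe4e107fc576065f172c6ef80", "DEV-1084 batch script", "block"),
    ("3059844c102595172bb7f644c9a70d77a198a11f1e84539792408b1f19954e18", "DEV-1084 batch script", "block"),
    ("b9cf785b81778e2b805752c7b839737416e3af54f64f1e40e008142e382df0c4", "rport.exe, legitimate remote access tool", "verify"),
    ("ab179112caadaf138241c43c4a4dccc2e3c67aeb96a151e432cfbafa18a4b436", "customized Ligolo tunneling tool", "block"),
    ("6485a68ba1d335d16a1d158976e0cbfad7ab15b51de00c381d240e8b0c479f77", "db.ps1 customized script backdoor", "block"),
    ("b155c5b3a8f4c89ba74c5c5c03d029e4202510d0cbb5e152995ab91e6809bcd7", "db.sqlite customized obfuscated script backdoor", "block"),
    ("hxxps://pairing[.]rport[.]io/qMLc2Wx", "Rport pairing URL the client was downloaded from", "verify"),
    ("vatacloud[.]com", "actor-owned Rport domain", "block"),
    ("webstore4tech[.]uaenorth.cloudapp.azure[.]com", "command and control", "block"),
    ("146.70.106[.]89", "source of post-attack threatening emails, previously linked to MERCURY", "block"),
] + [(ip, "command and control", "block") for ip in (
    "194.61.121[.]86", "141.95.22[.]153", "193.200[.]16.3", "192.52.166[.]191",
    "45.56.162[.]111", "104.194.222[.]219", "192.169.6[.]88", "192.52.167[.]209",
    "46.249.35[.]243", "45.86.230[.]20",
)]


def refang(ioc: str) -> str:
    """Undo the defanging used in the table ([.] and hxxp://) and lower-case."""
    s = ioc.replace("[.]", ".").replace("[:]", ":")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.lower()


def _pattern(refanged: str) -> "re.Pattern[str]":
    """Anchor each indicator so it cannot match as part of a longer token."""
    esc = re.escape(refanged)
    if re.fullmatch(r"[0-9a-f]{64}", refanged) or re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", refanged):
        # SHA-256 and IPv4: a truncated hash or a longer dotted token must not match
        return re.compile(rf"(?<![\w.]){esc}(?![\w.])")
    if refanged.startswith("http"):
        return re.compile(rf"{esc}(?![\w/])")
    # domains: subdomains count (a preceding '.' is allowed), but a longer
    # parent domain such as vatacloud.com.example does not
    return re.compile(rf"(?<![\w-]){esc}(?![\w.-])")


INDEX = [(orig, desc, action, _pattern(refang(orig))) for orig, desc, action in DEFANGED_IOCS]

# Constructed sample log lines (proxy, DNS, EDR, mail gateway, firewall);
# none of these come from the report.
SAMPLE_LOGS = [
    "2023-02-01T10:15:02Z proxy src=10.1.4.22 url=https://pairing.rport.io/qMLc2Wx status=200",
    "2023-02-01T10:15:09Z dns client=10.1.4.22 query=api.vatacloud.com type=A",
    "2023-02-01T10:16:40Z edr host=SRV01 file=C:\\ProgramData\\db.ps1 sha256=6485a68ba1d335d16a1d158976e0cbfad7ab15b51de00c381d240e8b0c479f77",
    "2023-02-01T10:17:00Z proxy src=10.1.4.30 url=https://www.microsoft.com/ status=200",
    "2023-02-01T10:17:30Z edr host=SRV02 file=C:\\Users\\Public\\db.sqlite sha256_prefix=b155c5b3a8f4c89ba74c5c5c03d029e4",
    "2023-02-02T08:00:00Z mta client_ip=146.70.106.89 from=sender@example.net subject=\"[redacted]\"",
    "2023-02-02T08:05:00Z fw src=10.1.4.22 dst=192.52.167.209 dport=443 action=allow",
]


def sweep(lines):
    """Return one hit per (line, indicator) pair; matching is case-insensitive."""
    hits = []
    for i, line in enumerate(lines):
        low = line.lower()
        for orig, desc, action, pat in INDEX:
            if pat.search(low):
                hits.append({"line": i, "indicator": orig, "description": desc, "action": action})
    return hits


if __name__ == "__main__":
    for h in sweep(SAMPLE_LOGS):
        print(f"line {h['line']}: {h['action']:6} {h['indicator']}  ({h['description']})")
```

On the constructed lines this flags the pairing URL, the vatacloud.com subdomain lookup, the db.ps1 hash, the mail from 146.70.106.89 and the connection to 192.52.167.209, and ignores the truncated db.sqlite hash. Treat "verify" hits as a prompt to correlate with the "block" indicators (the actor-owned Rport domain, the C2 addresses) rather than as grounds to block on their own, and keep in mind the table's own caveat that these indicators are not exhaustive.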