{
	"id": "5b7aec3a-288f-4a2a-a9a6-6620218f622a",
	"created_at": "2026-04-06T00:18:21.127759Z",
	"updated_at": "2026-04-10T03:34:03.086394Z",
	"deleted_at": null,
	"sha1_hash": "ff2cb89a90d5ca4888d4162c02360608ffa37484",
	"title": "Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 522735,
	"plain_text": "Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2024-08-28 · Archived: 2026-04-02 12:06:39 UTC\r\nBetween April and July 2024, Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying\r\na new custom multi-stage backdoor, which we named Tickler. Tickler has been used in attacks against targets in\r\nthe satellite, communications equipment, oil and gas, as well as federal and state government sectors in the United\r\nStates and the United Arab Emirates. This activity is consistent with the threat actor’s persistent intelligence\r\ngathering objectives and represents the latest evolution of their long-standing cyber operations.\r\nPeach Sandstorm also continued conducting password spray attacks against the educational sector for\r\ninfrastructure procurement and against the satellite, government, and defense sectors as primary targets for\r\nintelligence collection. In addition, Microsoft observed intelligence gathering and possible social engineering\r\ntargeting organizations within the higher education, satellite, and defense sectors via the professional networking\r\nplatform LinkedIn.\r\nMicrosoft assesses that Peach Sandstorm operates on behalf of the Iranian Islamic Revolutionary Guard Corps\r\n(IRGC) based on the group’s victimology and operational focus. Microsoft further assesses that Peach\r\nSandstorm’s operations are designed to facilitate intelligence collection in support of Iranian state interests.\r\nMicrosoft tracks Peach Sandstorm campaigns and directly notifies customers who we observe have been targeted\r\nor compromised, providing them with the necessary information to help secure their environment. 
As part of our\r\ncontinuous monitoring, analysis, and reporting on the threat landscape, we are sharing our research on Peach\r\nSandstorm’s use of Tickler to raise awareness of this threat actor’s evolving tradecraft and to educate\r\norganizations on how to harden their attack surfaces against this and similar activity. Microsoft published\r\ninformation on unrelated election interference linked to Iran in the most recent Microsoft Threat Analysis Center\r\n(MTAC) report.\r\nEvolution of Peach Sandstorm tradecraft\r\nIn past campaigns, Peach Sandstorm has been observed to use password spray attacks to gain access to targets of\r\ninterest with a high level of success. The threat actor has also conducted intelligence gathering via LinkedIn,\r\nresearching organizations and individuals employed in the higher education, satellite, and defense sectors.\r\nDuring the group’s latest operations, Microsoft observed new tactics, techniques, and procedures (TTPs)\r\nfollowing initial access via password spray attacks or social engineering. Between April and July 2024, Peach\r\nSandstorm deployed a new custom multi-stage backdoor, Tickler, and leveraged Azure infrastructure hosted in\r\nfraudulent, attacker-controlled Azure subscriptions for command-and-control (C2). Microsoft continuously\r\nmonitors Azure, along with all Microsoft products and services, to ensure compliance with our terms of service.\r\nhttps://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/\r\nPage 1 of 14\n\nMicrosoft has notified affected organizations and disrupted the fraudulent Azure infrastructure and accounts\r\nassociated with this activity.\r\nFigure 1. 
Peach Sandstorm attack chain\r\nIntelligence gathering on LinkedIn\r\nGoing back to at least November 2021 and continuing through mid-2024, Microsoft observed Peach Sandstorm\r\nusing multiple LinkedIn profiles masquerading as students, developers, and talent acquisition managers based in\r\nthe US and Western Europe. Peach Sandstorm primarily used them to conduct intelligence gathering and possible\r\nsocial engineering against the higher education, satellite sectors, and related industries. The identified LinkedIn\r\naccounts were subsequently taken down. Information on LinkedIn’s policies and actions against inauthentic\r\nbehavior on its platform is available here.\r\nPassword spray attacks as a common attack vector\r\nSince at least February 2023, Microsoft has observed Peach Sandstorm carrying out password spray activity\r\nagainst thousands of organizations. In password spray attacks, threat actors attempt to authenticate to many\r\ndifferent accounts using a single password or a list of commonly used passwords. In contrast to brute force\r\nattacks, which target a single account using many passwords, password spray attacks help adversaries maximize\r\ntheir chances for success and minimize the likelihood of automatic account lockouts.\r\nMicrosoft has observed that once Peach Sandstorm has verified a target account’s credentials using the password\r\nspray technique, the threat actor performed subsequent sign-ins to the compromised accounts from commercial\r\nVPN infrastructure.\r\nIn April and May 2024, Microsoft observed Peach Sandstorm conducting password spray attacks targeting\r\norganizations in the defense, space, education, and government sectors in the US and Australia. In particular,\r\nPeach Sandstorm continued to use the “go-http-client” user agent that they are known to leverage in password\r\nspray campaigns. 
While the password spray activity appeared consistently across sectors, Microsoft observed\r\nPeach Sandstorm exclusively leveraging compromised user accounts in the education sector to procure operational\r\ninfrastructure. In these cases, the threat actor accessed existing Azure subscriptions or created one using the\r\ncompromised account to host their infrastructure. The attacker-controlled Azure infrastructure then served as C2\r\nor operational hops for Peach Sandstorm operations targeting the government, defense, and space sectors. Recent\r\nupdates to security defaults in Azure, such as multi-factor authentication, help ensure that Azure accounts are more\r\nresistant to account compromise techniques such as those used by Peach Sandstorm.\r\nTickler malware\r\nMicrosoft Threat Intelligence identified two samples of the Tickler malware, a custom multi-stage backdoor, that\r\nPeach Sandstorm deployed in compromised environments as recently as July 2024. The first sample was\r\ncontained in an archive file named Network Security.zip alongside benign PDF files used as decoy documents. The\r\narchive file contained:\r\nYAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf.exe – the Tickler malware\r\nYahsat Policy Guide- April 2024.pdf – a benign PDF\r\nYAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf – a second benign PDF\r\nYAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf.exe is a 64-bit C/C++ based\r\nnative PE file. 
The sample begins with a Process Environment Block (PEB) traversal to locate the in-memory\r\naddress of kernel32.dll.\r\nUpon successful PEB traversal yielding the address of kernel32.dll in memory, the sample decrypts the string\r\n“LoadLibraryA” and resolves its address, decrypts the string “kernel32.dll”, and loads it again using LoadLibraryA.\r\nThe sample then launches the benign PDF file YAHSAT\r\nNETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf as a decoy document.\r\nThe sample collects network information from the host and sends it to the C2 URI via an HTTP POST request,\r\nlikely as a means for the threat actor to orient themselves on the compromised network. The network\r\ninformation below is an example generated in a lab environment:\r\nFigure 2. Network information collected by Tickler after deployment on target host\r\nWe subsequently observed Peach Sandstorm iterating and improving on this initial sample. The second Tickler\r\nsample, sold.dll, is a Trojan dropper functionally identical to the previously identified sample. 
The malware\r\ndownloads additional payloads from the C2 server, including a backdoor, a batch script to set persistence for this\r\nbackdoor, and the following legitimate files:\r\nmsvcp140.dll (SHA-256: dad53a78662707d182cdb230e999ef6effc0b259def31c196c51cc3e8c42a9b8)\r\nLoggingPlatform.dll (SHA-256:\r\n56ac00856b19b41bc388ecf749eb4651369e7ced0529e9bf422284070de457b6)\r\nvcruntime140.dll (SHA-256: 22017c9b022e6f2560fee7d544a83ea9e3d85abee367f2f20b3b0448691fe2d4)\r\nMicrosoft.SharePoint.NativeMessaging.exe (SHA-256:\r\ne984d9085ae1b1b0849199d883d05efbccc92242b1546aeca8afd4b1868c54f5)\r\nThe files msvcp140.dll, LoggingPlatform.dll, vcruntime140.dll, and Microsoft.SharePoint.NativeMessaging.exe\r\nare legitimate Windows signed binaries likely used for DLL sideloading.\r\nAdditionally, we observed the sample downloading the following malicious files:\r\nA batch script (SHA-256: 5df4269998ed79fbc997766303759768ce89ff1412550b35ff32e85db3c1f57b)\r\nA DLL file (SHA-256: fb70ff49411ce04951895977acfc06fa468e4aa504676dedeb40ba5cea76f37f)\r\nA DLL file (SHA-256: 711d3deccc22f5acfd3a41b8c8defb111db0f2b474febdc7f20a468f67db0350)\r\nThe batch script adds a registry Run key for a file called SharePoint.exe, likely used to load the malicious DLL\r\nfiles above, thus setting up persistence:\r\nFigure 3. Registry Run key added to set up persistence\r\nThe two DLL files are both 64-bit C/C++ compiled PE DLL files and appear to be functionally identical to the\r\npreviously analyzed samples. As fully functional backdoors, they can run the following commands:\r\nsysteminfo – Gather system information\r\ndir – List directory\r\nrun – Execute command\r\ndelete – Delete file\r\ninterval – Sleep interval\r\nupload – Download file from the C2\r\ndownload – Upload file to the C2\r\nAzure resources abuse\r\nMicrosoft observed Peach Sandstorm creating Azure tenants using Microsoft Outlook email accounts and creating\r\nAzure for Students subscriptions in these tenants. 
Additionally, the group leveraged compromised user accounts in\r\nthe Azure tenants of organizations in the education sector to do the same. Within these subscriptions, Peach\r\nSandstorm subsequently created Azure resources for use as C2 for the backdoor. Of note, we have observed\r\nmultiple Iranian groups, including Smoke Sandstorm, use similar techniques in recent months. The resources\r\ncreated by Peach Sandstorm for use as Tickler C2 nodes were Azure App Service apps under azurewebsites[.]net; the\r\nfull set of domains is listed in the Connectivity to C2s hunting query below.\r\nPost-compromise activity\r\nIn the past year, Peach Sandstorm has successfully compromised several organizations, primarily in the\r\naforementioned sectors, using bespoke tooling. Once Peach Sandstorm gains access to an organization, the threat\r\nactor is known to perform lateral movement and actions on objectives using the following techniques:\r\nMoving laterally via Server Message Block (SMB)\r\nAfter compromising a European defense organization, Peach Sandstorm threat actors moved laterally via SMB.\r\nSMB lateral movement is a technique used by threat actors to move from one compromised machine to another\r\nwithin a network by exploiting the SMB protocol. 
This protocol, which is used for sharing files, printers, and other\r\nresources on a network, could be misused by attackers to propagate their access and gain control over multiple\r\nsystems.\r\nDownloading and installing a remote monitoring and management (RMM) tool\r\nIn an older intrusion against a multinational pharmaceutical company not associated with the campaign discussed\r\nin this blog, after a likely successful password spray attack, Peach Sandstorm attempted to download and install\r\nAnyDesk, a commercial RMM tool. AnyDesk has a range of capabilities that allow users to remotely access a\r\nnetwork, persist in a compromised environment, and enable command and control. The convenience and utility of\r\na tool like AnyDesk is amplified by the fact that it might be permitted by application controls in environments\r\nwhere it is used legitimately by IT support personnel or system administrators.\r\nIn at least one intrusion against a Middle East-based satellite operator, Peach Sandstorm actors compromised a\r\nuser using a malicious ZIP file delivered via Microsoft Teams message followed by dropping AD Explorer and\r\ntaking an AD snapshot. An AD snapshot is a read-only, point-in-time copy of the AD database and related files,\r\nwhich can be used for various legitimate administrative tasks. These snapshots can also be exploited by threat\r\nactors for malicious purposes.\r\nMitigations\r\nTo harden networks against Peach Sandstorm activity, defenders can implement the following:\r\nReset account passwords for any accounts targeted during a password spray attack. If a targeted account\r\nhad system-level permissions, further investigation may be warranted. \r\nRevoke session cookies in addition to resetting passwords. 
\r\nRevoke any MFA setting changes made by the attacker on any compromised users’ accounts. \r\nRequire re-challenging MFA for MFA updates as the default. \r\nImplement the Azure Security Benchmark and general best practices for securing identity infrastructure,\r\nincluding:  \r\nCreate conditional access policies to allow or disallow access to the environment based on defined\r\ncriteria. \r\nBlock legacy authentication with Microsoft Entra by using Conditional Access. Legacy\r\nauthentication protocols don’t have the ability to enforce multifactor authentication (MFA), so\r\nblocking such authentication methods will help prevent password spray attackers from taking\r\nadvantage of the lack of MFA on those protocols. \r\nEnable AD FS web application proxy extranet lockout to protect users from potential password\r\nbrute force compromise. \r\nSecure accounts with credential hygiene: \r\nPractice the principle of least privilege and audit privileged account activity in your Microsoft Entra\r\nenvironments to help slow and stop attackers.  \r\nDeploy Microsoft Entra Connect Health for Active Directory Federation Services (AD FS). This\r\ncaptures failed attempts as well as IP addresses recorded in AD FS logs for bad requests in the Risky\r\nIP report. \r\nUse Microsoft Entra password protection to help detect and block known weak passwords and their\r\nvariants. \r\nTurn on identity protection in Microsoft Entra to monitor for identity-based risks and create policies\r\nfor risky sign ins. \r\nComply with the recent MFA enforcement policy requiring all Azure accounts to utilize MFA. Keep MFA\r\nalways-on for privileged accounts and apply risk-based MFA for normal accounts.\r\nConsider transitioning to a passwordless primary authentication method, such as Azure MFA,\r\ncertificates, or Windows Hello for Business. 
\r\nSecure remote desktop protocol (RDP) or Windows Virtual Desktop endpoints with MFA to harden against\r\npassword spray or brute force attacks.\r\nTo protect against password spray attacks, implement the following mitigations:\r\nEliminate insecure passwords.\r\nEducate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.\r\nReset account passwords for any accounts targeted during a password spray attack. If a targeted account\r\nhad system-level permissions, further investigation may be warranted.\r\nDetect, investigate, and remediate identity-based attacks using solutions like Microsoft Entra ID Protection.\r\nInvestigate compromised accounts using Microsoft Purview Audit (Premium).\r\nEnforce on-premises Microsoft Entra Password Protection for Microsoft Active Directory Domain\r\nServices.\r\nUse risk detections for user sign-ins to trigger multifactor authentication or password changes.\r\nInvestigate any possible password spray activity using the password spray investigation playbook.\r\nStrengthen endpoints against attacks by following these steps:\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus\r\nproduct to help cover rapidly evolving attacker tools and techniques. \r\nEnable real-time protection in Microsoft Defender Antivirus or the equivalent for your antivirus product. \r\nDetect and block potentially unwanted applications through Microsoft Defender for Endpoint. \r\nRun endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can\r\nhelp block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat, or when\r\nMicrosoft Defender Antivirus is running in passive mode. 
EDR in block mode works behind the scenes to\r\nhelp remediate malicious artifacts that are detected post-compromise. \r\nTurn on attack surface reduction rules to help prevent common attack techniques: \r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion \r\nBlock execution of potentially obfuscated scripts \r\nImplement anomaly detection policies in Microsoft Defender for Cloud Apps. \r\nEnable protections in Microsoft Defender for Endpoint to help safeguard against malicious sites and\r\ninternet-based threats. \r\nNetwork protection \r\nWeb protection \r\nEnable tamper protection within Microsoft Defender for Endpoint to help prevent threat actors from\r\ndisabling or changing security features, such as virus and threat protection.\r\nMicrosoft Defender XDR detections\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects components of this threat as the following malware:\r\nTrojanDownloader:Win64/Tickler\r\nBackdoor:Win64/Tickler\r\nMicrosoft Defender for Endpoint\r\nThe following Microsoft Defender for Endpoint alerts can indicate associated threat activity:\r\nPeach Sandstorm actor activity detected\r\nThe following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be\r\nalso triggered by unrelated threat activity.\r\nPassword spraying\r\nUnfamiliar Sign-in properties\r\nAn executable file loaded an unexpected DLL file\r\nMicrosoft Defender for Identity\r\nThe following Microsoft Defender for Identity alerts can indicate activity related to this threat. 
Note, however, that\r\nthese alerts can be also triggered by unrelated threat activity.\r\nAtypical travel\r\nSuspicious behavior: Impossible travel activity\r\nMicrosoft Defender for Cloud Apps\r\nThe following Microsoft Defender for Cloud Apps alerts can indicate activity related to this threat. Note, however,\r\nthat these alerts can be also triggered by unrelated threat activity.\r\nActivity from a Tor IP address\r\nSuspicious Administrative Activity\r\nImpossible travel activity\r\nMultiple failed login attempts\r\nActivity from an anonymous proxy\r\nThreat intelligence reports\r\nMicrosoft Defender Threat Intelligence customers can use the following reports in Microsoft products to get the\r\nmost up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These\r\nreports provide the intelligence, protection information, and recommended actions to help prevent, mitigate, or\r\nrespond to associated threats found in customer environments.\r\nMicrosoft Defender Threat Intelligence\r\nAbuse of remote monitoring and management tools\r\nDLL sideloading and DLL search order hijacking\r\nHunting queries\r\nMicrosoft Defender XDR\r\nMicrosoft Defender XDR customers can run the following queries to find related activity in their networks:\r\nFailed logon activity\r\nThe following query identifies failed attempts to sign in from multiple sources that originate from a single ISP.\r\nAttackers distribute attacks from multiple IP addresses across a single service provider to evade detection. 
IdentityLogonEvents\r\n| where Timestamp \u003e ago(4h)\r\n| where ActionType == \"LogonFailed\"\r\n| where isnotempty(AccountObjectId)\r\n| summarize TargetCount = dcount(AccountObjectId), TargetCountry = dcount(Location), TargetIPAddress = dcount(IPAddress) by ISP\r\n| where TargetCount \u003e= 100\r\n| where TargetCountry \u003e= 5\r\n| where TargetIPAddress \u003e= 25\r\nConnectivity to C2s\r\nThe following query identifies connectivity to Peach Sandstorm-created Azure App Service apps for command\r\nand control.\r\nlet domainList = dynamic([\"subreviews.azurewebsites.net\",\r\n\"satellite2.azurewebsites.net\",\r\n\"nodetestservers.azurewebsites.net\",\r\n\"satellitegardens.azurewebsites.net\",\r\n\"softwareservicesupport.azurewebsites.net\",\r\n\"getservicessuports.azurewebsites.net\",\r\n\"getservicessupports.azurewebsites.net\",\r\n\"getsupportsservices.azurewebsites.net\",\r\n\"satellitespecialists.azurewebsites.net\",\r\n\"satservicesdev.azurewebsites.net\",\r\n\"servicessupports.azurewebsites.net\",\r\n\"websupportprotection.azurewebsites.net\",\r\n\"supportsoftwarecenter.azurewebsites.net\",\r\n\"centersoftwaresupports.azurewebsites.net\",\r\n\"softwareservicesupports.azurewebsites.net\",\r\n\"getsdervicessupoortss.azurewebsites.net\"]);\r\nunion\r\n(\r\nDnsEvents\r\n| where QueryType has_any(domainList) or Name has_any(domainList)\r\n| project Timestamp = TimeGenerated, Domain = Name, SourceTable = \"DnsEvents\"\r\n),\r\n(\r\nIdentityQueryEvents\r\n| where QueryTarget has_any(domainList)\r\n| project Timestamp, Domain = QueryTarget, SourceTable = \"IdentityQueryEvents\"\r\n),\r\n(\r\nDeviceNetworkEvents\r\n| where RemoteUrl has_any(domainList)\r\n| project Timestamp, Domain = RemoteUrl, SourceTable = 
\"DeviceNetworkEvents\"\r\n),\r\n(\r\nDeviceNetworkInfo\r\n| extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)\r\n| mv-expand DnsAddresses, ConnectedNetworks\r\n| where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList)\r\n| project Timestamp, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable = \"DeviceNetworkInfo\"\r\n),\r\n(\r\nVMConnection\r\n| extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames)\r\n| mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames\r\n| where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList)\r\n| project Timestamp = TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable = \"VMConnection\"\r\n),\r\n(\r\nW3CIISLog\r\n| where csHost has_any(domainList) or csReferer has_any(domainList)\r\n| project Timestamp = TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = \"W3CIISLog\"\r\n),\r\n(\r\nEmailUrlInfo\r\n| where UrlDomain has_any(domainList)\r\n| project Timestamp, Domain = UrlDomain, SourceTable = \"EmailUrlInfo\"\r\n),\r\n(\r\nUrlClickEvents\r\n| where Url has_any(domainList)\r\n| project Timestamp, Domain = Url, SourceTable = \"UrlClickEvents\"\r\n)\r\n// all branches project a Timestamp column, so the sort applies across every source\r\n| order by Timestamp desc\r\nMalicious file activity\r\nThe following query will surface events involving malicious files related to this activity. 
let fileHashes = dynamic([\"711d3deccc22f5acfd3a41b8c8defb111db0f2b474febdc7f20a468f67db0350\",\r\n\"fb70ff49411ce04951895977acfc06fa468e4aa504676dedeb40ba5cea76f37f\",\r\n\"5df4269998ed79fbc997766303759768ce89ff1412550b35ff32e85db3c1f57b\",\r\n\"ccb617cc7418a3b22179e00d21db26754666979b4c4f34c7fda8c0082d08cec4\",\r\n\"7eb2e9e8cd450fc353323fd2e8b84fbbdfe061a8441fd71750250752c577d198\"]);\r\nunion\r\n(\r\nDeviceFileEvents\r\n| where SHA256 in (fileHashes)\r\n| project Timestamp, FileHash = SHA256, SourceTable = \"DeviceFileEvents\"\r\n),\r\n(\r\nDeviceEvents\r\n| where SHA256 in (fileHashes)\r\n| project Timestamp, FileHash = SHA256, SourceTable = \"DeviceEvents\"\r\n),\r\n(\r\nDeviceImageLoadEvents\r\n| where SHA256 in (fileHashes)\r\n| project Timestamp, FileHash = SHA256, SourceTable = \"DeviceImageLoadEvents\"\r\n),\r\n(\r\nDeviceProcessEvents\r\n| where SHA256 in (fileHashes)\r\n| project Timestamp, FileHash = SHA256, SourceTable = \"DeviceProcessEvents\"\r\n)\r\n| order by Timestamp desc\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to\r\nautomatically match the malicious domain indicators mentioned in this blog post with data in their workspace. 
If\r\nthe TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the\r\nMicrosoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.\r\nSignin Password Spray\r\nNew Location Azure AD Sign Ins\r\nEnumeration of users \u0026 groups for lateral movement\r\nSMB shares Discovery\r\nAnomaly in SMB Traffic\r\nAnyDesk Net Connection\r\nAnyDesk – File Signature\r\nAnyDesk – Create Process\r\nDCSync Attack Detection\r\nIndicators of compromise\r\nDomains\r\nThe sixteen azurewebsites[.]net C2 domains are the ones listed in the Connectivity to C2s hunting query above.\r\nTickler samples and related indicators\r\nYAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf.exe (SHA-256: 7eb2e9e8cd450fc353323fd2e8b84fbbdfe061a8441fd71750250752c577d198)\r\nSold.dll (SHA-256: ccb617cc7418a3b22179e00d21db26754666979b4c4f34c7fda8c0082d08cec4)\r\nBatch script (SHA-256: 5df4269998ed79fbc997766303759768ce89ff1412550b35ff32e85db3c1f57b)\r\nMalicious DLL (SHA-256: fb70ff49411ce04951895977acfc06fa468e4aa504676dedeb40ba5cea76f37f)\r\nMalicious DLL (SHA-256: 711d3deccc22f5acfd3a41b8c8defb111db0f2b474febdc7f20a468f67db0350)\r\nLearn more\r\nFor the latest security research from 
the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn at\r\nhttps://www.linkedin.com/showcase/microsoft-threat-intelligence and on X (formerly Twitter)\r\nat https://twitter.com/MsftSecIntel.\r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat\r\nlandscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.\r\nSource: https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/"
	],
	"report_names": [
		"peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ad78338e-8bb6-4745-acae-27d3cc3cf76d",
			"created_at": "2023-11-17T02:00:07.580677Z",
			"updated_at": "2026-04-10T02:00:03.452097Z",
			"deleted_at": null,
			"main_name": "Bohrium",
			"aliases": [
				"BOHRIUM",
				"IMPERIAL KITTEN",
				"Smoke Sandstorm"
			],
			"source_name": "MISPGALAXY:Bohrium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "786139da-4139-49d0-9685-e249c5f89f25",
			"created_at": "2024-12-30T02:01:48.731055Z",
			"updated_at": "2026-04-10T02:00:04.763086Z",
			"deleted_at": null,
			"main_name": "TA455",
			"aliases": [
				"Bohrium",
				"DEV-0056",
				"Operation Iranian Dream Job",
				"Smoke Sandstorm",
				"TA455",
				"UNC1549",
				"Yellow Dev 13"
			],
			"source_name": "ETDA:TA455",
			"tools": [
				"LIGHTRAIL",
				"MINIBIKE",
				"SlugResin",
				"SnailResin"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0dc20eeb-81e3-48ef-9a12-7b38fdcf07b1",
			"created_at": "2025-09-20T02:04:46.693616Z",
			"updated_at": "2026-04-10T02:00:03.735806Z",
			"deleted_at": null,
			"main_name": "COBALT SMOKEY",
			"aliases": [
				"Nimbus Manticore ",
				"Smoke Sandstorm ",
				"Subtle Snail ",
				"TA455 ",
				"UNC1549 "
			],
			"source_name": "Secureworks:COBALT SMOKEY",
			"tools": [
				"LIGHTRAIL",
				"MINIBIKE",
				"MINIBUS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b938e2e3-3d1b-4b35-a031-ddf25b912557",
			"created_at": "2022-10-25T16:07:23.35582Z",
			"updated_at": "2026-04-10T02:00:04.55531Z",
			"deleted_at": null,
			"main_name": "APT 33",
			"aliases": [
				"APT 33",
				"ATK 35",
				"Cobalt Trinity",
				"Curious Serpens",
				"Elfin",
				"G0064",
				"Holmium",
				"Magnallium",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451",
				"Yellow Orc"
			],
			"source_name": "ETDA:APT 33",
			"tools": [
				"Atros2.CKPN",
				"AutoIt backdoor",
				"Breut",
				"CinaRAT",
				"DROPSHOT",
				"DarkComet",
				"DarkKomet",
				"DistTrack",
				"EmPyre",
				"EmpireProject",
				"FYNLOS",
				"FalseFont",
				"Filerase",
				"Fynloski",
				"JuicyPotato",
				"Krademok",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Mimikatz",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Notestuk",
				"POWERTON",
				"PoshC2",
				"PowerBand",
				"PowerShell Empire",
				"PowerSploit",
				"PsList",
				"Pupy",
				"PupyRAT",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"SHAPESHIFT",
				"Shamoon",
				"Socmer",
				"StoneDrill",
				"TURNEDUP",
				"Tickler",
				"Yggdrasil",
				"Zurten",
				"klovbot",
				"pupy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434701,
	"ts_updated_at": 1775792043,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff2cb89a90d5ca4888d4162c02360608ffa37484.pdf",
		"text": "https://archive.orkl.eu/ff2cb89a90d5ca4888d4162c02360608ffa37484.txt",
		"img": "https://archive.orkl.eu/ff2cb89a90d5ca4888d4162c02360608ffa37484.jpg"
	}
}