Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files


Since October 22, 2024, Microsoft Threat Intelligence has observed Russian threat actor Midnight Blizzard sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors.

This activity is ongoing, and Microsoft will continue to investigate and provide updates as available. Based on our investigation of previous Midnight Blizzard spear-phishing campaigns, we assess that the goal of this operation is likely intelligence collection. Microsoft is releasing this blog to notify the public and disrupt this threat actor activity. This blog provides context on these external spear-phishing attempts, which are common attack techniques and do not represent any new compromise of Microsoft.

Read more…
Source: Microsoft


Sign up for our Newsletter


Related:

  • URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader

    December 18, 2018

    As ransomware and banking trojans captured the interest – and profits – of the world with their destructive routines, cybersecurity practitioners have repeatedly published online and offline how cybercriminals have compartmentalized their schemes through exchange of information and banded professional organizations. As a more concrete proof of the way these symbiotic relationships and work flows intersect, we discovered a connection between EMOTET, URSNIF, DRIDEX and BitPaymer from open source information and ...

  • Russia-Linked Sofacy Debuts Fresh Zebrocy Malware Variant

    December 18, 2018

    The group continues to evolve its custom malware in an effort to evade detection. The Zebrocy trojan – a custom downloader malware used by Russia-linked APT Sofacy (a.k.a. APT28, Fancy Bear or Sednit) – has a new variant. While it’s functionally much the same as its other versions, the new code was written using the Go ...

  • Charming Kitten Iranian Espionage Campaign Thwarts 2FA

    December 17, 2018

    The campaign targets politicians involved in economic and military sanctions against Iran, along with various journalists and human rights activists. A range of political and civil society targets are under fire in an APT attack dubbed the Return of Charming Kitten. The campaign has been tailored to get around two-factor authentication in order to compromise email ...

  • Fileless GandCrab As Seen by SandBlast Agent

    December 17, 2018

    January 2018 saw the debut of the GandCrab ransomware, a well-known malware that is distributed on the Dark Web which targets mainly Scandinavian and English-speaking countries. In addition, the GandCrab Affiliate Program offers low skilled threat actors the opportunity to run their own ransomware campaigns. Delivered mainly through email spam engines, affiliates are also provided with advice and ...

  • Cybercriminals Use Malicious Memes that Communicate with Malware

    December 14, 2018

    Steganography, or the method used to conceal a malicious payload inside an image to evade security solutions, has long been used by cybercriminals to spread malware and perform other malicious operations. We recently discovered malicious actors using this technique on memes. The malware authors have posted two tweets featuring malicious memes on October 25 and 26 ...

  • Electric Vehicle Charging Stations Open to IoT Attacks

    December 14, 2018

    Flaws could allow an attacker to stop or start a home charging station, or even change the current in order to start a fire. Given that creating proof-of-concept (PoC) cyberattacks for the Internet of Things (IoT) is essentially like shooting fish in a barrel these days, perhaps it’s not exactly surprising that a new niche category ...