Threat actors

Microsoft actively discovers and tracks threat actors across observed state-sponsored, ransomware, and criminal activities. Get insights from the 60 nation-state actors, 50 ransomware groups, and hundreds of other attackers we’ve tracked.

Refine Results

Refine results

Sort By

Content Type

Topic

Products and services

Publish date

Start Date

End Date

Tailored AI insights from Microsoft Security Copilot
Empower your defenders to detect hidden patterns, harden defenses, and respond to incidents faster with generative AI.
Learn more
January 16

7 min read

New Star Blizzard spear-phishing campaign targets WhatsApp accounts

In mid-November 2024, Microsoft Threat Intelligence observed the Russian threat actor we track as Star Blizzard sending their typical targets spear-phishing messages, this time offering the supposed opportunity to join a WhatsApp group.
December 11, 2024

14 min read

Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine

Since January 2024, Microsoft has observed Secret Blizzard using the tools or infrastructure of other threat groups to attack targets in Ukraine and download its custom backdoors Tavdig and KazuarV2.
December 4, 2024

16 min read

Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage

Microsoft has observed Secret Blizzard compromising the infrastructure and backdoors of the Pakistan-based threat actor we track as Storm-0156 for espionage against the Afghanistan government and Indian Army targets.
November 22, 2024

10 min read

Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON

At CYBERWARCON 2024, Microsoft Threat Intelligence analysts will share research and insights on North Korean and Chinese threat actors representing years of threat actor tracking, infrastructure monitoring and disruption, and their attack tooling.
Go beyond data protection with Microsoft Purview
Govern, protect, and manage all of your data with Microsoft Purview, comprehensive solutions to help give you better visibility and control.
Learn more
October 31, 2024

8 min read

Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network

Since August 2023, Microsoft has observed intrusion activity targeting and successfully stealing credentials from multiple Microsoft customers that is enabled by highly evasive password spray attacks.
October 29, 2024

13 min read

Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files

Since October 22, 2024, Microsoft Threat Intelligence has observed Russian threat actor Midnight Blizzard sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors.
October 10, 2024

12 min read

Cyber Signals Issue 8 | Education under siege: How cybercriminals target our schools

This edition of Cyber Signals delves into the cybersecurity challenges facing classrooms and campuses, highlighting the critical need for robust defenses and proactive measures.
September 26, 2024

20 min read

Storm-0501: Ransomware attacks expanding to hybrid cloud environments

Microsoft has observed the threat actor tracked as Storm-0501 launching a multi-staged attack where they compromised hybrid cloud environments and performed lateral movement from on-premises to cloud environment, leading to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment.
Streamline privacy management with Microsoft Priva
Protect and govern personal information, reduce privacy risks, and manage subject rights requests at scale with Microsoft Priva privacy risk management solutions.
Learn more
August 30, 2024

9 min read

North Korean threat actor Citrine Sleet exploiting Chromium zero-day

Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium (CVE-2024-7971) to gain remote code execution (RCE) in the Chromium renderer process.
August 28, 2024

14 min read

Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations

Between April and July 2024, Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multi-stage backdoor, which we named Tickler.
July 25, 2024

11 min read

Onyx Sleet uses array of malware to gather intelligence for North Korea

On July 25, 2024, the United States Department of Justice (DOJ) indicted an individual linked to the North Korean threat actor that Microsoft tracks as Onyx Sleet.
May 30, 2024

9 min read

Exposed and vulnerable: Recent attacks highlight critical need to protect internet-exposed OT devices

Since late 2023, Microsoft has observed an increase in reports of attacks focusing on internet-exposed, poorly secured operational technology (OT) devices.