Security Insider
Threat intelligence and actionable insights to stay ahead
Emerging threats
2023 Threat Intelligence Year in Review: Key Insights and Developments
Microsoft Threat Intelligence rounds up the top threat actor trends in techniques, tactics, and procedures (TTPs) from 2023.
Latest News
Intelligence reports
Navigating cyberthreats and strengthening defenses in the era of AI
Intelligence reports
Iran surges cyber-enabled influence operations in support of Hamas
Emerging threats
Feeding from the trust economy: social engineering fraud
Threat actor insights
Microsoft Security is actively tracking threat actors across observed nation state, ransomware, and criminal activities. These insights represent publicly published activity from Microsoft Security threat researchers and provide a centralized catalog of actor profiles from the referenced blogs.
Mint Sandstorm
Mint Sandstorm (formerly PHOSPHORUS) typically attempts to compromise the personal accounts of individuals through spear phishing, using social engineering to build rapport with victims before targeting them.
Manatee Tempest
Manatee Tempest (formerly DEV-0243) is a threat actor that is a part of the ransomware as a service (RaaS) economy, partnering with other threat actors to provide custom Cobalt Strike loaders.
Wine Tempest
Wine Tempest (formerly PARINACOTA) typically uses human-operated ransomware for attacks, mostly deploying the Wadhrama ransomware. They are resourceful, changing tactics to match their needs and have used compromised machines for various purposes, including cryptocurrency mining, sending spam emails, or proxying for other attacks.
Smoke Sandstorm
Smoke Sandstorm (formerly BOHRIUM/DEV-0056) compromised email accounts at a Bahrain-based IT integration company in September 2021. This company works on IT integration with Bahrain Government clients, who were likely Smoke Sandstorm’s ultimate target.
Storm-0530
A group of actors originating from North Korea that Microsoft tracks as Storm-0530 (formerly DEV-0530) has been developing and using ransomware in attacks since June 2021.
Silk Typhoon
In 2021, Silk Typhoon (formerly HAFNIUM) used 0-day exploits to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks.
Forest Blizzard
Forest Blizzard (formerly STRONTIUM) uses a variety of initial access techniques, including exploiting vulnerable web-facing applications and, to obtain credentials, spear phishing and the deployment of an automated password spray/brute force tool operating through Tor.
Midnight Blizzard
The actor that Microsoft tracks as Midnight Blizzard (NOBELIUM) is a Russia-based threat actor attributed by the US and UK governments as the Foreign Intelligence Service of the Russian Federation, also known as the SVR.
Volt Typhoon
The actor that Microsoft tracks as Volt Typhoon is a nation-state activity group based out of China. Volt Typhoon focuses on espionage, data theft, and credential access.
Plaid Rain
Since February 2022, Plaid Rain (formerly POLONIUM) has been observed primarily targeting organizations in Israel with a focus on critical manufacturing, IT, and Israel’s defense industry.
Hazel Sandstorm
Hazel Sandstorm (formerly EUROPIUM) has been publicly linked to Iran’s Ministry of Intelligence and Security (MOIS). Microsoft assessed with high confidence that on July 15, 2022, actors sponsored by the Iranian government conducted a destructive cyberattack against the Albanian government, disrupting government websites and public services.
Cadet Blizzard
Microsoft tracks Cadet Blizzard (formerly DEV-0586) as a Russian state-sponsored threat actor; Microsoft began tracking the group following disruptive and destructive events at multiple government agencies in Ukraine in mid-January 2022.
Pistachio Tempest
Pistachio Tempest (formerly DEV-0237) is a group associated with impactful ransomware distribution. Microsoft has observed Pistachio Tempest use varied ransomware payloads over time as the group experiments with new ransomware as a service (RaaS) offerings, from Ryuk and Conti to Hive, Nokoyawa, and, most recently, Agenda and Mindware.
Periwinkle Tempest
Periwinkle Tempest (formerly DEV-0193) is responsible for developing, distributing, and managing many different payloads, including Trickbot, Bazaloader, and AnchorDNS.
Caramel Tsunami
Caramel Tsunami (formerly SOURGUM) generally sells cyberweapons, usually malware and zero-day exploits, as a part of a hacking-as-a-service package sold to government agencies and other malicious actors.
Aqua Blizzard
Aqua Blizzard (formerly ACTINIUM) uses spear-phishing emails with malicious macro attachments that employ remote templates. The primary aim of Aqua Blizzard activities is to gain persistent access to targeted networks, via deployment of custom malware and commercial tools, for the purpose of intelligence collection.
Nylon Typhoon
Nylon Typhoon (formerly NICKEL) uses exploits against unpatched systems to compromise remote access services and appliances. Upon successful intrusion, they have used credential dumpers or stealers to obtain legitimate credentials, which they then used to access victim accounts and higher-value systems.
Crimson Sandstorm
Crimson Sandstorm (formerly CURIUM) actors have been observed leveraging a network of fictitious social media accounts to build trust with targets and deliver malware to ultimately exfiltrate data.
Diamond Sleet
Diamond Sleet (formerly ZINC) is a threat actor conducting global activities on behalf of the North Korean government. Active since at least 2009, Diamond Sleet is known to target the media, defense, information technology, and scientific research industries, as well as security researchers, with a focus on espionage, data theft, financial gain, and network destruction.
Gray Sandstorm
Gray Sandstorm (formerly DEV-0343) conducts extensive password spraying emulating a Firefox browser and using IPs hosted on a Tor proxy network. They typically target dozens to hundreds of accounts within an organization, depending on the size, and enumerate each account from dozens to thousands of times.
Browse by topic
AI
Security is only as good as your threat intelligence
Business email compromise
Breaking down business email compromise
Ransomware
Protect your organization from ransomware
Meet the Experts
Expert profile: Homa Hayatyfar
Principal Data and Applied Science Manager Homa Hayatyfar describes the use of machine learning models to reinforce defenses, just one of many ways AI is changing the face of security.
Meet the experts
Expert profile
Putting cyber threat intelligence into geopolitical context
Expert profile
Expert advice on cybersecurity's three most persistent challenges
Expert profile
Security researcher Dustin Duran on how to think like an attacker
Explore intelligence reports
2023 Microsoft Digital Defense Report
The latest edition of the Microsoft Digital Defense Report explores the evolving threat landscape and walks through opportunities and challenges as we become cyber resilient.
Maintain practical cyber defense
Cyber hygiene
Basic cyber hygiene prevents 99% of attacks
Threat hunting
Learn the ABCs of Threat Hunting
Cybercrime
Stopping cybercriminals from abusing security tools
Get started
Join Microsoft events
Expand your expertise, learn new skills and build community with Microsoft events and learning opportunities.