Ramin Nafisi

499 posts


@MalwareRE

Microsoft Malware Intelligence, Research, and Analysis (MIRAGE) lead.

Joined April 2014
2K Following, 5.3K Followers
Pinned Tweet
Ramin Nafisi @MalwareRE:
Today we are releasing an in-depth analysis of a #NOBELIUM post-exploitation backdoor that Microsoft Threat Intelligence Center (MSTIC) refers to as #FoggyWeb, a passive & highly targeted backdoor capable of remotely exfiltrating sensitive info from a compromised AD FS server.
Quoted tweet from Microsoft Threat Intelligence (@MsftSecIntel):
New blog: In-depth analysis of newly detected NOBELIUM malware: a post-exploitation backdoor that Microsoft refers to as FoggyWeb. NOBELIUM uses FoggyWeb to remotely exfiltrate data from compromised AD FS servers. Get IOCs, protection info, and guidance: msft.it/6018XekA6

Ramin Nafisi @MalwareRE:
Join MSTIC-MIRAGE, MSTIC's global team of elite malware intelligence, reverse engineering, and security research specialists. Work alongside a world-class team of REs and TI analysts to uncover, analyze, research, track, and disrupt some of the world's most advanced and consequential cyber threats (US-based candidates with senior-level+ RE experience): apply.careers.microsoft.com/careers/job/19…
Ramin Nafisi retweeted
Microsoft Threat Intelligence @MsftSecIntel:
New blog post: Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack. msft.it/6014t902u

In defending against threats like Shai-Hulud 2.0, organizations benefit significantly from the layered protection from Microsoft Defender, which provides security coverage from code, to posture management, to runtime. This defense-in-depth approach is especially valuable when facing supply chain-driven attacks that might introduce malicious dependencies that evade traditional vulnerability assessment tools. In these scenarios, the ability to correlate telemetry across data planes, such as endpoint or container behavior and runtime anomalies, becomes essential. Leveraging these insights enables security teams to rapidly identify compromised devices, flag suspicious packages, and contain the threat before it propagates further.
Ramin Nafisi retweeted
Microsoft Threat Intelligence @MsftSecIntel:
Microsoft Incident Response – Detection and Response Team (DART) uncovered SesameOp, a new backdoor that uses the OpenAI Assistants API for C2. DART shared the findings with OpenAI, who identified and disabled an API key and associated account. msft.it/6012tGbpm

SesameOp uses the OpenAI Assistants API as a storage or relay mechanism to fetch commands, which the malware then decrypts and executes locally. Once the tasks are completed, it sends the results back to OpenAI as a message. To stay under the radar, the backdoor uses compression and encryption.

Microsoft and OpenAI jointly investigated the threat actor's use of the OpenAI Assistants API. This threat does not represent a vulnerability or misconfiguration, but a way to misuse built-in capabilities of the OpenAI Assistants API, which is being deprecated in August 2026. Microsoft and OpenAI continue to collaborate to better understand and disrupt how threat actors attempt to misuse emerging technologies.
Ramin Nafisi retweeted
Microsoft Threat Intelligence @MsftSecIntel:
Microsoft Threat Intelligence has uncovered a new variant of the XCSSET malware, which is designed to infect Xcode projects, typically used by software developers building Apple or macOS-related applications. msft.it/6019sS0yx

This new XCSSET variant improves browser targeting, clipboard hijacking, and persistence mechanisms. It employs sophisticated encryption and obfuscation techniques, uses run-only compiled AppleScripts for stealth, and expands data exfiltration capabilities. We shared these findings with Apple and collaborated with GitHub to take down repositories affected by XCSSET.

This publication reflects our broader commitment to disrupting attacks and dismantling attacker operations. Alongside our findings, we are sharing actionable detections, recommendations, and best practices to help organizations defend against this threat with confidence.
Ramin Nafisi @MalwareRE:
#PipeMagic is a highly modular backdoor used by the financially motivated threat actor Storm-2460. It masquerades as a legitimate open-source ChatGPT Desktop Application. Microsoft Threat Intelligence encountered PipeMagic as part of research on an attack chain involving the exploitation of CVE-2025-29824, an elevation of privilege vulnerability in Windows Common Log File System (CLFS). PipeMagic is a sophisticated malware framework designed for flexibility and persistence. Quality blog by MSTIC malware intelligence, research and analysis (MIRAGE) team: microsoft.com/en-us/security… #pipemagic #mstic #mirage #threatintelligence
Ramin Nafisi @MalwareRE:
Today, Microsoft Threat Intelligence Center (#MSTIC) is excited to announce the release of #RIFT, a tool designed to assist software/malware analysts automate the identification of attacker-written code within Rust binaries. Blog: microsoft.com/en-us/security… Tool: github.com/microsoft/RIFT #RIFT #Rust #MSTIC #MIRAGE @hackingump1
Quoted tweet from Ramin Nafisi (@MalwareRE):
Do you find analyzing Rust binaries/malware tedious and unpleasant? You're not alone! If you're attending #REcon this year, our own @hackingump1 will be unveiling #RIFT today at 2PM EST (not at REcon? We got you covered, stay tuned). We have been using RIFT internally for some time and it has truly transformed the way we handle and analyze Rust binaries. cfp.recon.cx/recon-2025/tal… #RIFT #Rust #REon25 #MSTIC #MIRAGE

Ramin Nafisi @MalwareRE:
Do you find analyzing Rust binaries/malware tedious and unpleasant? You’re not alone! If you’re attending #REcon this year, our own @hackingump1 will be unveiling #RIFT today at 2PM EST (not at REcon? We got you covered, stay tuned). We have been using RIFT internally for some time and it has truly transformed the way we handle and analyze Rust binaries. cfp.recon.cx/recon-2025/tal… #RIFT #Rust #REon25 #MSTIC #MIRAGE
Quoted tweet from Andreas Klopsch (@hackingump1):
Presenting "Unveiling RIFT: Advanced Pattern Matching for Rust Libraries" at RECON Montreal 2025! Sharing research on discovering Rust dependencies in compiled binaries. See you there! 🚀 #RECON2025 #RustLang #ReverseEngineering

Ramin Nafisi retweeted
Microsoft Threat Intelligence @MsftSecIntel:
Microsoft and CrowdStrike are publishing the first version of our joint threat actor mapping, which includes a list of common actors tracked by Microsoft and CrowdStrike and corresponding aliases from each group’s taxonomy. msft.it/6012SlOZi
Ramin Nafisi retweeted
Microsoft Threat Intelligence @MsftSecIntel:
Microsoft and CrowdStrike are teaming up to create alignment across our threat actor taxonomies, mapping where knowledge of these actors aligns to enable security professionals to connect insights faster and make decisions with greater confidence. msft.it/6011SlOZ9
Ramin Nafisi retweeted
Microsoft Threat Intelligence @MsftSecIntel:
Microsoft has discovered worldwide cloud abuse activity by new Russia-affiliated threat actor Void Blizzard (LAUNDRY BEAR), whose cyberespionage activity targets gov't, defense, transportation, media, NGO, and healthcare in Europe and North America. msft.it/6011S9JpN