Ramin Nafisi

502 posts

@MalwareRE

Microsoft Malware Intelligence, Research, and Analysis (MIRAGE) lead.

Joined April 2014
2K Following · 5.3K Followers
Pinned Tweet
Ramin Nafisi @MalwareRE
Today we are releasing an in-depth analysis of a #NOBELIUM post-exploitation backdoor that Microsoft Threat Intelligence Center (MSTIC) refers to as #FoggyWeb, a passive & highly targeted backdoor capable of remotely exfiltrating sensitive info from a compromised AD FS server.
Microsoft Threat Intelligence @MsftSecIntel (quoted post)

New blog: In-depth analysis of newly detected NOBELIUM malware: a post-exploitation backdoor that Microsoft refers to as FoggyWeb. NOBELIUM uses FoggyWeb to remotely exfiltrate data from compromised AD FS servers. Get IOCs, protection info, and guidance: msft.it/6018XekA6

Ramin Nafisi @MalwareRE
Another quality technical blog from #MIRAGE, this time on Secret Blizzard’s beloved #Kazuar malware. This blog is an in-depth analysis of Kazuar’s progression from a single, monolithic framework into a modular bot ecosystem composed of three distinct module types, each with clearly defined roles. Together, these components distribute functionality across the P2P botnet, enabling flexible configuration, lower observability, and broad tasking while minimizing opportunities for detection. microsoft.com/en-us/security…
Ramin Nafisi @MalwareRE
Microsoft Threat Intelligence uncovered a macOS‑focused cyber campaign by the North Korean threat actor Sapphire Sleet that relies on social engineering rather than software vulnerabilities. microsoft.com/en-us/security…
Ramin Nafisi @MalwareRE
Forest Blizzard, a threat actor linked to the Russian military, has been compromising insecure small-office and home internet equipment like routers to conduct DNS hijacking and adversary-in-the-middle attacks microsoft.com/en-us/security…
Ramin Nafisi @MalwareRE
Join MSTIC‑MIRAGE, MSTIC’s global team of elite malware intelligence, reverse engineering, and security research specialists. Work alongside a world-class team of REs and TI analysts to uncover, analyze, research, track, and disrupt some of the world’s most advanced and consequential cyber threats (US-based candidates with senior-level+ RE experience): apply.careers.microsoft.com/careers/job/19…
Ramin Nafisi reposted
Microsoft Threat Intelligence @MsftSecIntel
New blog post: Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack. msft.it/6014t902u In defending against threats like Shai-Hulud 2.0, organizations benefit significantly from the layered protection from Microsoft Defender, which provides security coverage from code, to posture management, to runtime. This defense-in-depth approach is especially valuable when facing supply chain-driven attacks that might introduce malicious dependencies that evade traditional vulnerability assessment tools. In these scenarios, the ability to correlate telemetry across data planes, such as endpoint or container behavior and runtime anomalies, becomes essential. Leveraging these insights enables security teams to rapidly identify compromised devices, flag suspicious packages, and contain the threat before it propagates further.
Ramin Nafisi reposted
Microsoft Threat Intelligence @MsftSecIntel
Microsoft Incident Response – Detection and Response Team (DART) uncovered SesameOp, a new backdoor that uses the OpenAI Assistants API for C2. DART shared the findings with OpenAI, who identified and disabled an API key and associated account. msft.it/6012tGbpm SesameOp uses the OpenAI Assistants API as a storage or relay mechanism to fetch commands, which the malware then decrypts and executes locally. Once the tasks are completed, it sends the results back to OpenAI as a message. To stay under the radar, the backdoor uses compression and encryption. Microsoft and OpenAI jointly investigated the threat actor’s use of the OpenAI Assistants API. This threat does not represent a vulnerability or misconfiguration, but a way to misuse built-in capabilities of the OpenAI Assistants API, which is being deprecated in August 2026. Microsoft and OpenAI continue to collaborate to better understand and disrupt how threat actors attempt to misuse emerging technologies.
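The post above describes the mechanism (commands fetched through the OpenAI Assistants API, results posted back as messages) but not the hunting side. The block below is an added example, not Microsoft's or DART's code, of how a pass over network-connection telemetry can surface that pattern: it flags api.openai.com traffic from processes outside an assumed allowlist, flags calls to Assistants API endpoints (/v1/assistants, /v1/threads), and reports fixed-interval call timing as a beacon hint. The log lines, host names, process names and paths are constructed for the example; the allowlist and thresholds are assumptions to tune per environment.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed network-connection events in the shape an EDR or TLS-inspecting
# proxy might log. Hosts, process names and paths are invented for this example.
SAMPLE_EVENTS = """\
{"ts":"2025-11-03T09:00:00Z","host":"ws-17","process":"chrome.exe","dst":"api.openai.com","path":"/v1/chat/completions"}
{"ts":"2025-11-03T09:00:05Z","host":"ws-17","process":"updater.exe","dst":"api.openai.com","path":"/v1/threads/thread_a1/messages"}
{"ts":"2025-11-03T09:02:00Z","host":"ws-22","process":"code.exe","dst":"api.openai.com","path":"/v1/chat/completions"}
{"ts":"2025-11-03T09:03:00Z","host":"ws-22","process":"python.exe","dst":"api.openai.com","path":"/v1/assistants"}
{"ts":"2025-11-03T09:04:00Z","host":"ws-22","process":"chrome.exe","dst":"www.microsoft.com","path":"/"}
{"ts":"2025-11-03T09:05:05Z","host":"ws-17","process":"updater.exe","dst":"api.openai.com","path":"/v1/threads/thread_a1/messages"}
{"ts":"2025-11-03T09:10:04Z","host":"ws-17","process":"updater.exe","dst":"api.openai.com","path":"/v1/threads/thread_a1/messages"}
{"ts":"2025-11-03T09:15:06Z","host":"ws-17","process":"updater.exe","dst":"api.openai.com","path":"/v1/threads/thread_a1/messages"}
"""

# Assumed, organization-specific allowlist of processes expected to reach the API.
ALLOWED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "code.exe"}
OPENAI_API_HOST = "api.openai.com"
# Endpoint prefixes that belong to the Assistants API (assistants, threads,
# thread messages and runs) rather than the plain completions endpoints.
ASSISTANTS_PREFIXES = ("/v1/assistants", "/v1/threads")


def parse_events(text):
    """One JSON object per line -> list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage_openai_traffic(events, min_events=4, max_jitter_s=10.0):
    """Flag API calls from unexpected processes or to Assistants endpoints, and
    report (host, process) pairs whose call timing looks like a fixed-interval beacon."""
    findings, series = [], defaultdict(list)
    for e in events:
        if e["dst"] != OPENAI_API_HOST:
            continue
        reasons = []
        if e["process"].lower() not in ALLOWED_CLIENTS:
            reasons.append("unexpected client process")
        if e["path"].startswith(ASSISTANTS_PREFIXES):
            reasons.append("Assistants API endpoint")
        if reasons:
            findings.append({"host": e["host"], "process": e["process"],
                             "path": e["path"], "reasons": reasons})
        series[(e["host"], e["process"])].append(
            datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ"))

    # Beacon heuristic: enough calls from one process, with near-constant gaps.
    beacons = []
    for (host, proc), times in series.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if statistics.pstdev(gaps) <= max_jitter_s:
            beacons.append({"host": host, "process": proc,
                            "interval_s": round(statistics.mean(gaps))})
    return {"findings": findings, "beacons": beacons}


if __name__ == "__main__":
    print(json.dumps(triage_openai_traffic(parse_events(SAMPLE_EVENTS)), indent=2))
```

The endpoint rule needs per-process attribution from an EDR or a TLS-inspecting proxy that logs paths; DNS or SNI logs give only the host name, so there the process allowlist rule is all that applies. As the post itself notes, this is misuse of a legitimate API rather than a vulnerability, so the output is a hunting lead to investigate, not a block decision.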
Ramin Nafisi reposted
Microsoft Threat Intelligence @MsftSecIntel
Microsoft Threat Intelligence has uncovered a new variant of the XCSSET malware, which is designed to infect Xcode projects, typically used by software developers building Apple or macOS-related applications. msft.it/6019sS0yx This new XCSSET variant improves browser targeting, clipboard hijacking, and persistence mechanisms. It employs sophisticated encryption and obfuscation techniques, uses run-only compiled AppleScripts for stealth, and expands data exfiltration capabilities. We shared these findings with Apple and collaborated with GitHub to take down repositories affected by XCSSET. This publication reflects our broader commitment to disrupting attacks and dismantling attacker operations. Alongside our findings, we are sharing actionable detections, recommendations, and best practices to help organizations defend against this threat with confidence.
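The post says XCSSET is designed to infect Xcode projects. The place a project file can carry code that runs on every build is a shell-script build phase in project.pbxproj, so that is where a developer or responder should look first. The block below is an added example, not Microsoft's detection logic and not derived from XCSSET samples: it enumerates PBXShellScriptBuildPhase objects in a pbxproj and lists the ones whose commands contain payload-decoding or pipe-to-shell tokens. The pbxproj fragment, object IDs and script bodies are constructed for the example, and the token list is an assumption to tune.

```python
import re

# Constructed project.pbxproj fragment. Object IDs, names and script bodies are
# invented for this example; they do not come from any real project or sample.
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
	objects = {
		0A1B2C3D0A1B2C3D0A1B2C3D /* Sources */ = {
			isa = PBXSourcesBuildPhase;
			files = (
			);
		};
		4E5F6A7B4E5F6A7B4E5F6A7B /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Run Script";
			shellPath = /bin/sh;
			shellScript = "swiftlint --quiet\n";
		};
		8C9D0E1F8C9D0E1F8C9D0E1F /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "echo QUJDREVGRw== | base64 -d | sh\n";
		};
	};
}
'''

# Assumed heuristic: tokens that rarely belong in a legitimate build step but are
# typical of droppers (payload decoding, macOS scripting hosts, pipe-to-shell).
SUSPICIOUS_TOKENS = ("base64", "osascript", "curl ", "wget ", "| sh", "| bash",
                     "eval ", "python -c", "perl -e", "xxd -r", "openssl enc")


def _matching_brace(text, open_idx):
    """Index of the '}' closing the '{' at open_idx, skipping quoted strings."""
    depth, i, in_str = 0, open_idx, False
    while i < len(text):
        c = text[i]
        if in_str:
            if c == "\\":
                i += 1          # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unbalanced braces in pbxproj")


def _unescape(s):
    # pbxproj quoted strings escape newline, double quote and backslash.
    return s.replace("\\n", "\n").replace('\\"', '"').replace("\\\\", "\\")


def find_shell_script_phases(pbxproj):
    """Return every PBXShellScriptBuildPhase with its id, name, decoded script and
    the suspicious tokens found in it. Assumes 'isa' is the first key of each
    object, which is how Xcode writes the file."""
    phases = []
    for m in re.finditer(r"isa\s*=\s*PBXShellScriptBuildPhase\s*;", pbxproj):
        open_idx = pbxproj.rfind("{", 0, m.start())
        close_idx = _matching_brace(pbxproj, open_idx)
        body = pbxproj[open_idx:close_idx + 1]
        # The object id (and optional /* comment */) sits just before the '{'.
        id_m = re.search(r"([0-9A-Fa-f]{8,24})\s*(?:/\*.*?\*/)?\s*=\s*$",
                         pbxproj[max(0, open_idx - 200):open_idx])
        script_m = re.search(r'shellScript\s*=\s*"((?:\\.|[^"\\])*)"\s*;', body)
        name_m = re.search(r'\bname\s*=\s*"((?:\\.|[^"\\])*)"\s*;', body)
        script = _unescape(script_m.group(1)) if script_m else ""
        lowered = script.lower()
        phases.append({
            "id": id_m.group(1) if id_m else "?",
            "name": _unescape(name_m.group(1)) if name_m else "",
            "script": script,
            "suspicious": [t for t in SUSPICIOUS_TOKENS if t in lowered],
        })
    return phases


if __name__ == "__main__":
    for p in find_shell_script_phases(SAMPLE_PBXPROJ):
        flag = "SUSPICIOUS" if p["suspicious"] else "ok"
        print(f'{p["id"]} {p["name"]!r} {flag} {p["suspicious"]}')
```

Run it over every *.xcodeproj/project.pbxproj in a repository and diff the output against a known-good commit; a new, unnamed script phase appearing in a project that nobody edited is the signal worth chasing, whatever the token list says.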
Ramin Nafisi @MalwareRE
#PipeMagic is a highly modular backdoor used by the financially motivated threat actor Storm-2460. It masquerades as a legitimate open-source ChatGPT Desktop Application. Microsoft Threat Intelligence encountered PipeMagic as part of research on an attack chain involving the exploitation of CVE-2025-29824, an elevation of privilege vulnerability in Windows Common Log File System (CLFS). PipeMagic is a sophisticated malware framework designed for flexibility and persistence. Quality blog by MSTIC malware intelligence, research and analysis (MIRAGE) team: microsoft.com/en-us/security… #pipemagic #mstic #mirage #threatintelligence
Ramin Nafisi @MalwareRE
Today, Microsoft Threat Intelligence Center (#MSTIC) is excited to announce the release of #RIFT, a tool designed to assist software/malware analysts automate the identification of attacker-written code within Rust binaries. Blog: microsoft.com/en-us/security… Tool: github.com/microsoft/RIFT #RIFT #Rust #MSTIC #MIRAGE @hackingump1
Ramin Nafisi @MalwareRE (quoted post)

Do you find analyzing Rust binaries/malware tedious and unpleasant? You’re not alone! If you’re attending #REcon this year, our own @hackingump1 will be unveiling #RIFT today at 2PM EST (not at REcon? We got you covered, stay tuned). We have been using RIFT internally for some time and it has truly transformed the way we handle and analyze Rust binaries. cfp.recon.cx/recon-2025/tal… #RIFT #Rust #REon25 #MSTIC #MIRAGE

Ramin Nafisi @MalwareRE
Do you find analyzing Rust binaries/malware tedious and unpleasant? You’re not alone! If you’re attending #REcon this year, our own @hackingump1 will be unveiling #RIFT today at 2PM EST (not at REcon? We got you covered, stay tuned). We have been using RIFT internally for some time and it has truly transformed the way we handle and analyze Rust binaries. cfp.recon.cx/recon-2025/tal… #RIFT #Rust #REon25 #MSTIC #MIRAGE
Andreas Klopsch @hackingump1 (quoted post)

Presenting "Unveiling RIFT: Advanced Pattern Matching for Rust Libraries" at RECON Montreal 2025! Sharing research on discovering Rust dependencies in compiled binaries. See you there! 🚀 #RECON2025 #RustLang #ReverseEngineering

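Both RIFT posts above are about the same problem: telling library code apart from attacker-written code in a compiled Rust binary. RIFT's own method is pattern matching against compiled Rust libraries (see the linked blog and talk); the block below is an added example, not RIFT and not Microsoft code, of the cheaper first pass an analyst does by hand before reaching for such a tool. It harvests the source-path strings rustc embeds for panic locations, reads the toolchain commit hash and crate-version pairs out of them, and treats the remaining .rs paths as first-party, that is, candidate attacker code. The byte blob, commit hash, crate versions and paths are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed byte fragments of the kind a Rust binary's .rodata carries for
# panic/location strings. The rustc commit hash, crate versions and paths are
# invented for this example and not taken from any real sample.
SAMPLE_BINARY = (
    b"\x00/rustc/0123456789abcdef0123456789abcdef01234567/library/core/src/fmt/mod.rs\x00"
    b"/rustc/0123456789abcdef0123456789abcdef01234567/library/alloc/src/vec/mod.rs\x00"
    b"/home/build/.cargo/registry/src/index.crates.io-6f17d22bba15001f/serde-1.0.219/src/de/mod.rs\x00"
    b"/home/build/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-util-0.7.14/src/codec/framed.rs\x00"
    b"C:\\Users\\dev\\.cargo\\registry\\src\\index.crates.io-6f17d22bba15001f\\reqwest-0.12.15\\src\\async_impl\\client.rs\x00"
    b"src\\main.rs\x00src/stager.rs\x00called `Option::unwrap()` on a `None` value\x00"
)

# Standard-library paths carry the rustc commit the toolchain was built from.
RUSTC_RE = re.compile(r"/rustc/([0-9a-f]{40})/library/")
# Third-party crates are compiled from the cargo registry checkout:
#   .cargo/registry/src/<index dir>/<crate>-<semver>/src/...
CRATE_RE = re.compile(
    r"registry[\\/]src[\\/][^\\/]+[\\/]"          # registry/src/<index dir>/
    r"([A-Za-z0-9_\-]+?)-"                        # crate name (may contain '-')
    r"(\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.\-]+)?)"    # semver, optional pre-release
    r"[\\/]"
)
SOURCE_RE = re.compile(r"\.rs$")


def printable_strings(blob, min_len=6):
    """ASCII runs of at least min_len bytes, roughly what `strings` prints."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def extract_rust_provenance(blob):
    """Sort Rust source paths found in a binary into toolchain, third-party
    crate (with versions) and first-party buckets."""
    rustc_commits = set()
    crates = defaultdict(set)
    first_party = set()
    for s in printable_strings(blob):
        m = RUSTC_RE.search(s)
        if m:
            rustc_commits.add(m.group(1))
            continue
        m = CRATE_RE.search(s)
        if m:
            crates[m.group(1)].add(m.group(2))
            continue
        if SOURCE_RE.search(s):
            # Not std, not a registry crate: written by whoever built the binary.
            first_party.add(s)
    return {
        "rustc_commits": rustc_commits,
        "crates": {name: sorted(v) for name, v in sorted(crates.items())},
        "first_party_paths": sorted(first_party),
    }


if __name__ == "__main__":
    report = extract_rust_provenance(SAMPLE_BINARY)
    print("rustc commits :", ", ".join(sorted(report["rustc_commits"])))
    for name, versions in report["crates"].items():
        print("crate         :", name, versions)
    print("first-party   :", report["first_party_paths"])
```

Builds that use --remap-path-prefix rewrite these paths, and a crate only shows up if one of its panic or location sites survived inlining and dead-code elimination, so an empty crate list proves nothing. That gap is what signature matching of the kind RIFT performs closes; the string pass is still the quickest way to recover the rustc version and the dependency set to feed into it.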