{"id":133039,"date":"2024-01-17T09:00:00","date_gmt":"2024-01-17T17:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=133039"},"modified":"2025-07-23T05:57:37","modified_gmt":"2025-07-23T12:57:37","slug":"new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/01\/17\/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs\/","title":{"rendered":"New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs"},"content":{"rendered":"\n

Since November 2023, Microsoft has observed a distinct subset of Mint Sandstorm (PHOSPHORUS) targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States. In this campaign, Mint Sandstorm used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files. In a handful of cases, Microsoft observed new post-intrusion tradecraft including the use of a new, custom backdoor called MediaPl.<\/p>\n\n\n\n

Operators associated with this subgroup of Mint Sandstorm are patient and highly skilled social engineers whose tradecraft lacks many of the hallmarks that allow users to quickly identify phishing emails. In some instances of this campaign, this subgroup also used legitimate but compromised accounts to send phishing lures. Additionally, Mint Sandstorm continues to improve and modify the tooling used in targets\u2019 environments, activity that might help the group persist in a compromised environment and better evade detection.<\/p>\n\n\n\n

Mint Sandstorm (which overlaps with the threat actor tracked by other researchers as APT35 and Charming Kitten) is a composite name used to describe several subgroups of activity with ties to the Islamic Revolutionary Guard Corps (IRGC)<\/a>, an intelligence arm of Iran\u2019s military. Microsoft attributes the activity detailed in this blog to a technically and operationally mature subgroup<\/a> of Mint Sandstorm that specializes in gaining access to and stealing sensitive information from high-value targets. This group is known to conduct resource-intensive social engineering campaigns that target journalists, researchers, professors, or other individuals with insights or perspective on security and policy issues of interest to Tehran.<\/p>\n\n\n\n

These individuals, who work with or who have the potential to influence the intelligence and policy communities, are attractive targets for adversaries seeking to collect intelligence for the states that sponsor their activity, such as the Islamic Republic of Iran. Based on the identities of the targets observed in this campaign and the use of lures related to the Israel-Hamas war, it\u2019s possible this campaign is an attempt to gather perspectives on events related to the war from individuals across the ideological spectrum.<\/p>\n\n\n\n

In this blog, we share our analysis of the new Mint Sandstorm tradecraft and provide detection, hunting, and protection information. Organizations can also use the mitigations included in this blog to harden their attack surfaces against the tradecraft observed in this and other Mint Sandstorm campaigns. These mitigations are high-value measures that are effective ways to defend organizations from multiple threats, including Mint Sandstorm, and are useful to any organization regardless of their threat model.<\/p>\n\n\n\n

\n\t
\n\t\t

\n\t\t\tGet the latest Microsoft Threat Intelligence updates\t\t<\/h2>\n\t\t

\n\t\t\t\t\t\t\t\n\t\t\t\t\t\tJump to social\t\t\t\t\t\t\t\u2197<\/a>\n\t\t\t\t\t<\/p>\n\t<\/div>\n<\/div>\n\n\n\n

New Mint Sandstorm tradecraft<\/h2>\n\n\n\n

Microsoft observed new tactics, techniques, and procedures (TTPs) in this Mint Sandstorm campaign, notably the use of legitimate but compromised email accounts to send phishing lures, use of the Client for URL (curl) command to connect to Mint Sandstorm\u2019s command-and-control (C2) server and download malicious files, and delivery of a new custom backdoor, MediaPl.<\/p>\n\n\n\n

Social engineering<\/h3>\n\n\n\n

In this campaign, Mint Sandstorm masqueraded as high-profile individuals including as a journalist at a reputable news outlet. In some cases, the threat actor used an email address spoofed to resemble a personal email account belonging to the journalist they sought to impersonate and sent benign emails to targets requesting their input on an article about the Israel-Hamas war. In other cases, Mint Sandstorm used legitimate but compromised email accounts belonging to the individuals they sought to impersonate. Initial email messages did not contain any malicious content.<\/p>\n\n\n\n

This tradecraft, namely the impersonation of a known individual, the use of highly bespoke phishing lures, and the use of wholly benign messages in the initial stages of the campaign, is likely an attempt to build rapport with targets and establish a level of trust before attempting to deliver malicious content to targets. Additionally, it\u2019s likely that the use of legitimate but compromised email accounts, observed in a subset of this campaign, further bolstered Mint Sandstorm\u2019s credibility, and might have played a role in the success of this campaign.<\/p>\n\n\n\n

Delivery<\/h3>\n\n\n\n

If targets agreed to review the article or document referenced in the initial email, Mint Sandstorm followed up with an email containing a link to a malicious domain. In this campaign, follow up messages directed targets to sites such as cloud-document-edit[.]onrender[.]com,<\/em> a domain hosting a RAR archive (.rar<\/em>) file that purported to contain the draft document targets were asked to review. If opened, this .rar<\/em> file decompressed into a double extension<\/a> file (.pdf.lnk<\/em>) with the same name. When launched, the .pdf.lnk <\/em>file ran a curl command to retrieve a series of malicious files from attacker-controlled subdomains of glitch[.]me<\/em> and supabase[.]co<\/em>.<\/p>\n\n\n\n

Microsoft observed multiple files downloaded to targets\u2019 devices in this campaign, notably several .vbs<\/em> scripts. In several instances, Microsoft observed a renamed version of NirCmd<\/a>, a legitimate command line tool that allows a user to carry out a number of actions on a device without displaying a user interface, on a target\u2019s device.<\/p>\n\n\n\n

Persistence<\/h3>\n\n\n\n

In some cases, the threat actor used a malicious file, Persistence.vbs<\/em>, to persist in targets\u2019 environments. When run, Persistence.vbs<\/em> added a file, typically named a.vbs<\/em>, to the CurrentVersionRun<\/em> registry key. In other cases, Mint Sandstorm created a scheduled task to reach out to an attacker-controlled supabase[.]co<\/em> domain and download a .txt<\/em> file.<\/p>\n\n\n

\"Intrusion
Figure 1. Intrusion chain leading to backdoors observed in the ongoing Mint Sandstorm campaign<\/em><\/figcaption><\/figure>\n\n\n\n

Collection<\/h3>\n\n\n\n

Activity observed in this campaign suggests that Mint Sandstorm wrote activity from targets\u2019 devices to a series of text files, notably one named documentLoger.txt.<\/em><\/p>\n\n\n\n

In addition to the activity detailed above, in some cases, Mint Sandstorm dropped MischiefTut or MediaPl, custom backdoors.<\/p>\n\n\n\n

MediaPl backdoor<\/h3>\n\n\n\n

MediaPl is a custom backdoor capable of sending encrypted communications to its C2 server. MediaPl is configured to masquerade as Windows Media Player, an application used to store and play audio and video files. To this end, Mint Sandstorm typically drops this file in C:\\Users\\[REDACTED] \\AppData\\Local\\Microsoft\\Media Player\\MediaPl.dll<\/em>. When MediaPl.dll is run with the path of an image file provided as an argument, it launches the image in Windows Photo application and also parses the image for C2 information. Communications to and from MediaPl\u2019s C2 server are AES CBC encrypted and Base64 encoded. As of this writing, MediaPl can terminate itself, can pause and retry communications with its C2 server, and launch command(s) it has received from the C2 using the _popen function<\/a>.<\/p>\n\n\n\n

MischiefTut<\/h3>\n\n\n\n

MischiefTut<\/a> is a custom backdoor implemented in PowerShell with a set of basic capabilities. MischiefTut can run reconnaissance commands, write outputs to a text file and, ostensibly, send outputs back to adversary-controlled infrastructure. MischiefTut can also be used to download additional tools on a compromised system.<\/strong><\/p>\n\n\n\n

Implications<\/h3>\n\n\n\n

The ability to obtain and maintain remote access to a target\u2019s system can enable Mint Sandstorm to conduct a range of activities that can adversely impact the confidentiality of a system. Compromise of a targeted system can also create legal and reputational risks for organizations affected by this campaign. In light of the patience, resources, and skills observed in campaigns attributed to this subgroup of Mint Sandstorm, Microsoft continues to update and augment our detection capabilities to help customers defend against this threat.<\/p>\n\n\n\n

Recommendations<\/h2>\n\n\n\n

Microsoft recommends the following mitigations to reduce the impact of activity associated with recent Mint Sandstorm campaigns.<\/p>\n\n\n\n