Microsoft Threat Intelligence

Computer and Network Security

We are Microsoft's global network of security experts. Follow for security research and threat intelligence.

About us

The Microsoft Threat Intelligence community is made up of more than 10,000 world-class experts, security researchers, analysts, and threat hunters analyzing 78 trillion signals daily to discover threats and deliver timely and hyper-relevant insight to protect customers. Our research covers a broad spectrum of threats, including threat actors and the infrastructure that enables them, as well as the tools and techniques they use in their attacks.

Website
https://aka.ms/threatintelblog
Industry
Computer and Network Security
Company size
10,001+ employees
Specialties
Computer & network security, Information technology & services, Cybersecurity, Threat intelligence, Threat protection, and Security

Updates

  • Microsoft Threat Intelligence has uncovered a new variant of XCSSET, a sophisticated modular macOS malware that infects Xcode projects, in the wild. This latest variant, the first since 2022, incorporates enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies. These improvements enable the malware to steal and exfiltrate files as well as system and user information, including digital wallet data and notes, among others. The new XCSSET variant is characterized by its modular design and encoded payloads. It includes improved error handling and makes heavy use of scripting languages, UNIX commands, and legitimate binaries. These characteristics allow the malware to maintain a low profile on affected devices and remain fileless whenever possible, making detection and removal more challenging. Additionally, the malware obfuscates its module names at the code level, which could complicate analysis of each module's intent. The variant also employs three distinct persistence techniques. Our analysis indicates that some modules in the new variant's code are still under development. Furthermore, the command-and-control (C2) server associated with this variant remains active as of this writing and continues to download additional modules. Given that Xcode is typically used by software developers, we assess that the malware’s mode of infection and propagation leverages the fact that project files are shared among developers building Apple or macOS-related applications. Learn more about how the latest XCSSET variant’s different modules work together to achieve the malware’s goals, and get best practices and mitigation recommendations to defend against this threat. https://msft.it/6042q3YVn

  • In December 2024, Microsoft Defender Experts discovered a monetizing network of redirectors, scam websites, and pirated streaming websites that led to payloads downloaded from GitHub. Further analysis of the infection chain uncovered a large-scale malvertising campaign that impacted nearly one million devices globally across a variety of organizations and industries. The team first noticed that the initial infection payloads were being downloaded from GitHub and served as a dropper for another Windows executable. The second payload exfiltrated system information. The team found that the campaign was related to the Donarium malware family, and that the command-and-control (C2) infrastructure used known Lumma Stealer domains and IP addresses. The campaign was also observed to be highly prevalent. To disrupt the activity, the Defender Experts team worked with GitHub to take down the malicious repositories, but the threat actor quickly replicated them. To understand where the attack chain originated, the team conducted retroactive analysis on the traffic stream to trace the origin of the malicious redirector sites, which were found to be embedded in iframes of illegal streaming and pirating websites. The team also identified a similar campaign in which users downloaded tools or software advertised on trusted sites like GitHub and YouTube. These files, masquerading as legitimate software, used the victim devices for cryptocurrency mining. Kajhon Soyini, Senior Security Researcher from Microsoft Defender Experts, shares details on how the team discovered, investigated, and disrupted these campaign activities in this episode of the Microsoft Threat Intelligence podcast, hosted by Sherrod DeGrippo. https://msft.it/6044qySWo Learn more about this discovery, get TTPs to defend systems, and use the provided detection details, IOCs, and hunting guidance to locate related activity by reading this Microsoft Threat Intelligence blog post. https://msft.it/6045qySWU

  • Since late February 2025, Microsoft has observed Moonstone Sleet, a North Korean state actor, deploying Qilin ransomware at a limited number of organizations. Qilin is a ransomware-as-a-service (RaaS) payload used by multiple threat actors, both state-sponsored and cybercriminal groups. Moonstone Sleet has previously deployed only its own custom ransomware in its attacks, and this represents the first instance of the group deploying ransomware developed by a RaaS operator. Moonstone Sleet is known for combining many techniques successfully used by other North Korean threat actors with unique attack methodologies to target organizations for its financial and cyberespionage objectives. To learn more about Moonstone Sleet, read our blog: https://msft.it/6044qHezG

  • Microsoft Threat Intelligence detected a large-scale malvertising campaign in early December 2024 that impacted nearly one million devices worldwide in an opportunistic attack to steal information. The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website from which the user was then redirected to GitHub and two other platforms. The GitHub repositories, which have since been taken down, stored malware used to deploy additional malicious files and scripts that took a modular, multi-stage approach to payload delivery, execution, and persistence. The files were used to collect system information and to set up further malware and scripts to exfiltrate documents and data from the compromised host. This activity is tracked under Storm-0408, the umbrella name we use for numerous threat actors associated with remote access or information-stealing malware who use phishing, search engine optimization (SEO), or malvertising campaigns to distribute malicious payloads. Learn more about the redirection chain and the various payloads used across the multi-stage attack chain, get TTPs to prepare and defend systems, and use the provided detection details, IOCs, and hunting guidance to locate related activity. https://msft.it/6040qHuRG Hear more about this discovery and how threat actors in this campaign leverage trusted platforms and advanced techniques to achieve their malicious goals from Senior Security Researcher Kajhon Soyini on this episode of the Microsoft Threat Intelligence podcast, hosted by Sherrod DeGrippo. https://msft.it/6041qHuRH

  • Microsoft Threat Intelligence reposted this

    Jeremy Dallman

    Senior Director, Security Research @ Microsoft Threat Intelligence

    Silk Typhoon, a Chinese nation-state actor that has been active since at least 2021, focuses on espionage campaigns targeting a wide range of industries in the US and throughout the world. Recently, Silk Typhoon has shifted to performing IT supply chain attacks to gain access to targets. Our latest blog dives into their TTPs and details their use of trusted and common IT solutions in their attacks.

    In January 2025, Silk Typhoon was observed abusing stolen API keys and credentials associated with privilege access management, cloud app providers, and cloud data management companies, allowing the threat actor to access these companies’ downstream customer environments. Companies within these sectors are possible targets of interest to the threat actor. The observations below were observed once Silk Typhoon successfully stole the API key:

    ✅ Silk Typhoon used stolen API keys to access downstream customers/tenants of the initially compromised company.
    ✅ Leveraging access obtained via the API key, the actor performed reconnaissance and data collection on targeted devices via an admin account.
    ✅ Data of interest overlaps with China-based interests, US government policy and administration, and legal process and documents related to law enforcement investigations.
    ✅ Additional tradecraft identified included resetting of the default admin account via API key, web shell implants, creation of additional users, and clearing logs of actor-performed actions.
    ✅ Thus far the victims of this downstream activity were largely in government and IT sectors.

    Silk Typhoon is an espionage-focused Chinese state actor whose activities indicate that they are a well-resourced and technically efficient group with the ability to quickly operationalize exploits for discovered zero-day vulnerabilities in edge devices. In recent months, Silk Typhoon has shifted to performing IT supply chain attacks to gain access to targets. The threat actor was observed abusing stolen API keys and credentials associated with privilege access management (PAM), cloud app providers, and cloud data management companies, allowing the threat actor to access these companies’ downstream customer environments. We’re publishing this blog to raise awareness of Silk Typhoon's recent and long-standing malicious activities, provide mitigation and hunting guidance, and help disrupt operations by the threat actor: https://msft.it/6048q1SM8

  • Microsoft Threat Intelligence reposted this

    🚨 Silk Typhoon Targets IT Supply Chains  🚨 Microsoft has been tracking Silk Typhoon, a China state-sponsored espionage group, since 2020. New intelligence: Silk Typhoon, formerly tracked as HAFNIUM, is a China-based threat actor most recently observed targeting IT supply chains in the US. Today we released a new report in conjunction with Department of Justice action against twelve Chinese nationals that includes mercenary hackers, law enforcement officers, and employees of a private hacking company. This group has been charged in connection with global cyberespionage campaigns. Dive into our latest blog for all the details. Full details in the Microsoft Threat Intelligence blog—link in the comments. ⬇️ #CyberSecurity #ThreatIntelligence #MicrosoftSecurity #DOJ #ThreatActors

