Midnight Blizzard RDP Spearphishing Campaign
Large-scale APT29 spearphishing campaign beginning 22 October 2024, targeting government, academia, defence and NGOs across more than 100 organisations. Novel use of signed RDP configuration files to connect victims to actor-controlled servers, with lures impersonating Microsoft and AWS Zero Trust communications.
Start date: 22 October 2024
End date: —
Techniques: 16
Attributed actors:
Techniques (16)

collection (1)
T1113 Screen Capture

command-and-control (4)
T1573.001 Symmetric Cryptography
T1105 Ingress Tool Transfer
T1071.001 Web Protocols
T1090.003 Multi-hop Proxy

discovery (2)
T1082 System Information Discovery
T1083 File and Directory Discovery

execution (2)
T1059.003 Windows Command Shell
T1059.001 PowerShell

exfiltration (1)
T1041 Exfiltration Over C2 Channel

initial-access (2)
T1078 Valid Accounts
T1566.001 Spearphishing Attachment

lateral-movement (1)
T1021.001 Remote Desktop Protocol

persistence (1)
T1078 Valid Accounts

privilege-escalation (1)
T1078 Valid Accounts

stealth (4)
T1078 Valid Accounts
T1140 Deobfuscate/Decode Files or Information
T1070.004 File Deletion
T1027 Obfuscated Files or Information
Indicators of compromise
No IOCs linked to this campaign yet.