Threat actors

Microsoft actively discovers and tracks threat actors across observed state-sponsored, ransomware, and criminal activities. Get insights from the 60 nation-state actors, 50 ransomware groups, and hundreds of other attackers we’ve tracked.

Refine Results

Filtered by

Clear All

threat-actors

Refine results

Sort By

Content Type

Topic

Products and services

Publish date

Start Date

End Date

Tailored AI insights from Microsoft Security Copilot

Empower your defenders to detect hidden patterns, harden defenses, and respond to incidents faster with generative AI.

Learn more
May 27, 2025

16 min read

New Russia-affiliated actor Void Blizzard targets critical sectors for espionage

Microsoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard, who we assess with high confidence is Russia-affiliated and has been active since at least April 2024.
May 12, 2025

10 min read

Marbled Dust leverages zero-day in Output Messenger for regional espionage

Since April 2024, the threat actor that Microsoft Threat Intelligence tracks as Marbled Dust has been observed exploiting user accounts that have not applied fixes to a zero-day vulnerability (CVE-2025-27920) in the messaging app Output Messenger, a multiplatform chat software.
April 8, 2025

7 min read

Exploitation of CLFS zero-day leads to ransomware activity

Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a newly discovered zero-day vulnerability in the Windows Common Log File System (CLFS) against a small number of targets.
March 13, 2025

10 min read

Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware

Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking.
Go beyond data protection with Microsoft Purview

Govern, protect, and manage all of your data with Microsoft Purview, comprehensive solutions to help give you better visibility and control.

Learn more
March 5, 2025

13 min read

Silk Typhoon targeting IT supply chain

Silk Typhoon is a Chinese state actor focused on espionage campaigns targeting a wide range of industries in the US and throughout the world.
February 13, 2025

10 min read

Storm-2372 conducts device code phishing campaign

Microsoft Threat Intelligence Center discovered an active and successful device code phishing campaign by a threat actor we track as Storm-2372.
February 12, 2025

23 min read

The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation

Microsoft is publishing for the first time our research into a subgroup within the Russian state actor Seashell Blizzard and its multiyear initial access operation, tracked by Microsoft Threat Intelligence as the “BadPilot campaign”.
January 16, 2025

7 min read

New Star Blizzard spear-phishing campaign targets WhatsApp accounts

In mid-November 2024, Microsoft Threat Intelligence observed the Russian threat actor we track as Star Blizzard sending their typical targets spear-phishing messages, this time offering the supposed opportunity to join a WhatsApp group.
Streamline privacy management with Microsoft Priva

Protect and govern personal information, reduce privacy risks, and manage subject rights requests at scale with Microsoft Priva privacy risk management solutions.

Learn more
December 11, 2024

14 min read

Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine

Since January 2024, Microsoft has observed Secret Blizzard using the tools or infrastructure of other threat groups to attack targets in Ukraine and download its custom backdoors Tavdig and KazuarV2.
December 4, 2024

16 min read

Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage

Microsoft has observed Secret Blizzard compromising the infrastructure and backdoors of the Pakistan-based threat actor we track as Storm-0156 for espionage against the Afghanistan government and Indian Army targets.
November 22, 2024

10 min read

Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON

At CYBERWARCON 2024, Microsoft Threat Intelligence analysts will share research and insights on North Korean and Chinese threat actors representing years of threat actor tracking, infrastructure monitoring and disruption, and their attack tooling.
October 31, 2024

8 min read

Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network

Since August 2023, Microsoft has observed intrusion activity targeting and successfully stealing credentials from multiple Microsoft customers that is enabled by highly evasive password spray attacks.