Sophos X-Ops’ Managed Detection and Response (MDR) team is actively responding to incidents linked to two distinct groups of threat actors. Both groups have abused features of Microsoft’s Office 365 platform to gain access to targeted organizations, with the apparent intent of stealing data and deploying ransomware.
Investigations into the two sets of activity began in November and December 2024 in response to incidents reported by Sophos MDR customers. Sophos tracks the clusters as STAC5143 and STAC5777. In their attacks, both threat actors used their own Microsoft Office 365 service accounts and leveraged a default Microsoft Teams configuration that allows users from external domains to initiate chats or meetings with internal users.
STAC5777’s activity overlaps with a threat group previously described by Microsoft as Storm-1811. STAC5143, by contrast, is a previously unreported threat cluster that mirrors Storm-1811’s tactics and has possible ties to known threat actors such as FIN7, Sangria Tempest, or Carbon Spider.
This detailed report on both clusters is being published to help defenders identify and block these ongoing threats, and to raise awareness of the widespread use of these tactics against organizations that use the Office 365 platform. Sophos MDR has logged more than 15 incidents involving these tactics in the past quarter, half of them within the last two weeks.
Key tactics include:
- Email bombing: flooding individual mailboxes in the organization with high volumes of spam (up to 3,000 messages in less than an hour) to overwhelm the user and create a sense of urgency
- Messaging targeted employees via Teams, and initiating voice and video calls, while posing as IT support from a compromised Office 365 account
- Using Microsoft’s remote control tools (Quick Assist or Teams screen sharing) to remotely access a target’s computer and deploy malware
STAC5143:
- Built-in remote control via Teams
- Utilization of Java Archive (JAR) and Java runtime to automate exploitation of the victim’s computer
- JAR extracts Python-based backdoors from a .zip file retrieved from a remote SharePoint link
- Employment of techniques and tools linked to FIN7
STAC5777:
- Utilization of Microsoft Quick Assist
- Configuration changes and deployment of malware through hands-on-keyboard activity
- Installation of a genuine Microsoft updater containing a malicious side-loading DLL for persistence, credential theft, and network resource reconnaissance
- Use of RDP and Windows Remote Management to access other machines within the targeted network
- Deployment of Black Basta Ransomware in one instance
- Tactics, tools, and procedures overlapping with those of the threat actor Microsoft identifies as Storm-1811
- High volume of activity
This report provides a detailed analysis of the techniques used by both threat clusters, which follow different variants of the same attack pattern: email bombing, tech-support impersonation, malware delivery, abuse of legitimate Office 365 services, command and control, and the use of data-exfiltration tools.
We assess with high confidence that both sets of malicious activity are linked to ransomware and data-theft extortion.
STAC5143
In the two attacks documented by Sophos, some of the malware deployed by this cluster resembled malware used by FIN7, as reported by eSentire and Sekoia. Several aspects of the attack chain nevertheless differed from typical FIN7 operations: FIN7 has historically relied on phishing or, more recently, malicious sponsored Google Ads to deliver malware, whereas this attack targeted smaller organizations across a range of industry sectors.
Attack Chain
Initial Access
Early in November, an employee at a Sophos MDR client organization reported an unusual surge in spam messages—over 3,000 within 45 minutes. Subsequently, they received a Teams call from an external account labeled “Help Desk Manager.” Given that the organization outsourced IT services to a managed provider, the employee did not view the call as suspicious and accepted a video call.
During the call, the threat actor instructed the employee to grant remote screen control via Teams. This remote access allowed the attacker to execute commands, drop files, and install malware from an external SharePoint resource. The files included Java archive (JAR) files and a .zip archive comprising Python scripts and other components.
Initial Execution
During the remote session, the threat actor ran the JAR file with a copy of javaw.exe, the Java launcher that runs without a console window and therefore produces no visible console output.
| Process | Command Line | Outcome / MITRE ATT&CK TTP |
| --- | --- | --- |
| cmd.exe | "C:\Windows\system32\cmd.exe" | |
| ► javaw.exe | C:\Users\Public\Documents\MailQueue-Handler\jdk-23.0.1\bin\javaw.exe -jar C:\Users\Public\Documents\MailQueue-Handler\MailQueue-Handler.jar | TA0011: Command and Control – T1090: Proxy |
The Java-based proxy in MailQueue-Handler.jar then used the Windows Management Instrumentation command-line utility (WMIC.exe) to look up the process ID of the javaw.exe process. Next it changed the code page of the active console window to 65001 (UTF-8), which supports multilingual text. Combined with the PowerShell execution-policy bypass that followed, this was likely intended to run encoded commands while evading AMSI detection.
| Process | Command Line | Outcome / MITRE ATT&CK TTP |
| --- | --- | --- |
| ►► WMIC.exe | wmic process where "name='java.exe'" | Fetches the ID of any running Java runtime process |
| ►► WMIC.exe | wmic process where "name='javaw.exe'" | Fetches the ID of any running console-less Java runtime process |
| ►► cmd.exe | cmd.exe /c chcp 65001 > NUL & powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile -Command - | TA0002: Execution – T1059.001: PowerShell |
| ►►► chcp.com | chcp 65001 | Switches the console to UTF-8 (code page 65001) |
| ►►► powershell.exe | powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile -Command - | |
The Java code then ran a sequence of PowerShell commands that downloaded a 7-Zip archive (na.7z) and the 7-Zip tool itself (7za.exe and 7za.dll). The tool was used to extract the archive’s contents: a ProtonVPN application and a malicious DLL (nethost.dll) that was side-loaded by the ProtonVPN program.
| Process | Command Line | Outcome / MITRE ATT&CK TTP |
| --- | --- | --- |
| ►►► powershell.exe | powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile -Command - | Downloads na.7z, a 7-Zip archive |
| ►►► powershell.exe | powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile -Command - | Downloads 7za.dll, the 7-Zip utility’s dynamic link library |
| ►►► powershell.exe | powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile -Command - | Downloads 7za.exe, the 7-Zip utility executable |
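As an added example (not code from the Sophos report), the following Python hunting logic evaluates the process chain shown in the tables above: a Java runtime launched with -jar from C:\Users\Public, a cmd.exe child that switches to code page 65001 and chains into PowerShell with -ExecutionPolicy Bypass and its script fed over stdin (-Command -), and WMIC queries that look up the Java process. The event records, field names and rule names are constructed for this example.

```python
"""Hunting rules for the STAC5143 execution chain shown in the tables above.

Flags a Java runtime launched with -jar from world-writable C:\\Users\\Public,
cmd.exe spawned by Java, a code-page switch to 65001 chained into PowerShell,
PowerShell with -ExecutionPolicy Bypass reading its script from stdin
(-Command -), and WMIC queries that locate the Java process itself."""
import re

PUBLIC_DIR = "c:\\users\\public\\"
JAVA_IMAGES = {"java.exe", "javaw.exe"}
PS_BYPASS = re.compile(r"powershell(\.exe)?\b.*-executionpolicy\s+bypass")
PS_STDIN = re.compile(r"-command\s+-\s*$")  # script body arrives on stdin
WMIC_JAVA = re.compile(r"process\s+where\s+.*name=.?java")


def basename(path: str) -> str:
    """Lower-case file name of an image path, surrounding quotes removed."""
    return path.strip('"').lower().rsplit("\\", 1)[-1]


def rules_for(ev: dict, parent=None) -> list:
    """Return the names of every rule that a single event matches."""
    hits = []
    img = basename(ev["Image"])
    cmd = ev["CommandLine"].lower()
    pimg = basename(parent["Image"]) if parent else ""
    if img in JAVA_IMAGES and "-jar" in cmd and PUBLIC_DIR in cmd:
        hits.append("java_jar_from_public")
    if img == "cmd.exe" and pimg in JAVA_IMAGES:
        hits.append("cmd_spawned_by_java")
    if "chcp 65001" in cmd and "powershell" in cmd:
        hits.append("codepage_switch_before_powershell")
    if PS_BYPASS.search(cmd) and PS_STDIN.search(cmd):
        hits.append("powershell_bypass_stdin_script")
    if img == "wmic.exe" and WMIC_JAVA.search(cmd):
        hits.append("wmic_locates_java_process")
    return hits


def hunt(events: list) -> list:
    """Evaluate each event against its parent; return (pid, image, hits) per match."""
    by_pid = {ev["pid"]: ev for ev in events}
    results = []
    for ev in events:
        hits = rules_for(ev, by_pid.get(ev["ppid"]))
        if hits:
            results.append((ev["pid"], basename(ev["Image"]), hits))
    return results


# Constructed sample telemetry mirroring the report's process tree; pid 600 is
# a benign control that only changes the code page and must not be flagged.
JDK = r"C:\Users\Public\Documents\MailQueue-Handler\jdk-23.0.1\bin\javaw.exe"
PS_CMD = "powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile -Command -"
SAMPLE_EVENTS = [
    {"pid": 200, "ppid": 1, "Image": JDK,
     "CommandLine": JDK + r" -jar C:\Users\Public\Documents\MailQueue-Handler\MailQueue-Handler.jar"},
    {"pid": 300, "ppid": 200, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic process where \"name='javaw.exe'\""},
    {"pid": 400, "ppid": 200, "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": "cmd.exe /c chcp 65001 > NUL & " + PS_CMD},
    {"pid": 500, "ppid": 400, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": PS_CMD},
    {"pid": 600, "ppid": 1, "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": "cmd.exe /c chcp 65001 & dir"},
]

if __name__ == "__main__":
    for pid, image, hits in hunt(SAMPLE_EVENTS):
        print(pid, image, ", ".join(hits))
```

Because the PowerShell script body never appears on the command line when it is read from stdin, the parent relationship and the code-page switch are the observables worth alerting on.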
Discovery
The attacker then retrieved the target’s username with whoami.exe and used the net user command to look up the user’s domain account and the network resources available to it.
| Process | Command Line | Outcome / MITRE ATT&CK TTP |
| --- | --- | --- |
| ►►►► whoami.exe | "C:\Windows\system32\whoami.exe" | |
| ►►►► net.exe | "C:\Windows\system32\net.exe" user [username] /domain | TA0002: Execution – T1059.001: PowerShell; TA0007: Discovery – T1049: System Network Connections Discovery |
| ►►►►► net1.exe | C:\Windows\system32\net1 user [username] /domain | |
Side-Load / Command and Control
The Java code then launched the ProtonVPN application, which loaded nethost.dll and established connections to virtual private servers in Russia, the Netherlands, and the US. This activity triggered behavioral detections in Sophos endpoint protection, which flagged the suspicious DLL load.
| Process | Command Line | Outcome / MITRE ATT&CK TTP |
| --- | --- | --- |
| ►►►► ProtonVPN.exe | "C:\users\public\downloads\ProtonVPN.exe" | Connects to 207.90.238[.]99; TA0002: Execution – T1059.001: PowerShell |
| ►►►► ProtonVPN.exe | "C:\users\public\downloads\ProtonVPN.exe" | Connects to 206.206.123[.]75; TA0002: Execution – T1059.001: PowerShell |
| ►►►► ProtonVPN.exe | "C:\users\public\downloads\ProtonVPN.exe" | Connects to 109.107.170[.]2; TA0002: Execution – T1059.001: PowerShell |
| ►►►► ProtonVPN.exe | "C:\users\public\downloads\ProtonVPN.exe" | Connects to 195.133.1[.]117; TA0002: Execution – T1059.001: PowerShell |
The code in the JAR file then started another cmd.exe instance, again set it to UTF-8, and used javaw.exe to run a second Java archive (identity.jar), passing the target user’s username and Active Directory domain as arguments to that second program.
| Process | Command Line | Outcome / MITRE ATT&CK TTP |
| --- | --- | --- |
| ►► cmd.exe | cmd.exe /c chcp 65001 > NUL & powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile -Command - | |
| ►►► chcp.com | chcp 65001 | |
| ►►► powershell.exe | powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile -Command - | |
| ►►►► whoami.exe | "C:\Windows\system32\whoami.exe" | |
| ►►►► whoami.exe | "C:\Windows\system32\whoami.exe" | |
| ►►►► javaw.exe | "C:\Users\Public\Documents\MailQueue-Handler\jdk-23.0.1\bin\javaw.exe" -jar C:\Users\Public\Documents\MailQueue-Handler\identity.jar [domain]\[username] | |
An hour later, the second-stage Java code used the tar.exe archive utility to unpack files from the downloaded file winter.zip into C:\ProgramData, beginning the deployment of a malicious Python payload. It also ran a series of commands to discover local users and network details, including the domain controllers and their IP addresses.
| Process | Command Line | Outcome / MITRE ATT&CK TTP |
| --- | --- | --- |
| ►►►► tar.exe | "C:\Windows\system32\tar.exe" -xf C:\ProgramData\winter.zip -C C:\ProgramData | Extracts the Python payload and supporting files |
| ►►►► net.exe | "C:\Windows\system32\net.exe" time | |
| ►►►►► net1.exe | C:\Windows\system32\net1 time | Displays the date and time on the target device |
| ►►►► nltest.exe | "C:\Windows\system32\nltest.exe" /dclist:[domain].local | Returns a list of domain controllers; TA0007: Discovery – T1018: Remote System Discovery |
| ►►►► nltest.exe | "C:\Windows\system32\nltest.exe" /dclist:[domain].local | TA0007: Discovery – T1018: Remote System Discovery; TA0007: Discovery – T1482: Domain Trust Discovery |
| ►►►► PING.EXE | "C:\Windows\system32\PING.EXE" [domain controller hostname].[domain].local | Gets the IP address of a domain controller; TA0007: Discovery – T1018: Remote System Discovery |
| ►►►► PING.EXE | "C:\Windows\system32\PING.EXE" [domain controller hostname].[domain].local | Gets the IP address of a second domain controller; TA0007: Discovery – T1018: Remote System Discovery |
| ►►►► ipconfig.exe | "C:\Windows\system32\ipconfig.exe" /all | Gets local network configuration information; TA0007: Discovery – T1018: Remote System Discovery |
Finally, the second-stage Java code executed the malicious Python payload using a Python interpreter included in the downloaded files and renamed debug.exe. The Python scripts it launched contained a series of backdoors.
| Process | Command Line | Outcome / MITRE ATT&CK TTP |
| --- | --- | --- |
| ►►►► debug.exe | "C:\ProgramData\winter\debug.exe" C:\ProgramData\winter\45_237_80.py | TA0002: Execution – T1059.001: PowerShell; TA0011: Command and Control – T1071.001: Web Protocols; TA0011: Command and Control – T1105: Ingress Tool Transfer |
Malware Analysis

The Python code in the winter.zip payload used a lambda function (a short, anonymous function) to obfuscate the rest of its script. This obfuscating lambda matched those previously seen in FIN7-related Python malware loaders.
Two of the Python components (166_65.py and 45_237_80.py) were copies of a publicly available reverse SOCKS proxy called RPivot, which was written as a legitimate tool for penetration testers. Each of these scripts used a distinct IP address for its remote connection, and the resulting backdoors accepted commands from that connection over port 80. A third script (37_44.py) was an RPivot script used to connect to a Tor relay.
Attribution
Sophos assesses with moderate confidence that the Python malware used in this attack is linked to the threat actors associated with FIN7/Sangria Tempest. The obfuscation technique matches earlier FIN7 samples, and FIN7 has used the RPivot tool in previous attacks. Note, however, that the obfuscation technique derives from openly available code, RPivot itself is public, and FIN7 has previously sold its tools to other threat actors.
STAC5777
As with STAC5143, a small number of people at targeted organizations were flooded with a large volume of spam email, followed by an inbound Microsoft Teams message from someone claiming to be a member of their internal IT team.
The Teams message, sent by the same adversaries responsible for the spam, requested a Teams call to resolve the spam problem. Unlike the STAC5143 cases we observed, STAC5777 activity relied far more on actions performed directly by the threat actors through hands-on-keyboard activity.
Initial Access
In every incident documented by Sophos MDR, the adversary walked the user through installing Microsoft Quick Assist during the Teams conversation, then used it to establish a remote session that gave the threat actor control of the targeted user’s device.
One customer environment had the Sophos Office 365 integration configured, which allowed MDR to confirm that the attacker used the Office 365 account helpdesk@llladminhlpll.onmicrosoft.com, connecting from IP address 78.46.67[.]201, to send these messages.

The threat actor directed the user through the installation and launch of Microsoft’s remote access tool Quick Assist: the user was told to search for the application online, download it from the official Microsoft website, and run it. They were then walked through granting the threat actor remote control of the device.
Figure 3: Microsoft Teams activity initiated by threat actor controlling an external M365 tenant
Once in control of the device, the actor used a web browser to download the malicious payload. In one case the payload was downloaded directly from a threat actor-controlled host. In the other cases it was split into two files, kb641812-filter-pack-2024-1.dat and kb641812-filter-pack-2024-2.dat, downloaded from subdomains of blob.core.windows[.]net (hosts associated with Microsoft Azure file storage services). The actor then concatenated the two .dat files into a file named pack.zip and unpacked that archive with the tar.exe archive utility.
This produced another archive file in the user’s AppData directory, at OneDriveUpdate\upd2836a.bkt. The threat actor then unpacked that file, writing the following files into the same OneDriveUpdate folder:
- The legitimate, Microsoft-signed executable OneDriveStandaloneUpdater.exe
- Unsigned DLLs from the OpenSSL Toolkit (libcrypto-3-x64.dll and libssl-3-x64.dll), loaded by the OneDriveStandaloneUpdater executable
- A legitimate, signed copy of vcruntime140.dll, a Microsoft library required by OneDriveStandaloneUpdater.exe
- An unidentified DLL, winhttp.dll
- A file named settingsbackup.dat
SophosLabs analyzed winhttp.dll and confirmed it to be malicious. It carried forged version information copied from a legitimate ESET file and had been given the name winhttp.dll so that the legitimate executable would load it into memory through DLL search order hijacking. The DLL was capable of collecting:
- System information
- OS details
- Configuration details
- User credentials
- Keyboard state, via the Windows API functions GetKeyboardState, GetKeyState, and get_KeySize
The exact nature of the file settingsbackup.dat could not be determined by SophosLabs. However, it is believed to be an encrypted payload accessed by the process operating the side-loaded DLL and functioning as a secondary loader.
Once the files were in place on the affected host, Sophos MDR observed the threat actor opening a command prompt and making the following Windows registry change with the reg.exe utility:
reg add "HKLM\SOFTWARE\TitanPlus" /v 1 /t REG_SZ /d "185.190.251.16:443;207.90.238.52:443;89.185.80.86:443" /f
The registry value holds the IP addresses used for the command-and-control connections made by the malicious winhttp.dll code.
Persistence
After making manual configuration changes through a command shell over the Quick Assist connection and launching the legitimate OneDriveStandaloneUpdater.exe for the first time, the attacker ran a PowerShell command that created a service to run the abused executable automatically. The same PowerShell command also created a .lnk file for the executable in the device’s startup folder to maintain persistence across reboots.
Execution
When run, OneDriveStandaloneUpdater.exe side-loaded winhttp.dll, a loader with an embedded backdoor. The loader read the attacker-supplied configuration, which included the file settingsbackup.dat, and connected to the IP addresses the threat actor had manually added to the system’s registry.
Initial Quick Assist activity
| Parent process | Command line |
| --- | --- |
| C:\Windows\System32\RuntimeBroker.exe -Embedding | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" -single-argument microsoft-edge:?url=https%3A%2F%2Fwww.bing.com%2Fsearch%3Fq%3DQuick%2BAssist%26filte |
| C:\windows\system32\svchost.exe -k netsvcs -p -s Appinfo | C:\Program Files\WindowsApps\MicrosoftCorporationII.QuickAssist_2.0.32.0_x64_8wekyb3d8bbwe\Microsoft.RemoteAssistance.QuickAssist\QuickAssist.exe |
| C:\windows\Explorer.EXE | C:\Windows\System32\cmd.exe |
| C:\Windows\System32\cmd.exe | tar xf pack.zip -C "C:\Users\<username>\AppData\Local\OneDriveUpdate" |
| C:\Windows\System32\cmd.exe | C:\Users\<username>\AppData\Local\OneDriveUpdate\OneDriveStandaloneUpdater.exe -Embedding |
Command and Control
Using the unsigned OpenSSL toolkit libraries, the OneDriveStandaloneUpdater.exe process established encrypted command-and-control connections to a series of remote hosts. Their IP addresses included a virtual private server previously used by Russia-based threat actors.
Initial execution of OneDriveStandaloneUpdater.exe, connecting to C2 IP addresses
| Process | Action | Object |
| --- | --- | --- |
| cmd.exe | Start | C:\Users\<username>\AppData\Local\OneDriveUpdate\OneDriveStandaloneUpdater.exe |
| OneDriveStandaloneUpdater.exe | Binary file read | C:\Users\<username>\AppData\Local\OneDriveUpdate\winhttp.dll |
| OneDriveStandaloneUpdater.exe | Loads image into memory | C:\Users\<username>\AppData\Local\OneDriveUpdate\winhttp.dll |
| OneDriveStandaloneUpdater.exe | File read | C:\Users\<username>\AppData\Local\OneDriveUpdate\settingsbackup.dat |
| OneDriveStandaloneUpdater.exe | IP connects to | 74.178.90[.]36:443 |
| OneDriveStandaloneUpdater.exe | IP connects to | 195.123.241[.]24:443 |
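As an added example (not code from the Sophos report), the following Python detection logic correlates the three observables described in the registry change and the tables above: a system DLL name (winhttp.dll) loaded from a user-writable folder rather than System32, a TitanPlus registry value holding IP:port pairs, and outbound connections from the process that performed the hijacked load. The events use Sysmon-style field names and are constructed here from the paths and addresses the report gives; the user name alice is a placeholder.

```python
"""Detection logic for the STAC5777 side-loading chain shown in the tables above.

Correlates constructed Sysmon-style events: an ImageLoad of a system DLL name
(winhttp.dll) from a user-writable folder instead of System32, a RegistryValueSet
under HKLM\\SOFTWARE\\TitanPlus holding IP:port pairs, and NetworkConnect events
from the process that performed the hijacked load."""
import re

# DLL names Windows ships in System32; the same name loaded from the application's
# own folder is a search-order hijack candidate. The report shows winhttp.dll;
# extend the set with other names as needed.
SYSTEM_DLLS = {"winhttp.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
IP_PORT = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")


def is_hijacked_load(image_loaded: str) -> bool:
    """True when a known system DLL name is loaded from outside the system dirs."""
    path = image_loaded.lower()
    return path.rsplit("\\", 1)[-1] in SYSTEM_DLLS and not path.startswith(SYSTEM_DIRS)


def parse_titanplus(target_object: str, details: str) -> list:
    """Extract well-formed IP:port entries from a TitanPlus registry value write."""
    if "\\software\\titanplus\\" not in target_object.lower():
        return []
    return [p.strip() for p in details.split(";") if IP_PORT.match(p.strip())]


def analyse(events: list) -> dict:
    """Walk events in order and tie network activity back to the hijacked process."""
    findings = {"hijacked_loads": [], "c2_config": [], "c2_connections": []}
    tainted = set()  # images that have loaded a hijacked DLL
    for ev in events:
        kind = ev["type"]
        if kind == "ImageLoad" and is_hijacked_load(ev["ImageLoaded"]):
            findings["hijacked_loads"].append((ev["Image"], ev["ImageLoaded"]))
            tainted.add(ev["Image"].lower())
        elif kind == "RegistryValueSet":
            findings["c2_config"].extend(parse_titanplus(ev["TargetObject"], ev["Details"]))
        elif kind == "NetworkConnect" and ev["Image"].lower() in tainted:
            findings["c2_connections"].append(f"{ev['DestinationIp']}:{ev['DestinationPort']}")
    return findings


# Constructed sample telemetry using the paths and addresses from the report;
# the svchost.exe load of the real System32 winhttp.dll is a benign control.
UPD_DIR = r"C:\Users\alice\AppData\Local\OneDriveUpdate"
UPDATER = UPD_DIR + r"\OneDriveStandaloneUpdater.exe"
SAMPLE_EVENTS = [
    {"type": "RegistryValueSet", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\TitanPlus\1",
     "Details": "185.190.251.16:443;207.90.238.52:443;89.185.80.86:443"},
    {"type": "ImageLoad", "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\winhttp.dll"},
    {"type": "ImageLoad", "Image": UPDATER, "ImageLoaded": UPD_DIR + r"\libssl-3-x64.dll"},
    {"type": "ImageLoad", "Image": UPDATER, "ImageLoaded": UPD_DIR + r"\winhttp.dll"},
    {"type": "NetworkConnect", "Image": UPDATER,
     "DestinationIp": "74.178.90.36", "DestinationPort": 443},
    {"type": "NetworkConnect", "Image": UPDATER,
     "DestinationIp": "195.123.241.24", "DestinationPort": 443},
]

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EVENTS).items():
        print(key, value)
```

The unsigned OpenSSL DLLs are not flagged by the name check because they are not system DLL names; the correlation still attributes the later connections to the updater once winhttp.dll has been loaded from its folder.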
Discovery
Upon the establishment of the C2 channel, the Sophos MDR team observed the OneDriveStandaloneUpdater.exe process conducting scans utilizing the SMB protocol to map online hosts within the customer’s environment. Additionally, the threat actor scanned for Remote Desktop Protocol and Windows Remote Management (WinRM) hosts that could be accessed using the targeted user’s credentials within the network.
Lateral Movement
Employing the targeted user’s credentials, the threat actor attempted to broaden access beyond the initially compromised system, seeking domain access that could be exploited to move to other hosts. In one scenario, they leveraged a targeted individual’s domain credentials to establish a connection to the organization’s VPN from an external network and then logged into RDP hosts within the network. In another case, they used Windows Remote Management (WinRM) for lateral movement.
Defense Evasion
In an instance, Sophos MDR observed the threat actor utilizing the backdoor to uninstall local multifactor authentication integration on the target device. On another occasion, the threat actor unsuccessfully tried to uninstall the Sophos Endpoint Agent—a thwarted action due to Sophos’ tamper protection.
Credential harvesting and data exfiltration
Prior to containment, Sophos MDR also detected the actor accessing files locally through notepad.exe and Word that contained the word ‘password’ in the document name.
In one specific case, the threat actors utilized the utility mstsc.exe to access two Remote Desktop Protocol (.rdp) files for viewing and modifying their configuration data, looking for potential credential storage.
Sophos MDR also witnessed the threat actors accessing a network diagram created in Visio for a targeted organization, presumably for planning further lateral movement and subsequent phases of the attack.
Impact
In a threat hunt across all Sophos MDR customers, the threat actors attempted to deploy Black Basta ransomware in one instance, which was successfully prevented by Sophos endpoint protection.
Conclusions
Sophos has implemented detections for the malware utilized in these campaigns, which include:
- STAC5143: ATK/RPivot-B, Python/Kryptic.IV, heuristic detection of Python malicious use of OS libraries
- STAC5777: Troj/Loader-DV for STAC5777’s winhttp.dll
Nevertheless, organizations should take additional measures against attacks that use these techniques. First, unless it is essential, organizations should make sure their Office 365 service settings block Teams calls from external organizations, or limit that capability to trusted business partners. Remote access applications such as Quick Assist should also be controlled by policy unless the organization’s technical support team explicitly requires them. Sophos can block unwanted execution of Quick Assist through application control settings in its endpoint protection.
Sophos strongly recommends integrating Microsoft Office 365 with the security environment in order to monitor potential sources of malicious inbound Teams or Outlook traffic.
Organizations should also raise employee awareness of these tactics, which typical anti-phishing training does not cover. Employees should know who their real technical support team is and be wary of attempts to create a sense of urgency, which these social-engineering attacks depend on.
A comprehensive list of indicators of compromise for these campaigns can be found in the Sophos GitHub repository.

