Microsoft’s Digital Crimes Unit (DCU) announced last week that it had taken legal action against an Iranian threat actor named Bohrium in connection with a spear-phishing operation.
The hostile collective would target entities in the technology, transportation, government and education sectors in the US, the Middle East and India.
“Bohrium actors create fake profiles on social media, often posing as recruiters,” said Amy Hogan-Burney of the DCU. said in a tweet. “Once personal information was obtained from the victims, Bohrium sent malicious emails containing links that eventually infected their target’s computers with malware.”
according to an ex parte order shared by the tech giant, the purpose of the break-ins was to steal and exfiltrate sensitive information, take control of the infected machines and conduct remote reconnaissance.
To stop Bohrium’s malicious activities, Microsoft said it has 41 “.com”, “.info”, “.live”, “.me”, “.net”, “.org” and “.xyz” domains that were used as command-and-control infrastructure to facilitate the spear-phishing campaign.
The disclosure comes after Microsoft revealed it had identified and disabled malicious OneDrive activity since February 2022 by a previously undocumented threat actor codenamed Polonium.
The incidents, which involved using OneDrive as command-and-control, were part of a larger wave of attacks that the hacking group launched against more than 20 organizations in Israel and Lebanon.