From a42dc67fb6edc237fe925bab71525ae3d50e717e Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Thu, 1 Feb 2024 11:02:05 -0800
Subject: [PATCH] [threat-actors] Add Storm-0835

---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b8eae0d..26012d3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14707,6 +14707,16 @@
       },
       "uuid": "eb7b5ed7-cf9d-4c72-8f89-a2ee070b89b6",
       "value": "Storm-1674"
+    },
+    {
+      "description": "Cybercriminals have launched a phishing campaign targeting senior executives in U.S. firms, using the EvilProxy phishing toolkit for credential harvesting and account takeover attacks. This campaign, initiated in July 2023, primarily targets sectors such as banking, financial services, insurance, property management, real estate, and manufacturing. The attackers exploit an open redirection vulnerability on the job search platform \"indeed.com,\" redirecting victims to malicious phishing pages impersonating Microsoft. EvilProxy functions as a reverse proxy, intercepting credentials, two-factor authentication codes, and session cookies to hijack accounts. The threat actors, known as Storm-0835 by Microsoft, have hundreds of customers who pay monthly fees for their services, making attribution difficult. The attacks involve sending phishing emails with deceptive links to Indeed, redirecting victims to EvilProxy pages for credential harvesting.",
+      "meta": {
+        "refs": [
+          "https://www.linkedin.com/pulse/cyber-criminals-using-evilproxy-phishing-kit-target-senior-soral/"
+        ]
+      },
+      "uuid": "2da09284-be56-49cd-ad18-993a6eb17af2",
+      "value": "Storm-0835"
     }
   ],
   "version": 298