{"id":54351,"date":"2023-10-27T12:43:14","date_gmt":"2023-10-27T12:43:14","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\/"},"modified":"2023-10-27T12:43:14","modified_gmt":"2023-10-27T12:43:14","slug":"microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\/","title":{"rendered":"Microsoft unveils shady shenanigans of Octo Tempest and their cyber-trickery toolkit"},"content":{"rendered":"<p>Microsoft&#8217;s latest report on &#8220;one of the most dangerous financial criminal groups&#8221; operating offers security pros an abundance of threat intelligence to protect themselves from its myriad tactics.<\/p>\n<p>The &#8220;unique&#8221; native English-speaking group is tracked by Microsoft as Octo Tempest and in the space of a year has demonstrated a consistent and rapid evolution to become one of the most well-equipped cybercrime groups in existence.<\/p>\n<p>Among its capabilities that aren&#8217;t often possessed by crews of its kind are SMS phishing, SIM swapping, and advanced social engineering \u2013 all skills that are useful for those looking to target English-speaking organizations.<\/p>\n<p>It&#8217;s perhaps the sell used to convince prominent ransomware outfit ALPHV\/BlackCat to let Octo Tempest join its affiliate program earlier this year. With <a href=\"https:\/\/www.theregister.com\/2023\/10\/25\/seiko_august_breach_update\/\">BlackCat<\/a> believed to have Russian ties, Microsoft said it was a notable move given that Eastern European ransomware groups typically refuse to do business with native English-speaking criminals.<\/p>\n<p>Although it had explored ransomware as part of its toolset early on, Octo Tempest originally conducted attacks without dropping an encryption payload, sticking with the data extortion tactics it had adopted starting in late 2022.<\/p>\n<p>It has since branched out into full-scale ransomware attacks and is specifically focusing its efforts on exploiting VMware ESXi servers, the same kind of attacks that befell MGM Resorts.<\/p>\n<p>Octo Tempest is also tracked under other 
names by different security companies, such as CrowdStrike&#8217;s <a href=\"https:\/\/www.theregister.com\/2023\/09\/01\/okta_scattered_spider\/\">Scattered Spider<\/a>, and while Microsoft hasn&#8217;t outright pinned Octo Tempest activity to the attacks on MGM, the group has <a href=\"https:\/\/www.theregister.com\/2023\/10\/06\/mgm_resorts_cyberattack_cost\/\">claimed responsibility<\/a> for them.<\/p>\n<p>The group&#8217;s activities look very different now compared to where they started in early 2022, and Microsoft has split its evolution into three phases.<\/p>\n<p>During the first phase, between early and late 2022, Octo Tempest mainly targeted mobile network operators (MNOs) and business process outsourcing organizations using SIM-swapping attacks, selling the resulting SIM swaps to other criminals who could then use them to perform account takeovers and steal cryptocurrency.<\/p>\n<p>From there it cast its net wider in phase two, targeting telecoms companies as well as email and tech service providers, branching out into data extortion attacks 
to monetize its intrusions.<\/p>\n<p>Phase three was characterized by the switch to ransomware and another widening of its targets to include organizations in the gaming, hospitality, retail, manufacturing, natural resources, financial services, and tech industries.<\/p>\n<h3 class=\"crosshead\">Octo Tempest&#8217;s key tactics<\/h3>\n<p>Microsoft said Octo Tempest exhibits a wide range of techniques in its attacks that are indicative of a well-organized group consisting of multiple experienced individuals.<\/p>\n<p>Often using its social engineering expertise to gain initial access to its targets&#8217; environments, the group has also in rare cases shown a high degree of aggression and criminality in its approaches.<\/p>\n<p>Octo Tempest has been known to routinely target organizations&#8217; employees and helpdesk staff to achieve its goals.<\/p>\n<p>Group members have seen success in convincing employees to download legitimate remote monitoring tools, which are then abused by the criminals to launch attacks, as well as luring them to malicious login portals to steal their credentials and <a href=\"https:\/\/www.theregister.com\/2023\/05\/09\/microsoft_authenticator_number_matching\/\">multi-factor authentication<\/a> (MFA) session cookies.<\/p>\n<p>In extreme cases, the attackers have been observed sending highly threatening SMS messages to victims in order to persuade them to hand over their corporate credentials, including threats to human life.<\/p>\n<p>The group is known for carrying out extensive research on its targets, learning how to impersonate victims, and mimicking their specific style of speech to appear more convincing on phone calls.<\/p>\n<p>Helpdesk staff have been targeted in the past by an Octo Tempest member attempting to pass themselves off as a new employee to achieve goals such as being legitimately onboarded to the organization&#8217;s IT systems.<\/p>\n<p>The same technique was used to initiate MFA changes and employee password 
resets, which the group has also achieved on occasion through its <a href=\"https:\/\/www.theregister.com\/2023\/05\/10\/guilty_plea_twitter_o_connor_case\/\">SIM-swapping attacks<\/a>.<\/p>\n<p>After gaining initial access, Octo Tempest often engages in discovery missions to gather as much information about a company as possible, including employee onboarding processes, password policies, and remote access methods.<\/p>\n<p>Defenders can watch for PingCastle and ADRecon activity, which the group uses to investigate an organization&#8217;s Active Directory, as potential signals of Octo Tempest activity. Govmomi and Pure Storage FlashArray are used to enumerate vCenter APIs and storage arrays respectively. The group often attempts to siphon data from Azure Active Directory related to users, groups, and devices.<\/p>\n<p>It then turns to privilege escalation methods that often hinge on social engineering too, such as convincing a helpdesk staffer to reset a password, or SIM-swapping attacks to take over employee accounts.<\/p>\n<p>Open source tooling like Mimikatz, Hekatomb, MicroBurst, Jercretz, TruffleHog, and more is used for a variety of tasks, including the theft of secrets.<\/p>\n<p>This tooling is often allowed to run due to the group&#8217;s compromise of accounts belonging to the target organization&#8217;s security team. 
The criminals then disable security products and reconfigure mailboxes to delete associated email alerts, use the privileged accounts to steal data that&#8217;s later used to extort the victim, install remote monitoring software, and achieve persistence.<\/p>\n<p>The full list of tooling Octo Tempest uses against its victims is detailed extensively in Microsoft&#8217;s <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/10\/25\/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction\/\" rel=\"nofollow\">report<\/a> on the group, including its &#8220;unorthodox&#8221; tips for proactive threat hunting and configurations for <a href=\"https:\/\/www.theregister.com\/2023\/10\/23\/microsoft_azure_power_issue\/\">Azure<\/a> and <a href=\"https:\/\/www.theregister.com\/2023\/07\/17\/enra_azure_ad_opinion_column\/\">Entra ID<\/a>.<\/p>\n<p>As well as educating their workforce on the sophisticated and diverse threat Octo Tempest presents, organizations were also advised that their typical communication channels may not be safe and out-of-band channels should be considered, where possible.<\/p>\n<p>The big three workplace collaboration platforms \u2013 Slack, Teams, and Zoom \u2013 have all been compromised by the group before to steal incident response plans from calls, as well as general chat logs, which are then fed into tools like Otter for transcription and later used in extortion efforts.<\/p>\n<p>Extra attention should be paid to legitimate remote monitoring tools as these are often abused by the attackers, Microsoft said. While it may not be feasible to block these due to the need for their intended use, the purpose for which they&#8217;re being used should be monitored carefully to avoid the attackers achieving persistence on systems. 
\u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2023\/10\/27\/octo_tempest_microsoft\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Gang thought to be behind attack on MGM Resorts has a skillset larger than most cybercrime groups in existence Microsoft&#8217;s latest report on &#8220;one of the most dangerous financial criminal groups&#8221; operating offers security pros an abundance of threat intelligence to protect themselves from its myriad tactics.\u2026 READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-54351","post","type-post","status-publish","format-standard","hentry","category-the-register"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Microsoft unveils shady shenanigans of Octo Tempest and their cyber-trickery toolkit 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Microsoft unveils shady shenanigans of Octo Tempest and their cyber-trickery toolkit 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2023-10-27T12:43:14+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZT1WRYrzKborJW75fUUWwQAAAEQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Microsoft unveils shady shenanigans of Octo Tempest and their cyber-trickery toolkit\",\"datePublished\":\"2023-10-27T12:43:14+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\\\/\"},\"wordCount\":1016,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZT1WRYrzKborJW75fUUWwQAAAEQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"articleSection\":[\"The Register\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\\\/\",\"name\":\"Microsoft unveils 
shady shenanigans of Octo Tempest and their cyber-trickery toolkit 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZT1WRYrzKborJW75fUUWwQAAAEQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"datePublished\":\"2023-10-27T12:43:14+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\\\/#primaryimage\",\"url\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZT1WRYrzKborJW75fUUWwQAAAEQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"contentUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZT1WRYrzKborJW75fUUWwQAAAEQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Microsoft unveils shady shenanigans of Octo Tempest and their cyber-trickery toolkit\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat 
Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/
12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Microsoft unveils shady shenanigans of Octo Tempest and their cyber-trickery toolkit 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\/","og_locale":"en_US","og_type":"article","og_title":"Microsoft unveils shady shenanigans of Octo Tempest and their cyber-trickery toolkit 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-10-27T12:43:14+00:00","og_image":[{"url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZT1WRYrzKborJW75fUUWwQAAAEQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Microsoft unveils shady shenanigans of Octo Tempest and their cyber-trickery 
toolkit","datePublished":"2023-10-27T12:43:14+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\/"},"wordCount":1016,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZT1WRYrzKborJW75fUUWwQAAAEQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","articleSection":["The Register"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\/","url":"https:\/\/www.threatshub.org\/blog\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\/","name":"Microsoft unveils shady shenanigans of Octo Tempest and their cyber-trickery toolkit 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZT1WRYrzKborJW75fUUWwQAAAEQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","datePublished":"2023-10-27T12:43:14+00:00","description":"ThreatsHub Cybersecurity News | 
ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\/#primaryimage","url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZT1WRYrzKborJW75fUUWwQAAAEQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","contentUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZT1WRYrzKborJW75fUUWwQAAAEQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/microsoft-unveils-shady-shenanigans-of-octo-tempest-and-their-cyber-trickery-toolkit\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Microsoft unveils shady shenanigans of Octo Tempest and their cyber-trickery toolkit"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence 
Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH 
Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/54351","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=54351"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/54351\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=54351"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=54351"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=54351"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}