Microsoft Warns of Phishing Attacks by Storm-0978 Group Targeting Defense and Government Entities

Estimated read time 3 min read

Microsoft has raised an alert about an ongoing phishing campaign conducted by the cybercriminal group known as Storm-0978. The threat actor, also referred to as RomCom, is primarily targeting defense and government bodies in Europe and North America.

Exploiting Vulnerabilities and Spreading Backdoors

The group is reportedly abusing a security loophole – CVE-2023-36884 – involving a remote code execution vulnerability in Word documents. The lures used in these attacks are related to the Ukrainian World Congress.

Storm-0978, based out of Russia, is known for its ransomware and extortion operations and targeted credential-gathering campaigns, possibly in support of intelligence operations.

The group is the creator and distributor of the RomCom backdoor, which it has been deploying along with the Underground ransomware. The latter is closely related to the Industrial Spy ransomware first observed in May 2022. The most recent campaign involved the use of CVE-2023-36884 to deliver a backdoor with similarities to RomCom.

Storm-0978’s Modus Operandi

Storm-0978's Modus Operandi
Storm-0978’s Modus Operandi

The group often uses phishing operations with lures related to Ukrainian political affairs, targeting military and government bodies in Europe. They distribute backdoors to target organizations and steal credentials for future operations.

Tools used by Storm-0978 include trojanized versions of popular software such as Adobe products, Advanced IP Scanner, Solarwinds Network Performance Monitor, Solarwinds Orion, KeePass, and Signal. They register malicious domains mimicking the legitimate software for hosting the trojanized installers.

Their ransomware activity, contrastingly, is opportunistic and separate from espionage-focused targets. Identified attacks have impacted the telecommunications and finance industries.

Storm-0978 lure document with Ukrainian World Congress and NATO content | Picture by Microsoft TI team
Storm-0978 lure document with Ukrainian World Congress and NATO content | Picture by Microsoft TI team

Trojanizing Popular Software

The group is notorious for its Trojan horse-style attacks where they infiltrate systems using trojanized versions of popular, legitimate software. This leads to the installation of RomCom and the subsequent compromise of the system. The group has primarily targeted Ukrainian government and military organizations but has also struck at entities in Europe and North America. The ransomware attacks have majorly impacted the telecommunications and finance industries.

Microsoft’s Recommendations

Microsoft recommends enabling cloud-delivered protection in Microsoft Defender Antivirus or equivalent antivirus products to counter rapidly evolving attacker tools and techniques. Running EDR in block mode can remediate malicious artifacts detected post-breach. Also, enabling investigation and remediation in full automated mode allows Microsoft Defender for Endpoint to take immediate action on alerts.

Attack surface reduction rules should be turned on to prevent common attack techniques used in ransomware attacks. These include blocking process creations from PsExec and WMI commands, and blocking executable files from running unless they meet a prevalence, age, or trusted list criterion.

For CVE-2023-36884 specific recommendations, organizations can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation if they cannot use Microsoft Defender for Office 365.


  • Get the IOC and Technical details from the official Microsoft coverage (Link)
  • Microsoft TI team tweeting on RomCom (Link)
  • Report by Blackberry on RomCom (Link)
Reza Rafati

Reza Rafati, based in the Netherlands, is the founder of An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.

You May Also Like

More From Author