Defenders should watch for an archive file named Network Security.zip, which includes an .exe with the Tickler malware, and for a Trojan dropper named sold.dll.

Here’s another example of Peach Sandstorm tactics detailed by Microsoft: After hacking into a European defense organization, the gang moved laterally using the Windows SMB (Server Message Block) protocol. This protocol, which is used for sharing files, printers, and other resources on a network, has been misused by many threat actors. Microsoft offers this advice to network admins for preventing SMB from being used as an attack tool.

In another attack, against a Middle East-based satellite operator, Peach Sandstorm compromised a user using a malicious ZIP file delivered via a Microsoft Teams message, followed by dropping Active Directory (AD) Explorer and taking an AD snapshot. An AD snapshot is a read-only, point-in-time copy of the AD database and related files, which can be used for various legitimate administrative tasks. These snapshots can also be exploited by threat actors for malicious purposes.