Microsoft warns of BadPilot campaign

Microsoft identifies the BadPilot campaign linked to Seashell Blizzard (APT44). Learn how this sophisticated attack exploits vulnerabilities.

14-02-2025 - 5 minute read. Posted in: cybercrime.


Microsoft identifies BadPilot: A cyber threat from Seashell Blizzard

Microsoft’s Threat Intelligence team has exposed a new cyber threat in the form of the 'BadPilot' campaign, orchestrated by Seashell Blizzard (also known as APT44). This long-standing threat actor, with strong ties to Russian state-sponsored hacking groups, has been carrying out cyberattacks against the energy, telecommunications, and government sectors in both the United States and the United Kingdom for years.

A sophisticated and persistent threat

According to Microsoft, Seashell Blizzard operates with a multi-year strategy, using advanced phishing attacks and compromised VPN connections to infiltrate organizations. The BadPilot campaign, a central component of this strategy, employs remote access techniques to gain control over compromised systems.

Microsoft’s analysis reveals that BadPilot is designed to be lightweight and difficult to detect, making it a highly effective weapon for threat actors. Once deployed, the malware provides attackers with remote access to networks and systems, allowing them to conduct reconnaissance, extract data, and potentially set the stage for more destructive cyberattacks.

Who is Seashell Blizzard?

Seashell Blizzard, also known as APT44, is an advanced persistent threat (APT) group believed to be closely connected to the Russian government. The group has been operating for years, conducting targeted attacks on critical infrastructure and high-profile organizations in the West. Their attack patterns suggest a strategic approach, where they not only infiltrate systems but also establish long-term access for future use.

Seashell Blizzard is particularly known for exploiting well-documented software vulnerabilities to gain initial access to organizational networks. The group has also been linked to destructive cyberattacks in Ukraine since 2023, focusing on institutions of geopolitical importance. According to Microsoft’s analysis, this group follows a long-term strategy, seeking to maintain access and expand their attack surface over time.

Exploited vulnerabilities

Seashell Blizzard exploits known vulnerabilities in widely used software to gain access to target systems. According to Microsoft, the following vulnerabilities have been actively used in the BadPilot campaign:

  • OpenFire (CVE-2023-32315)

  • JBOSS (CVE unknown)

  • Microsoft Outlook (CVE-2023-23397)

  • Microsoft Exchange (CVE-2021-34473)

  • Zimbra Collaboration (CVE-2022-41352)

  • JetBrains TeamCity (CVE-2023-42793)

  • Fortinet FortiClient EMS (CVE-2023-48788)

  • Connectwise ScreenConnect (CVE-2024-1709)

By leveraging these vulnerabilities, hackers can gain an initial foothold into a network, escalate their privileges, steal credentials, and ultimately take full control over critical systems.

Sustained access and covert operations

Microsoft’s research highlights that Seashell Blizzard is not just focused on initial access but on maintaining long-term control over compromised systems. The group employs tools such as remote management software and web shells to remain undetected. Their methods include:

  • Deploying legitimate remote management tools, such as Atera Agent and Splashtop Remote Services, to mimic authorized activity.

  • Installing web shells, ensuring continued access to servers even after vulnerabilities are patched.

  • Credential harvesting and DNS manipulation, allowing them to steal login information and redirect traffic without raising suspicion. Learn more about the top strategies to prevent credential harvesting and how to safeguard your credentials from cyber threats.

  • Using custom-built tools like ShadowLink, which configures compromised systems as hidden services on the Tor network, making their activities harder to trace.
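As an added illustration (not code from Microsoft's report or from Moxso), the short Python triage script below runs three detections over constructed process-creation events, one for each persistence pattern listed above: an RMM agent (Atera, Splashtop) that is not on the organization's approved list, a web server process spawning a shell (a typical symptom of a web shell), and a Tor process started with a hidden-service directive. The log format, the installer paths, and the hostnames are assumptions for the example.

```python
import json

# Constructed process-creation events in JSON-lines form (sample data, not
# taken from the Microsoft report). Backslashes are doubled for JSON.
SAMPLE_LOG = r'''
{"host":"ws01","parent":"C:\\Windows\\System32\\msiexec.exe","image":"C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe","cmdline":"AteraAgent.exe /i"}
{"host":"ws01","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe"}
{"host":"web01","parent":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c whoami"}
{"host":"chat01","parent":"/usr/bin/java","image":"/bin/sh","cmdline":"sh -c id"}
{"host":"web01","parent":"/usr/sbin/sshd","image":"/usr/bin/tor","cmdline":"tor -f /tmp/torrc HiddenServiceDir /tmp/hs HiddenServicePort 22 127.0.0.1:22"}
{"host":"ws02","parent":"C:\\Windows\\System32\\services.exe","image":"C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRServer.exe","cmdline":"SRServer.exe"}
'''

# Substrings that identify the RMM products named in the report (assumed paths).
RMM_MARKERS = {"atera": "ateraagent", "splashtop": "splashtop"}
# Assumption: fill this with the RMM tools your organization actually sanctions.
APPROVED_RMM = frozenset()
# Web server / application server processes that should never spawn a shell.
WEB_SERVER_PARENTS = {"w3wp.exe", "java", "java.exe", "httpd", "nginx", "tomcat"}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}

def basename(path):
    """Last path component, lower-cased, for both Windows and POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def check_event(ev):
    """Return the names of all detection rules that fire for one event."""
    hits = []
    image = ev["image"].lower()
    parent, child, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"].lower()
    for name, marker in RMM_MARKERS.items():
        if marker in image and name not in APPROVED_RMM:
            hits.append("unapproved_rmm:" + name)
    if parent in WEB_SERVER_PARENTS and child in SHELLS:
        hits.append("webserver_spawned_shell")
    # Keys on the command line only; a hidden service configured solely in a
    # torrc file would need file inspection instead.
    if child in ("tor", "tor.exe") and "hiddenservicedir" in cmd:
        hits.append("tor_hidden_service")
    return hits

def triage(log_text):
    """Parse JSON-lines events and collect one finding per fired rule."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        for rule in check_event(ev):
            findings.append({"host": ev["host"], "rule": rule, "image": ev["image"]})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['host']:7} {f['rule']:28} {f['image']}")
```

On the sample above the script reports five findings across three hosts; in practice the approved-RMM list and the parent-process set are the two knobs that need tuning to the environment.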

Targeted attacks on critical infrastructure

Seashell Blizzard has a track record of attacking organizations vital to national infrastructure. Microsoft’s report indicates that the group has previously compromised the energy and utility sectors, highlighting the severity of their threat. Their ongoing operations suggest a continued interest in infiltrating key organizations in the West, possibly preparing for future cyber disruptions or espionage.

How organizations can protect themselves

Microsoft recommends that organizations adopt the following security measures to defend against BadPilot and similar threats:

  • Zero trust architecture: Implementing a Zero Trust approach minimizes the risk of compromised accounts.

  • Strong multi-factor authentication (MFA): MFA significantly reduces the risk of phishing-based attacks. Learn why MFA is essential for protecting your accounts.

  • Monitoring VPN access: Organizations should ensure that VPN connections are secured and actively monitored. Dive into our glossary to understand what a VPN is and how it enhances security.

  • System Updates: Regular security updates and patches help prevent the exploitation of known vulnerabilities.

  • Advanced threat detection: AI-driven monitoring solutions can help identify suspicious activity before an attack escalates.

Moxso’s analysis: The bigger picture

Seashell Blizzard’s tactics align with a growing trend in state-sponsored cyber warfare. The persistence, sophistication, and adaptability of groups like APT44 highlight the importance of proactive security measures. This campaign serves as another reminder that cybersecurity is not just about reacting to threats but anticipating and preventing them.

For organizations, the key takeaway is clear: cyber hygiene must be a continuous process, not a one-time effort. Adopting a security-first mindset, combined with robust detection systems and swift response strategies, is essential in the modern threat landscape. However, technology alone is not enough—employees remain one of the biggest security risks. Ensuring that staff understand security best practices and recognize threats is just as critical as implementing technical defenses. A well-informed workforce can significantly reduce the risk of human errors that often lead to breaches. Learn more about how Moxso can help your organization strengthen employee awareness and build a resilient security culture with our phishing simulation and awareness training.

Author Sarah Krarup


Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.
