Threat Intelligence Tarot
Vol. II · 125
Iran
risk 4/5
The Mirage Locksmith
Cobalt Mirage
DEV-0270 · TunnelVision · Mint Sandstorm subgroup
US municipalities · Israeli organizations · Healthcare · Education
Active since ~2020 · Espionage, Disruption, Opportunistic extortion
The Mirage Locksmith turns Microsoft's own locks against the building. BitLocker becomes hostage tape and the recovery key a ransom note: full-disk encryption the defenders deployed to protect data is switched on with a password only the intruder holds, and the tools defenders trusted now ask them to pay.
Tactics & Techniques
T1190 · Exploit Public-Facing Application (Initial Access)
T1078 · Valid Accounts (Persistence)
T1059.001 · PowerShell (Execution)
T1571 · Non-Standard Port (Command and Control)
T1486 · Data Encrypted for Impact (Impact)
Notable Operations
  • Log4Shell exploitation against US municipalities (2022)
  • ProxyShell and Fortinet vulnerability exploitation
  • BitLocker abuse for ransomware-style extortion
  • Secureworks and Microsoft public attribution (2022)
Defenses
  • BitLocker recovery key escrow to Active Directory or Entra ID, with the escrowed protector verified to still exist on each volume
    Microsoft BitLocker Deployment Guide
  • Public-facing application patching SLAs with 0-day mitigations
    CIS Control 7
  • Local administrator password solution (LAPS) for endpoints
    CIS Control 5
  • Incident response playbooks specifically covering encryption-for-extortion, including alerting on manage-bde protector changes and tested offline backups
    NIST SP 800-61
Reversed: Their Weakness
BitLocker recovery key escrow (in AD DS or Entra ID) removes this operator's leverage on volumes the organization already encrypted, as long as the escrowed recovery protector survives on the volume. It does not help where the intruder enables BitLocker on a volume that was never encrypted, using a password only they hold, or where they delete the recovery password protector before encrypting; those cases fall back on detection of manage-bde protector changes and on backups. Encryption you control is encryption they cannot weaponize.
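The escrow defense above is only worth what the audit behind it is worth: an escrowed key that no longer matches a protector on the volume recovers nothing. The script below is an added example for this card, not code from the card's author or from Microsoft. It walks every BitLocker volume on a host with the built-in BitLocker PowerShell module, labels how much leverage an intruder would have over each one, adds a RecoveryPassword protector where none exists, and escrows every recovery protector to AD DS (`Backup-BitLockerKeyProtector`) or Entra ID (`BackupToAAD-BitLockerKeyProtector`). It assumes the host allows AD escrow (the "Store BitLocker recovery information in AD DS" policy) or is Entra-joined for the Entra path; the function names and the risk labels are mine.

```powershell
#Requires -RunAsAdministrator
# Added example (not the card's or Microsoft's code): audit BitLocker protectors on this
# host and escrow every recovery password to AD DS or Entra ID.
# Assumptions: BitLocker PowerShell module present; AD escrow permitted by policy or
# device Entra-joined. Function names and risk labels are this example's own.
param(
    [ValidateSet('AD', 'EntraID')]
    [string]$Target = 'AD'
)
Import-Module BitLocker

function Get-BitLockerProtectorRisk {
    # Label how much leverage an intruder would have over this volume, judged only by
    # which key protector types are present.
    param($Volume)
    $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    if ($types -contains 'RecoveryPassword') { return 'HasRecoveryPassword' }
    if ($types -contains 'Password' -and -not ($types -contains 'Tpm' -or $types -contains 'TpmPin')) {
        # Only a password protector and no recovery password: whoever set that
        # password owns the data. This is the shape an extortion operator leaves behind.
        return 'PasswordOnly'
    }
    return 'NoRecoveryPassword'
}

function Invoke-BitLockerEscrowAudit {
    param([string]$Target = 'AD')
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            # Nothing to escrow, but report it: an unencrypted volume is one the
            # intruder can encrypt from scratch with their own password.
            [pscustomobject]@{ MountPoint = $vol.MountPoint; Risk = 'NotEncrypted'; Escrowed = $false; ProtectorId = $null }
            continue
        }
        $risk = Get-BitLockerProtectorRisk -Volume $vol
        if ($risk -ne 'HasRecoveryPassword') {
            # Add a 48-digit recovery password so the organization holds a recovery path.
            # This works only while the volume is unlocked; a locked volume still needs
            # whatever key unlocks it.
            $vol = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
        }
        $recovery = $vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' }
        foreach ($p in $recovery) {
            if ($Target -eq 'EntraID') {
                BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            } else {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            }
            [pscustomobject]@{ MountPoint = $vol.MountPoint; Risk = $risk; Escrowed = $true; ProtectorId = $p.KeyProtectorId }
        }
    }
}

Invoke-BitLockerEscrowAudit -Target $Target | Format-Table -AutoSize
```

Run it from an elevated PowerShell session as a scheduled compliance check and diff the output against the previous run. A volume that moves from `HasRecoveryPassword` to `PasswordOnly` or `NoRecoveryPassword`, or a `ProtectorId` that disappears between runs, means someone removed the organization's protector; treat that as an incident under the encryption-for-extortion playbook rather than as configuration drift, because the script can only re-add a protector while the volume is still unlocked.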


Data sourced from MITRE ATT&CK. For educational purposes.