On Thanksgiving eve, a sophisticated threat actor known as Storm-0900 launched a high-volume phishing campaign targeting users across the United States.
Microsoft Threat Intelligence security analysts detected and blocked this coordinated attack consisting of tens of thousands of emails designed to deceive recipients during the holiday period.
The campaign employed two primary social engineering themes that leveraged timely occasions: fake parking ticket notifications and fraudulent medical test results.
By referencing Thanksgiving, the attackers created a sense of urgency and credibility that lowered victims’ suspicion and increased the likelihood of user engagement.
The campaign relied on multiple layers of deception and technical sophistication.
On Thanksgiving eve, November 26, Microsoft detected and blocked a high-volume phishing campaign from a threat actor we track as Storm-0900. The campaign used parking ticket and medical test result themes and referenced Thanksgiving to lend credibility and lower recipients’…
— Microsoft Threat Intelligence (@MsftSecIntel), December 2, 2025
Phishing emails contained URLs directing to an attacker-controlled landing page hosted on the malicious domain permit-service[.]top.
The attackers incorporated interactive elements to deceive users further and bypass security measures. The landing page required users to complete a CAPTCHA by dragging a slider.
Fake captcha (Source – X)
This step appeared legitimate to most users but actually served to confirm that a live person was interacting with the page before the malware was delivered.
Fake verification (Source – X)
Microsoft Threat Intelligence security analysts and researchers identified that this campaign ultimately led to the deployment of XWorm, a popular modular remote access malware used by many threat actors across the threat landscape.
Following successful user interaction with the phishing page, the malware would be delivered to compromised devices, allowing attackers to establish persistent access and control.
XWorm Infection and Persistence Mechanism
XWorm operates as a modular malware platform, meaning threat actors can load different plugins to perform various tasks on compromised devices.
The malware’s modular architecture makes it particularly dangerous because it allows attackers to customize attacks based on specific objectives.
Once installed, XWorm enables remote access capabilities that permit threat actors to deploy additional malware, steal sensitive data, and maintain long-term persistence on victim systems.
The malware communicates with command-and-control infrastructure, allowing attackers to issue commands remotely and exfiltrate information from compromised machines.
Microsoft successfully disrupted the entire campaign through a combination of email filtering technologies, endpoint protections, and threat intelligence-based preemptive blocking of attacker infrastructure.
This multi-layered defense approach prevented the majority of phishing emails from reaching intended targets and blocked access to malicious domains before users could interact with them.
Organizations should remain vigilant about unusual communications referencing urgent matters and implement strong email security controls during holiday periods when social engineering attempts typically increase.
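As an added illustration of the URL and theme filtering described above (example code, not Microsoft's or the article's), the routine below refangs the published indicator permit-service[.]top and triages constructed sample messages; the theme keywords and sample emails are my own assumptions.

```python
import re
from urllib.parse import urlparse

# Indicator published in the report, in its defanged form.
DEFANGED_IOCS = ["permit-service[.]top"]

# Lure themes described in the report; the keyword lists are an assumption.
THEME_KEYWORDS = {
    "parking": ("parking ticket", "parking violation", "permit"),
    "medical": ("test result", "lab result", "medical record"),
}

def refang(indicator: str) -> str:
    """Turn a defanged IoC (permit-service[.]top, hxxp://) back into a matchable form."""
    return indicator.lower().replace("[.]", ".").replace("hxxp", "http")

def extract_urls(text: str) -> list[str]:
    return re.findall(r"https?://[^\s<>\"']+", text, flags=re.IGNORECASE)

def host_matches(host: str, blocked: str) -> bool:
    """Exact domain or subdomain match; a lookalike such as notpermit-service.top must not match."""
    host = host.lower().rstrip(".")
    return host == blocked or host.endswith("." + blocked)

def triage_email(subject: str, body: str, blocked_domains: list[str]) -> dict:
    """Classify one message: block on an IoC hit, review on a lure theme alone, else allow."""
    text = f"{subject}\n{body}".lower()
    themes = sorted(t for t, kws in THEME_KEYWORDS.items() if any(k in text for k in kws))
    ioc_urls = [
        url for url in extract_urls(body)
        if any(host_matches(urlparse(url).hostname or "", b) for b in blocked_domains)
    ]
    verdict = "block" if ioc_urls else ("review" if themes else "allow")
    return {"verdict": verdict, "themes": themes, "ioc_urls": ioc_urls}

# Constructed sample messages (not real campaign emails).
SAMPLE_EMAILS = [
    ("Unpaid parking ticket - final notice before Thanksgiving",
     "Settle your parking violation at https://login.permit-service.top/pay?id=4471"),
    ("Your medical test result is ready",
     "View your lab result at https://portal.example.org/results"),
    ("Team lunch on Friday", "Reply with your order by noon."),
]

def triage_all(emails=SAMPLE_EMAILS) -> list[str]:
    """Verdict per sample message: ['block', 'review', 'allow'] for the constructed set."""
    blocked = [refang(i) for i in DEFANGED_IOCS]
    return [triage_email(s, b, blocked)["verdict"] for s, b in emails]
```

Calling triage_all() returns one verdict per sample; the "review" outcome for a themed message without a known indicator is where new infrastructure from the same lure would first surface.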
The post Storm-0900 Hackers Leveraging Parking Ticket and Medical Test Themes in Massive Phishing Attack appeared first on Cyber Security News.