Examining Global Cyber Espionage Tactics: Forest Blizzard and Sapphire Sleet

In this episode of the Microsoft Threat Intelligence Podcast, host Sherrod DeGrippo is joined by security researchers Anna Seitz and Megan Stalling to unpack new intelligence on the BadPilot Campaign, a sophisticated operation by a subgroup of Seashell Blizzard—also known as APT-44, Iridium, or Sandworm.  

The team explores how this subgroup, active since 2021, uses opportunistic access, remote management tools, and Tor based ShadowLink infrastructure to maintain covert control of compromised systems. They also examine trends across threat actor ecosystems, how tactics evolve through shared influence, and why network detection remains a key battleground in defending against persistent global threats. 

In this episode you’ll learn:      

• How evolving network detection is helping stop threat actors 

• Why Seashell Blizzard targets industrial control systems 

• When fake Zoom links and meeting invites are used to lure victims into engagement 

Some questions we ask:     

• Have North Korean hackers improved at social engineering lately? 

• What’s this subgroup’s main goal when it comes to network attacks? 

• Why would a group like this use such basic tactics instead of more advanced ones? 

Resources:  

View Megan Stalling on LinkedIn  

View Anna Seitz on LinkedIn  

View Sherrod DeGrippo on LinkedIn  

BadPilot Campaign, Seashell Blizzard  

How Microsoft Names Threat Actors  

Related Microsoft Podcasts:                   

• Afternoon Cyber Tea with Ann Johnson 

• The BlueHat Podcast 

• Uncovering Hidden Risks     

Discover and follow other Microsoft podcasts at microsoft.com/podcasts  

Get the latest threat intelligence insights and guidance at Microsoft Security Insider 

The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network.