
Jingle Thief

Also known as: Jingle Thief

Jingle Thief is a financially motivated cybercrime group tracked by Palo Alto Networks Unit 42 as cluster CL-CRI-1032. Unit 42 assesses with moderate confidence that the activity overlaps with actors publicly tracked as Atlas Lion and STORM-0539, and attributes the campaign with moderate confidence to Morocco-based attackers active since 2021. The group primarily targets global retailers and consumer services organizations, especially those that rely heavily on cloud-based infrastructure and issue gift cards, with activity noted to increase during holiday periods. The group’s objective is unauthorized issuance of high-value gift cards for resale on gray markets; reporting states the fraud has stolen hundreds of thousands of dollars.

Jingle Thief operates largely inside Microsoft 365 and related cloud services rather than relying on traditional endpoint malware. Reported tradecraft includes:

  • Tailored phishing and smishing to steal Microsoft 365 credentials.
  • Cloud reconnaissance in SharePoint and OneDrive to identify gift card issuance workflows, ticketing systems, VPN configuration guides, and related internal documentation.
  • Internal phishing from compromised Microsoft 365 accounts, including fake ServiceNow alerts and IT access notifications, to obtain additional or higher-privileged credentials.
  • Persistence and stealth through abuse of legitimate Microsoft Entra ID self-service and device-enrollment features: registering rogue authenticator apps, resetting passwords through self-service flows, and enrolling attacker-controlled devices to retain access even after password resets or session revocation.
  • Exchange inbox forwarding rules for passive monitoring of communications related to gift card approvals, financial workflows, and IT ticketing, and hiding evidence by moving sent phishing emails and victim replies into Deleted Items.

Additional reported techniques include deceptive phishing URLs that use the "@" symbol to disguise the true destination, delivery of phishing via self-hosted PHP mailer scripts, often on compromised or hijacked WordPress servers, and use of infrastructure and IP space geolocated primarily in Morocco, with occasional use of Mysterium VPN. Unit 42 reported long-dwell intrusions, including one case with approximately 10 months of access and more than 60 compromised user accounts within a single global enterprise. Known aliases and related tracking names directly mentioned in the content are CL-CRI-1032, Atlas Lion, and STORM-0539.
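Two defender-side checks for behaviours described above, written as an added example (not Unit 42's or Mallory's code): resolving the true host behind an "@"-disguised URL, and flagging Exchange inbox rules that forward mail or route it to Deleted Items. The audit-record shape (Operation, Parameters as Name/Value pairs) is assumed to mirror the Exchange New-InboxRule audit format, and all sample records are constructed.

```python
"""Defensive checks for '@'-disguised URLs and stealthy inbox rules.
Sample records below are constructed, not real telemetry."""
from urllib.parse import urlsplit


def url_decoy(url: str):
    """Return (true_host, decoy_text). Everything before '@' in the
    authority is userinfo, so the real host is whatever follows it."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return parts.hostname, None
    decoy, _, _ = parts.netloc.rpartition("@")
    return parts.hostname, decoy


# Assumed parameter names from the Exchange inbox-rule audit record.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}


def rule_findings(record: dict) -> list:
    """Flag inbox rules that forward mail or hide matching messages."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    findings = []
    for name in sorted(FORWARD_PARAMS & set(params)):
        findings.append(f"forwarding via {name} to {params[name]}")
    if str(params.get("DeleteMessage", "")).lower() == "true":
        findings.append("rule deletes matching mail")
    if str(params.get("MoveToFolder", "")).lower() == "deleted items":
        findings.append("rule moves matching mail to Deleted Items")
    return findings


# Constructed audit records: one suspicious rule, one benign rule, one non-rule event.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "finance.user@corp.example",
     "Parameters": [{"Name": "Name", "Value": "gc"},
                    {"Name": "SubjectContainsWords", "Value": "gift card"},
                    {"Name": "ForwardTo", "Value": "relay@mail.example"},
                    {"Name": "MoveToFolder", "Value": "Deleted Items"}]},
    {"Operation": "New-InboxRule", "UserId": "it.helpdesk@corp.example",
     "Parameters": [{"Name": "Name", "Value": "newsletters"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"Operation": "MailItemsAccessed", "UserId": "finance.user@corp.example",
     "Parameters": []},
]


def triage(records) -> dict:
    """Map (mailbox, rule name) to findings, skipping clean records."""
    out = {}
    for r in records:
        found = rule_findings(r)
        if found:
            params = {p["Name"]: p["Value"] for p in r["Parameters"]}
            out[(r["UserId"], params.get("Name", "?"))] = found
    return out
```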


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • retail

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

The Hacker News (News)
Oct 27, 2025
⚡ Weekly Recap: WSUS Exploited, LockBit 5.0 Returns, Telegram Backdoor, F5 Breach Widens

Financially motivated cloud intrusions to obtain access sufficient to issue unauthorized gift cards for resale/monetization.

Dark Reading (News)
Oct 27, 2025
'Jingle Thief' Highlights Retail Cyber Threats

Morocco-based cybercrime operation conducting large-scale gift card fraud by operating primarily inside victim cloud environments (notably Microsoft 365/Entra ID). Uses credential theft and internal phishing to gain higher privileges, then abuses gift card issuance workflows to generate high-value gift cards for resale; maintains long dwell time via Entra ID self-service abuse (rogue authenticator app/device enrollment).

Security Online Info (News)
Oct 24, 2025
Jingle Thief Cybercrime Gang Steals Hundreds of Thousands in Gift Card Fraud via Microsoft 365 Identity Abuse

Gift card fraud operation leveraging Microsoft 365 identity abuse to steal hundreds of thousands of dollars.

Foresiet Blog (News)
Oct 23, 2025
Jingle Thief Gift Card Fraud: How Cloud Account Misuse Became a Pandemic for Retailers

Jingle Thief is a financially motivated threat actor targeting retailers and service providers that issue gift cards. The group specializes in phishing and identity misuse to gain access to cloud accounts, particularly Microsoft 365, and abuses internal workflows to issue or redeem high-value gift cards. Their operations are timed around retail peaks to maximize impact and evade detection.
