State-Sponsored Actors Operationalize ROADtools Framework in Cloud Campaigns
ID: 18073153-2be4-5690-b1d3-c91a8c6837c6
STIX ID: report--18073153-2be4-5690-b1d3-c91a8c6837c6
Feed Name: securityonline.info
This report analyzes the ROADtools cloud attack toolkit, which attackers use to enumerate Entra ID, manipulate authentication tokens (via a module called roadtx), register rogue devices, and replay session assets to bypass MFA and maintain persistence. Because the toolkit calls legitimate Microsoft APIs, its activity blends into normal traffic; it has been observed in campaigns attributed to APT groups (e.g., Cloaked Ursa, Curious Serpens) and in a phishing wave in early 2025. The report recommends updating hunting queries, monitoring for unusual user-agent strings and unauthorized device registrations, and improving visibility into cloud identity transactions.