[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fnL8CaK6eeETkRKaWsKobl_NNXVL05n9YkG9od01Th9A":3},{"article":4,"iocs":58},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"7e4c1055-b549-468a-bc83-221964220535","Paved With Intent: ROADtools and Nation-State Tactics in the Cloud","paved-with-intent-roadtools-and-nation-state-tactics-in-the-cloud-251b6f","Open-source framework ROADtools is being misused by threat actors for cloud intrusions. Learn how to identify its malicious use.","ROADtools, an open-source Python framework for red-teaming and Azure\u002FEntra ID security research, is being weaponized by nation-state threat actors including Midnight Blizzard and Void Blizzard for cloud attacks. The tool enables enumeration of Entra ID resources, device registration, and token manipulation while evading detection by leveraging legitimate Microsoft APIs and customizable user-agent strings. 
Palo Alto Networks Unit 42 provides detection queries and mitigation recommendations to help defenders identify and prevent ROADtools misuse in their environments.","Nation-state actors misuse ROADtools for Azure Entra ID enumeration and token manipulation in cloud intrusions.","Paved With Intent: ROADtools and Nation-State Tactics in the Cloud. By: Bill Batchelor, Eyal Rafian. Published: May 22, 2026. Categories: Cloud Cybersecurity Research, Threat Research. Tags: Curious Serpens, Entra ID, Microsoft Azure, Microsoft Graph API, Midnight Blizzard, MITRE, ROADtools, UTA0355, Void Blizzard. Executive Summary. ROADtools is a publicly available toolkit for offensive and defensive security purposes that attackers have integrated into cloud attacks. The tool is designed to: enumerate Entra ID; register devices in Entra ID; and acquire, exchange and manipulate Microsoft Entra ID tokens. ROADtools is an open-source framework written in Python and built for red-teaming and research. It primarily targets the identity and authentication layers of Azure, and focuses on how accounts, applications and tokens operate in tenants. To avoid detection, ROADtools operates through legitimate Microsoft APIs and can mimic typical traffic. Further defense evasion can be achieved by configuring request attributes such as user-agent strings. These capabilities have made ROADtools a valuable asset for attackers. Nation-state threat actors have used it in recent cloud intrusions for discovery, persistence and defense evasion. Attackers involved in a targeted phishing campaign in early 2025 used tooling that matches ROADtools' token management capabilities. We provide an accessible overview of ROADtools, including how it evades detection and how nation-state threat actors and other adversaries misuse it. 
To aid defenders in protecting organizations against this threat, we also provide: straightforward hunting queries that can reveal ROADtools usage; and practical recommendations to detect ROADtools and prevent it from being effective within an environment. Palo Alto Networks customers are better protected from the threats described here through the following products and services: Cortex Cloud, Cortex XDR and XSIAM. The Unit 42 Cloud Security Assessment is an evaluation service that reviews cloud infrastructure to identify misconfigurations and security gaps. If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team. Tool Overview. ROADtools is able to interact with Entra ID via legitimate APIs, and to customize user-agent strings — both of which help it to evade detection. The tool includes several modules, two of which we discuss in this article, and a set of shared libraries. The ROADrecon Module. The roadrecon module is designed for internal discovery and enumeration. It gathers organizational data and identity information from Entra ID (formerly Azure Active Directory), including: users, groups, roles, devices, service principals, applications and directory configurations. Results are stored in a local SQLite database that can be viewed through a custom web interface. This provides a graphical way to navigate the tenant and identify relationships or privileged objects that attackers could use for persistence or escalation. Figure 1 shows Entra ID Groups within the ROADrecon graphical web interface. Figure 1. Entra ID Groups in the ROADtools web interface. The roadrecon module originally queried the Azure AD Graph API to enumerate Azure AD resources. However, Microsoft has stated the Azure AD Graph API is being retired and all new or existing applications must migrate to Microsoft Graph API, which breaks a fundamental component of the original roadrecon functionality. 
As of May 2026, an msgraph branch exists in the official ROADtools GitHub repository but has not been updated since April 2025. Subsequent development has continued in a separate, community-maintained fork, where partial roadrecon functionality has been implemented using the Microsoft Graph API. This fragmentation means users might encounter inconsistent functionality, while attackers can still enumerate Entra ID accounts and resources, as described in the Discovery section below. The Token eXchange (roadtx) Module. The roadtx module facilitates token acquisition and exchange, enabling attackers to interact with Entra ID’s authentication endpoints. It supports several OAuth 2.0 and OpenID Connect authentication flows (sign-in methods), including: entering a device code from another device (device code flow); reusing a refresh token to get new access; and allowing an application to request access on behalf of a user (known as an on-behalf-of or OBO flow). The output of roadtx is typically a set of OAuth 2.0 access and refresh tokens in JSON format, which can be used to authenticate against Microsoft cloud services. The roadtx module can be used to register devices with Entra ID, replay stolen tokens and manipulate token lifecycles. This capability allows attackers to persist in an environment and bypass multi-factor authentication (MFA). Supporting both roadrecon and roadtx is roadlib, the library layer that handles low-level authentication and API requests. The roadlib module provides the core functionality for ROADtools. It abstracts much of Microsoft’s authentication complexity, allowing an attacker or researcher to script token requests and API calls without having to know every OAuth detail. This module is flexible and can be pointed at different API endpoints, including custom or non-Microsoft endpoints. This feature makes ROADtools easy to adapt to other security tooling and enables it to target a wider range of authentication systems. 
With the above functionality in mind, the rest of this article explains how adversaries leverage ROADtools to perform their operations and what defenders can do to protect against ROADtools. Threat Actor Usage and Industry Targeting. The use of ROADtools has evolved from a red-team utility to an attack tool. Industry reports illustrate that various nation-state threat actors are leveraging the tool to conduct malicious activity. Early observation of a nation-state actor operationalizing the ROADtools framework came in late 2021, when Microsoft reported on activity by Cloaked Ursa (aka Midnight Blizzard or APT29). The group’s campaigns began with highly targeted spear phishing to gain initial access. Cloaked Ursa subsequently leveraged ROADtools to conduct discovery and enumerate victims’ Azure AD (now Entra ID) environments. Microsoft reported the Iranian state-sponsored threat actor Curious Serpens (aka Peach Sandstorm, APT33) using ROADtools in malicious operations in 2023. After gaining initial access through password spray attacks, the threat actor used tools, including ROADtools, for internal discovery. Volexity reported in 2025 on a targeted phishing campaign during which a state-affiliated threat actor, which it calls UTA0355, was able to register a rogue device with Entra ID. Attackers were able to acquire a new token with full access to the Microsoft Graph API. The tooling Volexity reported matched the roadtx module’s token management capabilities. MITRE ATT&CK® Tactics. MITRE ATT&CK provides a structured way to describe how attackers operate. 
Organizing findings by MITRE ATT&CK Tactics, Techniques and Procedures enables defenders to: map attacker behaviors to a common language; compare those behaviors across intrusions; and prioritize detections and mitigations based on the actions attackers take. In the sections that follow, we reference specific MITRE techniques to show how ROADtools components enable those behaviors, including: Persistence: T1098.005 Account Manipulation – Device Registration; Defense Evasion: T1550 Use Alternate Authentication Material; Discovery: T1087 Account Discovery. Persistence. Technique: T1098.005 Account Manipulation – Device Registration (Figure 2). Figure 2. MITRE ATT&CK technique T1098.005. The ROADtools roadtx module can register new devices in Entra","https:\u002F\u002Fbit.ly\u002F4fyQYHB","https:\u002F\u002Funit42.paloaltonetworks.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002F10_Cloud_cybersecurity_research_Overview_1920x900-1.jpg","2026-05-25T10:05:06+00:00","2026-05-25T11:00:07.548+00:00",9,[18,21,23,25,28,30],{"name":19,"type":20},"Midnight Blizzard","threat_actor",{"name":22,"type":20},"Void Blizzard",{"name":24,"type":20},"Curious Serpens",{"name":26,"type":27},"ROADtools","product",{"name":29,"type":27},"Microsoft Entra ID",{"name":31,"type":27},"Microsoft Azure","c70f3a41-2f0c-4608-870d-b8cbcd8be076",{"id":32,"icon":34,"name":35,"slug":36},null,"Cloud Security","cloud-security",[38,43,48,53],{"category":39},{"id":40,"icon":34,"name":41,"slug":42},"02371804-cf6d-4449-98de-f1a2d4d9b266","Tools","tools",{"category":44},{"id":45,"icon":34,"name":46,"slug":47},"2c8f44d4-b56e-47cf-9677-04f22c9ee78d","Identity & Access","identity-access",{"category":49},{"id":50,"icon":34,"name":51,"slug":52},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":54},{"id":55,"icon":34,"name":56,"slug":57},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[59,62,66],{"type":60,"value":26,"context":61},"malware","Open-source 
offensive toolkit weaponized by nation-state actors for Azure Entra ID enumeration, device registration, and token manipulation",{"type":63,"value":64,"context":65},"mitre_attack","T1087.004","Account enumeration via ROADtools roadrecon module targeting Entra ID users, groups, roles, devices, service principals",{"type":63,"value":67,"context":68},"T1550.001","Token manipulation and exchange capabilities in ROADtools for Microsoft Entra ID authentication bypass"]