BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Storm-0249 Shifts Tactics, Uses DLL Sideloading in Ransomware Attack

Storm-0249 Evolves Into Direct Ransomware Attacker Using Advanced Stealth and Persistence Techniques

  • The threat actor known as Storm-0249 is evolving from an initial access broker to a direct Ransomware attacker using advanced tactics.
  • It employs domain spoofing, DLL side-loading, and fileless PowerShell execution to bypass security defenses and maintain persistent access.
  • The group leverages social engineering methods like the ClickFix tactic and uses trusted Windows processes to avoid detection.
  • Storm-0249 extracts unique system identifiers such as MachineGuid to prepare for targeted ransomware encryption strategies.
  • These developments signal a shift toward precise, stealthy attacks to support ransomware affiliates such as LockBit and ALPHV.

The cyber threat group Storm-0249 is adopting new, sophisticated methods to conduct ransomware attacks as of December 2025. Previously recognized as an initial access broker providing network footholds to other cybercriminals, it now uses techniques including domain spoofing, DLL side-loading, and fileless PowerShell execution. These methods enable the group to infiltrate and persist in networks while evading detection. According to a ReliaQuest report shared with The Hacker News, this shift poses significant challenges for security teams.

- Advertisement -

Storm-0249, a name assigned by Microsoft, was first publicly identified in September 2024. It has facilitated access for ransomware and extortion groups like Storm-0501. In early 2025, Cybersecurity intelligence reported this group’s phishing campaigns targeted U.S. users with tax-themed messages, distributing malicious tools such as Latrodectus and the BruteRatel C4 (BRc4) post-exploitation framework.

The group now exploits the ClickFix social engineering tactic, convincing victims to execute malicious commands in the Windows Run dialog by posing as solving a technical problem. This method uses the legitimate Windows utility “curl.exe” to download a PowerShell script from a spoofed Microsoft-like domain (“sgcipl[.]com/us.microsoft.com/bdo/”). The PowerShell script then runs without leaving files on disk (fileless execution).

This attack results in installing a malicious MSI package that runs with SYSTEM privileges. It drops a trojanized DLL named “SentinelAgentCore.dll” alongside the legitimate “SentinelAgentWorker.exe” process of SentinelOne’s endpoint security software into the user’s AppData folder. When “SentinelAgentWorker.exe” runs, it loads the rogue DLL, enabling encrypted communication with a command-and-control (C2) server while remaining undetected.

Further, Storm-0249 uses legitimate Windows command-line tools like reg.exe and findstr.exe to retrieve unique system identifiers such as MachineGuid. This GUID is essential for ransomware execution because affiliates like LockBit and ALPHV bind encryption keys to these identifiers, ensuring decryption of files is only possible with attacker-controlled keys. ReliaQuest emphasized, “This isn’t just generic reconnaissance – it’s preparation for ransomware affiliates.”

- Advertisement -

These tactics represent a transition from broad phishing attempts toward targeted, stealthy attacks that abuse trusted signed processes, complicating detection and defense efforts.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

OpenAI Questions Merit of Apple’s Trade Secrets Suit

Apple accused OpenAI of targeting current and former employees to obtain confidential documents, designs,...

Senate to vote on crypto bill amid ethics corruption debate

The US Senate is expected to vote before August 10 on the CLARITY Act,...

IBM shares plummet 25% after earnings miss, worst drop in decades

IBM shares plunged up to 25% on Tuesday after missing Q2 earnings expectations, marking...

DeepMind CEO: AGI just years away, demands new US safety tests

Google DeepMind CEO Demis Hassabis predicts AGI will arrive within a few years, comparing...

Warsh: No Stablecoin Bailout, GENIUS Act Deadline Near

Federal Reserve Chair Kevin Warsh told lawmakers the central bank will not bail out...

Must Read

Best Metaverse Tokens to Buy on Binance for 10X Gains

Ever since Facebook renamed their company to Meta, as well as their plans to build a metaverse where we can travel into using Virtual...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading