BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Storm-0249 Shifts Tactics, Uses DLL Sideloading in Ransomware Attack

Storm-0249 Evolves Into Direct Ransomware Attacker Using Advanced Stealth and Persistence Techniques

  • The threat actor known as Storm-0249 is evolving from an initial access broker to a direct Ransomware attacker using advanced tactics.
  • It employs domain spoofing, DLL side-loading, and fileless PowerShell execution to bypass security defenses and maintain persistent access.
  • The group leverages social engineering methods like the ClickFix tactic and uses trusted Windows processes to avoid detection.
  • Storm-0249 extracts unique system identifiers such as MachineGuid to prepare for targeted ransomware encryption strategies.
  • These developments signal a shift toward precise, stealthy attacks to support ransomware affiliates such as LockBit and ALPHV.

The cyber threat group Storm-0249 is adopting new, sophisticated methods to conduct ransomware attacks as of December 2025. Previously recognized as an initial access broker providing network footholds to other cybercriminals, it now uses techniques including domain spoofing, DLL side-loading, and fileless PowerShell execution. These methods enable the group to infiltrate and persist in networks while evading detection. According to a ReliaQuest report shared with The Hacker News, this shift poses significant challenges for security teams.

- Advertisement -

Storm-0249, a name assigned by Microsoft, was first publicly identified in September 2024. It has facilitated access for ransomware and extortion groups like Storm-0501. In early 2025, Cybersecurity intelligence reported this group’s phishing campaigns targeted U.S. users with tax-themed messages, distributing malicious tools such as Latrodectus and the BruteRatel C4 (BRc4) post-exploitation framework.

The group now exploits the ClickFix social engineering tactic, convincing victims to execute malicious commands in the Windows Run dialog by posing as solving a technical problem. This method uses the legitimate Windows utility “curl.exe” to download a PowerShell script from a spoofed Microsoft-like domain (“sgcipl[.]com/us.microsoft.com/bdo/”). The PowerShell script then runs without leaving files on disk (fileless execution).

This attack results in installing a malicious MSI package that runs with SYSTEM privileges. It drops a trojanized DLL named “SentinelAgentCore.dll” alongside the legitimate “SentinelAgentWorker.exe” process of SentinelOne’s endpoint security software into the user’s AppData folder. When “SentinelAgentWorker.exe” runs, it loads the rogue DLL, enabling encrypted communication with a command-and-control (C2) server while remaining undetected.

Further, Storm-0249 uses legitimate Windows command-line tools like reg.exe and findstr.exe to retrieve unique system identifiers such as MachineGuid. This GUID is essential for ransomware execution because affiliates like LockBit and ALPHV bind encryption keys to these identifiers, ensuring decryption of files is only possible with attacker-controlled keys. ReliaQuest emphasized, “This isn’t just generic reconnaissance – it’s preparation for ransomware affiliates.”

- Advertisement -

These tactics represent a transition from broad phishing attempts toward targeted, stealthy attacks that abuse trusted signed processes, complicating detection and defense efforts.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Saylor’s ‘Orange Dots’ Signal Fails to Clarify Bitcoin Strategy

Strategy founder Michael Saylor posted a cryptic signal on Sunday, prompting analysts to call...

Crypto’s $2T Crash Awaits BlackRock Shock & FOMO

Bitcoin has stabilized near $60,000 after a downturn erased $2 trillion from the crypto...

Cambridge: Ethereum Energy Intensity Low, Overall Use High

Ethereum consumes roughly 7.87 GWh annually, the second-lowest energy intensity per market value among...

Saylor and Back oppose BIP-110 fork over Bitcoin security fears

Michael Saylor and Adam Back have publicly opposed BIP-110, a temporary Bitcoin fork proposal...

China, India groups target Pakistani police in cyber espionage

Suspected China- and India-aligned threat actors targeted Pakistani law enforcement in a sustained cyber...

Must Read

7 Best Crypto To Invest In This Year

Investing in cryptocurrencies has become a popular way for people to diversify their investment portfolio and make potential profits.However, with so many cryptocurrencies available...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading