Storm-0506
Storm-0506 is a Microsoft-tracked, financially motivated ransomware operator associated with Black Basta ransomware deployment. Microsoft observed Storm-0506 in intrusions that culminated in Black Basta deployment, including a North American engineering firm where initial access was obtained via Qakbot, followed by exploitation of CVE-2023-28252 for privilege escalation, use of Cobalt Strike and Pypykatz to steal domain administrator credentials, lateral movement to domain controllers, persistence via custom tools and SystemBC, attempted RDP brute forcing, and use of PsExec to encrypt non-ESXi devices. Microsoft also observed Storm-0506 exploiting CVE-2024-37085 on domain-joined VMware ESXi environments by creating the "ESX Admins" Active Directory group and adding a user to obtain full administrative access, enabling ESXi filesystem encryption and disruption of hosted virtual machines. Microsoft reported that this post-compromise technique has led to Akira and Black Basta ransomware deployments by Storm-0506 and other ransomware operators. Storm-0506 has also been linked to handoffs from access broker Storm-0569; in one observed case, Storm-0569’s BATLOADER infection chain led to Cobalt Strike Beacon deployment, Rclone data exfiltration, and subsequent Black Basta ransomware deployment by Storm-0506. One mention context also states Storm-0506 targeted enterprise collaboration tools in past espionage campaigns, but the supporting content primarily characterizes the actor as a ransomware operator. Known alias in the provided content: storm_0506.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- engineering
Associated malware families
11 malware families attributed to this actor across reporting.
6 additional families tracked in Mallory.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Activity cluster observed using CVE-2024-37085 in an ESXi/AD context to enable deployment of Black Basta ransomware.
Cited as a possible actor based on historical TTPs; previously associated (per the article) with targeting enterprise collaboration tools in espionage-oriented activity, and potentially relevant to SharePoint exploitation of CVE-2025-53770.
Storm-0506 is involved in ransomware campaigns exploiting VMware ESXi authentication bypass vulnerabilities to deploy Akira and Black Basta ransomware, leading to data theft and operational disruption.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.