2 malware families

Storm-1607

Also known asStorm-1607

Storm-1607 is a Microsoft-tracked, financially motivated threat cluster associated with large-scale phishing campaigns and use of the ClickFix social engineering technique. Microsoft first observed Storm-1607 using ClickFix between March and June 2024 in email campaigns that used HTML attachments to attempt installation of the DarkGate loader. One observed campaign in May 2024 sent tens of thousands of payment- and invoice-themed phishing emails targeting organizations in the United States and Canada. Microsoft also lists Storm-1607 among threat clusters that have conducted large-scale phishing and malvertising campaigns utilizing ClickFix methodology. In addition, Microsoft observed Storm-1607 using Lumma Stealer in campaigns, alongside other ransomware-associated actors such as Octo Tempest, Storm-1113, and Storm-1674. Based on the provided content, Storm-1607 is linked to phishing, malvertising, HTML attachment delivery, ClickFix lures that induce users to execute malicious commands, and payload delivery including DarkGate and Lumma Stealer.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

🇺🇸 United States
🇨🇦 Canada

MITRE ATT&CK

Tradecraft

10 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

6 of 15 tactics13 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0042

Resource Development

1 technique

T1583

Acquire Infrastructure

T1583.001

Domains

TA0001

Initial Access

1 technique

T1566×2

Phishing

TA0002

Execution

2 techniques

T1059

Command and Scripting Interpreter

T1059.001

PowerShell

T1204

User Execution

T1204.001

Malicious Link

T1204.002

Malicious File

TA0006

Credential Access

2 techniques

T1552

Unsecured Credentials

T1552.004

Private Keys

T1555

Credentials from Password Stores

TA0009

Collection

1 technique

T1115

Clipboard Data

TA0011

Command and Control

1 technique

T1105

Ingress Tool Transfer

ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

DarkGateThese emails contained HTML attachments that attempted to install DarkGate, a commodity loader that is capable of keylogging, cryptocurrency mining, establishing C2 communications, and downloading additional malicious payloads, among others.1Apr 15, 2026

Lumma StealerBitdefender reports a surge in LummaStealer activity, showing the MaaS infostealer rebounded after 2025 law enforcement disruption... Lumma Stealer is a Malware-as-a-Service (MaaS) infostealer designed to steal sensitive data like passwords, credit card info, and crypto wallet keys.1Mar 8, 2026

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

security affairsNews

Feb 12, 2026

LummaStealer activity spikes post-law enforcement disruption

Microsoft-tracked activity cluster described as a ransomware group that has used LummaStealer in campaigns.

rescana blogNews

Jan 28, 2026

ClickFix Malware Attacks Targeting Microsoft Windows: Fake CAPTCHAs, Signed Scripts, and Trusted Web Service Exploitation

Microsoft-tracked threat cluster conducting large-scale phishing/malvertising campaigns using the ClickFix methodology (fake verification/CAPTCHA leading to user-executed commands and multi-stage payload delivery).

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping10

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.