1 malware family

Storm-0426

Also known asStorm-0426

Storm-0426 is a Microsoft-tracked threat cluster associated with large-scale phishing activity using the ClickFix social engineering methodology. Microsoft observed the actor in March 2025 launching a phishing campaign targeting users in Germany and attempting to install MintsLoader. The emails used payment and invoice lures and redirected victims through the Prometheus traffic direction system hosted on compromised sites to mein-lonos-cloude[.]de. Microsoft also included Storm-0426 among threat clusters that have conducted large-scale phishing and malvertising campaigns utilizing ClickFix. ClickFix activity associated with this cluster involves fake verification or error-repair prompts that trick users into manually executing malicious commands, typically via the Windows Run dialog, Windows Terminal, or PowerShell, to deliver malware. No additional aliases or sub-groups were provided in the content beyond Storm-0426 / storm_0426.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

🇩🇪 Germany

MITRE ATT&CK

Tradecraft

5 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

4 of 15 tactics6 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

1 technique

T1566

Phishing

TA0002

Execution

2 techniques

T1059

Command and Scripting Interpreter

T1059.001

PowerShell

T1204

User Execution

TA0005

Stealth

1 technique

T1036

Masquerading

TA0011

Command and Control

1 technique

T1105

Ingress Tool Transfer

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen

MintsLoaderLoaders like Latrodectus and MintsLoader, which could deliver additional malware and other payloads1Mar 8, 2026

IOCS

Observables

2 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

2 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

rescana blogNews

Jan 28, 2026

ClickFix Malware Attacks Targeting Microsoft Windows: Fake CAPTCHAs, Signed Scripts, and Trusted Web Service Exploitation

Microsoft-tracked threat cluster conducting large-scale phishing/malvertising campaigns using the ClickFix methodology.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping5

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables2

Domains, IPs, and hashes tied to this actor, refreshed continuously.