
Storm-2949

Also known as: Storm-2949

Storm-2949 is a threat actor tracked by Microsoft Threat Intelligence that conducts methodical, multi-layered intrusions focused on Microsoft 365, Microsoft Entra ID, and Azure cloud control planes, with the apparent objective of exfiltrating sensitive data from high-value assets. Reporting describes the actor targeting privileged users, including IT personnel and senior leadership, using social engineering such as fake help-desk interactions and a technical-interview pretext to drive MFA fatigue and to abuse Microsoft Self-Service Password Reset (SSPR). After account takeover, the actor removes existing authentication methods, re-registers MFA on attacker-controlled Microsoft Authenticator devices, and uses the Microsoft Graph API and custom Python scripts to enumerate users, roles, applications, and privileged custom Azure RBAC roles. Post-compromise, Storm-2949 is described as abusing legitimate administrative features across SaaS, PaaS, and IaaS environments rather than relying primarily on custom malware. Reported activity includes: exfiltration of files from OneDrive and SharePoint, especially VPN and remote-access documentation; retrieval of Azure App Service publishing profiles via microsoft.Web/sites/publishxml/action to gain FTP, Web Deploy, and Kudu access; rapid manipulation of Azure Key Vault access to obtain secrets such as database connection strings and identity credentials; modification of Azure SQL firewall rules for direct database access, followed by deletion of those rules; abuse of storage-account write and listkeys permissions to enable blob exfiltration and generate SAS-related access; and use of Azure VMAccess and Run Command to create rogue local administrator accounts, execute PowerShell, attempt to disable Microsoft Defender protections, and deploy ScreenConnect.
Reporting also states that Storm-2949 used legitimate remote management tools, including ConnectWise ScreenConnect and Syncro/Servably, for persistence and remote access, and that Microsoft identified attacker infrastructure including 176.123.4[.]44, 91.208.197[.]87, and a ScreenConnect instance at 185.241.208[.]243:9090. No additional aliases or sub-groups beyond Storm-2949 are directly supported in the provided content.
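The control-plane actions described above leave Azure Activity Log entries, so a defender can flag them from the log alone. The following is an added example, not code from the page or from Microsoft's reporting: it scans constructed, simplified Activity Log records for the publishing-profile retrieval and related operations and pairs an Azure SQL firewall rule write with its deletion by the same caller. The operation names other than microsoft.Web/sites/publishxml/action are assumptions based on Azure resource-provider naming.

```python
"""Flag the Azure control-plane actions described above in Activity Log records."""
from datetime import datetime, timedelta

# Operations the reporting ties to Storm-2949 after account takeover (lower-cased for matching).
# All names except microsoft.web/sites/publishxml/action are assumed from Azure provider naming.
HIGH_RISK_OPS = {
    "microsoft.web/sites/publishxml/action": "App Service publishing profile retrieved",
    "microsoft.storage/storageaccounts/listkeys/action": "Storage account keys listed",
    "microsoft.keyvault/vaults/accesspolicies/write": "Key Vault access policy changed",
    "microsoft.compute/virtualmachines/runcommand/action": "VM Run Command executed",
}
SQL_FW_WRITE = "microsoft.sql/servers/firewallrules/write"
SQL_FW_DELETE = "microsoft.sql/servers/firewallrules/delete"

def find_suspicious(records, fw_window=timedelta(hours=1)):
    """Return (time, caller, finding) tuples in time order. Besides single high-risk
    operations, pair an Azure SQL firewall rule write with a delete by the same caller
    on the same rule within fw_window: the short-lived rule is the reported pattern."""
    findings, pending = [], {}  # pending: (caller, resource) -> time the rule was written
    for r in sorted(records, key=lambda r: r["time"]):  # ISO timestamps sort lexically
        when, who, res = datetime.fromisoformat(r["time"]), r["caller"], r["resource"]
        op = r["operationName"].lower()
        if op in HIGH_RISK_OPS:
            findings.append((when, who, f"{HIGH_RISK_OPS[op]}: {res}"))
        elif op == SQL_FW_WRITE:
            pending[(who, res)] = when
        elif op == SQL_FW_DELETE:
            created = pending.pop((who, res), None)
            if created is not None and when - created <= fw_window:
                mins = int((when - created).total_seconds() // 60)
                findings.append((when, who, f"SQL firewall rule lived {mins} min: {res}"))
    return findings

# Constructed sample records, not real telemetry; deliberately out of time order.
SAMPLE = [
    {"time": "2026-05-01T09:05:00", "caller": "admin@contoso.example",
     "operationName": "Microsoft.Sql/servers/firewallRules/write", "resource": "sql01/firewallRules/tmp"},
    {"time": "2026-05-01T09:00:00", "caller": "admin@contoso.example",
     "operationName": "Microsoft.Web/sites/publishxml/action", "resource": "sites/webapp01"},
    {"time": "2026-05-01T09:30:00", "caller": "admin@contoso.example",
     "operationName": "Microsoft.Sql/servers/firewallRules/delete", "resource": "sql01/firewallRules/tmp"},
    {"time": "2026-05-01T09:10:00", "caller": "admin@contoso.example",
     "operationName": "Microsoft.Storage/storageAccounts/listKeys/action", "resource": "storageAccounts/st01"},
    {"time": "2026-05-01T10:00:00", "caller": "dba@contoso.example",  # rule never deleted: no finding
     "operationName": "Microsoft.Sql/servers/firewallRules/write", "resource": "sql01/firewallRules/office"},
]

if __name__ == "__main__":
    for when, who, what in find_suspicious(SAMPLE):
        print(when.isoformat(), who, what)
```

On the sample, the three findings all belong to the same caller within thirty minutes, which is the kind of clustering worth alerting on rather than any single operation.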


MITRE ATT&CK

Tradecraft

42 distinct techniques observed across reporting, grouped by tactic.

12 of 15 tactics; 53 techniques. ×N = number of intelligence reports citing this technique.
TA0001 Initial Access (1 technique)
  T1078 Valid Accounts (×3)
    T1078.004 Cloud Accounts
TA0002 Execution (2 techniques)
  T1059 Command and Scripting Interpreter
    T1059.001 PowerShell (×2)
  T1648 Serverless Execution
TA0003 Persistence (4 techniques)
  T1078 Valid Accounts (×3)
    T1078.004 Cloud Accounts
  T1098 Account Manipulation
    T1098.001 Additional Cloud Credentials
    T1098.005 Device Registration
  T1136 Create Account (×2)
    T1136.001 Local Account
    T1136.003 Cloud Account
  T1556 Modify Authentication Process (×3)
    T1556.006 Multi-Factor Authentication
TA0004 Privilege Escalation (3 techniques)
  T1078 Valid Accounts (×3)
    T1078.004 Cloud Accounts
  T1098 Account Manipulation
    T1098.001 Additional Cloud Credentials
    T1098.005 Device Registration
  T1548 Abuse Elevation Control Mechanism
TA0005 Stealth (3 techniques)
  T1036 Masquerading
  T1070 Indicator Removal (×2)
    T1070.001 Clear Windows Event Logs (×2)
  T1078 Valid Accounts (×3)
    T1078.004 Cloud Accounts
TA0112 Defense Impairment (2 techniques)
  T1556 Modify Authentication Process (×3)
    T1556.006 Multi-Factor Authentication
  T1578 Modify Cloud Compute Infrastructure
    T1578.004 Revert Cloud Instance
TA0006 Credential Access (6 techniques)
  T1528 Steal Application Access Token
  T1552 Unsecured Credentials (×2)
    T1552.001 Credentials In Files
  T1555 Credentials from Password Stores (×2)
  T1556 Modify Authentication Process (×3)
    T1556.006 Multi-Factor Authentication
  T1621 Multi-Factor Authentication Request Generation (×4)
  T1649 Steal or Forge Authentication Certificates (×2)
TA0007 Discovery (5 techniques)
  T1069 Permission Groups Discovery (×2)
  T1082 System Information Discovery
  T1087 Account Discovery
    T1087.004 Cloud Account
  T1482 Domain Trust Discovery
  T1526 Cloud Service Discovery (×3)
TA0008 Lateral Movement (2 techniques)
  T1021 Remote Services
    T1021.007 Cloud Services
  T1570 Lateral Tool Transfer
TA0009 Collection (2 techniques)
  T1119 Automated Collection
  T1530 Data from Cloud Storage (×3)
TA0011 Command and Control (1 technique)
  T1219 Remote Access Tools (×2)
TA0010 Exfiltration (2 techniques)
  T1041 Exfiltration Over C2 Channel
  T1567 Exfiltration Over Web Service
    T1567.002 Exfiltration to Cloud Storage (×2)
IOCs

Observables

11 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

security online info (News)
May 22, 2026
Storm-2949 Hijacks Azure Identity and Key Vaults in Catastrophic Cloud Campaign

Conducted a cloud control-plane intrusion campaign centered on identity compromise, targeting enterprise administrative infrastructure across SaaS, PaaS, and IaaS. The group used social engineering and abuse of Microsoft Self-Service Password Reset to hijack accounts, establish persistence through attacker-controlled Microsoft Authenticator enrollment, enumerate Azure RBAC roles, access OneDrive and SharePoint data, compromise Azure App Service and Key Vault, manipulate Azure SQL and Storage firewall/access settings for exfiltration, and use VM management features to add backdoor admin access and disable defenses.

scworld (News)
May 20, 2026
Storm-2949 actor targets Microsoft 365 and Azure environments | brief | SC Media

Targets Microsoft 365 and Azure environments to exfiltrate sensitive data from high-value assets by abusing legitimate cloud applications, identity workflows, and administrative features.

cyber security news (News)
May 19, 2026
Hackers Abuse Microsoft Entra ID Accounts to Exfiltrate Microsoft 365 and Azure Data

Associated in the content with a supply chain attack involving a compromised Nx Console VS Code extension that stole developer credentials, cloud tokens, and CI/CD secrets, and established persistence via a Python backdoor and sudoers modification.

reddit netsec (News)
May 19, 2026
How Storm-2949 turned a compromised identity into a cloud-wide breach : r/netsec

Associated with a cloud-focused intrusion in which a compromised identity was leveraged to enable a broader cloud-wide breach.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping (42)

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (3)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables (11)

Domains, IPs, and hashes tied to this actor, refreshed continuously.