Storm-0501 opportunistic cloud extortion campaign
Campaign
Summary
Storm-0501 is running an opportunistic cloud extortion campaign that has affected multiple organizations across sectors, widening risk for hybrid-cloud tenants. The group uses stolen credentials, DCSync, and privilege escalation to move from on-premises systems into cloud identities and resources. It then exfiltrates data, destroys backups, and mass-deletes Azure resources to pressure victims into paying. The latest wave shows the operation adapting beyond a single sector while preserving a repeatable cloud-ransomware playbook.
Related Happenings
SonicWall MySonicWall cloud backup breach exposing firewall backup files
Data Leak
First: 29.01.2026 19:57
Last: 29.01.2026 19:57
Sources 1
About this happening:
**SonicWall** said a **state-sponsored threat actor** stole **firewall configuration backup files** from its **MySonicWall cloud backup service** in a **September** security breac...
Storm-0249 shifts from initial access brokering to stealth ransomware-enablement tactics
Threat Actor Meta
First: 09.12.2025 15:37
Last: 09.12.2025 15:37
Sources 1
About this happening:
**Storm-0249** is moving from **initial access brokering** to **domain spoofing**, **DLL side-loading**, and **fileless PowerShell** to support **ransomware attacks**. The shift m...
Kraken ransomware HelloKitty-linked double-extortion campaign
Campaign
First: 14.11.2025 00:53
Last: 14.11.2025 00:53
Sources 1
About this happening:
**Kraken ransomware** is an active **double-extortion** campaign linked to the **HelloKitty** ecosystem and observed in **August 2025** using **SMB exploitation**, **Cloudflare**...
Cloud identity weakness is driving a surge in cloud attacks
Target Trend
First: 04.11.2025 15:00
Last: 04.11.2025 15:00
Sources 1
About this happening:
**Identity-related weakness** is now a major driver of **cloud attacks**, raising compromise risk across organizations with large identity footprints. In **Q3 2025**, **44%** of t...
AWS and Microsoft cloud outages disrupt websites and business apps
Service Disruption
First: 30.10.2025 16:21
Last: 30.10.2025 16:21
Sources 1
About this happening:
A **multi-hour cloud outage** on **Oct. 19 and Wednesday** disrupted websites, online services, and critical business applications across **AWS** and **Microsoft** environments. T...
Timeline
- 27.08.2025 22:04 · 1 article
Storm-0501 opportunistic cloud extortion campaign against Azure and Entra ID
Technical Analysis Update
Storm-0501 is refining a cloud extortion playbook against multiple organizations by using stolen credentials, access-broker footholds, DCSync, privilege escalation, lateral movement, Entra ID and Entra Connect abuse, and Azure Portal access to exfiltrate data, destroy backups, mass-delete Azure resources, and demand ransom over Microsoft Teams. Microsoft has also responded with an Entra ID change to block Directory Synchronization Account abuse and updates to Microsoft Entra Connect 2.5.3.0 for Modern Authentication.
Sources
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04