Find notable cyber news and cases, enriched with sources, timelines, and signals.

Storm-0249 SentinelOne EDR abuse for stealthy malware execution

Malware Activity
First reported
Last updated
Happening score
H score 18
1 unique sources, 1 articles

Summary

Hide ▲

Storm-0249 is abusing SentinelOne EDR components and trusted Windows utilities to load malware, establish C2, and maintain persistence, increasing the risk that the activity will support future ransomware attacks. The operation uses ClickFix social engineering, in-memory PowerShell, and DLL sideloading to blend into normal endpoint activity. The result is stealthier malware execution that is harder for defenders to detect and block.

Related Happenings

Mistic backdoor deployment via ClickFix and DLL side-loading

Malware Activity
H score22 First: 25.06.2026 11:54 Last: 25.06.2026 11:54 Sources 1

About this happening: The **Mistic** backdoor is being used in **financially motivated attacks** against organizations across **insurance, education, IT, and professional services**, raising the risk o...

Major U.S. services company hit by ransomware attack linked to DragonForce

Incident
H score38 First: 16.06.2026 13:18 Last: 16.06.2026 13:18 Sources 1

About this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...

AI-assisted EDR-evasion malware development lab

Malware Activity
H score12 First: 02.06.2026 14:00 Last: 02.06.2026 14:00 Sources 1

About this happening: A threat actor is using **AI coding tools** to build and refine **EDR-evasion malware**, accelerating the creation of custom loaders that can bypass endpoint defenses. The lab tes...

Microsoft Defender for Endpoint automatic endpoint isolation preview

Security Tool/Service
H score10 First: 26.05.2026 15:19 Last: 26.05.2026 15:19 Sources 1

About this happening: Microsoft is previewing **automatic isolation** for compromised endpoints in **Defender for Endpoint**, reducing **lateral movement** risk on managed workstations. The capability...

Vidar infostealer market rise and distribution expansion

Malware Activity
H score30 First: 28.04.2026 22:07 Last: 28.04.2026 22:07 Sources 1

About this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...

Timeline

  1. 09.12.2025 17:24 2 articles · 7mo ago

    Storm-0249 SentinelOne EDR abuse

    Technical Analysis Update

    Storm-0249 abuses SentinelOne EDR components and trusted Microsoft Windows utilities to hide malicious activity, maintain persistence, and funnel encrypted HTTPS command-and-control traffic while preparing ransomware operations. The activity chain uses ClickFix social engineering, malicious curl commands in the Windows Run dialog, a spoofed Microsoft domain delivering PowerShell in memory, and SentinelAgentCore.dll sideloading through SentinelAgentWorker.exe to make the malicious code look like routine endpoint activity.

    Show sources