Storm-0249 SentinelOne EDR abuse for stealthy malware execution
Malware Activity
Summary
Hide ▲
Show ▼
Storm-0249 is abusing SentinelOne EDR components and trusted Windows utilities to load malware, establish C2, and maintain persistence, increasing the risk that the activity will support future ransomware attacks. The operation uses ClickFix social engineering, in-memory PowerShell, and DLL sideloading to blend into normal endpoint activity. The result is stealthier malware execution that is harder for defenders to detect and block.
Related Happenings
Mistic backdoor deployment via ClickFix and DLL side-loading
Malware Activity
H score22
First: 25.06.2026 11:54
Last: 25.06.2026 11:54
Sources 1
About this happening:
The **Mistic** backdoor is being used in **financially motivated attacks** against organizations across **insurance, education, IT, and professional services**, raising the risk o...
Mistic backdoor deployment via ClickFix and DLL side-loading
Malware ActivityAbout this happening: The **Mistic** backdoor is being used in **financially motivated attacks** against organizations across **insurance, education, IT, and professional services**, raising the risk o...
Major U.S. services company hit by ransomware attack linked to DragonForce
Incident
H score38
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
Major U.S. services company hit by ransomware attack linked to DragonForce
IncidentAbout this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
AI-assisted EDR-evasion malware development lab
Malware Activity
H score12
First: 02.06.2026 14:00
Last: 02.06.2026 14:00
Sources 1
About this happening:
A threat actor is using **AI coding tools** to build and refine **EDR-evasion malware**, accelerating the creation of custom loaders that can bypass endpoint defenses. The lab tes...
AI-assisted EDR-evasion malware development lab
Malware ActivityAbout this happening: A threat actor is using **AI coding tools** to build and refine **EDR-evasion malware**, accelerating the creation of custom loaders that can bypass endpoint defenses. The lab tes...
Microsoft Defender for Endpoint automatic endpoint isolation preview
Security Tool/Service
H score10
First: 26.05.2026 15:19
Last: 26.05.2026 15:19
Sources 1
About this happening:
Microsoft is previewing **automatic isolation** for compromised endpoints in **Defender for Endpoint**, reducing **lateral movement** risk on managed workstations. The capability...
Microsoft Defender for Endpoint automatic endpoint isolation preview
Security Tool/ServiceAbout this happening: Microsoft is previewing **automatic isolation** for compromised endpoints in **Defender for Endpoint**, reducing **lateral movement** risk on managed workstations. The capability...
Vidar infostealer market rise and distribution expansion
Malware Activity
H score30
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Vidar infostealer market rise and distribution expansion
Malware ActivityAbout this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Timeline
-
09.12.2025 17:24 2 articles · 7mo ago
Storm-0249 SentinelOne EDR abuse
Technical Analysis UpdateStorm-0249 abuses SentinelOne EDR components and trusted Microsoft Windows utilities to hide malicious activity, maintain persistence, and funnel encrypted HTTPS command-and-control traffic while preparing ransomware operations. The activity chain uses ClickFix social engineering, malicious curl commands in the Windows Run dialog, a spoofed Microsoft domain delivering PowerShell in memory, and SentinelAgentCore.dll sideloading through SentinelAgentWorker.exe to make the malicious code look like routine endpoint activity.
Show sources
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24
- Ransomware IAB abuses EDR for stealthy malware execution — www.bleepingcomputer.com — 09.12.2025 17:24