Storm-0249 shifts from initial access brokering to stealth ransomware-enablement tactics
Threat Actor Meta
Summary
Hide ▲
Show ▼
Storm-0249 is moving from initial access brokering to domain spoofing, DLL side-loading, and fileless PowerShell to support ransomware attacks. The shift matters because it increases the actor's ability to bypass defenses, maintain persistence, and operate undetected across enterprise networks.
Related Happenings
Microsoft Defender for Endpoint automatic endpoint isolation preview
Security Tool/Service
First: 26.05.2026 15:19
Last: 26.05.2026 15:19
Sources 1
About this happening:
Microsoft is previewing **automatic isolation** for compromised endpoints in **Defender for Endpoint**, reducing **lateral movement** risk on managed workstations. The capability...
Microsoft Defender for Endpoint automatic endpoint isolation preview
Security Tool/ServiceAbout this happening: Microsoft is previewing **automatic isolation** for compromised endpoints in **Defender for Endpoint**, reducing **lateral movement** risk on managed workstations. The capability...
Medusa ransomware post-compromise deployment
Malware Activity
First: 07.04.2026 09:35
Last: 07.04.2026 09:35
Sources 1
About this happening:
**Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...
Medusa ransomware post-compromise deployment
Malware ActivityAbout this happening: **Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...
Storm-1175 high-velocity zero-day and N-day intrusion campaign
Campaign
First: 07.04.2026 09:35
Last: 07.04.2026 09:35
Sources 1
About this happening:
**Storm-1175** is running a **high-velocity intrusion campaign** that chains **zero-day** and **N-day vulnerabilities** to gain initial access to exposed systems, raising the risk...
Storm-1175 high-velocity zero-day and N-day intrusion campaign
CampaignAbout this happening: **Storm-1175** is running a **high-velocity intrusion campaign** that chains **zero-day** and **N-day vulnerabilities** to gain initial access to exposed systems, raising the risk...
Storm-1175 high-velocity exploit campaign
Campaign
First: 06.04.2026 19:56
Last: 06.04.2026 19:56
Sources 1
About this happening:
**Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...
Storm-1175 high-velocity exploit campaign
CampaignAbout this happening: **Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...
2025 Ransomware trend toward built-in Windows tooling and lower ransom payment rates
Target Trend
First: 17.03.2026 23:41
Last: 17.03.2026 23:41
Sources 1
About this happening:
**Ransomware operators** are increasingly leaning on **built-in Windows tooling** while **ransom payment rates** continue to decline across **2025**, weakening extortion returns f...
2025 Ransomware trend toward built-in Windows tooling and lower ransom payment rates
Target TrendAbout this happening: **Ransomware operators** are increasingly leaning on **built-in Windows tooling** while **ransom payment rates** continue to decline across **2025**, weakening extortion returns f...
Timeline
-
09.12.2025 15:37 2 articles · 5mo ago
Storm-0249 shifts to stealth ransomware enablement
Technical Analysis UpdateStorm-0249 is assessed to be shifting from initial access brokering toward stealthier ransomware-enablement activity against enterprise networks, combining ClickFix social engineering, domain spoofing, fileless PowerShell execution, DLL sideloading, and living-off-the-land use of reg.exe and findstr.exe to collect MachineGuid under the trusted SentinelAgentWorker.exe process.
Show sources
- Storm-0249 Escalates Ransomware Attacks with ClickFix, Fileless PowerShell, and DLL Sideloading — thehackernews.com — 09.12.2025 15:37
- Storm-0249 Escalates Ransomware Attacks with ClickFix, Fileless PowerShell, and DLL Sideloading — thehackernews.com — 09.12.2025 15:37