Find notable cyber news and cases, enriched with sources, timelines, and signals.

Storm-0249 tax-themed phishing campaign targeting U.S. users

Campaign
First reported
Last updated
Happening score
H score 29
1 unique sources, 1 articles

Summary

Hide ▲

Storm-0249 ran a tax-themed phishing campaign against U.S. users ahead of the tax filing season, expanding access opportunities for downstream abuse. The operation delivered Latrodectus and BruteRatel C4 (BRc4), giving the actor a post-exploitation foothold. It matters because the resulting access can be monetized and passed on to ransomware gangs.

Related Happenings

DragonForce / Hackledorb pivots from RaaS to a formalized cartel structure

Threat Actor Meta
H score26 First: 18.06.2026 16:30 Last: 18.06.2026 16:30 Sources 1

About this happening: **Hackledorb** has **pivoted DragonForce** from a conventional **ransomware-as-a-service (RaaS)** model into a **formalized cartel structure**, signaling a more organized and dura...

FBI-led takedown of W3LL phishing network

Law Enforcement
H score33 First: 13.04.2026 13:35 Last: 13.04.2026 13:35 Sources 1

About this happening: **FBI Atlanta** and **US and Indonesian law enforcement** took down the **W3LL** phishing network, escalating a cross-border cybercrime case tied to **more than $20 million in fra...

Storm-1175 high-velocity exploit campaign

Campaign
H score59 First: 06.04.2026 19:56 Last: 06.04.2026 19:56 Sources 1

About this happening: **Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...

OAuth device-code phishing campaign targeting SaaS accounts

Campaign
H score43 First: 04.04.2026 17:17 Last: 04.04.2026 17:17 Sources 1

About this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...

Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations

Threat Actor Meta
H score82 First: 05.03.2026 08:51 Last: 05.03.2026 08:51 Sources 1

About this happening: **Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....

Latest development: 17.05.2026 17:43

eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.

Timeline

  1. 09.12.2025 15:37 2 articles · 7mo ago

    Storm-0249 shifts from phishing access brokerage to ransomware-enablement tactics

    Campaign Scope Update

    Storm-0249, identified by Microsoft as an initial access broker, was tied to a tax-themed phishing campaign against users in the U.S. ahead of the tax filing season that delivered Latrodectus and BruteRatel C4 (BRc4), while newer ReliaQuest findings described a shift toward ClickFix, domain spoofing, fileless PowerShell, DLL sideloading, and Windows utilities such as reg.exe and findstr.exe to collect MachineGuid for follow-on ransomware activity.

    Show sources