The threat actor known as Storm-0249 appears to be reinventing itself. Once known mainly as an initial access broker, the group is now leaning into more advanced techniques, domain spoofing, DLL sideloading, and fileless PowerShell execution to push ransomware deeper into corporate networks.
According to a new analysis from ReliaQuest, these upgraded tactics make Storm-0249 far harder to spot. They help the group move quietly, maintain access, and keep security teams guessing while they prepare the ground for larger attacks.
Storm-0249 was first described by Microsoft in late 2024 as a broker selling access to compromised networks. Its customers included high-profile ransomware and extortion crews, such as Storm-0501. Earlier this year, Microsoft also linked the group to a phishing operation that used U.S. tax-themed lures to deliver malware strains like Latrodectus and Brute Ratel C4 tools designed specifically for post-exploitation work.
The goal in those earlier campaigns was straightforward: stay inside an enterprise long enough to sell access to ransomware groups who want a fast, reliable way into their victims.
ReliaQuest’s latest findings suggest the group is now taking a more hands-on approach.
Upgraded Social Engineering
Instead of broad phishing waves, Storm-0249 has begun using ClickFix, a social-engineering trick that prompts a victim to run what appears to be a harmless command in the Windows Run dialog. The victim thinks they’re fixing a software issue; in reality, they’re launching the attacker’s initial payload.
In this case, the command calls curl.exe a perfectly legitimate Windows tool to download a PowerShell script from a URL disguised to look like a Microsoft domain:
sgcipl[.]com/us.microsoft.com/bdo/
The downloaded script runs filelessly, meaning nothing obvious lands on disk. That makes it much harder for antivirus tools to flag.
The script then triggers a malicious MSI installer that runs with SYSTEM-level privileges. Once installed, it places a tampered SentinelOne DLL (SentinelAgentCore.dll) and a legitimate SentinelAgentWorker.exe in the victim’s AppData folder. When the real executable runs, it quietly sideloads the trojanized DLL instead of SentinelOne’s actual component.
From there, the rogue DLL sets up encrypted communication with a command-and-control server.
Blending In With Windows
Storm-0249 doesn’t stop with stealthy delivery. The group also uses standard Windows administration tools, reg.exe, findstr.exe, and others to pull system identifiers like MachineGuid. These details are used to prepare systems for ransomware deployment, and because the commands run under the trusted SentinelOne process, most security tools simply don’t question them.
ReliaQuest points out that this marks a noticeable shift: the group is relying less on high-volume phishing and more on precision intrusions that take advantage of trust in signed processes and well-known security products.
Preparing for Ransomware Affiliates
The reconnaissance step isn’t random. MachineGuid, for example, is a critical value for many ransomware crews. Groups like LockBit and ALPHV use it to bind encryption keys to individual systems. That binding ensures that even if defenders manage to get their hands on the ransomware binary or reverse-engineer the encryption routine, they still can’t decrypt the victim’s files without the attacker’s private key.
In other words, Storm-0249 isn’t just stealing access anymore, it’s building a cleaner, more reliable pipeline straight into ransomware operations.
Source: The Hacker News