Storm-0501
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:13
- Updated at: 27/03/2026 01:13
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 1 report, 56 attack patterns (MITRE), 6 malware, 3 sectors, 1 country, 10 indicators, 4 vulnerabilities (CVE), 6 tools
Description
Marking (TLP): TLP:CLEAR. Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (1)
- 4 CVEs, 20 MITRE attack patterns, 5 malware, 14 observables, 1 APT. Published 30/09/2024 10:37 · Modified 30/09/2024 10:48
Attack patterns (MITRE) (56)
- Financial Theft (uses)
- T1552.004: Private Keys (uses)
- T1518.001: Security Software Discovery (uses)
- T1530: Data from Cloud Storage (uses)
- T1070: Indicator Removal (uses)
- Trust Modification (uses)
- Cloud API (uses)
- T1098: Account Manipulation (uses)
- T1218.011: Rundll32 (uses)
- T1078: Valid Accounts (uses)
- T1486: Data Encrypted for Impact (uses)
- T1087: Account Discovery (uses)
- T1087.004: Cloud Account (uses)
- T1053.005: Scheduled Task (uses)
- T1027.002: Software Packing (uses)
- T1567.002: Exfiltration to Cloud Storage (uses)
- T1555.005: Password Managers (uses)
- Cloud Services (uses)
- T1580
- T1036.004: Masquerade Task or Service (uses)
- T1003.006: DCSync (uses)
- T1059: Command and Scripting Interpreter (uses)
- T1566: Phishing (uses)
- T1490: Inhibit System Recovery (uses)
- T1003: OS Credential Dumping (uses)
- T1543: Create or Modify System Process (uses)
- T1133: External Remote Services (uses)
- T1537: Transfer Data to Cloud Account (uses)
- T1518: Software Discovery (uses)
- T1082: System Information Discovery (uses)
- T1055: Process Injection (uses)
- T1578.003
- T1021: Remote Services (uses)
- T1588.006: Vulnerabilities (uses)
- T1190: Exploit Public-Facing Application (uses)
- T1110: Brute Force (uses)
- T1587.003: Digital Certificates (uses)
- T1057: Process Discovery (uses)
- T1218.010: Regsvr32 (uses)
- T1098.003
- T1021.006: Windows Remote Management (uses)
- T1482: Domain Trust Discovery (uses)
- T1484.001: Group Policy Modification (uses)
- T1550: Use Alternate Authentication Material (uses)
- T1078.004: Cloud Accounts (uses)
- T1068: Exploitation for Privilege Escalation (uses)
- T1098.001: Additional Cloud Credentials (uses)
- T1526: Cloud Service Discovery (uses)
- T1059.001: PowerShell (uses)
- T1087.002: Domain Account (uses)
- T1485: Data Destruction (uses)
- T1083: File and Directory Discovery (uses)
Malware (6)
- Rclone (uses, family). Published 11/05/2026 16:15 · Modified 11/05/2026 16:15
- AADInternals (uses, family). Published 30/09/2024 10:37 · Modified 30/09/2024 10:37
- AlienVault, confidence 100. First seen 01/01/1970 · Last seen 16/11/5138. Published 20/12/2025 19:39 · Modified 27/05/2026 21:40
- Impacket (uses, family). Published 30/04/2026 10:11 · Modified 30/04/2026 10:11
- Embargo (uses, family). Published 30/09/2024 10:37 · Modified 30/09/2024 10:37
- Cobalt Strike (uses, family). Published 16/12/2024 14:25 · Modified 16/12/2024 14:25
Sectors (3)
- Manufacturing (targets)
- Government (targets)
- Transportation (targets)
Countries (1)
- United States of America (targets)
Indicators (10)
Vulnerabilities (CVE) (4)
- Multiple Zoho ManageEngine products contain an unauthenticated remote code execution vulnerability due to the usage of an outdated third-party dependency, Apache Santuario.
  - Attack vector: Network
  - Published: 23/01/2023
  - Modified: 20/12/2025
- Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for code execution.
  - Attack vector: Network
  - Published: 08/01/2024
  - Modified: 21/12/2025
- Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for code execution.
  - Attack vector: Network
  - Published: 08/01/2024
  - Modified: 21/12/2025
- Citrix NetScaler ADC and NetScaler Gateway contain a buffer overflow vulnerability that allows for sensitive information disclosure when configured as a Gateway …
  - Attack vector: Network
  - Published: 18/10/2023
  - Modified: 21/12/2025
Tools (6)
- AADInternals (uses) · The MITRE Corporation · Confidence 100
  [AADInternals](https://attack.mitre.org/software/S0677) is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.(Citation: AADInternals Github)(Citation: AADInternals Documentation)
  Published 01/02/2022 16:08 · Modified 27/03/2026 01:07
- Tasklist (uses) · The MITRE Corporation · Confidence 100
  The [Tasklist](https://attack.mitre.org/software/S0057) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It …
  Published 31/05/2017 23:32 · Modified 27/03/2026 01:07
- Net (uses) · The MITRE Corporation · Confidence 100
  The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft …
  Published 31/05/2017 23:32 · Modified 27/03/2026 01:07
- Impacket (uses) · The MITRE Corporation · Confidence 100
  [Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation, …
  Published 31/01/2019 02:39 · Modified 27/03/2026 01:07
- Nltest (uses) · The MITRE Corporation · Confidence 100
  [Nltest](https://attack.mitre.org/software/S0359) is a Windows command-line utility used to list domain controllers and enumerate domain trusts.(Citation: Nltest Manual)
  Published 14/02/2019 18:08 · Modified 27/03/2026 01:07
- Rclone (uses) · The MITRE Corporation · Confidence 100
  [Rclone](https://attack.mitre.org/software/S1040) is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. [Rclone](https://attack.mitre.org/software/S1040) has been used in a …
  Published 30/08/2022 15:02 · Modified 27/03/2026 01:07