Threat Spotlight: Storm-0249 Moves from Mass Phishing to Precision EDR Exploitation
Essential information
- Published
- 10/12/2025 09:17
- Modified
- 21/12/2025 18:53
- Tags
- 2025-12-10 dll sideloading domain spoofing edr exploitation fileless execution initial access broker ransomware stealth tactics
- Related entities
- 3 observables, 1 intrusion sets (apt), 8 techniques (mitre), 3 others
Description
Storm-0249, a seasoned initial access broker, has evolved from mass phishing to sophisticated post-exploitation tactics. The group now abuses legitimate Endpoint Detection and Response processes, particularly SentinelOne's SentinelAgentWorker.exe, through DLL sideloading. This allows them to conceal malicious activity as routine operations, bypass defenses, and maintain persistence. Their new tactics include Microsoft domain spoofing, curl-to-PowerShell piping, and fileless execution. Storm-0249's ability to weaponize trusted processes and conduct stealthy reconnaissance poses significant challenges for security teams. The group's evolution represents a broader trend in the ransomware-as-a-service ecosystem, lowering the technical barrier for attackers and accelerating the spread of ransomware across sectors.