216.73.216.86

Threat Spotlight: Storm-0249 Moves from Mass Phishing to Precision EDR Exploitation

· Published 10/12/2025 09:17 · Modified 21/12/2025 18:53

Export JSON

Essential information

Published
10/12/2025 09:17
Modified
21/12/2025 18:53
Tags
2025-12-10 dll sideloading domain spoofing edr exploitation fileless execution initial access broker ransomware stealth tactics
Related entities
3 observables, 1 intrusion sets (apt), 8 techniques (mitre), 3 others

Description

Storm-0249, a seasoned , has evolved from mass phishing to sophisticated post-exploitation tactics. The group now abuses legitimate Endpoint Detection and Response processes, particularly SentinelOne's SentinelAgentWorker.exe, through . This allows them to conceal malicious activity as routine operations, bypass defenses, and maintain persistence. Their new tactics include Microsoft , curl-to-PowerShell piping, and . Storm-0249's ability to weaponize trusted processes and conduct stealthy reconnaissance poses significant challenges for security teams. The group's evolution represents a broader trend in the -as-a-service ecosystem, lowering the technical barrier for attackers and accelerating the spread of across sectors.

External references