Financially motivated · 12 malware families · Exploits CVEs in the wild

Storm-1811

Also known as: CURLY SPIDER, Storm-1811

Storm-1811 is a financially motivated threat actor tracked by Microsoft. It has been active since at least 2022 and is known for social engineering-based initial access, particularly impersonating help desk or IT support personnel via phone calls and Microsoft Teams. Reported activity commonly involves email bombing followed by contact from the actor, who then persuades victims to grant remote access through remote monitoring and management (RMM) tools, especially Microsoft Quick Assist and in some cases AnyDesk or TeamViewer. Microsoft reported Storm-1811 using Teams and Quick Assist in 2024, including use of generic tenant display names such as "Help Desk," "Help Desk IT," "Help Desk Support," and "IT Support."

The actor is associated with ransomware intrusion activity and has been reported as gaining initial access for groups including UNC2500, UNC2633, and UNC5155 to distribute ransomware such as Black Basta and 3AM. Microsoft states Storm-1811 is known to deploy Black Basta ransomware. Red Canary reported likely Storm-1811 activity progressing from remote access to reconnaissance, lateral movement, establishment of an SSH tunnel backdoor, and ultimately Black Basta deployment if not contained. Sophos reported that STAC5777 overlaps with Storm-1811 and linked related tradecraft to 3AM ransomware activity and Black Basta-affiliated vishing operations.

Observed tradecraft in the cited reporting includes PowerShell execution; use of multiple batch scripts during initial access and follow-on activity; prompting users to execute downloaded software and payloads; distribution of password-protected ZIP archives; acquisition and use of legitimate and malicious tools, including RMM software and commodity malware; creation of Windows Registry Run keys for persistence; staging captured credentials locally for later manual exfiltration; and use of a Cobalt Strike installer disguised as a malicious DLL masquerading as part of a legitimate 7-Zip installation package. The Cobalt Strike payload was described as XOR-encoded inside the DLL and decoded with a hardcoded key when invoked by the legitimate 7-Zip installation process.

Known aliases are Curly Spider and Storm-1811; Sophos also tracks the overlapping cluster as STAC5777.
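The initial-access chain summarized above (external "help desk" contact on Teams, an RMM session, then scripting and Run-key persistence) lends itself to simple timeline correlation. The following is an added example written for this profile; it is not Mallory code or any vendor's detection logic. The Event schema, its field names and the sample events are constructed for illustration; the display names, RMM tool names and Run-key persistence location come from the reporting summarized on this page.

```python
"""Correlate the Storm-1811 lure -> RMM -> follow-on chain over constructed events.

Added example for this profile; not Mallory code or a vendor rule. The Event
schema, field names and sample events are constructed; the indicators below
are the ones named in the reporting summarized on the page.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Tenant display names Microsoft reported the actor using on Teams (from the page).
HELPDESK_DISPLAY_NAMES = {"help desk", "help desk it", "help desk support", "it support"}
# RMM tools named in the reporting (Quick Assist, AnyDesk, TeamViewer).
RMM_BINARIES = {"quickassist.exe", "anydesk.exe", "teamviewer.exe"}
# Scripting interpreters associated with follow-on activity in the reporting.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe"}
# Registry Run / RunOnce keys, the persistence location named on the page.
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?$", re.IGNORECASE)


@dataclass
class Event:
    """Constructed, vendor-neutral event record (hypothetical schema)."""
    ts: datetime
    user: str
    kind: str                     # "teams_message" | "process_start" | "registry_set"
    detail: dict = field(default_factory=dict)


def normalize_name(name: str) -> str:
    """Fold case, punctuation and spacing so 'IT-Support' matches 'it support'."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", name.lower()).split())


def is_helpdesk_lure(e: Event) -> bool:
    """External-tenant Teams message whose sender uses a generic help-desk name."""
    return (e.kind == "teams_message"
            and bool(e.detail.get("external_tenant"))
            and normalize_name(e.detail.get("sender_display_name", "")) in HELPDESK_DISPLAY_NAMES)


def correlate(events, window=timedelta(hours=2)):
    """Return one finding per lure, escalated by what followed it for the same user.

    low    : lure only
    medium : lure followed by an RMM tool launch within `window`
    high   : lure, RMM launch, then a script host or a Run-key write before the window closes
    """
    by_user = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_user.setdefault(e.user, []).append(e)

    findings = []
    for user, evs in by_user.items():
        for lure in filter(is_helpdesk_lure, evs):
            deadline = lure.ts + window
            stages = ["helpdesk_lure"]
            rmm = next((e for e in evs
                        if e.kind == "process_start" and lure.ts <= e.ts <= deadline
                        and e.detail.get("image", "").lower() in RMM_BINARIES), None)
            if rmm is not None:
                stages.append("rmm_session:" + rmm.detail["image"].lower())
                for e in evs:
                    if not (rmm.ts <= e.ts <= deadline):
                        continue
                    image = e.detail.get("image", "").lower()
                    if e.kind == "process_start" and image in SCRIPT_HOSTS:
                        stage = "script_host:" + image
                    elif e.kind == "registry_set" and RUN_KEY_RE.search(e.detail.get("key", "")):
                        stage = "run_key_persistence"
                    else:
                        continue
                    if stage not in stages:
                        stages.append(stage)
            severity = "low" if rmm is None else ("medium" if len(stages) == 2 else "high")
            findings.append({"user": user, "lure_ts": lure.ts, "severity": severity, "stages": stages})
    return findings


# Constructed sample timeline: alice matches the full chain, bob gets an unrelated
# external message, carol's "IT Support" sender is in-tenant, dave sees only the lure.
T0 = datetime(2025, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "alice", "teams_message", {"sender_display_name": "Help Desk IT", "external_tenant": True}),
    Event(T0 + timedelta(minutes=6), "alice", "process_start", {"image": "QuickAssist.exe"}),
    Event(T0 + timedelta(minutes=15), "alice", "process_start", {"image": "powershell.exe"}),
    Event(T0 + timedelta(minutes=20), "alice", "registry_set",
          {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "Updater"}),
    Event(T0, "bob", "teams_message", {"sender_display_name": "Acme Sales", "external_tenant": True}),
    Event(T0 + timedelta(minutes=3), "bob", "process_start", {"image": "AnyDesk.exe"}),
    Event(T0, "carol", "teams_message", {"sender_display_name": "IT Support", "external_tenant": False}),
    Event(T0, "dave", "teams_message", {"sender_display_name": "IT-Support", "external_tenant": True}),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["user"], " -> ".join(f["stages"]))
```

The lure alone is kept as a low-severity finding rather than discarded, because an external tenant messaging users under a generic help-desk name is worth a triage ticket on its own; the RMM launch and the later script or Run-key activity only raise the severity. The two-hour window is an assumption and should be tuned to how quickly the reported intrusions moved from contact to hands-on activity in your own telemetry.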


MITRE ATT&CK

Tradecraft

52 distinct techniques observed across reporting, grouped by tactic (14 of 15 tactics, 75 technique entries). ×N = number of intelligence reports citing this technique.
TA0043 Reconnaissance (1 technique)
  T1598 Phishing for Information
    T1598.004 Spearphishing Voice (×3)

TA0042 Resource Development (2 techniques)
  T1588 Obtain Capabilities
    T1588.002 Tool (×2)
  T1608 Stage Capabilities

TA0001 Initial Access (2 techniques)
  T1078 Valid Accounts (×2)
  T1566 Phishing (×5)
    T1566.001 Spearphishing Attachment
    T1566.003 Spearphishing via Service (×6)
    T1566.004 Spearphishing Voice (×3)

TA0002 Execution (5 techniques)
  T1059 Command and Scripting Interpreter
    T1059.001 PowerShell (×6)
    T1059.003 Windows Command Shell (×4)
  T1072 Software Deployment Tools
  T1129 Shared Modules
  T1204 User Execution (×2)
    T1204.002 Malicious File (×4)
  T1574 Hijack Execution Flow

TA0003 Persistence (4 techniques)
  T1037 Boot or Logon Initialization Scripts
  T1078 Valid Accounts (×2)
  T1112 Modify Registry (×2)
  T1547 Boot or Logon Autostart Execution
    T1547.001 Registry Run Keys / Startup Folder (×2)

TA0004 Privilege Escalation (3 techniques)
  T1037 Boot or Logon Initialization Scripts
  T1078 Valid Accounts (×2)
  T1547 Boot or Logon Autostart Execution
    T1547.001 Registry Run Keys / Startup Folder (×2)

TA0005 Stealth (9 techniques)
  T1027 Obfuscated Files or Information (×4)
  T1036 Masquerading (×3)
    T1036.003 Rename Legitimate Utilities
    T1036.005 Match Legitimate Resource Name or Location
  T1078 Valid Accounts (×2)
  T1140 Deobfuscate/Decode Files or Information
  T1218 System Binary Proxy Execution
    T1218.007 Msiexec
  T1497 Virtualization/Sandbox Evasion
    T1497.001 System Checks
  T1564 Hide Artifacts
    T1564.006 Run Virtual Instance
  T1574 Hijack Execution Flow
  T1622 Debugger Evasion

TA0112 Defense Impairment (2 techniques)
  T1112 Modify Registry (×2)
  T1553 Subvert Trust Controls
    T1553.002 Code Signing (×2)

TA0006 Credential Access (2 techniques)
  T1187 Forced Authentication
  T1557 Adversary-in-the-Middle
    T1557.001 Name Resolution Poisoning and SMB Relay

TA0007 Discovery (10 techniques)
  T1012 Query Registry
  T1016 System Network Configuration Discovery
  T1033 System Owner/User Discovery
  T1057 Process Discovery
  T1069 Permission Groups Discovery
  T1087 Account Discovery
  T1497 Virtualization/Sandbox Evasion
    T1497.001 System Checks
  T1518 Software Discovery
  T1614 System Location Discovery
    T1614.001 System Language Discovery
  T1622 Debugger Evasion

TA0008 Lateral Movement (2 techniques)
  T1021 Remote Services (×4)
    T1021.002 SMB/Windows Admin Shares
    T1021.004 SSH (×2)
  T1072 Software Deployment Tools

TA0009 Collection (3 techniques)
  T1074 Data Staged
  T1557 Adversary-in-the-Middle
    T1557.001 Name Resolution Poisoning and SMB Relay
  T1560 Archive Collected Data

TA0011 Command and Control (6 techniques)
  T1071 Application Layer Protocol
    T1071.004 DNS
  T1090 Proxy
  T1105 Ingress Tool Transfer
  T1219 Remote Access Tools (×5)
  T1568 Dynamic Resolution
  T1572 Protocol Tunneling (×2)

TA0040 Impact (1 technique)
  T1486 Data Encrypted for Impact (×4)
ARSENAL

Associated malware families

12 malware families attributed to this actor across reporting.

Family: Black Basta
  Context: Without prompt response, this activity can lead to Black Basta ransomware in your environment.
  Evidence: 9
  Last seen: Jun 14, 2026

Family: A0Backdoor
  Context: Five months later in March this year, BlueVoyant published the forensics on a related campaign that drops a previously undocumented payload called A0Backdoor and judged it "an evolution of tactics, techniques and procedures associated with the BlackBasta ransomware gang..."
  Evidence: 7
  Last seen: May 28, 2026

Family: Cobalt Strike
  Context: Detects the PowerShell pattern used at the end of a Cobalt Strike PowerShell loader to perform the decompression of the executable. This loader is used in attacks such as scripted web delivery. Cobalt Strike is a legitimate, commercial penetration testing tool that has been largely co-opted by ransomware gangs to launch attacks. Cobalt Strike's popularity is mainly due to its beacons or payload being stealthy and easily customizable. Cobalt Strike Beacon provides encrypted communication with the C&C server to send information and receive commands.
  Evidence: 4
  Last seen: May 6, 2026

Family: Impacket
  Context: The following analytic identifies suspicious command-line parameters associated with the use of Impacket's smbexec.py for lateral movement. This activity is significant as both Red Teams and adversaries use Impacket for remote code execution and lateral movement.
  Evidence: 2
  Last seen: Mar 17, 2026

Family: QakBot
  Context: In several cases, Microsoft Threat Intelligence identified such activity leading to the download of Qakbot, RMM tools like ScreenConnect and NetSupport Manager, and Cobalt Strike. Qakbot has been used over the years as a remote access vector to deliver additional malicious payloads that led to ransomware deployment.
  Evidence: 2
  Last seen: Apr 30, 2026

7 additional families tracked in Mallory.

IOCS

Observables

47 indicators attributed to this actor (domains, IPs, hashes, and other artifacts pulled from reporting); the indicator values themselves are not shown on this page.
