STAC5777
STAC5777 is a threat cluster tracked by Sophos that overlaps with the activity Microsoft tracks as Storm-1811. Sophos observed it in late 2024 and early 2025 in ransomware and data-theft extortion activity, including incidents built on Microsoft Teams and Quick Assist social engineering and a separate intrusion linked to 3AM ransomware. Sophos also reported ties between 3AM and Black Basta-affiliated actors involved in the Teams-based vishing activity tracked as STAC5777.

Initial access followed a consistent pattern: email bombing of the target, then contact from a fake IT support persona over Microsoft Teams or a spoofed phone call, then persuading the victim to grant remote access through Microsoft Quick Assist or Teams screen control. In one documented case the actor sent the malicious Teams messages from the Office 365 account helpdesk@llladminhlpll.onmicrosoft.com, connecting from 78.46.67[.]201.

Sophos reported that STAC5777 relied heavily on hands-on-keyboard activity. The cluster deployed a legitimate Microsoft-signed OneDriveStandaloneUpdater.exe alongside a malicious winhttp.dll for DLL sideloading, with supporting files including OpenSSL DLLs, vcruntime140.dll, and settingsbackup.dat. SophosLabs found that the malicious winhttp.dll carried fake version metadata copied from a legitimate ESET file and could collect system details, configuration information, user credentials, and keystrokes. STAC5777 stored its command-and-control configuration under HKLM\SOFTWARE\TitanPlus and established persistence through a service and a startup .lnk file. Reported C2 infrastructure included 185.190.251[.]16:443, 207.90.238[.]52:443, 89.185.80[.]86:443, 74.178.90[.]36:443, and 195.123.241[.]24:443.

For discovery and lateral movement, Sophos observed STAC5777 scanning environments over SMB and probing for RDP and WinRM hosts, then moving laterally with compromised credentials, VPN access, RDP, and WinRM. The actors also searched for password-related files, examined .rdp files, and reviewed network diagrams to plan further movement.
In some incidents the actors attempted to uninstall local MFA integration or the Sophos Endpoint Agent; Sophos tamper protection blocked at least some of these attempts. In one threat-hunting case STAC5777 attempted to deploy Black Basta ransomware, which Sophos blocked. Sophos also linked STAC5777 tradecraft to a 3AM ransomware intrusion in which the attackers used email bombing, a spoofed IT phone call, Quick Assist access, a QEMU-based Windows 7 virtual machine, and the QDoor backdoor to establish a foothold, move laterally, exfiltrate data, and ultimately attempt ransomware deployment.

Aliases and related names mentioned in the reporting: STAC5777 (Sophos) and Storm-1811 (Microsoft).
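The sideloading chain, the registry-resident C2 configuration, the startup shortcut and the C2 addresses described above give a short host-level hunting checklist. The following Python script is an added example, not code from Sophos or from the page's sources: it runs those checks over constructed Sysmon-style events embedded inline (event IDs 3, 7, 11 and 13 in Sysmon's numbering; the file paths, the user name and the TitanPlus value name are made up for illustration, while the IP addresses are the ones reported above).

```python
"""Host-level hunting checks for the STAC5777 tradecraft described above.

Added example: runs over constructed Sysmon-style event dicts; it is not
Sophos' detection logic. Paths, user name and the TitanPlus value name are
invented; the C2 addresses are the ones reported for the cluster.
"""
import ntpath
from typing import Dict, List

# Reported C2 endpoints (re-fanged so they can be matched against telemetry).
STAC5777_C2 = {
    ("185.190.251.16", 443), ("207.90.238.52", 443), ("89.185.80.86", 443),
    ("74.178.90.36", 443), ("195.123.241.24", 443),
}
SIDELOAD_HOST = "onedrivestandaloneupdater.exe"
SIDELOAD_DLL = "winhttp.dll"
# The genuine winhttp.dll only lives in the Windows system directories, so a
# copy loaded from anywhere else is the sideload regardless of drop folder.
LEGIT_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
C2_REG_KEY = r"hklm\software\titanplus"
STARTUP_DIR_FRAGMENT = r"\microsoft\windows\start menu\programs\startup\""[:-1]


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def check_event(ev: Dict) -> List[str]:
    """Return finding strings for one Sysmon-style event (empty if benign)."""
    findings: List[str] = []
    eid = ev.get("EventID")
    image = _norm(ev.get("Image", ""))
    if eid == 7:  # ImageLoad: updater binary loading a non-system winhttp.dll
        loaded = _norm(ev.get("ImageLoaded", ""))
        if (ntpath.basename(image) == SIDELOAD_HOST
                and ntpath.basename(loaded) == SIDELOAD_DLL
                and ntpath.dirname(loaded) not in LEGIT_DLL_DIRS):
            findings.append(f"sideload: {SIDELOAD_HOST} loaded {loaded}")
    elif eid == 13:  # RegistryEvent (value set) under the C2 config key
        target = _norm(ev.get("TargetObject", ""))
        if target.startswith(C2_REG_KEY):
            findings.append(f"c2-config: registry write to {ev['TargetObject']}")
    elif eid == 3:  # NetworkConnect to a reported C2 address
        dst = (ev.get("DestinationIp", ""), int(ev.get("DestinationPort", 0)))
        if dst in STAC5777_C2:
            findings.append(f"c2-connect: {image} -> {dst[0]}:{dst[1]}")
    elif eid == 11:  # FileCreate of a .lnk in a Startup folder
        target = _norm(ev.get("TargetFilename", ""))
        if STARTUP_DIR_FRAGMENT in target and target.endswith(".lnk"):
            findings.append(f"persistence: startup shortcut {ev['TargetFilename']}")
    return findings


def hunt(events: List[Dict]) -> List[str]:
    """Run check_event over a batch of events and collect all findings."""
    hits: List[str] = []
    for ev in events:
        hits.extend(check_event(ev))
    return hits


# Constructed sample telemetry (not real events). Indices 0, 2 and 5 are benign.
UPDATER = r"C:\Users\jdoe\AppData\Local\Temp\OneDriveStandaloneUpdater.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": UPDATER, "CommandLine": UPDATER},
    {"EventID": 7, "Image": UPDATER,
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\winhttp.dll"},
    {"EventID": 7, "Image": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "ImageLoaded": r"C:\Windows\System32\winhttp.dll"},
    {"EventID": 13, "Image": UPDATER, "TargetObject": r"HKLM\SOFTWARE\TitanPlus\config"},
    {"EventID": 3, "Image": UPDATER, "DestinationIp": "185.190.251.16", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "13.107.42.14", "DestinationPort": 443},
    {"EventID": 11, "Image": UPDATER,
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The sideload check is behavioural (any winhttp.dll loaded by OneDriveStandaloneUpdater.exe from outside System32 or SysWOW64) and survives the attacker changing the drop directory; the registry-key and C2-address checks are pure IOC matches and will age as the cluster rotates infrastructure.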
Summaries from the three tracked sources:
A highly active threat cluster using email bombing and fake Teams-based IT support lures to convince users to install Quick Assist, followed by hands-on-keyboard malware deployment, persistence, credential theft, lateral movement, data theft, and in at least one case attempted Black Basta ransomware deployment.
Threat cluster using email bombing, Microsoft Teams social engineering, and Quick Assist remote access to deploy a DLL side-loading backdoor, steal credentials, move laterally with RDP and WinRM, and in at least one case attempt Black Basta ransomware deployment.
Threat cluster associated with Microsoft Teams-based vishing (voice phishing) that overlaps with 3AM-linked activity.