Initial access broker Storm-0249 has evolved from a mass phishing operation into a sophisticated threat actor weaponizing legitimate Endpoint Detection and Response (EDR) processes through sideloading techniques to conceal malicious activity as routine security operations.
This represents a significant escalation in the group’s capabilities and poses a critical risk to organizations relying on traditional defense mechanisms.
ReliaQuest researchers, in collaboration with SentinelOne, have documented how Storm-0249 exploits trusted signed executables specifically SentinelOne’s SentinelAgentWorker.exe to execute malicious payloads while evading detection.
The techniques observed are readily adaptable to other EDR platforms, making this a cross-industry threat requiring immediate attention from security teams.
Storm-0249’s recent attack methodology begins with ClickFix attack, a social engineering technique that manipulates users into executing encoded commands via the Windows Run dialog. Once initial access is established, the attack unfolds through three coordinated phases.
The first phase leverages curl.exe, a legitimate built-in Windows utility commonly used by IT administrators for downloading updates and testing APIs.
Because curl.exe rarely triggers security alerts, attackers pipe malicious PowerShell scripts directly into memory from spoofed Microsoft domains.
The attackers host payloads on attacker-controlled infrastructure but prepend URLs with fake /us.microsoft.com/ paths to impersonate legitimate Microsoft sources. This fileless execution technique bypasses signature-based antivirus solutions entirely, as the malicious code never touches disk.
The second phase involves delivering a trojanized MSI package that exploits Windows Installer’s SYSTEM-level privileges.
The package contains a malicious DLL impersonating a legitimate SentinelOne EDR component, strategically placed in the AppData folder a location often excluded from rigorous security monitoring to reduce alert noise.
When the legitimate SentinelOne executable launches, it loads the attacker’s malicious DLL instead of the legitimate version, a technique known as DLL sideloading that makes the attack appear as routine security software behavior.
Security Software Into an Attack Vector
The implications of Storm-0249’s ability to abuse trusted EDR processes are profound. By hijacking digitally signed executables, the group transforms security software into an attack vector.
Network monitoring tools observe the compromised SentinelAgentWorker.exe establishing command-and-control communications to newly registered domains, but trust the process because it remains allowed and digitally signed.
The attackers encrypt C2 traffic with TLS, rendering it invisible to deep packet inspection and SSL inspection appliances.
This neutralizes a significant portion of traditional perimeter defenses while allowing operators to transmit malware encryption keys and payload instructions without detection.
Following initial compromise, Storm-0249 conducts reconnaissance using legitimate Windows utilities like reg.exe and findstr.exe to extract system identifiers including MachineGuid.
Defense Imperatives
This data becomes critical for ransomware affiliates, as groups like LockBit and ALPHV use MachineGuid to bind encryption keys to individual victim systems.
By securing this information, Storm-0249 delivers pre-profiled targets to ransomware customers, dramatically reducing time-to-ransom from weeks to days.
Organizations must implement behavioral analytics to detect anomalies such as DLL sideloading, monitor DNS for newly registered domains (under 30-90 days old), and enforce strict controls on legitimate tools like curl.exe and PowerShell.
Automated incident response playbooks that isolate compromised hosts, block malicious domains, and prevent execution of known malicious hashes are essential.
Storm-0249’s evolution demonstrates that traditional signature-based defenses are insufficient.
Security teams must prioritize visibility into trusted processes, implement behavioral monitoring, and maintain network segmentation to disrupt these sophisticated attacks before ransomware deployment becomes inevitable.
IOCs
| Artifact | Type | Details |
|---|---|---|
07c5599b9bb00feb70c2d5e43b4b76f228866930 |
SHA-1 Hash | Malicious DLL named “SentinelAgentCore” (used for DLL sideloading) |
423f2fcf7ed347ee57c1a3cffa14099ec16ad09c |
SHA-1 Hash | Spear.msi (Malicious Installer) |
krivomadogolyhp[.]com |
Domain | C2 Domain |
hristomasitomasdf[.]com |
Domain | C2 Domain |
hamcore[.]se2 |
File/Resource* | C2 Domain (Likely a reference to SoftEther VPN configuration file or artifact)* |
sgcipl[.]com |
Domain | C2 Domain (Used for spoofed Microsoft domains) |
178.16.52[.]145 |
IP Address | Malicious IP Address |
172.67.206[.]124 |
IP Address | Malicious IP Address |
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.