Storm-0569 is a Microsoft-tracked financially motivated threat actor, previously designated DEV-0569. The content associates Storm-0569 with Zloader and describes it as an access broker that delivers post-compromise payloads via malvertising, SEO poisoning, and phishing emails, with activity that can culminate in ransomware deployment. Microsoft observed Storm-0569 abusing the Windows ms-appinstaller/App Installer mechanism and signed malicious MSIX packages beginning in late 2023, including SEO-poisoning campaigns in early December 2023 that spoofed legitimate software download pages for Zoom, Tableau, TeamViewer, and AnyDesk. These campaigns used Bing or Google search results or ads to drive victims to spoofed landing pages containing ms-appinstaller links. After user interaction, Storm-0569 used PowerShell and batch scripts to download BATLOADER; in one incident BATLOADER dropped a Cobalt Strike Beacon, used Rclone for data exfiltration, and the intrusion later culminated in Black Basta ransomware deployment by Storm-0506. The content states Storm-0569 infection chains have dropped IcedID, Cobalt Strike Beacon, and remote monitoring and management tools, and that handoffs may occur to ransomware operators including Storm-0846 and Storm-0506. Separate reporting cited in the content says a very similar technique was used by DEV-0569 in late 2022 to deploy Royal ransomware. The content also links Storm-0569 to MSIX package abuse and notes Red Canary observed a cluster overlapping or aligning with Storm-0569 that used Advanced Installer MSIX packages, the legitimate AiStub.exe binary, compiled Python payloads, OpenSSL decryption, and GetAdmin.vbs scripts, with overlaps to Zloader/BatLoader tradecraft.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
1 malware family attributed to this actor across reporting.
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as a threat actor/activity cluster leveraging MSIX package abuse.
Used a similar PowerShell-based technique to disable security protections and deploy Royal ransomware in late 2022.
Referenced as a threat actor/activity cluster leveraging MSIX packages for malware delivery.
Observed in threat campaigns abusing MSIX packages.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.