Storm-2460
Storm-2460 is a financially motivated threat actor that Microsoft tracks as associated with the RansomEXX ransomware operation. RansomEXX is also described as a ransomware family and operator tracked by Microsoft under the Storm-2460 moniker, and is reported to be a rebranded version of Defray777. Known aliases directly supported by the reporting are RansomEXX and Storm-2460.

Storm-2460 has been linked to the PipeMagic modular backdoor, which has been used in ransomware operations and was staged before exploitation of CVE-2025-29824, a privilege escalation vulnerability in the Windows Common Log File System (CLFS). PipeMagic is described as a modular backdoor that can receive modules over the network, update itself in memory, and exfiltrate basic host information. Reported delivery included a trojanized desktop "ChatGPT" application built from a public GitHub project; the reporting explicitly states that this did not imply any compromise of OpenAI or ChatGPT. The group has been reported exploiting CVE-2025-29824 to move from initial access or post-compromise staging to ransomware deployment.

Observed targeting includes organizations in the United States, Europe, South America, and the Middle East: the finance, IT, and real estate sectors in the United States, a Spanish software company, and the retail sector in Saudi Arabia. Separate reporting states that Storm-2460 primarily targeted the finance sector and other high-value industries.

Tradecraft described in the reporting includes:
- use of PipeMagic;
- abuse of MSBuild, including inline MSBuild task execution and, in some cases, renaming MSBuild.exe;
- deployment of the Brute Ratel C2 framework;
- use of CertUtil;
- credential theft by running ProcDump renamed as dllhost.exe to dump LSASS;
- disabling recovery with bcdedit;
- deleting backups with wbadmin;
- clearing or disabling Windows event logs with wevtutil.

RansomEXX is also noted to use wevtutil to disable Security logs after encryption. Overall, Storm-2460 activity is described as relying heavily on living-off-the-land techniques, anti-forensics, backup deletion, and recovery inhibition before ransomware deployment.

The reporting also states that RansomEXX/Storm-2460 exploited the SAP NetWeaver vulnerability CVE-2025-31324. In that activity, RansomEXX was observed deploying PipeMagic via MSBuild abuse, with Brute Ratel and Heaven's Gate also mentioned in post-exploitation activity.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Banks
- Financial Services
- Software & Services
- Real Estate Management & Development
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
Tradecraft
23 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
3 malware families attributed to this actor across reporting.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.
Microsoft observed the delivery of PipeMagic as part of staging activities prior to exploitation of the Windows Common Log File System privilege escalation vulnerability tracked as CVE-2025-29824. Once PipeMagic was set up on the system, Storm-2460 would use the flaw to escalate privileges and ultimately deploy their ransomware using the pipe delivery system.
Ransomware groups and Chinese advanced persistent threat (APT) groups are targeting a critical vulnerability in SAP NetWeaver... The vulnerability, tracked as CVE-2025-31324, has a CVSS score of 10 and affects NetWeaver's Visual Composer development server. Threat actors can exploit the vulnerability using remote attacks to execute arbitrary code without authentication... SAP later confirmed it as an unrestricted file upload vulnerability... allowing attackers to upload malicious files directly to the system without authorization.
Observables
1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Cybercrime group exploiting SAP NetWeaver vulnerability (CVE-2025-31324) to deploy PipeMagic trojan as part of intrusion activity.
Lumma Stealer is an infostealer malware that retrieves its command-and-control (C2) information from Telegram channels, using simple ciphers to obfuscate the C2 address and enable rapid infrastructure changes.
Storm-2460 (RansomEXX) is known for exploiting elevation of privilege vulnerabilities in Windows to spread ransomware, often leveraging backdoors such as PipeMagic.
Lumma Stealer is an infostealer malware used to steal sensitive information from infected systems. Its usage has declined after internal doxing incidents.