Storm-1113
Storm-1113 is a Microsoft-tracked financially motivated threat cluster also referred to as FakeBat and Apothecary Spider. The content describes it as both an access broker using search advertisements and an as-a-service provider of malicious installers and landing page frameworks. Microsoft states Storm-1113 is the developer of EugenLoader, first observed around November 2022. Observed activity includes abuse of MSIX packages and the ms-appinstaller/App Installer URI scheme for malware delivery. Since mid-November 2023, Microsoft observed Storm-1113 delivering EugenLoader through search advertisements mimicking the Zoom app. The malicious MSIX installer was used to deliver additional payloads including Gozi, Redline stealer, IcedID, Smoke Loader, NetSupport Manager (NetSupport RAT), Sectop RAT, and Lumma stealer. Microsoft also reported that Storm-1674 used malicious installers and landing page frameworks provided by Storm-1113. Multiple sources in the content associate Storm-1113/FakeBat with MSIX package abuse. Splunk and related telemetry references state that FakeBat (Storm-1113) has leveraged MSIX packages for malware delivery. Red Canary reported a cluster from July to December 2023 that Microsoft research suggested overlaps or aligns with Storm-1113; that cluster used Advanced Installer-created MSIX files, AiStub.exe, and StartingScriptWrapper.ps1 to execute malicious PowerShell, and delivered ArechClient2/RedLine stealer and a DLL sideloading payload consistent with GHOSTPULSE. The same cluster used GPG decryption tools and tar decompression in a manner consistent with FakeBat, and FakeBat had previously been used in MSIX packages to distribute additional payloads including IcedID. The content also states that Storm-1113 has used Lumma Stealer in campaigns, and Microsoft lists Storm-1113 among ransomware threat actors observed using Lumma. Overall, the supporting content consistently characterizes Storm-1113 as a financially motivated malware delivery and access activity cluster centered on malvertising/search-ad lures, malicious MSIX installers, and follow-on delivery of stealers, loaders, RATs, and other payloads.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Tradecraft
7 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as a threat actor/activity cluster leveraging MSIX package abuse.
Microsoft-tracked activity cluster described as a ransomware group that has used LummaStealer in campaigns.
Referenced as a threat actor/activity cluster leveraging MSIX packages for malware delivery.
Observed in threat campaigns abusing MSIX packages.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.