Mallory
Financially motivated · 10 malware families · Exploits CVEs in the wild

Storm-1811

Also known as: CURLY SPIDER, Storm-1811

Storm-1811 is a financially motivated cybercriminal group tracked by Microsoft. The reporting summarized here states that Microsoft has linked Storm-1811 to Black Basta ransomware deployment and observed it, in 2024, abusing Microsoft Teams and Quick Assist to impersonate IT support staff and socially engineer victims into granting remote access. Aliases named in the reporting are Curly Spider and Storm-1811.

Reported tradecraft includes registering Microsoft 365 tenants with generic support-themed display names such as "Help Desk," "Help Desk IT," "Help Desk Support," and "IT Support"; contacting targets over Microsoft Teams; persuading users to run downloaded software and payloads; and using Quick Assist for remote access. Further behaviours mentioned directly are the use of multiple batch scripts during initial access and follow-on activity, creation of Windows Registry Run keys that execute batch scripts for persistence, local staging of captured credentials for later manual exfiltration, use of whoami.exe to check whether the active user holds administrator privileges, acquisition of legitimate and malicious tooling including remote monitoring and management (RMM) software and commodity malware packages, distribution of password-protected ZIP archives, and SSH-related activity mapped to ATT&CK T1021.004.

The reporting also states that Storm-1811 disguised Cobalt Strike installers as a malicious DLL masquerading as part of a legitimate 7-Zip installation package, and XOR-encoded a Cobalt Strike installation payload inside a DLL that was decoded with a hardcoded key when invoked by a legitimate 7-Zip installation process. Public reporting cited says the timing of Storm-1811 activity aligned with 3AM ransomware activity. No nation-state attribution is given.
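The Run-key persistence described above (T1547.001: a Run value that launches a batch script) is easy to sweep for. The following is an added example, not code from Mallory or from the cited reporting: it parses output in the layout `reg query` prints and flags Run/RunOnce values that execute a .bat/.cmd script or go through a cmd.exe /c launcher. The registry sample is constructed for illustration.

```python
import re

# Constructed sample in the layout `reg query <key>` prints; not real data from
# the reporting. Two of the three values launch batch scripts, the T1547.001
# pattern described above (Run key -> batch script for persistence).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    cmd.exe /c "C:\Users\Public\update.bat"
    SysCheck    REG_EXPAND_SZ    %ProgramData%\svc\run.cmd
"""

# A key header line: HKEY_...\...\Run or \RunOnce, no leading whitespace.
KEY_LINE = re.compile(r"^HKEY_[A-Z_]+\\.*Run(Once)?$")
# A value line: indented, then name, type, data.
VALUE_LINE = re.compile(
    r"^\s+(?P<name>\S+)\s+(?P<type>REG_SZ|REG_EXPAND_SZ)\s+(?P<data>.+)$"
)
# Batch-script extension anywhere in the command line.
SCRIPT_EXT = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)
# cmd.exe used as a launcher with /c or /k.
SHELL_LAUNCH = re.compile(r"\bcmd(\.exe)?\b.*\s/[ck]\b", re.IGNORECASE)


def find_batch_run_keys(reg_output: str) -> list[dict]:
    """Return Run/RunOnce values whose data executes a .bat/.cmd script."""
    findings = []
    current_key = None
    for line in reg_output.splitlines():
        if KEY_LINE.match(line.strip()):
            current_key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if not m or current_key is None:
            continue
        data = m.group("data").strip()
        reasons = []
        if SCRIPT_EXT.search(data):
            reasons.append("batch script extension")
        if SHELL_LAUNCH.search(data):
            reasons.append("cmd.exe /c or /k launcher")
        if reasons:
            findings.append({"key": current_key, "name": m.group("name"),
                             "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_batch_run_keys(SAMPLE_REG_QUERY):
        print(f"{f['key']}\\{f['name']}: {f['data']}  <- {', '.join(f['reasons'])}")
```

Feed it the real output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM, RunOnce and Wow6432Node equivalents) and triage each hit against known software inventory; the heuristics are intentionally broad, so legitimate logon scripts will appear and need to be baselined.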

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

MITRE ATT&CK

Tradecraft

57 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

14 of 15 tactics · 80 techniques. ×N = number of intelligence reports citing this technique.

TA0043 Reconnaissance (2 techniques)
- T1592 Gather Victim Host Information
- T1598 Phishing for Information
  - T1598.004 Spearphishing Voice (×2)

TA0042 Resource Development (2 techniques)
- T1588 Obtain Capabilities
  - T1588.002 Tool (×2)
- T1608 Stage Capabilities

TA0001 Initial Access (2 techniques)
- T1078 Valid Accounts (×2)
- T1566 Phishing (×2)
  - T1566.001 Spearphishing Attachment (×2)
  - T1566.003 Spearphishing via Service (×4)

TA0002 Execution (5 techniques)
- T1059 Command and Scripting Interpreter
  - T1059.001 PowerShell (×9)
  - T1059.003 Windows Command Shell (×4)
- T1072 Software Deployment Tools
- T1129 Shared Modules
- T1204 User Execution (×2)
  - T1204.002 Malicious File (×6)
- T1574 Hijack Execution Flow
  - T1574.001 DLL

TA0003 Persistence (4 techniques)
- T1037 Boot or Logon Initialization Scripts
- T1078 Valid Accounts (×2)
- T1112 Modify Registry (×3)
- T1547 Boot or Logon Autostart Execution
  - T1547.001 Registry Run Keys / Startup Folder (×2)

TA0004 Privilege Escalation (3 techniques)
- T1037 Boot or Logon Initialization Scripts
- T1078 Valid Accounts (×2)
- T1547 Boot or Logon Autostart Execution
  - T1547.001 Registry Run Keys / Startup Folder (×2)

TA0005 Stealth (9 techniques)
- T1027 Obfuscated Files or Information (×4)
  - T1027.013 Encrypted/Encoded File
- T1036 Masquerading (×3)
  - T1036.003 Rename Legitimate Utilities
  - T1036.005 Match Legitimate Resource Name or Location
- T1078 Valid Accounts (×2)
- T1140 Deobfuscate/Decode Files or Information
- T1218 System Binary Proxy Execution
  - T1218.007 Msiexec
- T1497 Virtualization/Sandbox Evasion
  - T1497.001 System Checks
- T1564 Hide Artifacts
  - T1564.006 Run Virtual Instance
- T1574 Hijack Execution Flow
  - T1574.001 DLL
- T1622 Debugger Evasion

TA0112 Defense Impairment (2 techniques)
- T1112 Modify Registry (×3)
- T1553 Subvert Trust Controls
  - T1553.002 Code Signing (×2)

TA0006 Credential Access (2 techniques)
- T1187 Forced Authentication
- T1557 Adversary-in-the-Middle
  - T1557.001 Name Resolution Poisoning and SMB Relay

TA0007 Discovery (11 techniques)
- T1012 Query Registry
- T1016 System Network Configuration Discovery
- T1033 System Owner/User Discovery
- T1057 Process Discovery
- T1069 Permission Groups Discovery
- T1087 Account Discovery
  - T1087.002 Domain Account
- T1482 Domain Trust Discovery
- T1497 Virtualization/Sandbox Evasion
  - T1497.001 System Checks
- T1518 Software Discovery
- T1614 System Location Discovery
  - T1614.001 System Language Discovery
- T1622 Debugger Evasion

TA0008 Lateral Movement (2 techniques)
- T1021 Remote Services (×5)
  - T1021.002 SMB/Windows Admin Shares (×3)
  - T1021.004 SSH
- T1072 Software Deployment Tools

TA0009 Collection (3 techniques)
- T1074 Data Staged
- T1557 Adversary-in-the-Middle
  - T1557.001 Name Resolution Poisoning and SMB Relay
- T1560 Archive Collected Data

TA0011 Command and Control (6 techniques)
- T1071 Application Layer Protocol
  - T1071.004 DNS
- T1090 Proxy
- T1105 Ingress Tool Transfer
- T1219 Remote Access Tools (×2)
- T1568 Dynamic Resolution
- T1572 Protocol Tunneling (×2)

TA0040 Impact (1 technique)
- T1486 Data Encrypted for Impact (×2)
Arsenal

Associated malware families

10 malware families attributed to this actor across reporting.

Each entry gives the family, the context excerpt from reporting, the number of evidence reports, and the last-seen date.

A0Backdoor (7 reports, last seen May 28, 2026)
  Five months later in March this year, BlueVoyant published the forensics on a related campaign that drops a previously undocumented payload called A0Backdoor and judged it “an evolution of tactics, techniques and procedures associated with the BlackBasta ransomware gang...”

Black Basta (6 reports, last seen May 28, 2026)
  Storm-1811, Microsoft’s analysts wrote, “is a financially motivated cybercriminal group known to deploy BlackBasta ransomware”...

Cobalt Strike (4 reports, last seen May 6, 2026)
  Detects the PowerShell pattern used at the end of a Cobalt Strike PowerShell loader to perform the decompression of the executable. This loader is used in attacks such as scripted web delivery. Cobalt Strike is a legitimate, commercial penetration testing tool that has been largely co-opted by ransomware gangs to launch attacks. Cobalt Strike's popularity is mainly due to its beacons or payload being stealthy, and easily customizable. Cobalt Strike Beacon provides encrypted communication with the C&C server to send information and receive commands.

Impacket (2 reports, last seen Mar 17, 2026)
  The following analytic identifies suspicious command-line parameters associated with the use of Impacket's smbexec.py for lateral movement. This activity is significant as both Red Teams and adversaries use Impacket for remote code execution and lateral movement.

QakBot (2 reports, last seen Apr 30, 2026)
  In several cases, Microsoft Threat Intelligence identified such activity leading to the download of Qakbot, RMM tools like ScreenConnect and NetSupport Manager, and Cobalt Strike. Qakbot has been used over the years as a remote access vector to deliver additional malicious payloads that led to ransomware deployment.

5 additional families tracked in Mallory.

IOCs

Observables

40 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping (57)

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (10)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs (1)

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables (40)

Domains, IPs, and hashes tied to this actor, refreshed continuously.