Skip to main content
Mallory
Back to threat actors
11 malware familiesExploits CVEs in the wild

Storm-0506

Also known asStorm-0506

Storm-0506 is a Microsoft-tracked, financially motivated ransomware operator associated with Black Basta ransomware deployment. Microsoft observed Storm-0506 in intrusions that culminated in Black Basta deployment, including a North American engineering firm where initial access was obtained via Qakbot, followed by exploitation of CVE-2023-28252 for privilege escalation, use of Cobalt Strike and Pypykatz to steal domain administrator credentials, lateral movement to domain controllers, persistence via custom tools and SystemBC, attempted RDP brute forcing, and use of PsExec to encrypt non-ESXi devices. Microsoft also observed Storm-0506 exploiting CVE-2024-37085 on domain-joined VMware ESXi environments by creating the "ESX Admins" Active Directory group and adding a user to obtain full administrative access, enabling ESXi filesystem encryption and disruption of hosted virtual machines. Microsoft reported that this post-compromise technique has led to Akira and Black Basta ransomware deployments by Storm-0506 and other ransomware operators. Storm-0506 has also been linked to handoffs from access broker Storm-0569; in one observed case, Storm-0569’s BATLOADER infection chain led to Cobalt Strike Beacon deployment, Rclone data exfiltration, and subsequent Black Basta ransomware deployment by Storm-0506. One mention context also states Storm-0506 targeted enterprise collaboration tools in past espionage campaigns, but the supporting content primarily characterizes the actor as a ransomware operator. Known alias in the provided content: storm_0506.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • engineering
ARSENAL

Associated malware families

11 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
Black BastaRansomware groups—including BlackCat/ALPHV, Black Basta, RansomHub, and Dark Angels—are increasingly targeting VMware ESXi...2Mar 18, 2026
Akira"...the use of this technique has led to Akira and Black Basta ransomware deployments."1Mar 18, 2026
Babuk"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."1Mar 18, 2026
Cobalt Strike"The threat actor then used Cobalt Strike and Pypykatz..."1Mar 18, 2026
Kuiper"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."1Mar 18, 2026

6 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

3 CVEs this actor has used in observed campaigns. 3 of them exploited in the wild.

CVE-2023-28252Windows Common Log File System Driver Elevation of Privilege VulnerabilityIn the wildEvidence1

The threat actor gained initial access to the organization via Qakbot infection, followed by the exploitation of a Windows CLFS vulnerability (CVE-2023-28252) to elevate their privileges on affected devices.

CVE-2024-37085VMware ESXi Active Directory Integration Authentication BypassIn the wildEvidence1

The vulnerability, identified as CVE-2024-37085, involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation... VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named “ESX Admins” to have full administrative access by default.

CVE-2025-53770ToolShell unauthenticated RCE in Microsoft SharePoint ServerIn the wildEvidence1

A newly disclosed vulnerability, CVE-2025-53770, affecting on-premises Microsoft SharePoint Server, enables unauthenticated remote code execution (RCE) through insecure deserialization of untrusted data... Microsoft has confirmed that public exploits are available and actively being used by threat actors.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
huntio blogNews
Jul 31, 2025
Hypervisor Ransomware: CVE-2024-37085, AD Abuse, and the Escalating Threat to VMware ESXi Environments

Activity cluster observed using CVE-2024-37085 in an ESXi/AD context to enable deployment of Black Basta ransomware.

Read more
foresiet blogNews
Jul 23, 2025
CVE-2025-53770: A Critical SharePoint RCE Threat Exploited in the Wild

Cited as a possible actor based on historical TTPs; previously associated (per the article) with targeting enterprise collaboration tools in espionage-oriented activity, and potentially relevant to SharePoint exploitation of CVE-2025-53770.

Read more
picus security blogNews
Aug 2, 2024
August 2024: Latest Malware, Vulnerabilities and Exploits

Storm-0506 is involved in ransomware campaigns exploiting VMware ESXi authentication bypass vulnerabilities to deploy Akira and Black Basta ransomware, leading to data theft and operational disruption.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal11

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs3

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.