Skip to main content
Mallory
Back to threat actors
3 malware families

Storm-0494

Also known asStorm-0494

Storm-0494 is a threat actor associated with GootLoader/Gootloader intrusions and initial access operations. Microsoft reported that Storm-0494 often takes over from GootLoader infections and provides access to another threat group, Vanilla Tempest. In the reported activity, Storm-0494 infected victim systems with the Gootloader malware downloader, after which follow-on intrusion activity included deployment of the Supper backdoor, also known as SocksShell or ZAPCAT, and use of AnyDesk for remote access. Huntress attributed multiple October 2025 intrusions to Storm-0494 working in partnership with Vanilla Tempest (aka Rhysida), describing Storm-0494 as handling Gootloader operations and initial access before handing victims off for post-exploitation and ransomware deployment. Related reporting states that attack chains involving Storm-0494/GootLoader access have led to ransomware deployments including INC, Rhysida, BlackCat, Zeppelin, and Quantum Locker. The content does not provide additional confirmed aliases for Storm-0494 beyond the name Storm-0494.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Health Care Equipment & Services

Where they target

Geographies tied to known operations.

  • 🇺🇸 United States
MITRE ATT&CK

Tradecraft

2 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

1 of 15 tactics2 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0011
Command and Control
2 techniques
T1105
Ingress Tool Transfer
T1219
Remote Access Tools
ARSENAL

Associated malware families

3 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
GootloaderDuring the attack, Vanilla Tempest gained network access through the Storm-0494 threat actor, who infected the victim's systems with the Gootloader malware downloader.3May 26, 2026
INC RansomwareMicrosoft revealed on Wednesday that its threat analysts have observed the financially motivated Vanilla Tempest threat actor using INC ransomware for the first time in an attack on the U.S. healthcare sector.1May 26, 2026
SupperStorm-0494 deploys backdoors like Supper (SocksShell or ZAPCAT) and AnyDesk for remote access, further compromising networks.1May 26, 2026
ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
the hacker newsNews
Nov 11, 2025
GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites

Operates the initial GootLoader infection/access stage that is later handed off to other actors (e.g., Vanilla Tempest).

Read more
cyberwarzoneNews
Nov 11, 2025
GootLoader Returns with Novel WOFF2 Font Obfuscation and WordPress Exploits - Cyberwarzone

Follows GootLoader intrusions to further compromise networks, deploying remote access backdoors and enabling attack chains that often culminate in ransomware deployment.

Read more
register securityNews
Nov 6, 2025
Gootloader malware back for the attack, serves up ransomware

Operates Gootloader for initial access, then hands off compromised environments to Vanilla Tempest for post-exploitation and ransomware deployment.

Read more
scworldNews
Nov 6, 2025
New Gootloader attacks drop Supper SOCKS5 backdoor

Uses Gootloader as an initial access mechanism and brokers/feeds that access to another group (Vanilla Tempest) for follow-on operations leading to ransomware deployment.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping2

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal3

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.