Storm-0249

Also known as: DEV-0249 · Storm-0249

Profile

Storm-0249 is an access broker active since 2021, known for distributing BazaLoader, IcedID, Bumblebee, and Emotet malware. The actor primarily employs phishing emails to deliver malware payloads, as evidenced by a campaign involving tax-themed emails that aimed to distribute BRc4 and Latrodectus malware. Storm-0249 has facilitated initial access for other threat actors, such as Storm-0501, by leveraging compromised credentials and exploiting known vulnerabilities in public-facing servers. Microsoft has detected malicious PDF attachments associated with Storm-0249's phishing campaigns.

Aliases · 2

DEV-0249 · Storm-0249

References

  1. https://www.microsoft.com/en-us/security/blog/2025/04/03/threat-actors-leverage-tax-season-to-deploy-tax-themed-phishing-campaigns/
  2. https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-november-2023/ba-p/3970796

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. Storm-2949 (Actor)
  2. Storm-0324 (Actor)
  3. Storm-0539 (Actor)
  4. Storm-0506 (Actor)
  5. HIVE-0145 (Actor)
  6. Storm-1674 (Actor)

Sourced from MISP-Galaxy Threat Actor cluster. Curated by Adam Lundqvist, Founder at SQUR.