Storm-0501

Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware.[1][2][3][4]

ID: G1053
Version: 1.0
Created: 19 October 2025
Last Modified: 24 October 2025

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Storm-0501 has utilized an obfuscated version of the Active Directory reconnaissance tool ADRecon.ps1 (obfs.ps1 or recon.ps1) to discover domain accounts.[2]

Enterprise T1087 .004 Account Discovery: Cloud Account

Storm-0501 has conducted enumeration of users, roles, and resources within victim Azure tenants using the tool Azurehound.[3]

Enterprise T1098 .001 Account Manipulation: Additional Cloud Credentials

Storm-0501 has reset the password of identified administrator accounts that lack MFA and registered their own MFA method.[3]

Enterprise T1098 .003 Account Manipulation: Additional Cloud Roles

Storm-0501 has elevated their access to Azure resources using Microsoft.Authorization/elevateAccess/action and Microsoft.Authorization/roleAssignments/write operations to gain User Access Administrator and Owner Azure roles over the victims’ Azure subscriptions.[3]

Enterprise T1110 Brute Force

Storm-0501 has leveraged brute force attacks to obtain credentials.[2]

Enterprise T1580 Cloud Infrastructure Discovery

Storm-0501 has enumerated compromised cloud environments to identify critical assets, data stores, and backup resources.[3]

Enterprise T1526 Cloud Service Discovery

Storm-0501 has discovered the victim environment’s protections to include Azure policies, resource locks, and Azure Storage immutability policies.[3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Storm-0501 has leveraged PowerShell to execute commands and scripts.[2][3]

Enterprise T1059 .009 Command and Scripting Interpreter: Cloud API
</gml_replace>
<gr_replace lines="51" cat="clarify" orig="Storm-0501 has stolen">
Storm-0501 has stolen credentials contained in the password manager KeePass by utilizing Find-KeePassConfig.ps1.[2]

Storm-0501 has leveraged Cloud CLI to execute commands and exfiltrate data from compromised environments.[3]

Enterprise T1555 .005 Credentials from Password Stores: Password Managers

Storm-0501 has stolen credentials contained in the password manager Keepass by utilizing Find-KeePassConfig.ps1.[2]

Enterprise T1555 .006 Credentials from Password Stores: Cloud Secrets Management Stores

Storm-0501 has utilized Azure Key Vault to store the encryption key using the operation Microsoft.KeyVault/Vaults/write.[3]

Enterprise T1485 Data Destruction

Storm-0501 has destroyed data and backup files.[3]

Enterprise T1486 Data Encrypted for Impact

Storm-0501 has encrypted files in victim environments using ransomware as a service (RaaS) including Sabbath, Hive, BlackCat, Hunters International, LockBit 3.0 and Embargo ransomware.[3]

Enterprise T1530 Data from Cloud Storage

Storm-0501 has modified Azure Storage account resources through the Microsoft.Storage/storageAccounts/write operation to expose storage accounts that were not remotely accessible, enabling data exfiltration.[3]

Enterprise T1587 .003 Develop Capabilities: Digital Certificates

Storm-0501 has utilized their own self-signed TLS certificate "Microsoft IT TLS CA 5" with their infrastructure.[4]

Enterprise T1484 .001 Domain or Tenant Policy Modification: Group Policy Modification

Storm-0501 distributed Group Policy Objects to tamper with security products.[2]

Enterprise T1484 .002 Domain or Tenant Policy Modification: Trust Modification

Storm-0501 created a new federated domain within the victim Microsoft Entra tenant using Global Administrator level access to establish a persistent backdoor for later use.[2][3]

Enterprise T1482 Domain Trust Discovery

Storm-0501 has used the native Windows utility Nltest (nltest.exe) for discovery.[2]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Storm-0501 has exfiltrated stolen data to the MEGA file sharing site.[4] Storm-0501 has also utilized Rclone to exfiltrate data from victim environments to cloud storage such as MegaSync.[2] Storm-0501 has exfiltrated data to their own infrastructure utilizing AzCopy Command-Line tool (CLI).[3]

Enterprise T1190 Exploit Public-Facing Application

Storm-0501 has exploited N-day vulnerabilities in public-facing services to gain initial access to victim environments, including Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler "Citrix Bleed" (CVE-2023-4966), and Adobe ColdFusion 2016 (CVE-2023-29300 or CVE-2023-38203).[2]

Enterprise T1657 Financial Theft

Storm-0501 has engaged in double-extortion ransomware, exfiltrating data and directly contacting victims when the primary organization refuses to pay along with posting data on their data leak sites.[1][3][4]

Enterprise T1490 Inhibit System Recovery

Storm-0501 has deleted snapshots, restore points, storage accounts, and backup services to prevent remediation and restoration.[3] Storm-0501 has also impacted Azure resources through the targeting of Microsoft.Compute/snapshots/delete, Microsoft.Compute/restorePointCollections/delete, Microsoft.Storage/storageAccounts/delete, and Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/delete.[3]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Storm-0501 has utilized Rclone masqueraded as svhost.exe and scvhost.exe.[2]

Enterprise T1556 .009 Modify Authentication Process: Conditional Access Policies

Storm-0501 has registered their own MFA method and leveraged a victim hybrid-joined server to circumvent Conditional Access Policies.[3]

Enterprise T1578 .003 Modify Cloud Compute Infrastructure: Delete Cloud Instance

Storm-0501 has conducted mass deletion of cloud data stores and resources from Azure subscriptions.[3]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Storm-0501 has used Themida to pack Cobalt Strike payloads.[4]

Enterprise T1588 .006 Obtain Capabilities: Vulnerabilities

Storm-0501 has obtained capabilities to exploit N-day vulnerabilities in public-facing services to gain initial access to victim environments, including Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler "Citrix Bleed" (CVE-2023-4966), and Adobe ColdFusion 2016 (CVE-2023-29300 or CVE-2023-38203).[2]

Enterprise T1003 OS Credential Dumping

Storm-0501 has used the SecretsDump module within Impacket, which can perform credential dumping to obtain account and password information.[2]

Enterprise T1003 .006 OS Credential Dumping: DCSync

Storm-0501 has utilized DCSync to extract credentials from victims.[3]

Enterprise T1057 Process Discovery

Storm-0501 has discovered running processes through tasklist.exe.[2]

Enterprise T1219 .002 Remote Access Tools: Remote Desktop Software

Storm-0501 has used legitimate remote monitoring and management (RMM) tools including AnyDesk, NinjaOne, and Level.io.[2]

Enterprise T1021 .006 Remote Services: Windows Remote Management

Storm-0501 has utilized the post-exploitation tool known as Evil-WinRM that uses PowerShell over Windows Remote Management (WinRM) for remote code execution.[3]

Enterprise T1021 .007 Remote Services: Cloud Services

Storm-0501 has used a compromised Entra Connect Sync server to move laterally within the victim environment.[3]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Storm-0501 has used a scheduled task named "SysUpdate", registered via GPO on devices in the network, to distribute the Embargo ransomware.[2]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Storm-0501 has detected endpoint security solutions using sc query sense and sc query windefend.[3]

Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

Storm-0501 has launched Cobalt Strike Beacon files using regsvr32.exe.[2]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Storm-0501 has launched Cobalt Strike Beacon files with rundll32.exe.[2]

Enterprise T1082 System Information Discovery

Storm-0501 has leveraged native Windows tools and commands such as systeminfo and open-source tools including OSQuery and ossec-win32 to query details about the endpoint.[2]

Enterprise T1614 .001 System Location Discovery: System Language Discovery

Storm-0501 has identified system language codes on a compromised host to determine whether the victim falls under a language code that is excluded from targeting, including victims associated with Russia and other Commonwealth of Independent States (CIS) countries, since attacking them may draw the attention of law enforcement in countries where the ransomware operator or affiliates reside or operate.[1][4]

Enterprise T1537 Transfer Data to Cloud Account

Storm-0501 has copied data from the victim's environment to their own infrastructure leveraging the AzCopy CLI.[3]

Enterprise T1552 .004 Unsecured Credentials: Private Keys

Storm-0501 has leveraged the Azure Owner role to access and steal the Storage Account Access keys using the Microsoft.Storage/storageAccounts/listkeys/action operation.[3]

Enterprise T1078 .004 Valid Accounts: Cloud Accounts

Storm-0501 has leveraged compromised accounts to access Microsoft Entra Connect, which synchronizes on-premises identities with Microsoft Entra identities and allows users to sign in to both environments with the same password.[2] Storm-0501 has also used a victim Global Administrator account that lacked any registered MFA method to access victim cloud environments.[3] Storm-0501 has leveraged Storage Account Access Keys within the victim environment.[3]
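Several of the cloud entries above (Additional Cloud Roles, Cloud Secrets Management Stores, Data from Cloud Storage, Inhibit System Recovery, Delete Cloud Instance, Unsecured Credentials: Private Keys) are expressed as Azure Resource Manager operation names, which is exactly what lands in the Azure Activity Log. The following is an added detection example, not code from MITRE or from the cited reports: it triages a batch of activity-log records, labels each watched operation with the technique it was observed under on this page, and raises a separate alert when one caller issues several delete operations in a short window. The record shape (operationName, caller, eventTimestamp, resourceId) is a simplified assumption about the Activity Log schema, and the records themselves are constructed for the example.

```python
"""Triage Azure Activity Log records for the control-plane operations named in
the Storm-0501 profile. Added example; log records below are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Operation names from the technique descriptions above, keyed lowercase because
# Activity Log casing varies between exports. Values only label the alert.
WATCHED_OPERATIONS = {
    "microsoft.authorization/elevateaccess/action": "T1098.003 Additional Cloud Roles",
    "microsoft.authorization/roleassignments/write": "T1098.003 Additional Cloud Roles",
    "microsoft.keyvault/vaults/write": "T1555.006 Cloud Secrets Management Stores",
    "microsoft.storage/storageaccounts/write": "T1530 Data from Cloud Storage",
    "microsoft.storage/storageaccounts/listkeys/action": "T1552.004 Private Keys",
    "microsoft.compute/snapshots/delete": "T1490 Inhibit System Recovery",
    "microsoft.compute/restorepointcollections/delete": "T1490 Inhibit System Recovery",
    "microsoft.storage/storageaccounts/delete": "T1490 Inhibit System Recovery",
    "microsoft.recoveryservices/vaults/backupfabrics/protectioncontainers/delete":
        "T1490 Inhibit System Recovery",
}

# Mass deletion (T1578.003): this many deletes by one caller inside the window.
DELETE_BURST_THRESHOLD = 3
DELETE_BURST_WINDOW = timedelta(minutes=10)

# Constructed sample (placeholder subscription id, hypothetical principals).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_RECORDS = [
    {"eventTimestamp": "2025-01-10T02:14:05Z", "caller": "ga-admin@contoso.example",
     "operationName": "Microsoft.Authorization/elevateAccess/action",
     "resourceId": "/providers/Microsoft.Authorization"},
    {"eventTimestamp": "2025-01-10T02:15:40Z", "caller": "ga-admin@contoso.example",
     "operationName": "Microsoft.Authorization/roleAssignments/write",
     "resourceId": SUB + "/providers/Microsoft.Authorization/roleAssignments/ra-1"},
    {"eventTimestamp": "2025-01-10T02:20:11Z", "caller": "ga-admin@contoso.example",
     "operationName": "Microsoft.Storage/storageAccounts/listKeys/action",
     "resourceId": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/prodbackups"},
    {"eventTimestamp": "2025-01-10T02:31:00Z", "caller": "ga-admin@contoso.example",
     "operationName": "Microsoft.Compute/snapshots/delete",
     "resourceId": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/snapshots/vm01-daily"},
    {"eventTimestamp": "2025-01-10T02:31:07Z", "caller": "ga-admin@contoso.example",
     "operationName": "Microsoft.Compute/restorePointCollections/delete",
     "resourceId": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/restorePointCollections/rpc-vm01"},
    {"eventTimestamp": "2025-01-10T02:31:15Z", "caller": "ga-admin@contoso.example",
     "operationName": "Microsoft.Storage/storageAccounts/delete",
     "resourceId": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/prodbackups"},
    # Routine change by a different principal; must not alert.
    {"eventTimestamp": "2025-01-10T09:02:00Z", "caller": "ops-pipeline@contoso.example",
     "operationName": "Microsoft.Compute/virtualMachines/write",
     "resourceId": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web01"},
]


def classify(record):
    """Return the technique label for a watched operation, else None."""
    return WATCHED_OPERATIONS.get(record.get("operationName", "").lower())


def _parse_ts(ts):
    # fromisoformat() on older Pythons rejects a trailing 'Z'; normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _has_burst(hits, threshold, window):
    """True if any `threshold` consecutive hits (sorted by time) fit in `window`."""
    times = sorted(_parse_ts(h["time"]) for h in hits)
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))


def triage(records, threshold=DELETE_BURST_THRESHOLD, window=DELETE_BURST_WINDOW):
    """Return {'hits': per-record alerts, 'bursts': per-caller mass-delete alerts}."""
    hits, deletes_by_caller = [], defaultdict(list)
    for rec in records:
        technique = classify(rec)
        if technique is None:
            continue
        hit = {"time": rec.get("eventTimestamp"), "caller": rec.get("caller"),
               "operation": rec["operationName"], "technique": technique,
               "resource": rec.get("resourceId")}
        hits.append(hit)
        if hit["operation"].lower().endswith("/delete"):
            deletes_by_caller[hit["caller"]].append(hit)
    bursts = [{"caller": c, "technique": "T1578.003 Delete Cloud Instance",
               "delete_count": len(h), "resources": [x["resource"] for x in h]}
              for c, h in deletes_by_caller.items() if _has_burst(h, threshold, window)]
    return {"hits": hits, "bursts": bursts}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORDS), indent=2))
```

In production the same lookup would run over the Activity Log export (Log Analytics or an Event Hub feed), and the elevateAccess and roleAssignments/write hits deserve their own priority even without a delete burst, since they precede the destructive steps in the sequence the page describes.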

Software

ID Name References Techniques
S0677 AADInternals Storm-0501 used the PowerShell module AADInternals to create a backdoor within the victim tenant, allowing the impersonation of any user in the organization and bypassing MFA to sign in to any application, including Office 365.[2] Account Discovery: Cloud Account, Account Manipulation: Device Registration, Cloud Administration Command, Cloud Service Discovery, Command and Scripting Interpreter: PowerShell, Create Account: Cloud Account, Data from Cloud Storage, Domain or Tenant Policy Modification: Trust Modification, Exfiltration Over Alternative Protocol, Forge Web Credentials: SAML Tokens, Gather Victim Identity Information: Email Addresses, Gather Victim Network Information: Domain Properties, Modify Authentication Process: Hybrid Identity, Modify Authentication Process: Multi-Factor Authentication, Modify Registry, OS Credential Dumping: LSA Secrets, Permission Groups Discovery: Cloud Groups, Phishing: Spearphishing Link, Phishing for Information: Spearphishing Link, Steal Application Access Token, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys
S0154 Cobalt Strike Storm-0501 has utilized Cobalt Strike for C2 communications and used a unique "license_id" of "666."[2] Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol or Service Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S1247 Embargo Storm-0501 has used Embargo for ransomware activities.[2][3] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encrypted for Impact, Deobfuscate/Decode Files or Information, Execution Guardrails: Mutual Exclusion, Exploitation for Privilege Escalation, File and Directory Discovery, Financial Theft, Impair Defenses: Safe Mode Boot, Indicator Removal: File Deletion, Inhibit System Recovery, Modify Registry, Native API, Network Share Discovery, Obfuscated Files or Information: Encrypted/Encoded File, Process Discovery, Scheduled Task/Job: Scheduled Task, Selective Exclusion, Service Stop, System Service Discovery, System Services: Service Execution
S0357 Impacket Storm-0501 has used Impacket to extract credentials over the network and from victim devices.[2] Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Lateral Tool Transfer, Network Sniffing, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Ccache Files, System Services: Service Execution, Windows Management Instrumentation
S0039 Net Storm-0501 has used the Net utility on the Windows operating system.[2][3] Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0359 Nltest Storm-0501 has used the native Windows utility Nltest (nltest.exe) for discovery.[2] Domain Trust Discovery, Remote System Discovery, System Network Configuration Discovery
S1040 Rclone Storm-0501 has utilized Rclone for data exfiltration.[2] Archive Collected Data: Archive via Utility, Data Transfer Size Limits, Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Web Service: Exfiltration to Cloud Storage, File and Directory Discovery
S0057 Tasklist Storm-0501 discovered running processes through tasklist.exe.[2] Process Discovery, Software Discovery: Security Software Discovery, System Service Discovery
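The endpoint-side entries above give a handful of concrete host indicators: Rclone masqueraded as svhost.exe or scvhost.exe (T1036.004), sc query sense and sc query windefend (T1518.001), Cobalt Strike Beacon launched through regsvr32.exe and rundll32.exe (T1218.010/.011), and a scheduled task named SysUpdate (T1053.005). The following is an added example, not code from MITRE or the cited reports, that turns those indicators into rules over process-creation events. The event shape (Image, CommandLine, User, as in Sysmon Event ID 1) is assumed, the events are constructed, and two rules generalise slightly beyond the page: the masquerade rule catches any .exe whose name is within edit distance 2 of svchost.exe (which covers both observed aliases), and the proxy-execution rule only fires when the DLL sits under a user-writable path, so routine system rundll32 use stays quiet.

```python
"""Rules over process-creation events for the host indicators in the Storm-0501
profile. Added example; events below are constructed, not real telemetry."""
import ntpath
import re

SVCHOST = "svchost.exe"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed sample events (hypothetical hosts/users).
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\Public\\svhost.exe", "CommandLine": "svhost.exe --config C:\\Users\\Public\\r.conf", "User": "CONTOSO\\bob"},
    {"Image": "C:\\ProgramData\\scvhost.exe", "CommandLine": "scvhost.exe --config C:\\ProgramData\\r.conf", "User": "CONTOSO\\bob"},
    {"Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs -p", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": "C:\\Windows\\System32\\sc.exe", "CommandLine": "sc.exe query sense", "User": "CONTOSO\\bob"},
    {"Image": "C:\\Windows\\System32\\sc.exe", "CommandLine": "sc query windefend", "User": "CONTOSO\\bob"},
    {"Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s C:\\Users\\bob\\AppData\\Local\\Temp\\update.dll", "User": "CONTOSO\\bob"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Windows\\Temp\\x.dll,Start", "User": "CONTOSO\\bob"},
    {"Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks.exe /create /tn SysUpdate /xml C:\\Users\\Public\\t.xml", "User": "CONTOSO\\bob"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL", "User": "CONTOSO\\alice"},
]


def levenshtein(a, b):
    """Plain edit distance; small enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _under(path, prefixes):
    return path.lower().startswith(prefixes)


def inspect_event(ev):
    """Return a list of (technique, severity, reason) for one process event."""
    image = ev.get("Image", "")
    name = ntpath.basename(image).lower()
    cmd = ev.get("CommandLine", "").lower()
    findings = []

    # T1036.004: look-alike of svchost.exe (svhost.exe, scvhost.exe, ...), or
    # the real name running from outside the system directories.
    if name != SVCHOST and name.endswith(".exe") and levenshtein(name, SVCHOST) <= 2:
        findings.append(("T1036.004", "high", f"{name} mimics svchost.exe (from {image})"))
    elif name == SVCHOST and not _under(image, SYSTEM_DIRS):
        findings.append(("T1036.004", "high", f"svchost.exe running from {image}"))

    # T1518.001: probing Defender for Endpoint (sense) / Defender AV (windefend).
    m = re.search(r"\bsc(?:\.exe)?\s+query\s+(sense|windefend)\b", cmd)
    if m:
        findings.append(("T1518.001", "medium", f"security service probe: sc query {m.group(1)}"))

    # T1218.010/.011: regsvr32/rundll32 loading a DLL from a user-writable path.
    if name in ("regsvr32.exe", "rundll32.exe"):
        dlls = re.findall(r"[a-z]:\\[^\s,]+\.dll", cmd)
        if any(_under(d, USER_WRITABLE) for d in dlls):
            tech = "T1218.010" if name == "regsvr32.exe" else "T1218.011"
            findings.append((tech, "high", f"{name} loading DLL from user-writable path"))

    # T1053.005: the task name observed on this page, regardless of how it was registered.
    if name == "schtasks.exe" and "/create" in cmd and re.search(r'/tn\s+"?sysupdate\b', cmd):
        findings.append(("T1053.005", "high", "scheduled task named SysUpdate created"))
    return findings


def triage_events(events):
    """Flatten per-event findings into alert dicts."""
    return [{"technique": t, "severity": s, "image": ev.get("Image"),
             "user": ev.get("User"), "reason": why}
            for ev in events for t, s, why in inspect_event(ev)]


if __name__ == "__main__":
    for alert in triage_events(SAMPLE_EVENTS):
        print(f'{alert["severity"]:6} {alert["technique"]}  {alert["reason"]}')
```

The regsvr32/rundll32 rule will still miss a Beacon DLL dropped under a system directory, which is why the masquerade and SysUpdate rules are kept independent of it; in practice these rules would be corroborated with the GPO change and the sc query activity preceding deployment rather than treated as standalone verdicts.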

References