Clankerusecase
Threat-actor profile

Storm-0501

Storm-0501 is a tracked threat actor in the Clankerusecase corpus. Alignment: unknown. Primary motivation: unknown. We map 14 detection use cases to this actor across 42 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

- Use cases: 14
- Articles: 0
- Techniques: 42
- IOCs: 0

About this actor (MITRE)

[Storm-0501](https://attack.mitre.org/groups/G1053) is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. [Storm-0501](https://attack.mitre.org/groups/G1053) has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, [BlackCat](https://attack.mitre.org/software/S1068), Hunters International, [LockBit 3.0](https://attack.mitre.org/software/S1202), and [Embargo](https://attack.mitre.org/software/S1247) ransomware.(Citation: Avertium Stor

Known aliases

Storm-0501

Top techniques

All other tracked techniques

Detection use cases (14)

- Storm-0501 Entra ID federated-domain backdoor (Golden SAML pivot) (AI · profile)
- Storm-0501 AAD Connect Sync (MSOL_/Sync_) account abuse from non-Connect host (AI · profile)
- 1Password failed sign-in burst (MITRE match)
- 1Password vault export attempted (MITRE match)
- Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes (MITRE match)
- Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) (MITRE match)
- npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules (MITRE match)
- OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay (MITRE match)
- Package-install lifecycle script harvests local credentials and beacons to a non-baselined domain (MITRE match)
- Package-manager child process credential fan-out with public egress (Mini Shai-Hulud / TeamPCP worm chain) (MITRE match)
- Sub-admin grants Owner/Administrator role, then grantee signs in from a different source within 60 minutes (MITRE match)
- Vendor / Third-Party OAuth App or SP Sign-in From Unbaselined Egress Followed by Bulk SaaS Object Read (MITRE match)
- Abnormal Security: brute-force attack detected (MITRE match)
- Abnormal Security: login from new location (MITRE match)