Home/ Threat Actors/ Storm-1811

🌐Storm-1811

🌐 Storm-1811 is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 31 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1046) ↗

14Use cases

0Articles

31Techniques

0IOCs

About this actor (MITRE)

[Storm-1811](https://attack.mitre.org/groups/G1046) is a financially-motivated entity linked to [Black Basta](https://attack.mitre.org/software/S1070) ransomware deployment. [Storm-1811](https://attack.mitre.org/groups/G1046) is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim email inboxes with non-malicious spam to prompt a fake "help desk" interaction leading to the deployment of adversary tools and capabilities.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)(Citation: RedCanary Storm-1811 2024)(Citation: RedC

Known aliases

Storm-1811

Top techniques

T1021.002 · SMB/Windows Admin Shares T1021.004 · SSH T1027.013 · Encrypted/Encoded File

All other tracked techniques

T1033 · System Owner/User Discovery T1036 · Masquerading T1036.005 · Match Legitimate Resource Name or Location T1036.010 · Masquerade Account Name T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol T1056 · Input Capture T1059.001 · PowerShell T1059.003 · Windows Command Shell T1074.001 · Local Data Staging T1087.002 · Domain Account T1105 · Ingress Tool Transfer T1140 · Deobfuscate/Decode Files or Information T1204.002 · Malicious File T1219.002 · Remote Desktop Software T1222.001 · Windows Permissions T1482 · Domain Trust Discovery T1486 · Data Encrypted for Impact T1547.001 · Registry Run Keys / Startup Folder T1566.002 · Spearphishing Link T1566.003 · Spearphishing via Service T1566.004 · Spearphishing Voice T1570 · Lateral Tool Transfer T1574.001 · DLL T1583.001 · Domains T1585.003 · Cloud Accounts T1588.002 · Tool T1667 · Email Bombing T1684.001 · Impersonation

Detection use cases (14)

Storm-1811 / Black Basta — Quick Assist (quickassist.exe) spawning LOLBins or scripting hosts AI · profile SΣ Storm-1811 email-bomb followed by remote-support tool launch on the bombed user's device AI · profile S Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match Package manager lifecycle hook spawns network-fetching shell or runtime MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match Service-process parent spawns subprocess containing CLI-argument-injection tokens MITRE match