>samit_hota
Back to adversary profiles
G1046HighActive

Storm-1811: Financially Motivated Ransomware Affiliate

Samit Hota·
Suspected Origin
Unknown
Motivation
Financial Gain
Aliases
None documented
Target Sectors
Healthcare, Financial Services, Professional Services, Manufacturing, Construction, Food and Beverage, Transportation, Unspecified
Associated Malware
Black Basta, QakBot, Cobalt Strike, SystemBC, EvilProxy, Quick Assist, ScreenConnect, NetSupport Manager, AnyDesk, Impacket, PsExec, OpenSSH
#threat-actor#g1046

Overview

Storm-1811, identified by MITRE ATT&CK as G1046, is a persistent and highly effective financially-motivated cybercriminal group primarily associated with the deployment of Black Basta ransomware. This threat actor distinguishes itself through sophisticated and unique social engineering tactics, often leveraging a manufactured technical problem to gain initial access to victim environments. Unlike groups that rely solely on technical exploits, Storm-1811 excels at manipulating individuals, demonstrating strong confidence and language skills in their interactions. They operate as an initial access broker (IAB) or affiliate within the ransomware-as-a-service (RaaS) model, specializing in gaining that critical initial foothold, which they then exploit to deploy ransomware or sell access to other Black Basta operators.

Their operations have been consistently observed since at least mid-April 2024 and show no signs of abating, with reports of continued activity into 2025 and late 2024. Storm-1811’s targets are broad and appear to be largely opportunistic, spanning various sectors including healthcare, financial services, professional services, manufacturing, construction, food and beverage, and transportation. Any organization with a help desk and employees accustomed to IT support interactions is a potential target, underscoring the pervasive nature of their social engineering approach. Recent observations also suggest a targeted approach towards executive-level employees, particularly those with female-sounding names, within specific financial, professional, scientific, and technical services sectors.

Tactics & Techniques

Storm-1811’s initial access methods are highly refined, revolving around elaborate social engineering schemes. The group frequently initiates its attacks with “email bombing,” a tactic where they flood a victim’s inbox with a deluge of non-malicious spam or subscription-related emails. This engineered disruption then provides a pretext for a follow-up “vishing” (voice phishing) attack, where Storm-1811 impersonates IT support or help desk personnel. Their goal is to offer assistance in resolving the fabricated spam issue, thereby building trust and coercing the victim into granting remote access to their device.

Beyond traditional vishing, Storm-1811 has also adapted their social engineering to leverage modern collaboration platforms. Since at least May 2024, they have been observed using Microsoft Teams to send messages and initiate calls, spoofing IT support identities to interact with targets. In these interactions, the threat actors persuade users to enable legitimate remote access tools like Microsoft Quick Assist, AnyDesk, TeamViewer, or ScreenConnect. Once remote control is established, often under the guise of installing “spam filter updates” or performing system fixes, Storm-1811 proceeds to download various malicious payloads via scripted curl commands, often delivered as batch files or password-protected ZIP archives. They may also employ EvilProxy-based phishing sites to harvest credentials.

Post-compromise, Storm-1811 employs a range of techniques for persistence, privilege escalation, discovery, and lateral movement. For persistence, they have been observed creating Windows Registry Run keys, establishing SSH tunnels using OpenSSH, and deploying tools like NetSupport Manager as a persistent remote monitoring and management (RMM) backdoor. In a notable evolution of their techniques, a March 2025 campaign potentially linked to Storm-1811 or a splinter group, involved hijacking the Windows Type Library (TypeLib) to redirect Component Object Model (COM) objects to malicious files for persistence. They perform domain account enumeration (T1087.002) to discover sensitive accounts and groups, and utilize whoami.exe to check for administrator privileges. Lateral movement often involves tools like Impacket over SMB and PsExec for remote execution, further entrenching their presence within the network. They also stage captured credentials locally and exfiltrate them via Secure Copy Protocol (SCP).

Notable Campaigns

Storm-1811’s activity has been consistently tracked since mid-April 2024, when Microsoft Threat Intelligence first documented their misuse of Quick Assist in social engineering attacks leading to Black Basta ransomware. Throughout 2024, Microsoft continued to document extensive campaigns targeting thousands of organizations across various sectors, highlighting the group’s widespread impact.

A significant shift in their operational tactics was observed at the end of May 2024, when Storm-1811 began actively using Microsoft Teams as an additional vector for their vishing and social engineering attempts. They created malicious Teams accounts impersonating internal IT or help desk personnel, initiating messages and voice calls to persuade users to grant remote access. Microsoft has since taken steps to mitigate this by suspending identified malicious accounts and tenants.

More recently, in March 2025, security researchers observed a campaign exhibiting Storm-1811’s initial access patterns, but with a novel persistence technique involving Windows Type Library hijacking. This suggests either an evolution in Storm-1811’s capabilities or the emergence of a closely related or splinter group utilizing their established playbook. Red Canary also noted an uptick in Storm-1811 activity in late 2024, reinforcing the group’s ongoing and adaptive nature.

Associated Malware & Tools

Storm-1811 employs a diverse arsenal of legitimate and commodity malicious tools, reflecting a pragmatic approach to achieving their objectives. Their most prominent associated malware is the Black Basta ransomware, which is the ultimate payload for their financially motivated operations.

Beyond the ransomware, their toolkit includes:

  • Initial Access & Remote Control: Legitimate remote monitoring and management (RMM) tools are central to their initial access strategy. This includes Microsoft Quick Assist (a favored tool for its default presence on Windows systems), AnyDesk, ScreenConnect, and NetSupport Manager. These are typically installed by the victim under false pretenses. They also distribute malicious links that redirect to EvilProxy-based phishing sites for credential harvesting.
  • Loaders & Backdoors: QakBot (also known as Qbot) has been a significant component of their attacks, often used as a malware loader to deliver further payloads. They also utilize SystemBC, a commodity remote access trojan (RAT) and proxy tool, for command and control (C2) and persistence.
  • Post-Exploitation Frameworks: Cobalt Strike is a key post-exploitation framework employed for reconnaissance, lateral movement, and establishing beacons for C2.
  • Living-off-the-Land (LotL) Tools & Utilities: Storm-1811 makes extensive use of built-in Windows utilities and scripting languages. This includes PowerShell and Windows Command Shell (batch scripts) for various tasks like creating persistence mechanisms and establishing C2 connections. They use whoami.exe for account discovery, cacls.exe for modifying permissions, and BITSAdmin for downloading payloads. For lateral movement and remote execution, they leverage Impacket (often for SMB relay attacks) and PsExec. They also use OpenSSH for establishing SSH tunnels for persistent access.

Current Status

Storm-1811 remains an active and evolving threat actor. Reports from Microsoft Threat Intelligence and Red Canary confirm ongoing campaigns throughout 2024 and into 2025. While their core methodology of social engineering for initial access remains consistent, they have shown adaptability in their communication channels, notably integrating Microsoft Teams into their vishing attacks. Furthermore, the observed novel persistence techniques in recent campaigns suggest a continuous refinement of their post-exploitation capabilities. Organizations should consider Storm-1811 a high-priority threat due to their proven ability to bypass defenses through human manipulation and their direct link to destructive ransomware deployment. Continued vigilance against social engineering, robust endpoint monitoring, and comprehensive employee awareness training are critical defenses against this group.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call