SYMBOLCOMMON_NAMEaka. SYNONYMS

Storm-0249  (Back to overview)

aka: DEV-0249

Storm-0249 is an access broker active since 2021, known for distributing BazaLoader, IcedID, Bumblebee, and Emotet malware. The actor primarily employs phishing emails to deliver malware payloads, as evidenced by a campaign involving tax-themed emails that aimed to distribute BRc4 and Latrodectus malware. Storm-0249 has facilitated initial access for other threat actors, such as Storm-0501, by leveraging compromised credentials and exploiting known vulnerabilities in public-facing servers. Microsoft has detected malicious PDF attachments associated with Storm-0249's phishing campaigns.


Associated Families
js.gootloader

References
2025-04-24MandiantMandiant
M-Trends 2025 Report
Akira Black Basta LockBit SystemBC GootLoader LockBit WIREFIRE Akira Black Basta Cobalt Strike LockBit RansomHub SystemBC
2025-04-03MicrosoftMicrosoft Threat Intelligence
Threat actors leverage tax season to deploy tax-themed phishing campaigns
Brute Ratel C4 CloudEyE Latrodectus Remcos Storm-0249
2025-03-31GootLoader Wordpressgootloadersites
Gootloader Returns: Malware Hidden in Google Ads for Legal Documents
GootLoader
2025-02-28KrebsOnSecurityBrian Krebs
Notorious Malware, Spam Host “Prospero” Moves to Kaspersky Lab
FAKEUPDATES GootLoader
2024-11-21IntrinsecCTI Intrinsec, Intrinsec
PROSPERO & Proton66: Uncovering the links between bulletproof networks
Coper SpyNote FAKEUPDATES GootLoader EugenLoader
2024-11-20IntrinsecEquipe CTI
PROSPERO & Proton66: Tracing Uncovering the links between bulletproof networks
Coper SpyNote FAKEUPDATES GootLoader EugenLoader IcedID Matanbuchus Nokoyawa Ransomware Pikabot
2024-11-06SophosAsha Castle, Hikaru Koike, Sean Gallagher, Trang Tang
Bengal cat lovers in Australia get psspsspss’d in Google-driven Gootloader campaign
GootLoader
2024-11-01Googleandy2002a
Finding Malware: Detecting GOOTLOADER with Google Security Operations.
GootLoader
2024-09-18Twitter (@MsftSecIntel)Microsoft
Tweet about threat actor Vanilla Tempest
INC GootLoader Storm-0494
2024-08-20Intel 471Intel 471
Threat Hunting Case Study: Tracking Down GootLoader
GootLoader
2024-06-24GootLoader Wordpressgootloadersites
Gootloader’s New Hideout Revealed: The Malware Hunt in WordPress’ Shadows
GootLoader
2024-05-13Malsada TechAaron Samala
Gootloader Isn’t Broken
GootLoader
2024-02-26The DFIR ReportThe DFIR Report
SEO Poisoning to Domain Control: The Gootloader Saga Continues
GootLoader
2024-02-14GootLoader Wordpressgootloadersites
My-Game Retired? Latest Changes to Gootloader
GootLoader
2023-12-09Github (struppigel)Karsten Hahn
AST based GootLoader unpacker, C2 extractor and deobfuscator
GootLoader
2023-11-07SOCRadarSOCRadar
New Gootloader Variant “GootBot” Changes the Game in Malware Tactics
GootLoader Cobalt Strike UNC2565
2023-11-06Security IntelligenceGolo Mühr, Ole Villadsen
GootBot – Gootloader’s new approach to post-exploitation
GootLoader UNC2565
2023-11-02MicrosoftHeike Ritter
Monthly news - November 2023
Storm-0249 Storm-0539
2023-08-10TrustwaveRodel Mendrez
Gootloader: Why your Legal Document Search May End in Misery
GootLoader
2023-06-23KrollGeorge Glass, Keith Wojcieszek, Ryan Hicks
Deep Dive into GOOTLOADER Malware and Its Infection Chain
GootLoader
2023-06-22ReliaquestCaroline Fenstermacher
Goot to Loot - How a Gootloader Infection Led to Credential Access
GootLoader SystemBC
2023-04-26eSentireJoe Stewart, Keegan Keplinger
Gootloader Unloaded: Researchers Launch Multi-Pronged Offensive Against Gootloader, Cutting Off Traffic to Thousands of Gootloader Web Pages and Using the Operator’s Very Own Tactics to Protect End-Users
GootLoader
2023-02-14CybereasonCybereason Incident Response (IR) team
GootLoader - SEO Poisoning and Large Payloads Leading to Compromise
GootLoader Cobalt Strike SystemBC
2023-01-26MandiantAndy Morales, Govand Sinjari
Welcome to Goot Camp: Tracking the Evolution of GOOTLOADER Operations
GootLoader UNC2565
2023-01-12eSentireeSentire
Gootloader Malware Leads to Cobalt Strike and Hand-on-Keyboard Activity
GootLoader
2023-01-09TrendmicroFe Cureg, Hitomi Kimura, Ryan Maglaque, Trent Bessell
Gootkit Loader Actively Targets Australian Healthcare Industry
GootLoader GootKit
2023-01-05gootloadersites
What is Gootloader?
GootLoader
2023-01-05gootloadersites
Gootloader Command & Control
GootLoader
2022-12-07eSentireeSentire Threat Response Unit (TRU)
GootLoader Striking with a New Infection Technique
GootLoader
2022-07-20NVISO LabsSasja Reynaert
Analysis of a trojanized jQuery script: GootLoader unleashed
GootLoader Cobalt Strike
2022-07-14BlackberryThe BlackBerry Research & Intelligence Team
GootLoader, From SEO Poisoning to Multi-Stage Downloader
GootLoader
2022-06-05Dino HacksNiranjan Hegde
Loading GootLoader
GootLoader
2022-05-12Red CanaryLauren Podber, Tony Lambert
Gootloader and Cobalt Strike malware analysis
GootLoader Cobalt Strike
2022-05-12Red CanaryLauren Podber, Tony Lambert
The Goot cause: Detecting Gootloader and its follow-on activity
GootLoader Cobalt Strike
2022-05-09The DFIR ReportThe DFIR Report
SEO Poisoning – A Gootloader Story
GootLoader LaZagne Cobalt Strike GootKit
2022-05-04HPPatrick Schläpfer
Tips for Automating IOC Extraction from GootLoader, a Changing JavaScript Malware
GootLoader
2022-02-26MandiantMandiant
TRENDING EVIL Q1 2022
KEYPLUG FAKEUPDATES GootLoader BazarBackdoor QakBot
2021-08-25RiskIQJordan Herman
EITest: Linkages to the Ongoing Malware Delivery Campaign Referred to as "Gootloader"
GootLoader
2021-08-12SophosAndrew Brandt, Gabor Szappanos
Gootloader’s “mothership” controls malicious content
GootLoader
2021-06-16SentinelOneAntonio Pirozzi
Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets
GootLoader

Credits: MISP Project