Storm-0501 has been leveraging cloud-native capabilities for data exfiltration and deletion, without deploying file-encrypting malware.
August 29, 2025 By Ionut Arghire
The financially motivated threat actor tracked as Storm-0501 has shifted its focus to targeting cloud environments for data theft and extortion, Microsoft warns.
Active since at least 2021, Storm-0501 is known for using various ransomware families, including Sabbath, Alphv/BlackCat, Hive, Hunters International, LockBit, and Embargo, in attacks against on-premises and hybrid cloud environments.
Last year, the hacking group was seen compromising Active Directory environments, moving to Entra ID, escalating privileges to global administrator, implanting backdoors in Entra ID tenant configurations, and deploying on-premises ransomware for file encryption.