Threat Actor Profile
High APT
Description

Storm-1811 is a financially-motivated entity linked to Black Basta ransomware deployment. Storm-1811 is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim email inboxes with non-malicious spam to prompt a fake "help desk" interaction leading to the deployment of adversary tools and capabilities.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)(Citation: RedCanary Storm-1811 2024)(Citation: RedCanary June Insights 2024)

Confidence Score
90%
Known Aliases
Storm-1811
Tags
mitre-attack stix-2.1 intrusion-set
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (31)
T1056 - Input Capture
Collection
T1074.001 - Local Data Staging
Collection
T1105 - Ingress Tool Transfer
Command and Control
T1219.002 - Remote Desktop Software
Command and Control
T1027.013 - Encrypted/Encoded File
Defense Evasion
T1036 - Masquerading
Defense Evasion
T1036.005 - Match Legitimate Resource Name or Locat…
Defense Evasion
T1036.010 - Masquerade Account Name
Defense Evasion
T1140 - Deobfuscate/Decode Files or Information
Defense Evasion
T1222.001 - Windows File and Directory Permissions …
Defense Evasion
T1656 - Impersonation
Defense Evasion
T1033 - System Owner/User Discovery
Discovery
T1087.002 - Domain Account
Discovery
T1482 - Domain Trust Discovery
Discovery
T1059.001 - PowerShell
Execution
T1059.003 - Windows Command Shell
Execution
T1204.002 - Malicious File
Execution
T1048.002 - Exfiltration Over Asymmetric Encrypted …
Exfiltration
T1486 - Data Encrypted for Impact
Impact
T1667 - Email Bombing
Impact
T1566.002 - Spearphishing Link
Initial Access
T1566.003 - Spearphishing via Service
Initial Access
T1566.004 - Spearphishing Voice
Initial Access
T1021.002 - SMB/Windows Admin Shares
Lateral Movement
T1021.004 - SSH
Lateral Movement
T1570 - Lateral Tool Transfer
Lateral Movement
T1547.001 - Registry Run Keys / Startup Folder
Persistence
T1574.001 - DLL
Persistence
T1583.001 - Domains
Resource Development
T1585.003 - Cloud Accounts
Resource Development
T1588.002 - Tool
Resource Development
STIX Data
{
  "aliases": ["Storm-1811"],
  "created": "2025-03-14T12:48:44.771Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "description": "[Storm-1811](https://attack.mitre.org/groups/G1046) is a financially-motivated entity linked to [Black Basta](https://attack.mitre.org/software/S1070) ransomware deployment. [Storm-1811](https://attack.mitre.org/groups/G1046) is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim email inboxes with non-malicious spam to prompt a fake \"help desk\" interaction leading to the deployment of adversary tools and capabilities.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)(Citation: RedCanary Storm-1811 2024)(Citation: RedCanary June Insights 2024)",
  "external_references": [
    {
      "external_id": "G1046",
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/groups/G1046"
    },
    {
      "description": "Microsoft Threat Intelligence. (2024, May 15). Threat actors misusing Quick Assist in social engineering attacks leading to ransomware. Retrieved March 14, 2025.",
      "source_name": "Microsoft Storm-1811 2024",
      "url": "https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/"
    },
    {
      "description": "Red Canary Intelligence. (2024, December 2). Storm-1811 exploits RMM tools to drop Black Basta ransomware. Retrieved March 14, 2025.",
      "source_name": "RedCanary Storm-1811 2024",
      "url": "https://redcanary.com/blog/threat-intelligence/storm-1811-black-basta/"
    },
    {
      "description": "The Red Canary Team. (2024, June 20). Intelligence Insights: June 2024. Retrieved March 14, 2025.",
      "source_name": "RedCanary June Insights 2024",
      "url": "https://redcanary.com/blog/threat-intelligence/intelligence-insights-june-2024/"
    },
    {
      "description": "Tyler McGraw, Thomas Elkins, and Evan McCann. (2024, May 10). Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators. Retrieved January 31, 2025.",
      "source_name": "rapid7-email-bombing",
      "url": "https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators"
    }
  ],
  "id": "intrusion-set--319fd652-edde-46b2-9987-3519493989f5",
  "modified": "2025-03-14T19:17:33.785Z",
  "name": "Storm-1811",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "revoked": false,
  "spec_version": "2.1",
  "type": "intrusion-set",
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_contributors": ["Liran Ravich, CardinalOps", "Joe Gumke, U.S. Bank"],
  "x_mitre_deprecated": false,
  "x_mitre_domains": ["enterprise-attack"],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "1.0"
}