HOMETHREATSStorm-2949
APT / THREAT GROUP

Storm-2949

1
aliases
Last seen:Jun 5, 2026

Intelligence Profile

Storm-2949 is a sophisticated threat actor that exploited Microsoft’s Self-Service Password Reset process to compromise high-value accounts, primarily targeting IT personnel and senior leadership. They leveraged Azure tools and APIs to conduct reconnaissance, exfiltrate sensitive data from Microsoft 365 applications, and manipulate Azure resources, including Key Vaults and SQL databases. The actor employed social engineering tactics to bypass MFA and utilized custom Python scripts for directory discovery and data exfiltration. Their operations included lateral movement across cloud and endpoint environments while mimicking legitimate administrative behavior.

Threat Analysis

Storm-2949 is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.

Intelligence Reports Mentioning Storm-2949

External References

Quick Facts

TypeAPT / Threat Group
Aliases1
SourceMalpedia

Also Known As

Storm-2949

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.