G1053 Ransomwareour call,
not MITRE’s ATT&CK Group

Storm-0501

How MITRE ATT&CK characterizes this group¹: Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware.

Origin / sponsor: not established from a curated public advisory — see Coverage & confidence. Not asserted here.

Read this as · tier is our editorial call, not MITRE’s

Read as a crew that turns access into an outage.

A ransomware classification means the path is funded to reach disruption and extortion — encryption, data theft for leverage, and downtime. Exposure here is a business-continuity problem, not just a patch ticket. All tradecraft below is sourced to MITRE ATT&CK.

Techniques

ATT&CK count¹

Named tools / malware

ATT&CK count²

Attributed campaigns

ATT&CK count¹

Tactics spanned

ATT&CK count¹

coverage gap

Activity bounds

no attributed campaign

Known for

— signature moves, each sourced to ATT&CK

ArsenalNamed tooling. ATT&CK attributes 8 tools/malware to this group, including Net, Tasklist, Cobalt Strike, Impacket.⁴⁵

ReachFurthest outcome. This actor's cited tradecraft reaches as far as outcome 5 — Lights out — disruption & extortion. (editorial mapping over ATT&CK tactics).

Tradecraft heatmap

— ATT&CK techniques mapped onto the five attacker-outcome narratives

Each row is a documented technique (MITRE ATT&CK). Each column is one of the five attacker-outcome narratives a defender funds against. A filled cell means this technique’s own ATT&CK tactic defensibly advances that outcome. The mapping of technique→outcome is our editorial alignment over ATT&CK's tactic data, not a separately-sourced MITRE edge. A filled cell means one of the technique's own ATT&CK tactics defensibly advances that outcome; enabler tactics (C2, Defense Evasion, Discovery) heat no column.

1Front door

2Keys to the kingdom

3Lateral reach

4Data at risk

5Lights out

T1003 OS Credential DumpingCredential Access

●

T1003.006 DCSyncCredential Access

●

T1021.006 Windows Remote ManagementLateral Movement

●

T1021.007 Cloud ServicesLateral Movement

●

T1027.002 Software PackingDefense Evasion

T1036.004 Masquerade Task or ServiceDefense Evasion

T1053.005 Scheduled TaskExecution / Persistence / Privilege Escalation

●

T1057 Process DiscoveryDiscovery

T1059.001 PowerShellExecution

●

T1059.009 Cloud APIExecution

●

T1078.004 Cloud AccountsInitial Access / Persistence / Privilege Escalation / Defense Evasion

●

T1082 System Information DiscoveryDiscovery

T1087.002 Domain AccountDiscovery

T1087.004 Cloud AccountDiscovery

T1098.001 Additional Cloud CredentialsPersistence / Privilege Escalation

●

T1098.003 Additional Cloud RolesPersistence / Privilege Escalation

●

T1110 Brute ForceCredential Access

●

T1190 Exploit Public-Facing ApplicationInitial Access

●

T1218.010 Regsvr32Defense Evasion

T1218.011 Rundll32Defense Evasion

T1219.002 Remote Desktop SoftwareCommand & Control

T1482 Domain Trust DiscoveryDiscovery

T1484.001 Group Policy ModificationPrivilege Escalation / Defense Evasion

●

T1484.002 Trust ModificationPrivilege Escalation / Defense Evasion

●

T1485 Data DestructionImpact

●

T1486 Data Encrypted for ImpactImpact

●

T1490 Inhibit System RecoveryImpact

●

T1518.001 Security Software DiscoveryDiscovery

T1526 Cloud Service DiscoveryDiscovery

T1530 Data from Cloud StorageCollection

●

T1537 Transfer Data to Cloud AccountExfiltration

●

T1552.004 Private KeysCredential Access

●

T1555.005 Password ManagersCredential Access

●

T1555.006 Cloud Secrets Management StoresCredential Access

●

T1556.009 Conditional Access PoliciesPersistence / Defense Evasion / Credential Access

●

T1567.002 Exfiltration to Cloud StorageExfiltration

●

T1578.003 Delete Cloud InstanceDefense Evasion

T1580 Cloud Infrastructure DiscoveryDiscovery

T1587.003 Digital CertificatesResource Development

T1588.006 VulnerabilitiesResource Development

T1614.001 System Language DiscoveryDiscovery

T1657 Financial TheftImpact

●

Reach: this actor’s cited techniques light columns 1·2·3·4·5 — furthest is 5 · Lights out. (furthest-position idiom, reused from the landing map).

A dot = this technique advances that outcome

Editorial: the technique→outcome alignment is our call over ATT&CK’s tactic data, not a separately-sourced MITRE edge — same basis the landing page declares. Enabler tactics (C2, defense evasion, discovery) heat no column.¹

Arsenal

— named tools & malware ATT&CK attributes to this group

NetS0039 · Tool

ATT&CK S0039 ↗

TasklistS0057 · Tool

ATT&CK S0057 ↗

Cobalt StrikeS0154 · Malware

ATT&CK S0154 ↗

ImpacketS0357 · Tool

ATT&CK S0357 ↗

NltestS0359 · Tool

ATT&CK S0359 ↗

AADInternalsS0677 · Tool

ATT&CK S0677 ↗

RcloneS1040 · Tool

ATT&CK S1040 ↗

EmbargoS1247 · Malware

ATT&CK S1247 ↗

Campaign highlights

— attributed operations in the ATT&CK record

No attributed campaigns — coverage gap

Stated, not hidden

ATT&CK lists no first-class campaign object for G1053 at this snapshot. Public reporting may tie this actor to operations; those enter only with a named advisory under the same cite-or-die rule.

Latest activity

— with explicit confidence, and what we cannot yet claim

ATT&CK
snapshot

The most recent cited activity in this card is the ATT&CK record itself. We do not paste a “last seen this week” line we cannot source. Recency from secondary reporting appears here only when attached to a named advisory.

ATT&CK snapshot, compiled 2026-06-22Coverage gap — live “currently active” status not asserted

CVE ↔ actor bridge: no confirmed CVE link is established for this group. ATT&CK provides no first-class group→CVE relationship, so this card does not claim specific CVEs as “exploited by this actor” unless a named advisory says so. Absence of a CVE here is a coverage gap, never a clean bill — confirmed links surface as a cited, linked list as the advisory bridge grows.

Coverage & confidence

— what we know, and what we don’t

Established (cited)

Group identity, aliases, description — MITRE ATT&CK group page

42 techniques — ATT&CK technique pages (linked per row)

8 software (arsenal) — ATT&CK software pages

4 third-party research citations — ATT&CK external references

Coverage gaps — stated, not hidden

Origin/sponsor not established from a curated public advisory. ATT&CK prose may imply attribution but is not asserted here — absence of a curated source is a coverage finding, not a clean bill of attribution.

Threat tier is OUR editorial classification (rule-based), not a MITRE field — labeled as such.

Technique → outcome heatmap is editorial alignment over ATT&CK tactic data, not a separately-sourced MITRE edge.

Activity bounds are a floor from attributed-campaign dates only — flagged approx., not a true active-since range.

ATT&CK has no first-class group→CVE relationship; this card asserts no specific CVE without a named advisory.

No attributed ATT&CK campaign object — activity bounds cannot be established.