Threat Group Profile
stormous
โ Active โ last 30 days
Victim claims
24
First seen
May 2026
Last activity
01 Jul 2026
Tracked since
โ
Group overview
Stormous is an Arabic-speaking, pro-Russian ransomware and hacktivist group active since at least 2022, known for politically motivated attacks across 15+ countries, collaborating with GhostSec on the GhostLocker 2.0 RaaS platform and inheriting GhostSec's RaaS operations in mid-2024. On 1st July 2026 the group has annonced the end of their operations & ervices
Preferred targets
Business Services ยท 4
Consumer Services ยท 4
Technology ยท 2
Education ยท 2
Financial Services ยท 2
Manufacturing ยท 1
Most targeted countries
AE ยท 2
US ยท 2
GB ยท 2
IT ยท 2
MX ยท 2
VN ยท 2
Tactics & techniques (MITRE ATT&CK)
Initial Access
Valid Accounts
Exploit Public-Facing Application
Trusted Relationship
Phishing
Phishing: Spearphishing Attachment
Execution
Command and Scripting Interpreter
Command and Scripting Interpreter: Visual Basic
User Execution: Malicious File
Persistence
Scheduled Task/Job
Account Manipulation
Server Software Component: Web Shell
Create or Modify System Process: Windows Service
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation
Abuse Elevation Control Mechanism: Bypass UAC
Defense Evasion
Obfuscated Files or Information
Obfuscated Files or Information: Software Packing
Obfuscated Files or Information: Fileless Storage
Obfuscated Files or Information: Encrypted/Encoded File
Indicator Removal
Impair Defenses: Disable or Modify Tools
Credential Access
OS Credential Dumping
Discovery
Network Service Discovery
File and Directory Discovery
Lateral Movement
Remote Services: Remote Desktop Protocol
Remote Services: SMB/Windows Admin Shares