Contents

01. News Bites
  • Storm-0501 shifts from traditional ransomware to cloud-based extortion
  • First AI-powered ransomware discovered: PromptLock
  • Cyberattack on Miljödata disrupts 200 Swedish municipalities
  • ShadowSilk targets Central Asia and APAC governments
  • NSA and NCSC link Salt Typhoon hacking campaigns to Chinese firms

02. Conclusion

Quick News Bites

Storm-0501 shifts from traditional ransomware to cloud-based extortion

Microsoft has warned that threat actor Storm-0501 has evolved its operations, moving away from on-premises ransomware encryption to focus on cloud-based attacks. Instead of deploying malware to lock files, the group now abuses native cloud features to steal data, wipe backups, and encrypt storage accounts using customer-managed keys. Victims are then pressured into paying ransoms to regain access.

Active since 2021, Storm-0501 has previously used ransomware families like Sabbath, Hive, and LockBit. However, recent campaigns show the actor targeting Microsoft Entra ID tenants and Azure environments. By exploiting weak Microsoft Defender deployments and compromising privileged accounts, the attackers gained administrative control, disabled defenses, and destroyed recovery options.

The shift highlights a growing trend where extortion groups abandon traditional ransomware for stealthier, cloud-native methods that are harder to block. Microsoft has shared detection guidance and emphasised the importance of strong MFA and robust cloud defences.

First AI-powered ransomware discovered: PromptLock

ESET researchers have uncovered the first AI-powered ransomware, named PromptLock, which leverages OpenAI’s gpt-oss:20b model to generate malicious scripts on demand. Written in Golang, the malware connects through the Ollama API and uses hard-coded prompts to dynamically produce Lua scripts for tasks such as filesystem scanning, data theft, and encryption. Notably, PromptLock employs the lightweight SPECK 128-bit cipher, a weak algorithm rarely used in ransomware, suggesting this is still a proof-of-concept rather than an active threat.

ESET found the sample on VirusTotal and confirmed it has not been deployed in real-world attacks. Further evidence, including a Bitcoin wallet tied to Satoshi Nakamoto and missing data destruction functionality, reinforces the belief it is experimental. However, PromptLock is significant in showing how generative AI can be weaponised for malware, offering cross-platform reach and operational agility.

Its discovery follows Ukraine’s CERT report of LameHug, another LLM-powered tool attributed to APT28, indicating this could be an emerging trend.

Cyberattack on Miljödata disrupts 200 Swedish municipalities

A cyberattack on Swedish IT systems supplier Miljödata has disrupted services in more than 200 municipalities, raising concerns over the theft of sensitive personal data. The attackers reportedly demanded a ransom of 1.5 Bitcoins (about $168,000) to prevent leaked information from being published.

Miljödata, which provides HR and work environment management systems to around 80% of Sweden’s municipalities, supports critical functions such as medical certificates, occupational injury reports, and rehabilitation case management. CEO Erik Hallén confirmed the attack on August 25, stating the company is working with external experts to investigate the incident and restore systems.

Several regions, including Halland and Gotland, have warned citizens that sensitive data may have been exposed. Sweden’s minister for civil defence, Carl-Oskar Bohlin, announced that CERT-SE and the police are assessing the impact. No ransomware group has claimed responsibility, and Miljödata’s website and email servers remain offline.

ShadowSilk targets Central Asia and APAC governments

Researchers have linked a wave of cyberattacks against government entities in Central Asia and the Asia-Pacific region to a threat cluster dubbed ShadowSilk. Nearly three dozen victims have been identified across Uzbekistan, Kyrgyzstan, Myanmar, Tajikistan, Pakistan, and Turkmenistan, with intrusions primarily aimed at data theft.

ShadowSilk shows strong overlaps with previously tracked groups such as YoroTrooper, SturgeonPhisher, and Silent Lynx. Researchers suggest the operation is run by a bilingual team, with Russian-speaking developers tied to YoroTrooper’s legacy code and Chinese-speaking operators conducting active intrusions.

The attacks typically begin with spear-phishing emails carrying password-protected archives, leading to custom loaders that hide command-and-control traffic behind Telegram bots. The group exploits known flaws in Drupal and WordPress plugins, while deploying a wide arsenal of tools including Cobalt Strike, Metasploit, and custom password stealers.

NSA and NCSC link Salt Typhoon hacking campaigns to Chinese firms

The US NSA, the UK’s NCSC and cyber agencies from 13 nations have attributed the long-running Salt Typhoon espionage campaigns to three Chinese tech companies: Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology. According to joint advisories, the firms supported China’s Ministry of State Security and the People’s Liberation Army in cyber operations targeting government, telecoms, transport, and military networks worldwide.

Active since at least 2021, Salt Typhoon has exploited widely known and patched flaws in Ivanti, Palo Alto, and Cisco devices to gain persistence and steal sensitive data. Rather than using zero-days, the group abuses unpatched edge devices, creating tunnels, collecting authentication traffic, and deploying custom Golang-based SFTP tools.

The NSA and NCSC warn that Salt Typhoon remains highly effective and urge organisations to prioritise patching, restrict management services, disable legacy Cisco features, and actively monitor for compromise.

Closing Summary

If you are worried about any of the threats outlined in this bulletin, or need help determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.