active threat profile
type ransomware
threat_level high
status active
origin Arabic-speaking — pro-Russia alignment
last_updated 2025-03-27
threat-actor / ransomware / hacktivism

Stormous Ransomware Group

also known as: Stormous Gang; STMX_GhostLocker (joint RaaS brand)

An Arabic-speaking ransomware and hacktivism group active since 2021, known for politically aligning with Russia during the Ukraine conflict and conducting joint operations with GhostSec through the Five Families collective. Stormous draws skepticism from researchers for frequently claiming attacks that cannot be independently verified, though its confirmed operations — including the 2024 Duvel Moortgat brewery attack, French government credential leaks in May 2025, and global double-extortion campaigns through STMX_GhostLocker — establish it as a credible operational threat.

attributed origin Arabic-speaking members; Middle East and Russia suspected
suspected sponsor Independent — pro-Russia ideological alignment; no confirmed state sponsorship
first observed Mid-2021
primary motivation Financial (ransomware, data sales); Ideological (pro-Russia, anti-West)
primary targets US, Ukraine, Western Europe; manufacturing, government, hospitality, energy
known campaigns Active across 15+ countries; multiple confirmed victims 2024–2025
collective affiliation The Five Families (with GhostSec, ThreatSec, Blackforums, SiegedSec)
ransomware strain StormousX; GhostLocker 2.0 (via STMX_GhostLocker RaaS)
threat level High

Overview

Stormous first surfaced in mid-2021 and gained broader visibility in early 2022 when the group declared public support for Russia following the invasion of Ukraine. The group describes itself as an Arabic-speaking collective and has stated its objective as attacking targets in the United States and other Western nations perceived as adversarial to Russia. This political framing, combined with aggressive Telegram-based self-promotion, drew early attention — and significant skepticism — from the security research community.

Early skepticism centered on what researchers described as "scavenger operations": Stormous was suspected of repurposing data already stolen or leaked by other ransomware groups, then presenting it as a new breach to build notoriety and attract buyers. Trustwave SpiderLabs analysts described the group's posture as clout-driven, and Recorded Future's Allan Liska characterized the group as known to be "a bit of a clown show." The group's ransom notes are written in Arabic, and initial assessments pointed to members located in Middle Eastern countries and Russia, with two members reportedly arrested in Middle Eastern countries.

Despite this early skepticism, Stormous matured its operations through 2023 and 2024. The group launched StormousX, its own ransomware payload, and in 2023 forged a significant partnership with GhostSec. Together they conducted double-extortion attacks across more than 15 countries, and in February 2024 formally launched STMX_GhostLocker, a joint RaaS platform offering both GhostLocker 2.0 (Golang) and StormCry (Python) payloads to affiliates through a dark-web management panel. When GhostSec exited ransomware operations in May 2024, Stormous absorbed GhostLocker's source code, management infrastructure, and affiliate relationships, subsequently launching the Stormous RaaS program as a continuation.

Stormous remains active as of mid-2025. In May 2025 the group leaked a credential dump targeting multiple French government agencies, and in the same month a supply chain attack on HyperGuest's hotel-booking API exposed over 30,000 plaintext payment card records and internal reservation data.

analyst note — claim verification

Stormous is known for making attack claims that the security research community cannot independently verify, and for conducting polls asking its Telegram audience to vote on future targets. This behavior is consistent with clout-seeking more than operational discipline. Analysts should treat unverified Stormous claims with appropriate skepticism while monitoring for confirmed victim notifications and independent corroboration before attributing a breach.

Target Profile

Stormous targeting is shaped by a combination of political ideology and financial opportunism. The group prioritizes Western and NATO-aligned nations, but its ransomware operations — especially through the STMX_GhostLocker affiliate program — reach a much broader geographic and sectoral scope.

  • United States: Primary declared ideological target. Stormous has claimed attacks on Coca-Cola, Mattel, Danaher, Epic Games, and several dozen other US companies, though many of these claims remain unverified. The US accounts for a substantial share of its data leak site listings.
  • Ukraine and NATO allies: The group claimed to have breached the Ukrainian Ministry of Foreign Affairs, exfiltrating phone numbers, emails, passwords, and national identity card data. Western European governments, including French agencies, have been targeted in 2025.
  • Manufacturing: The 2024 Duvel Moortgat brewery attack is the group's most publicly confirmed incident, shutting down beer production and stealing 88 GB of company and employee data.
  • Hospitality and Supply Chain: The May 2025 HyperGuest hotel-booking API compromise demonstrates a shift toward trusted-relationship attacks targeting supply chain intermediaries rather than direct victim exploitation.
  • Government entities: Multiple government ministries across Ukraine, Vietnam, Brazil, and France have been claimed or confirmed as targets in various phases of operations.
  • Energy, Finance, and Healthcare: Ransomware-phase operations through STMX_GhostLocker reached energy suppliers, financial institutions, and healthcare firms globally via affiliate-driven campaigns.

Tactics, Techniques & Procedures

Stormous combines politically themed initial access lures with commodity ransomware execution, living-off-the-land techniques, and aggressive double-extortion. The following TTPs are drawn from Trustwave, Red Piranha, and Daily Security Review research on confirmed Stormous campaigns.

mitre id | technique | description
T1566.001 | Phishing: Spearphishing Attachment | Phishing emails used for initial access, including lures posing as Ukraine war relief organizations and politically themed messages tied to current geopolitical events.
T1190 | Exploit Public-Facing Application | Unpatched web applications, VPN appliances, and exposed RDP endpoints are targeted for initial access. Credential stuffing and brute force (T1110) against exposed RDP/VPN portals are also observed.
T1078 | Valid Accounts | Reused or weak credentials are used for initial access. The HyperGuest supply chain attack involved entry through a trusted API relationship rather than a direct exploit, which maps to Trusted Relationship (T1199).
T1059 | Command and Scripting Interpreter | Scripts disable Windows Defender, kill EDR processes, and run pre-encryption setup tasks. HTML ransom notes sometimes fetch their content from Pastebin URLs at runtime.
T1021.002 | Remote Services: SMB/Windows Admin Shares | SMB admin shares and PsExec are used to push ransomware payloads laterally after initial compromise.
T1003.001 / T1003.003 | OS Credential Dumping: LSASS Memory / NTDS | Mimikatz is deployed to extract credentials from LSASS memory (T1003.001); NTDS.dit extraction from domain controllers (T1003.003) yields domain-wide credentials used to escalate privileges and move laterally.
T1048 | Exfiltration Over Alternative Protocol | Data is compressed with WinRAR or 7-Zip (T1560.001) and staged, then transferred to attacker-controlled servers via FTP (T1048.003) or uploaded to cloud drives (T1567.002). The double-extortion demand follows once exfiltration is confirmed.
T1486 | Data Encrypted for Impact | StormousX and GhostLocker 2.0 payloads encrypt victim files; GhostLocker appends the .ghost extension. Backup deletion and shadow copy removal (T1490, Inhibit System Recovery) are configured in the RaaS builder and run before encryption.
T1562.001 | Impair Defenses: Disable or Modify Tools | Scripts disable Windows Defender and EDR agents before ransomware execution. DLL side-loading (T1574.002) and abuse of vulnerable signed drivers are also observed for defense evasion.
T1491.002 | Defacement: External Defacement | In politically motivated campaigns, public website defacement with pro-Russia or ideological messages accompanies or replaces ransomware deployment.
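The chain in the table above (a brute-force burst against an exposed RDP/VPN portal followed by a successful logon, Defender being switched off, shadow copies deleted, PsExec service installs on neighbouring hosts) is what a detection engineer turns into correlated rules. The block below is an added example, not code from Stormous research or from any vendor: it runs those detections over constructed, SIEM-normalised Windows event records (Security 4625/4624/4688 and System 7045). The thresholds, hostnames, source IP and the EDR process names in the regexes are assumptions chosen for the example.

```python
"""Added example: correlate Stormous-playbook stages over normalised Windows events.
Not Stormous or vendor code; all event records are constructed sample data."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    technique: str   # MITRE ATT&CK id from the profile's TTP table
    host: str
    detail: str


# Command-line patterns for defence evasion and recovery inhibition. EDR process
# names are assumptions for the example; extend with the agents you run.
DEFENSE_IMPAIR = re.compile(
    r"Set-MpPreference\s+-Disable\w+|sc(?:\.exe)?\s+(?:stop|config)\s+WinDefend|"
    r"taskkill\b.*\b(?:MsMpEng|SentinelAgent|CSFalconService)", re.I)
RECOVERY_INHIBIT = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete|"
    r"bcdedit\b.*\brecoveryenabled\s+no|wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)
PSEXEC_SERVICE = re.compile(r"psexesvc", re.I)

# Constructed sample: 12 failed RDP logons (type 10) from one source in 55 s,
# then a success, then the post-compromise steps on FS01 and PsExec onto WS07.
SAMPLE_EVENTS = (
    [{"ts": 1000 + 5 * i, "host": "FS01", "event_id": 4625, "user": "administrator",
      "src_ip": "203.0.113.7", "logon_type": 10} for i in range(12)]
    + [
        {"ts": 1060, "host": "FS01", "event_id": 4624, "user": "administrator",
         "src_ip": "203.0.113.7", "logon_type": 10},
        {"ts": 1300, "host": "FS01", "event_id": 4688, "user": "administrator",
         "cmdline": 'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
        {"ts": 1310, "host": "FS01", "event_id": 4688, "user": "administrator",
         "cmdline": "vssadmin.exe delete shadows /all /quiet"},
        {"ts": 1320, "host": "FS01", "event_id": 4688, "user": "administrator",
         "cmdline": "wmic.exe shadowcopy delete"},
        {"ts": 1400, "host": "WS07", "event_id": 7045, "service_name": "PSEXESVC",
         "image_path": r"%SystemRoot%\PSEXESVC.exe"},
        {"ts": 1401, "host": "WS07", "event_id": 4688, "user": "SYSTEM",
         "cmdline": r"C:\Windows\PSEXESVC.exe"},
        {"ts": 900, "host": "WS02", "event_id": 4688, "user": "jdoe",
         "cmdline": "wmic.exe os get caption"},   # benign wmic use, must not fire
    ]
)


def detect_brute_force(events, threshold=10, window=120):
    """T1110: `threshold` or more 4625s from one source IP to one host inside `window`
    seconds; a later 4624 from the same source is raised as T1078 (valid account in use)."""
    alerts, flagged = [], set()
    fails = defaultdict(list)                     # (host, src_ip) -> recent 4625 timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev.get("src_ip"))
        if ev["event_id"] == 4625:
            q = fails[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:  # slide the window
                q.pop(0)
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(Alert("T1110", ev["host"], f"{len(q)} failed logons from {key[1]} in {window}s"))
        elif ev["event_id"] == 4624 and key in flagged:
            alerts.append(Alert("T1078", ev["host"], f"successful logon from {key[1]} after brute-force burst"))
            flagged.discard(key)                  # report the follow-on success once
    return alerts


def detect_post_compromise(events):
    """Process-creation (4688) and service-install (7045) checks for the playbook steps."""
    alerts = []
    for ev in events:
        if ev["event_id"] == 4688:
            cmd = ev.get("cmdline", "")
            if DEFENSE_IMPAIR.search(cmd):
                alerts.append(Alert("T1562.001", ev["host"], cmd))
            if RECOVERY_INHIBIT.search(cmd):
                alerts.append(Alert("T1490", ev["host"], cmd))
            if PSEXEC_SERVICE.search(cmd):
                alerts.append(Alert("T1021.002", ev["host"], cmd))
        elif ev["event_id"] == 7045 and PSEXEC_SERVICE.search(
                ev.get("image_path", "") + ev.get("service_name", "")):
            alerts.append(Alert("T1021.002", ev["host"],
                                f"service {ev.get('service_name')} installed from {ev.get('image_path')}"))
    return alerts


def detect(events):
    return detect_brute_force(events) + detect_post_compromise(events)


def hosts_with_multiple_stages(alerts, min_stages=2):
    """Hosts where several distinct techniques fired: the first place IR should look."""
    stages = defaultdict(set)
    for a in alerts:
        stages[a.host].add(a.technique)
    return sorted(h for h, s in stages.items() if len(s) >= min_stages)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.host:5} {a.technique:10} {a.detail}")
    print("multi-stage hosts:", hosts_with_multiple_stages(found))
```

Event 4688 only carries the command line when "Include command line in process creation events" is enabled in audit policy; Sysmon Event ID 1 is the usual substitute. The single-technique hit on WS07 is deliberately not escalated: a lone PSEXESVC install is common admin activity, whereas a host that also shows a brute-force burst and shadow copy deletion is not.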

Known Campaigns

Ukraine Ministry of Foreign Affairs — Declared Support for Russia Feb–Mar 2022

Following Russia's invasion of Ukraine, Stormous publicly declared support for Russia on Telegram and claimed to have breached Ukraine's Ministry of Foreign Affairs, exfiltrating phone numbers, emails, passwords, and national identity cards. Researchers noted the data appeared to already be available on the dark web, raising questions about whether this was a new intrusion or recycled material.

Coca-Cola Data Claim Apr 2022

Stormous ran a Telegram poll asking followers to vote on which company to target next; Coca-Cola received 72% of votes. The group subsequently claimed to have stolen 161 GB of data and listed it for sale at approximately $64,000. Coca-Cola confirmed it was investigating but did not confirm a breach. Security researchers expressed significant skepticism, noting the listed file size was modest for alleged full network access and that the data may have been scavenged from prior incidents. The claim remains unverified by independent analysis.

STMX_GhostLocker Joint RaaS — Global Double-Extortion Wave Feb 2024 — May 2024

Stormous and GhostSec formally launched STMX_GhostLocker on February 24, 2024, via their Five Families Telegram channel. The platform provided affiliates with both StormCry (Python) and GhostLocker 2.0 (Golang) payloads, a web-based builder, a dark-web affiliate portal, and a victim tracking dashboard. Attacks were confirmed across Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkey, Egypt, Vietnam, Thailand, and Indonesia. The platform's Tor-hosted blog listed a highest claimed ransom of $500,000 USD.

Duvel Moortgat Brewery — Belgium 2024

One of Stormous's most publicly confirmed attacks. The group hit Belgian brewing company Duvel Moortgat, shutting down beer production and exfiltrating 88 GB of sensitive company data including employee personal information. The operational disruption and confirmed data theft establish this as a verified, high-impact incident beyond the group's self-promotional claim pattern.

French Government Credential Leak May 2025

Between May 17 and 23, 2025, Stormous leaked a credential dump targeting multiple French government agencies including AFD, ARS Île-de-France, and Cour des Comptes. Approximately 70,000 credentials were included. Many were MD5 hashes rather than plaintext, and part of the set appeared outdated, but MD5 is fast and, without a salt, reversible by dictionary lookup, so hashed entries should be treated as exposed; the practical risk is phishing and credential reuse wherever the same passwords survive on other services. The targeting of NATO-aligned government infrastructure is consistent with the group's stated political objectives.
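The triage a defender runs on a dump like this is the same whether the entries are plaintext or MD5: every listed account in your domains gets a forced reset, and whatever plaintext can be recovered is checked for reuse elsewhere. The block below is an added example and not Stormous data or any agency's tooling: the dump lines, the wordlist and the monitored domain are constructed for illustration (the two MD5 values are the well-known digests of "password" and "123456").

```python
"""Added example: triage a leaked email:secret credential dump where many secrets
are MD5 hashes. Not Stormous data; dump, wordlist and domain are constructed."""
import hashlib
import re

# Constructed dump: MD5 entries, one plaintext, one hash no wordlist will hit,
# one malformed line, and one account outside the monitored domain.
SAMPLE_DUMP = """\
alice@example.gouv.fr:5f4dcc3b5aa765d61d8327deb882cf99
bob@example.gouv.fr:e10adc3949ba59abbe56e057f20f883e
carol@example.gouv.fr:Winter2024!
dave@example.gouv.fr:ffffffffffffffffffffffffffffffff
garbage line without separator
erin@unrelated.example:5f4dcc3b5aa765d61d8327deb882cf99
"""
SAMPLE_WORDLIST = ["password", "123456", "letmein", "Passw0rd"]   # constructed
MONITORED_DOMAINS = {"example.gouv.fr"}                             # assumption
MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)


def parse_dump(text):
    """Yield (email, secret, kind) with kind in {'md5', 'plaintext'}; skip malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue                        # a real triage would log these for review
        email, secret = line.split(":", 1)
        kind = "md5" if MD5_RE.match(secret) else "plaintext"
        records.append((email.lower(), secret, kind))
    return records


def crack_md5(hashes, wordlist):
    """Unsalted MD5 gives one digest per candidate, so 'cracking' is a dictionary lookup:
    hash the wordlist once, then index. Returns {hash: plaintext} for the hits."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {h.lower(): table[h.lower()] for h in hashes if h.lower() in table}


def triage(dump_text, wordlist, domains):
    """Accounts to reset, plaintexts recovered for reuse checks, and hashes still unknown."""
    records = [r for r in parse_dump(dump_text) if r[0].rsplit("@", 1)[-1] in domains]
    cracked = crack_md5({s for _, s, k in records if k == "md5"}, wordlist)
    recovered, uncracked = {}, []
    for email, secret, kind in records:
        if kind == "plaintext":
            recovered[email] = secret
        elif secret.lower() in cracked:
            recovered[email] = cracked[secret.lower()]
        else:
            uncracked.append(email)
    return {
        "force_reset": sorted(r[0] for r in records),   # every listed account, cracked or not
        "recovered": recovered,                          # feed into reuse / banned-password checks
        "uncracked": sorted(uncracked),                  # still reset; hash may fall to a bigger list
    }


if __name__ == "__main__":
    result = triage(SAMPLE_DUMP, SAMPLE_WORDLIST, MONITORED_DOMAINS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The reset list is the whole set of matching accounts, not only the cracked ones: an attacker with a larger wordlist or a GPU recovers what a four-word list does not, so the uncracked hash for dave is a reset, not an exemption. The recovered plaintexts are what you test against other services those users can reach.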

HyperGuest Hospitality Supply Chain Attack May 2025

Stormous breached HyperGuest, a hospitality booking API provider, through a trusted-relationship entry point rather than a direct exploit. Data exfiltrated from partner property Jpark Island Resort and Waterpark included over 30,000 plaintext payment card records, reservation logs, and internal documents. This attack demonstrates the group's expansion into supply chain targeting as an alternative to direct victim compromise.

Tools & Infrastructure

Stormous's tooling spans its own ransomware payload, shared GhostLocker infrastructure, and commodity living-off-the-land techniques for lateral movement and credential access.

  • StormousX: Stormous's proprietary ransomware payload. Ransom notes are written in Arabic. Exact encryption algorithm details are not fully public, but operational behavior mirrors GhostLocker patterns including pre-encryption process termination and double-extortion sequencing.
  • StormCry: Python-based ransomware payload offered to STMX_GhostLocker affiliates alongside GhostLocker 2.0 as a dual-locker option within the affiliate builder.
  • GhostLocker 2.0 (inherited): Following GhostSec's exit in May 2024, Stormous absorbed GhostLocker's source code (v3), affiliates, and infrastructure. The Stormous RaaS program is a continuation of STMX_GhostLocker with GhostLocker at its core.
  • PHP-based C2 Panels: Stormous uses custom PHP remote access panels for command-and-control, supplemented by Telegram bot alerts that notify affiliates when infections are active.
  • Mimikatz: Deployed for credential dumping from memory; used alongside NTDS.dit extraction to harvest enterprise credentials for lateral movement.
  • WinRAR / 7-Zip: Data compression tools used to stage exfiltrated files before transfer to attacker-controlled infrastructure via FTP or cloud uploads.
  • LOLBins (Living-Off-the-Land Binaries): regsvr32.exe and other signed Windows binaries are used for stealthy execution to avoid signature-based detection. PsExec is used for ransomware distribution across SMB shares.
  • Cobalt Strike: Post-exploitation loaders including Cobalt Strike beacons have been observed in Stormous-related campaigns by Red Piranha threat intelligence.
  • Data Leak Site: Stormous operates a Tor-hosted dark-web blog for victim naming, data auctions, and affiliate management. Victims who decline to pay are publicly listed alongside samples of stolen data.

Indicators of Compromise

IOCs for Stormous overlap closely with GhostSec and STMX_GhostLocker infrastructure because of the shared RaaS platform. Indicators below reflect confirmed patterns from Cisco Talos, Red Piranha, and Trustwave SpiderLabs research.

warning

Stormous infrastructure overlaps with GhostSec onion addresses and the STMX_GhostLocker affiliate platform. IOCs from GhostSec campaign reporting may also apply to Stormous-related incidents. Cross-reference with Stormous data leak site victim listings and Telegram channel announcements for current campaign intelligence.

indicator patterns — behavioral / structural
ransom note README.txt or README.html — HTML variant may pull ransom note content from a Pastebin URL at runtime
file extension .ghost — applied when GhostLocker 2.0 payload is used under the STMX_GhostLocker/Stormous RaaS program
c2 infrastructure Shared onion URLs between Stormous and GhostSec observed in Red Piranha analysis; PHP-based C2 panel endpoints
behavioral Bulk process termination and Windows Defender/EDR disabling prior to encryption; PsExec lateral movement across SMB shares; shadow copy deletion configured in RaaS builder
exfil staging WinRAR or 7-Zip archives created in staging directories before FTP or cloud upload; financial, HR, and operational document targeting
language Arabic-language ransom notes (StormousX payload); Go-compiled binary (GhostLocker 2.0); Python-based payload (StormCry)
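The structural indicators above (the .ghost extension, README.txt/README.html ransom notes, and HTML notes that fetch their body from Pastebin) are the ones a responder can sweep a file share for without a sample. The following is an added example and not Stormous or vendor code: it builds a constructed victim-like directory tree in a temporary location, then scans it for those artifacts and grades the result. The Pastebin URL in the sample note is a placeholder, not a real paste.

```python
"""Added example: file-system triage for the profile's structural indicators.
Not Stormous or vendor code; the scanned tree is constructed in a temp dir."""
import os
import re
import tempfile

ENCRYPTED_EXT = ".ghost"                   # extension GhostLocker 2.0 appends, per the profile
NOTE_NAMES = {"readme.txt", "readme.html"}
PASTEBIN_RE = re.compile(r"https?://(?:www\.)?pastebin\.com/(?:raw/)?[A-Za-z0-9]+", re.I)


def scan_tree(root):
    """Walk `root`; collect encrypted files, ransom notes, any Pastebin URLs referenced by
    the notes, and the share of files per directory that carry the extension."""
    findings = {"encrypted": [], "notes": [], "pastebin_urls": set(), "dir_ratio": {}}
    for dirpath, _, files in os.walk(root):
        encrypted_here = 0
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                encrypted_here += 1
                findings["encrypted"].append(path)
            elif lower in NOTE_NAMES:
                findings["notes"].append(path)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings["pastebin_urls"].update(PASTEBIN_RE.findall(fh.read()))
        if files:
            findings["dir_ratio"][dirpath] = encrypted_here / len(files)
    findings["pastebin_urls"] = sorted(findings["pastebin_urls"])
    return findings


def classify(findings, bulk_threshold=0.5):
    """'encrypted' when a note is present or a directory is mostly renamed (bulk encryption),
    'suspicious' when only stray .ghost files exist, otherwise 'clean'."""
    bulk = any(r >= bulk_threshold for r in findings["dir_ratio"].values())
    if findings["notes"] or bulk:
        return "encrypted"
    if findings["encrypted"]:
        return "suspicious"
    return "clean"


def build_sample_tree():
    """Constructed tree: one hit directory with two encrypted files and an HTML note that
    loads its body from a placeholder Pastebin URL, one untouched directory."""
    root = tempfile.mkdtemp(prefix="stormous-triage-")
    finance, public = os.path.join(root, "finance"), os.path.join(root, "public")
    os.makedirs(finance)
    os.makedirs(public)
    for name in ("q1.xlsx.ghost", "payroll.docx.ghost", "notes.txt"):
        open(os.path.join(finance, name), "w").close()
    with open(os.path.join(finance, "README.html"), "w", encoding="utf-8") as fh:
        fh.write('<html><body><script src="https://pastebin.com/raw/PLACEHOLDER"></script></body></html>')
    open(os.path.join(public, "index.html"), "w").close()
    return root


if __name__ == "__main__":
    found = scan_tree(build_sample_tree())
    print("verdict:", classify(found))
    print("encrypted:", len(found["encrypted"]), "notes:", len(found["notes"]))
    print("pastebin URLs to block/pull:", found["pastebin_urls"])
```

The extracted Pastebin URLs are worth capturing at triage time: the note body hosted there can be pulled (from a sandbox, not the victim) before the paste is removed, and the URL is a cheap proxy/DNS block and a hunting pivot across other hosts.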

Mitigation & Defense

Stormous's attack chain combines multiple entry vectors — phishing, credential stuffing, RDP brute force, and supply chain trust abuse — with a well-documented post-compromise playbook. Defense-in-depth across all of these vectors is required.

  • RDP and VPN Hardening: Stormous frequently exploits exposed RDP and VPN portals with brute force and credential stuffing. Disable RDP where not required. Where required, place behind a VPN with MFA enforced. Implement account lockout policies and IP allowlisting. Audit VPN credentials for reuse across services.
  • Phishing-Resistant MFA: Politically themed phishing lures are a primary initial access vector. Phishing-resistant authenticators (FIDO2/WebAuthn security keys or platform passkeys, or certificate-based authentication) bind the credential to the site origin, so adversary-in-the-middle phishing toolkits cannot replay it; prioritise them for privileged and remote-access accounts. Push-based and OTP MFA remain vulnerable to relay and to push-fatigue social engineering.
  • Patch Management and Vulnerability Prioritization: Stormous targets unpatched public-facing applications. Maintain a vulnerability management program that prioritizes internet-facing assets and tracks CISA KEV entries for active exploitation. Segregate internet-facing systems from internal networks.
  • Credential Hygiene and Privileged Access Management: Mimikatz and NTDS.dit extraction are used to escalate privileges. Enable Windows Defender Credential Guard and LSA protection on endpoints, enforce tiered administration so that domain admin credentials are never used on workstations, and audit Active Directory for weak or shared credentials. Rotate credentials after any suspected compromise, including the krbtgt account (twice) once NTDS.dit theft is suspected.
  • Offline and Immutable Backups: Stormous payloads are configured to delete shadow copies and backups. Maintain offline, tested backups that cannot be reached from the network during an active intrusion. Test recovery procedures against realistic ransomware scenarios.
  • Network Segmentation and Lateral Movement Controls: PsExec and SMB are used for ransomware distribution across victim networks. Segment networks to limit lateral movement. Restrict PsExec, disable unnecessary SMB shares, and monitor for bulk file access events consistent with encryption activity.
  • Supply Chain and Third-Party API Risk: The HyperGuest attack demonstrates that trusted third-party integrations are an active entry vector. Audit API integrations for least-privilege access, monitor third-party connections for anomalous behavior, and require security attestation from supply chain partners.
  • Threat Intelligence Monitoring: Stormous operates publicly via Telegram and maintains a dark-web data leak site. Monitoring these channels provides advance warning of targeting intentions and can identify when an organization's data or partners have been claimed, enabling faster incident response.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile — stormous — last updated 2025-03-27