
Recently, Stormous’s dark web leak site showed a notable uptick in activity. At least four victims were listed on June 9, 2026.
The group frequently recycles old data or fabricates claims outright. Without technical signatures or corroborated data samples, these posts should be treated as threat intelligence signals, not confirmed breaches.
The real question isn’t what appears on the leak site; it’s what enables ransomware to run unchallenged on critical systems in the first place.
Stormous Group Profile
Stormous functions as a hybrid group combining hacktivism and ransomware, which distinguishes it from strictly profit-oriented ransomware groups. It presents its attacks as a combination of political ideology and extortion.
- Alignment to geopolitical stance: Stormous claims to support Russia and Palestine and regularly attacks Western and European government organizations. Its infrastructure shows indications of Russian-based servers and connections to pro-Russian media outlets. There is no clear proof of state sponsorship; the link appears to be ideological rather than direct state influence.
- Extortion method: Stormous runs a data leak website and a Telegram channel and threatens double extortion: encrypting files and leaking them as well. However, much of the posted content has been recycled open-source information or nothing at all, which makes it highly questionable whether Stormous ever encrypts victims’ systems.
- No RaaS service: There is no evidence whatsoever of Stormous selling encryption tools as Ransomware-as-a-Service.
Stormous Intel
Recent Confirmed Operations
| Target Entity | Actor | Timeline | Breach Intelligence |
|---|---|---|---|
| mlit.com.my, Malaysia (Technology) | Stormous | Disc: 2026-06-24 | Full data dump (10 GB) of highly sensitive internal operations and financial records. |
| jaggroup.com, Corporate (Business Services) | Stormous | Disc: 2026-06-21; Est: 2026-06-20 | Full database: corporate emails, Active Directory domain logins, and cleartext credentials. |
| maglificioliliana.com, Italy (Manufacturing / Fashion) | Stormous | Disc: 2026-06-24 | Over 400 GB exfiltrated, including product designs and historical fashion archives. |
| lorenzoni-store.com, Italy (Retail / E-commerce) | Stormous | Disc: 2026-06-24 | Complete customer and buyer data accessed, along with designs and orders. |
| montechiaro-store.com, Italy (Retail / E-commerce) | Stormous | Disc: 2026-06-24 | Complete customer and buyer data accessed, along with designs and orders. |
| impulso-store.com, Mexico (Retail / E-commerce) | Stormous | Disc: 2026-06-24 | Complete customer and buyer data accessed, along with designs and orders. |
The GhostLocker / STMX Connection
The most significant development in Stormous’s operational history is its alliance with GhostSec, a pro-Palestinian cybercriminal collective distinct from the legitimate Ghost Security Group. The partnership timeline:
- July 2023: Stormous publicly aligns with GhostSec.
- August 2023: Both groups join the “Five Families” hacktivist coalition; the StmX|GhostLocker ransomware project is announced.
- October–November 2023: GhostLocker v1 and v2 launch as a formal RaaS.
- February 2024: Stormous officially announces the STMX_GhostLocker RaaS on Telegram, marketing GhostLocker v2.0 to its affiliate base.
- May 2024: GhostSec declares it is abandoning ransomware to return to pure hacktivism, leaving Stormous’s continued use of GhostLocker tools in an uncertain but plausible state.
This means GhostLocker is the primary technical weapon associated with Stormous activity. Any GhostLocker indicators observed in an incident should be treated as Stormous-associated, but not as exclusive proof of Stormous involvement, since GhostLocker is available to multiple affiliates.
Technical Attack Chain: GhostLocker 2.0
GhostLocker 2.0 is a modern Go-based ransomware (earlier versions were written in Python). Once executed on a victim system, it follows a well-documented chain:
1. Persistence. The payload immediately copies itself into the Windows Startup folder, ensuring re-execution on every reboot. The filename is randomized to avoid simple signature matching.
2. Drive Enumeration. GhostLocker enumerates all mounted drives and directories to identify encryption targets, deliberately skipping Windows system directories and any files already carrying the .ghost extension to avoid double-encryption or system crashes.
3. Victim ID Generation. A unique 32-byte random ID is generated per victim. This ID is embedded in a JSON payload alongside system metadata and used to register the infection with the attacker’s command-and-control panel.
4. C2 Registration. The malware contacts its C2 infrastructure over HTTP, calling the /incrementLaunch endpoint to notify the operator of a new victim and /addInfection to register full infection details. Known C2 IPs include 94[.]103[.]91[.]246 and 41[.]216[.]183[.]31.
5. Privilege Escalation. If the process lacks administrative rights, GhostLocker invokes Windows’ native takeown.exe to seize ownership of target files, bypassing access restrictions without triggering traditional UAC prompts.
6. Defense Impairment. Via its builder configuration, GhostLocker can terminate selected processes and services before encryption begins, including backup tools, database services, and security software.
7. Encryption. Files are encrypted using AES-256. Each file is written as an encrypted copy with the .ghost extension appended, and the original is deleted. The process is rapid and targets documents, databases, and media files.
8. Ransom Note Delivery. After encryption completes, Ransomnote.html is dropped to the victim’s desktop and launched automatically. The note presents the 32-byte victim ID and instructs the victim to make contact within 7 days before the stolen data is released publicly.
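As an added defensive example (not from the original write-up and not Xcitium’s code), the following Python sweeps one host’s endpoint telemetry for the chain stages listed above and escalates when several distinct stages appear together. The "type|key=value" log shape, the file paths and the "alice" user are constructed; the C2 addresses and endpoint names are the ones quoted in the steps.

```python
from collections import Counter

# Values from the write-up, undefanged so they match raw telemetry.
KNOWN_C2_IPS = {"94.103.91.246", "41.216.183.31"}
C2_PATHS = ("/incrementLaunch", "/addInfection")

# Constructed sample telemetry in a hypothetical "type|key=value|..." shape, not real logs.
SAMPLE_EVENTS = """\
proc|image=C:\\Windows\\System32\\takeown.exe|cmd=takeown /f C:\\Users\\alice\\Documents /r
file|op=create|path=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\a8f3k2.exe
net|dst=94.103.91.246|url=http://94.103.91.246/incrementLaunch
net|dst=203.0.113.10|url=http://203.0.113.10/api/health
file|op=create|path=C:\\Users\\alice\\Documents\\q3-forecast.xlsx.ghost
file|op=create|path=C:\\Users\\alice\\Desktop\\Ransomnote.html
"""

def parse_event(line):
    """'type|k=v|k=v' -> dict (toy format; pipes never appear inside values)."""
    kind, *fields = line.strip().split("|")
    return {"type": kind, **dict(f.partition("=")[::2] for f in fields)}

def match_rules(ev):
    """Names of every GhostLocker chain stage a single event matches."""
    hits = []
    path = ev.get("path", "").lower()
    image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    url_path = ev.get("url", "").split("?", 1)[0]
    if ev["type"] == "file" and "\\start menu\\programs\\startup\\" in path:
        hits.append("startup_persistence")   # stage 1: copy into Startup folder
    if ev["type"] == "proc" and image == "takeown.exe":
        hits.append("takeown_abuse")         # stage 5: ownership seizure
    if ev["type"] == "net" and (ev.get("dst") in KNOWN_C2_IPS or url_path.endswith(C2_PATHS)):
        hits.append("c2_registration")       # stage 4: /incrementLaunch, /addInfection
    if ev["type"] == "file" and path.endswith(".ghost"):
        hits.append("ghost_extension")       # stage 7: encrypted copy written
    if ev["type"] == "file" and path.rsplit("\\", 1)[-1] == "ransomnote.html":
        hits.append("ransom_note")           # stage 8: note dropped on desktop
    return hits

def scan(log_text):
    """Return ([(rule, line), ...], Counter of distinct stages hit) for a host's events."""
    findings, stages = [], Counter()
    for line in filter(str.strip, log_text.splitlines()):
        for rule in match_rules(parse_event(line)):
            findings.append((rule, line))
            stages[rule] += 1
    return findings, stages

def verdict(stages, min_stages=2):
    return "escalate" if len(stages) >= min_stages else "monitor"  # two or more stages on one host
```

The takeown.exe and Startup-folder rules fire before any .ghost file exists, which is the point of the write-up: correlating early stages on one host gives a decision point ahead of encryption.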
Case Study: Xcitium vs. Stormous Ransomware
This demonstration shows how Xcitium protects endpoints against a Stormous ransomware campaign leveraging GhostLocker 2.0, combining opportunistic initial access, privilege escalation, and staged encryption delivery.
In this controlled test, the attack simulates tactics observed in real-world incidents where GhostLocker payloads are deployed to establish persistence, enumerate drives, disable defenses, and encrypt files under the .ghost extension while simultaneously exfiltrating victim metadata to attacker-controlled C2 infrastructure.
The intrusion chain includes executable dropping into the Windows Startup folder, takeown.exe abuse for privilege escalation, mass file enumeration, termination of backup and security processes, AES-256 encryption of user files, and outbound HTTP communication to known GhostLocker C2 endpoints.
Xcitium’s ZeroDwell technology automatically classifies the unknown GhostLocker process as untrusted and places it into isolation at the point of execution.
As a result, persistence attempts, privilege escalation, defense impairment, file encryption, and outbound C2 registration are fully isolated before they can impact the endpoint, stopping the attack before the first .ghost file ever appears.
MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs)
MITRE ATT&CK Mapping
Indicators of Compromise (IOCs)
Stormous Ransomware SHA-1 Samples & Zero‑Dwell Threat Intelligence Reports
Conclusion: When the .ghost Extension Appears, the Attack Has Already Won
Stormous activity is noisy, inconsistent, and often difficult to verify from leak-site claims alone. But GhostLocker 2.0 makes the real risk clear. Once the ransomware payload executes, it moves quickly from persistence to drive enumeration, C2 registration, privilege abuse, defense impairment, encryption, and ransom note delivery.
By the time the .ghost extension appears, the critical security decision has already passed.
Why This Threat Matters
GhostLocker is dangerous because it does not wait for defenders to understand the full breach story. It runs, registers the victim, expands access to files, weakens recovery paths, and begins encryption.
- Startup folder persistence keeps the payload alive after reboot
- Drive enumeration identifies encryption targets across mounted systems
- takeown.exe abuse helps seize file ownership
- Backup and security services can be terminated before encryption
- HTTP C2 registration gives operators infection visibility
- AES-256 encryption turns business files into ransom leverage
This is why ransomware defense cannot depend on leak-site monitoring or post-encryption indicators. The outcome must be decided at execution.
Where Xcitium Changes the Outcome
For organizations using Xcitium Advanced EDR, powered by Xcitium’s patented Zero-Dwell platform, GhostLocker fails before the .ghost extension appears.
This is Execution Governance.
Unknown code does not receive unrestricted execution rights.
Code can run without being able to cause damage.
Persistence, privilege abuse, C2 registration, defense impairment, backup disruption, and file encryption are stopped before impact.
Detection asks, “Did we identify this ransomware?”
Execution Governance asks, “Could unknown code encrypt files at all?”
That is the difference.
Xcitium = No Ransomware
GhostLocker proves that ransomware becomes visible only after the damage is already underway. The ransom note is not the beginning of the incident. The encrypted file extension is not the first warning. The real decision point is the moment unknown code tries to execute.
Do not wait for .ghost files.
Govern execution before encryption begins.
Prove control before impact.
Choose Xcitium Advanced EDR, powered by Xcitium’s patented Zero-Dwell platform, to stop ransomware at execution.