The threat actor Storm-0501 has been targeting U.S. government, manufacturing, transportation, and law enforcement sectors in a multi-stage ransomware campaign. Active since 2021, the group exploits weak credentials and unpatched vulnerabilities to compromise hybrid cloud environments and moves laterally from on-premises to cloud systems. Its operations involve data exfiltration, credential theft, and ransomware deployment. Using tools like Cobalt Strike and Rclone, the group maintains persistent access and moves data to cloud storage. Storm-0501, now an affiliate of the ransomware-as-a-service (RaaS) platform Embargo, employs double extortion tactics, encrypting files and threatening data leaks unless a ransom is paid.