Storm-1175 Weaponizes Zero-Day Flaws to Rapidly Deploy Medusa Ransomware
A China-linked cybercriminal group known as Storm-1175 has been exploiting a mix of zero-day and n-day vulnerabilities to mount fast, damaging ransomware campaigns, Microsoft Threat Intelligence said. The group moves quickly from breach to extortion. Victims see data stolen and Medusa ransomware deployed in a matter of days. In some cases the whole operation finishes within 24 hours.
What researchers observed
Microsoft said the group combines unknown zero-day flaws with recently disclosed vulnerabilities to gain initial access. “Storm-1175 rapidly moves from initial access to data exfiltration and deployment of Medusa ransomware, often within a few days and, in some cases, within 24 hours,” Microsoft said. The company also warned that the actor shifts to newly disclosed vulnerabilities during the window before organizations apply patches.
Recent intrusions have hit healthcare, education, professional services, and finance organizations in Australia, the United Kingdom, and the United States, Microsoft added. The attacks show a high operational tempo and skill at finding exposed internet-facing systems.
Tools and techniques
Microsoft cataloged several recurring tactics. The group uses living-off-the-land binaries such as PowerShell and PsExec for lateral movement. It relies on Impacket and Mimikatz for credential theft. Threat actors also leverage PDQ Deployer to move payloads across networks and to drop Medusa ransomware.
Operators create persistence by adding user accounts, installing web shells, or deploying legitimate remote monitoring and management software. They also change Windows Firewall settings to allow remote desktop access, and they configure Microsoft Defender Antivirus exclusions to prevent detection. For data handling they use Bandizip to collect files and Rclone to exfiltrate them, Microsoft said.
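The persistence and evasion changes listed above (Defender exclusions, firewall rules opening Remote Desktop, newly added accounts, RMM agents and exfiltration tooling) are all readable from the host, so a defender can sweep for them. The script below is an added example, not code from Microsoft's report; it assumes an elevated PowerShell session on a Windows host with the Defender and NetSecurity modules, and the seven-day window and the list of tool names to match are assumptions chosen for illustration.

```powershell
# Host-side sweep for the Storm-1175 style artifacts described in the article.
# Added example; run elevated. Findings are collected and printed at the end.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Microsoft Defender Antivirus exclusions (added by the actor to hide payloads)
$mp = Get-MpPreference
foreach ($p in @($mp.ExclusionPath) + @($mp.ExclusionProcess) + @($mp.ExclusionExtension)) {
    if ($p) { $findings.Add("Defender exclusion: $p") }
}

# 2. Enabled inbound firewall rules that allow Remote Desktop (TCP 3389)
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    if ($port.Protocol -eq 'TCP' -and (@($port.LocalPort) -contains '3389')) {
        $findings.Add("RDP allowed inbound by rule: $($_.DisplayName)")
    }
}

# 3. Local accounts created recently (Security event 4720; 7-day window is an assumption)
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4720; StartTime = $since} -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Account created: $($_.Properties[0].Value) at $($_.TimeCreated)") }

# 4. RMM agents and tooling named in the report, present as services or running processes
$toolNames = 'AnyDesk', 'Atera', 'MeshAgent', 'ScreenConnect', 'SimpleHelp', 'PDQ', 'rclone', 'Bandizip'
$svc = Get-Service | Where-Object { $n = $_.Name + ' ' + $_.DisplayName; $toolNames | Where-Object { $n -match $_ } }
foreach ($s in $svc) { $findings.Add("Tool service: $($s.DisplayName) [$($s.Status)]") }
$proc = Get-Process | Where-Object { $n = $_.ProcessName; $toolNames | Where-Object { $n -match $_ } }
foreach ($p in ($proc | Sort-Object ProcessName -Unique)) { $findings.Add("Tool process: $($p.ProcessName) (PID $($p.Id))") }

if ($findings.Count -eq 0) { 'No Storm-1175 style artifacts found on this host.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on any line is a lead, not a verdict: legitimate RMM deployments and administrator-approved exclusions will also appear, so compare results against the organization's known baseline.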
Zero-days and notable vulnerabilities
Microsoft reported that Storm-1175 has exploited more than 16 vulnerabilities across at least 10 software products since 2023. The list includes Microsoft Exchange Server, PaperCut, Ivanti Connect Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, Fortra GoAnywhere MFT, SmarterTools SmarterMail, and BeyondTrust.
Two vulnerabilities were specifically called out as having been used as zero-days before public disclosure. Microsoft named CVE-2025-10035 in GoAnywhere MFT and CVE-2026-23760 in SmarterMail as examples of pre-disclosure exploitation. The firm also cited CVE-2023-21529, CVE-2023-27351, CVE-2023-27350, CVE-2023-46805, CVE-2024-21887, CVE-2024-1708, CVE-2024-1709, CVE-2024-27198, CVE-2024-27199, CVE-2024-57726, CVE-2024-57727, CVE-2024-57728, and CVE-2026-1731, among others.
Why RMM tools matter
Microsoft highlighted that legitimate remote monitoring and management platforms are increasingly abused as covert infrastructure. Tools such as AnyDesk, Atera, MeshAgent, ConnectWise ScreenConnect, and SimpleHelp let attackers blend malicious activity into trusted, encrypted traffic. That lowers the chance of detection and speeds lateral movement, researchers said.
“Storm-1175 rotates exploits quickly during the time between disclosure and patch availability or adoption, taking advantage of the period where many organizations remain unprotected,” Microsoft added. The group also chains multiple exploits to escalate control and maintain persistence after initial access.
Wider response and risk
The Cybersecurity and Infrastructure Security Agency issued a joint advisory with the FBI and the Multi-State Information Sharing and Analysis Center in March 2025. The advisory warned that Medusa ransomware attacks had affected more than 300 critical infrastructure organizations across the United States. That advisory reflects the scale and potential impact of the campaign.
Organizations should inventory internet-facing assets, apply vendor patches quickly, and monitor for unusual use of RMM tools and living-off-the-land binaries. Microsoft recommended focusing on fast detection and rapid containment because Storm-1175 minimizes dwell time and moves to ransom quickly. A step-by-step guide on incident response can help organizations act decisively.
Short, decisive action can limit damage. Visibility across perimeter systems and strict controls on remote management access are essential. Microsoft and federal agencies continue to track activity and publish indicators for defenders.
#MedusaRansomware #Storm1175 #Cybersecurity #ZeroDay #RMMAbuse #ThreatIntel