Fast-moving Storm-1175 uses new exploits to breach networks and drop Medusa
2026-4-7 13:20:50 Author: securityaffairs.com (view original)

China-based actor Storm-1175 runs fast ransomware attacks, exploiting new flaws to breach systems and quickly deploy Medusa ransomware.

China-based actor Storm-1175 carries out fast, financially driven ransomware attacks by exploiting newly disclosed vulnerabilities before organizations patch them. The group targets exposed systems and quickly moves from initial access to data theft and Medusa ransomware deployment, sometimes within 24 hours. It mainly targets sectors such as healthcare, education, finance, and services across the US, UK, and Australia. The attackers often chain exploits, create new accounts for persistence, move laterally using remote tools, steal credentials, and weaken security defenses. Their speed and focus on unpatched systems make them highly effective.

Microsoft researchers report that Storm-1175 quickly exploits newly disclosed flaws in web-facing systems to gain access. Since 2023, the group has targeted many platforms, including Microsoft Exchange, Ivanti, ConnectWise, JetBrains, and others. It often weaponizes vulnerabilities within days of disclosure, sometimes within a single day, before organizations apply patches.

“Storm-1175 rapidly weaponizes recently disclosed vulnerabilities to obtain initial access.” reads the report published by Microsoft. “Since 2023, Microsoft Threat Intelligence has observed exploitation of over 16 vulnerabilities, including:

The attackers also chain multiple exploits to achieve deeper access, such as remote code execution, and have targeted both Windows and Linux systems. In some cases, the threat actor used zero-days even before public disclosure, showing advanced capabilities. By focusing on unpatched systems and acting fast, Storm-1175 maximizes impact and maintains a strong advantage over defenders.

Storm-1175 chains multiple exploits to gain deeper access, as seen in attacks on Microsoft Exchange where it moved from initial access to remote code execution. The group also targets Linux systems and has used zero-day flaws before public disclosure, showing advanced skills.

After gaining access, it installs web shells or remote tools, creates admin accounts, and moves laterally using tools like PowerShell, PsExec, RDP, and Cloudflare tunnels. It also abuses legitimate RMM tools and software like PDQ Deployer and Impacket to spread across networks. The attackers can deploy ransomware in as little as one day, highlighting their speed and efficiency.

Storm-1175 steals credentials using tools like Impacket and Mimikatz, targeting LSASS and enabling WDigest caching to capture passwords. After gaining admin access, it extracts credentials from backups and pivots to domain controllers to access Active Directory and system data.

The group weakens security by modifying antivirus settings and adding exclusions to let ransomware run undetected. It then steals data using tools like Rclone and compresses files for exfiltration.

“Storm-1175 modifies the Microsoft Defender Antivirus settings stored in the registry to tamper with the antivirus software and prevent it from blocking ransomware payloads; in order to accomplish this, an attacker must have access to highly privileged accounts that can modify the registry directly.” continues the report. “For this reason, prioritizing alerts related to credential theft activity, which typically indicate an active attacker in the environment, is essential to responding to ransomware signals and preventing attackers from gaining privileged account access.”
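As an added defender-side example (not code from the article or from Microsoft's report), the following Python scans Sysmon Event ID 13 (registry value set) records for the two tampering techniques described above: enabling WDigest plaintext credential caching (UseLogonCredential = 1) and modifying Microsoft Defender policy or exclusion keys. The key=value log format and the sample events are simplified and constructed; the registry paths themselves are the real Windows locations.

```python
import re

# Real registry locations: WDigest caching switch and Defender policy/exclusion hives.
WDIGEST_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"
DEFENDER_PREFIXES = (
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions",
)

# Constructed sample events in a simplified Sysmon key=value layout (not real telemetry).
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential Details=DWORD (0x00000001)",
    r"EventID=13 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\tools Details=DWORD (0x00000000)",
    r"EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware Details=DWORD (0x00000001)",
    r"EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden Details=DWORD (0x00000001)",
]

EVENT_RE = re.compile(r"EventID=(\d+) Image=(.*?) TargetObject=(.*?) Details=(.*)$")


def parse_event(line):
    """Split one constructed log line into its fields; None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"EventID": int(m.group(1)), "Image": m.group(2),
            "TargetObject": m.group(3), "Details": m.group(4)}


def dword_value(details):
    """Return the integer from a 'DWORD (0x...)' Details field, or None."""
    m = re.search(r"DWORD \((0x[0-9A-Fa-f]+)\)", details)
    return int(m.group(1), 16) if m else None


def classify(event):
    """Tag a registry-set event as WDigest or Defender tampering, else None."""
    if event["EventID"] != 13:
        return None
    target = event["TargetObject"].lower()
    # UseLogonCredential=1 makes LSASS keep plaintext passwords in memory.
    if target == WDIGEST_KEY.lower() and dword_value(event["Details"]) == 1:
        return "wdigest_plaintext_caching_enabled"
    # Any write under the Defender policy or exclusion keys warrants triage.
    if any(target.startswith(p.lower() + "\\") for p in DEFENDER_PREFIXES):
        return "defender_setting_tampered"
    return None


def detect(lines):
    """Return (tag, image, target) for every suspicious event in the input lines."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        tag = classify(ev) if ev else None
        if tag:
            findings.append((tag, ev["Image"], ev["TargetObject"]))
    return findings
```

Because both techniques require a highly privileged account, a hit should be correlated with the credential-theft alerts the report recommends prioritizing rather than handled as an isolated registry change.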

Finally, it deploys Medusa ransomware across the network using tools like PDQ Deployer or Group Policy, completing the attack.

Microsoft provided indicators of compromise (IoCs) for these attacks along with mitigation and protection guidance.

Pierluigi Paganini

(SecurityAffairs – hacking, Storm-1175)

Source: https://securityaffairs.com/190440/cyber-crime/fast-moving-storm-1175-uses-new-exploits-to-breach-networks-and-drop-medusa.html