China-Linked Storm-1175 Exploits Zero-Day Vulnerabilities to Deploy Medusa Ransomware Rapidly
A sophisticated cybercriminal group, identified as Storm-1175 and believed to be operating from China, has been actively exploiting both zero-day and N-day vulnerabilities to conduct rapid and aggressive attacks on internet-facing systems. Their operations have significantly impacted sectors such as healthcare, education, professional services, and finance across Australia, the United Kingdom, and the United States.
According to the Microsoft Threat Intelligence team, Storm-1175 operates at a high tempo and is skilled at locating exposed perimeter assets, which lets it move from scanning to intrusion quickly, sometimes before a vulnerability is publicly disclosed. In some cases the group has chained multiple exploits (for example the OWASSRF chain against Exchange) to extend its post-compromise access.
Once access is gained, Storm-1175 moves quickly to exfiltrate data and deploy Medusa ransomware, often within days and in some cases within 24 hours of initial access. To maintain its foothold the group relies on several tactics:
– Creating persistence: new user accounts are added, and web shells or legitimate remote monitoring and management (RMM) software are installed to keep access and support lateral movement within the network.
– Credential theft: credentials are harvested to escalate privileges and reach sensitive data.
– Disabling security measures: security tooling is tampered with so that activity goes undetected before the ransomware is deployed.
Since 2023, Storm-1175 has been linked to the exploitation of over 16 vulnerabilities, including:
– Microsoft Exchange Server: CVE-2023-21529
– PaperCut: CVE-2023-27351 and CVE-2023-27350
– Ivanti Connect Secure and Policy Secure: CVE-2023-46805 and CVE-2024-21887
– ConnectWise ScreenConnect: CVE-2024-1708 and CVE-2024-1709
– JetBrains TeamCity: CVE-2024-27198 and CVE-2024-27199
– SimpleHelp: CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728
– CrushFTP: CVE-2025-31161
– Fortra GoAnywhere MFT: CVE-2025-10035
– SmarterTools SmarterMail: CVE-2025-52691 and CVE-2026-23760
– BeyondTrust: CVE-2026-1731
Notably, CVE-2025-10035 and CVE-2026-23760 were exploited as zero-days, that is, before public disclosure and before a patch was available. In late 2024 the group expanded its targeting to Linux systems, attacking vulnerable Oracle WebLogic instances across several organizations; the specific vulnerabilities exploited in those attacks have not been identified.
Microsoft highlights that Storm-1175 capitalizes on the window between vulnerability disclosure and the availability or adoption of patches, exploiting the period when many organizations remain unprotected.
The group’s tactics include:
– Living-off-the-land tooling: PowerShell and PsExec, alongside the Impacket toolkit, are used for lateral movement within networks.
– Leveraging PDQ Deployer: Using this tool for both lateral movement and the delivery of payloads, including Medusa ransomware, across networks.
– Modifying Firewall Policies: Adjusting Windows Firewall settings to enable Remote Desktop Protocol (RDP) and facilitate the delivery of malicious payloads to other devices.
– Conducting Credential Dumping: Utilizing tools like Impacket and Mimikatz to extract credentials.
– Configuring Antivirus Exclusions: Setting exclusions in Microsoft Defender Antivirus to prevent the detection and blocking of ransomware payloads.
– Data Collection and Exfiltration: Employing tools like Bandizip for data collection and Rclone for data exfiltration.
The increasing use of RMM tools such as AnyDesk, Atera, MeshAgent, ConnectWise ScreenConnect, or SimpleHelp by threat actors like Storm-1175 underscores a growing trend. These tools are dual-use: they are legitimate, signed, and often already permitted in the environment, so attacker sessions blend into trusted, encrypted remote-access channels and are less likely to be flagged.
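As an added detection example (not code from Microsoft or from the report summarized above), the following Python scans constructed Windows event records for the post-compromise behaviours listed in the tactics section and for the RMM executables named in the last paragraph: a netsh command or firewall rule change (Security event 4946/4947) enabling Remote Desktop, a Defender exclusion added via Set-MpPreference or reflected in Defender event 5007, an rclone copy/sync/move invocation, and a process launch of one of the listed RMM agents. The sample events, host names, user names and command lines are invented for this example; the event IDs, channel names and field names are the real Windows ones.

```python
"""Flag Storm-1175-style defense-evasion, exfiltration and RMM artifacts in Windows events.

Events are modelled as a simplified JSON shape (constructed for this example):
  {"channel": ..., "event_id": ..., "host": ..., "fields": {...}}
Field names (CommandLine, RuleName, Message) mirror the Windows event data names.
"""
import json
import re

# Constructed sample telemetry. Hosts, users and paths are invented.
SAMPLE_EVENTS = json.dumps([
    {"channel": "Security", "event_id": 4688, "host": "FS01",
     "fields": {"SubjectUserName": "svc_backup", "CommandLine":
                "netsh advfirewall firewall set rule group=\"remote desktop\" new enable=Yes"}},
    {"channel": "Security", "event_id": 4688, "host": "FS01",
     "fields": {"SubjectUserName": "svc_backup", "CommandLine":
                "powershell.exe -ep bypass -c \"Set-MpPreference -ExclusionPath C:\\ProgramData\\pdq\""}},
    {"channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5007, "host": "FS01",
     "fields": {"Message": "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions"
                           "\\Paths\\C:\\ProgramData\\pdq = 0x0"}},
    {"channel": "Security", "event_id": 4946, "host": "FS01",
     "fields": {"RuleName": "Remote Desktop - User Mode (TCP-In)", "ProfileChanged": "All"}},
    {"channel": "Security", "event_id": 4688, "host": "FS01",
     "fields": {"SubjectUserName": "svc_backup", "CommandLine":
                "rclone.exe copy D:\\Finance remote:share --transfers 32"}},
    {"channel": "Security", "event_id": 4688, "host": "WS22",
     "fields": {"SubjectUserName": "jdoe", "CommandLine":
                "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe --silent"}},
    {"channel": "Security", "event_id": 4688, "host": "WS22",
     "fields": {"SubjectUserName": "jdoe", "CommandLine": "C:\\Windows\\explorer.exe"}},
])


def cmd(e):
    """Process command line from a 4688 (process creation) event, or '' if absent."""
    return e["fields"].get("CommandLine", "")


# (rule name, predicate). Each predicate is a narrow, behaviour-based match.
RULES = [
    ("firewall_rdp_enabled_cli",
     lambda e: e["event_id"] == 4688 and re.search(
         r"netsh\s+advfirewall.*(remote\s*desktop|3389).*enable=yes", cmd(e), re.I)),
    ("firewall_rdp_rule_added",
     lambda e: e["event_id"] in (4946, 4947) and re.search(
         r"remote desktop|3389", e["fields"].get("RuleName", ""), re.I)),
    ("defender_exclusion_cli",
     lambda e: e["event_id"] == 4688 and re.search(
         r"(Set|Add)-MpPreference.*-Exclusion(Path|Process|Extension)", cmd(e), re.I)),
    ("defender_exclusion_registry",
     lambda e: e["event_id"] == 5007 and
     "\\Windows Defender\\Exclusions\\" in e["fields"].get("Message", "")),
    ("rclone_exfil",
     lambda e: e["event_id"] == 4688 and re.search(
         r"\brclone(\.exe)?\s+(copy|sync|move)\b", cmd(e), re.I)),
    ("rmm_agent_launch",
     lambda e: e["event_id"] == 4688 and re.search(
         r"\b(anydesk|atera|meshagent|screenconnect|simplehelp)[^\\/]*\.exe\b", cmd(e), re.I)),
]


def scan(events_json):
    """Return one finding per (event, rule) match, in event order."""
    findings = []
    for e in json.loads(events_json):
        for name, pred in RULES:
            if pred(e):
                findings.append({"rule": name, "host": e["host"], "event_id": e["event_id"]})
    return findings


def hosts_with_chain(findings, min_rules=3):
    """Hosts that tripped at least `min_rules` distinct rules.

    A single exclusion or firewall change is noisy on its own; firewall change +
    AV exclusion + exfil tool on one host is the pre-ransomware pattern described above.
    """
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['host']}: {h['rule']} (event {h['event_id']})")
    print("hosts with chained indicators:", hosts_with_chain(hits))
```

The per-rule matches are deliberately narrow (specific cmdlets, netsh syntax, event IDs) to keep false positives low; the value comes from hosts_with_chain, which correlates them per host so that a legitimate administrator adding one exclusion does not page anyone, while a host that enables RDP, excludes a staging directory and starts rclone in the same window does.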