Storm-1175 Uses Zero-Day Vulnerabilities to Deliver Medusa Ransomware in Rapid Attacks

CyberSecureFox

A China-based cybercriminal group tracked by Microsoft Threat Intelligence as Storm-1175 is conducting highly automated, high-speed attacks against internet-facing systems to deploy Medusa ransomware. The actors combine previously unknown zero-day vulnerabilities with recently disclosed but unpatched N-day vulnerabilities, significantly reducing the time defenders have to detect and respond.

Storm-1175 targets and global ransomware campaign footprint

Storm-1175 primarily targets organizations in healthcare, education, professional services, and financial services. Most observed incidents have affected victims in Australia, the United Kingdom, and the United States. These sectors typically hold large volumes of sensitive data and depend on continuous IT availability, which historically increases the likelihood of ransom payments in the event of disruption.

The group focuses on exposed perimeter assets such as web applications, VPN gateways, email servers, and other systems reachable directly from the internet. It rapidly scans for vulnerable services, maps them to known or emerging security flaws, and attempts exploitation almost immediately. This opportunistic yet strategically targeted approach enables the group to compromise a diverse set of environments at scale.

Zero-day and N-day exploitation tactics, including OWASSRF-style chains

Storm-1175 combines zero-day exploits—vulnerabilities that are exploited before a vendor releases a patch—with N-day exploits, where attackers weaponize issues that are publicly disclosed but not yet remediated in many organizations. According to Microsoft, the group has been linked to the exploitation of more than 16 vulnerabilities since 2023, including CVE-2025-10035 and CVE-2026-23760, both used as zero-days before public disclosure.

In several campaigns, Storm-1175 chained multiple vulnerabilities into sophisticated exploit chains to bypass authentication, escalate privileges, and streamline lateral movement. Some of these techniques resemble OWASSRF-style attacks, where weaknesses in Outlook Web Access (OWA) and related components are combined with server-side request forgery (SSRF) to gain powerful, often domain-wide, access. For many defenders, a single missed patch on an exposed system can therefore translate into full enterprise compromise.

Expanding focus to Linux and Oracle WebLogic servers

By late 2024, Microsoft observed a clear shift in Storm-1175’s interest towards Linux-based systems. The group has been actively compromising vulnerable Oracle WebLogic installations across multiple organizations. While the exact vulnerability being exploited in these cases has not been publicly disclosed, the deliberate targeting of WebLogic on Linux underscores a broader trend: ransomware operators are moving beyond traditional Windows environments to attack a wider range of enterprise infrastructure and application stacks.

From initial access to Medusa ransomware in under 24 hours

Once Storm-1175 gains an initial foothold, their operations unfold quickly. Microsoft reports incidents where less than 24 hours elapsed between first compromise and the deployment of Medusa ransomware. In many cases, the full attack lifecycle—from initial access to data encryption—completes within a few days. This compressed timeline drastically limits the window for detection, investigation, and containment.

Persistence, lateral movement and RMM abuse

Storm-1175 uses a broad toolkit to maintain access and move laterally within victim networks, including:

  • Creating new local and domain high-privilege accounts to ensure persistent access.
  • Planting web shells on compromised web servers for remote command execution.
  • Deploying legitimate remote monitoring and management (RMM) tools such as AnyDesk, Atera, MeshAgent, ConnectWise ScreenConnect, and SimpleHelp to control systems.
  • Conducting credential theft from memory, configuration files, and password stores to escalate privileges and pivot.
  • Disabling or bypassing antivirus, EDR, and other security controls immediately before ransomware deployment.

The use of legitimate RMM software effectively turns these tools into dual-use infrastructure. Traffic from the attackers is encrypted, mimics normal administrative activity, and often appears benign in logs and network monitoring systems, significantly complicating detection and response efforts.

Why the vulnerability–patch–exploit race favors Storm-1175

Microsoft assesses that Storm-1175 rapidly rotates its exploit set in the short interval between public disclosure of new vulnerabilities and widespread patch deployment. Each new security advisory creates a narrow but high-risk window in which many organizations are still testing or scheduling patches, while attackers are already automating exploitation at scale. Industry reports consistently show that many enterprises take days or weeks to fully remediate critical vulnerabilities, giving threat actors an operational advantage.

These tactics highlight the importance of agile vulnerability management. Organizations should prioritize patching for internet-facing systems, closely monitor threat intelligence for vulnerabilities being actively exploited “in the wild,” and streamline testing processes to shorten the time between patch release and deployment. Attack surface reduction—such as disabling unused external services and enforcing strong authentication—reduces the number of opportunities Storm-1175 and similar groups can exploit.
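The "agile vulnerability management" recommended above can be made concrete as a remediation queue ranked by how far each exposed asset is past its patch SLA. The following is an added example, not code from the article or from Microsoft; the advisory ids are placeholders, the inventory is constructed, and the SLA tiers (same-day for internet-facing assets with in-the-wild exploitation, longer otherwise) are an assumed policy, not a published standard.

```python
from datetime import date

# Constructed advisories and asset inventory (placeholder ids, not real CVE data).
ADVISORIES = {
    "CVE-PLACEHOLDER-0001": {"disclosed": date(2025, 1, 2), "exploited_in_wild": True},
    "CVE-PLACEHOLDER-0002": {"disclosed": date(2025, 1, 5), "exploited_in_wild": False},
    "CVE-PLACEHOLDER-0003": {"disclosed": date(2024, 12, 20), "exploited_in_wild": True},
}

# Per asset: which advisories apply and when each was patched (None = still open).
ASSETS = [
    {"name": "vpn-gw-01", "internet_facing": True,
     "vulns": {"CVE-PLACEHOLDER-0001": None}},
    {"name": "weblogic-03", "internet_facing": True,
     "vulns": {"CVE-PLACEHOLDER-0003": date(2025, 1, 8), "CVE-PLACEHOLDER-0002": None}},
    {"name": "hr-db-02", "internet_facing": False,
     "vulns": {"CVE-PLACEHOLDER-0001": None}},
]

# Remediation SLA in days, keyed by (internet_facing, exploited_in_wild). Assumed policy values.
SLA_DAYS = {
    (True, True): 1,    # exposed and actively exploited: patch or isolate the same day
    (True, False): 7,
    (False, True): 7,
    (False, False): 30,
}


def open_exposures(assets, advisories, today):
    """Return unpatched asset/advisory pairs ranked by how far past SLA they are."""
    rows = []
    for asset in assets:
        for cve, patched_on in asset["vulns"].items():
            if patched_on is not None:
                continue  # window already closed; nothing left to schedule
            adv = advisories[cve]
            days_exposed = (today - adv["disclosed"]).days
            sla = SLA_DAYS[(asset["internet_facing"], adv["exploited_in_wild"])]
            rows.append({
                "asset": asset["name"],
                "cve": cve,
                "internet_facing": asset["internet_facing"],
                "exploited_in_wild": adv["exploited_in_wild"],
                "days_exposed": days_exposed,
                "sla_days": sla,
                "days_overdue": max(0, days_exposed - sla),
            })
    # Most overdue first; ties broken by in-the-wild exploitation, exposure, then age.
    rows.sort(key=lambda r: (-r["days_overdue"], -r["exploited_in_wild"],
                             -r["internet_facing"], -r["days_exposed"]))
    return rows


if __name__ == "__main__":
    for r in open_exposures(ASSETS, ADVISORIES, date(2025, 1, 12)):
        flag = "OVERDUE" if r["days_overdue"] else "within SLA"
        print(f'{r["asset"]:12} {r["cve"]:22} exposed {r["days_exposed"]:>2}d  '
              f'SLA {r["sla_days"]:>2}d  {flag}')
```

Run against the constructed inventory on 2025-01-12, the internet-facing VPN gateway with an actively exploited, ten-day-old flaw sorts to the top (nine days past its one-day SLA), the internal database host follows, and the WebLogic server's non-exploited issue is still inside its window. Feeding the "exploited in the wild" flag from a vulnerability-intelligence source rather than hand-setting it is what turns this into the advisory-driven prioritization the paragraph describes.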

To reduce the risk of Medusa ransomware and related campaigns, organizations should combine network segmentation, strict RMM tool governance (only allowing approved tools and management servers), and behavior-based detection capable of spotting anomalous account and process activity. Regular tabletop exercises and incident response rehearsals for ransomware scenarios are critical: the faster a suspicious system can be isolated and investigated, ideally well within Storm-1175’s 24-hour window, the lower the likelihood of widespread encryption and business disruption.
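The toolkit listed under "Persistence, lateral movement and RMM abuse" and the RMM governance and behaviour-based detection recommended here can be exercised together over endpoint telemetry. The following is an added example, not code from the article or from Microsoft: it runs four defender-side rules (privileged account creation, script files written by a web server process, RMM agents outside an approved tool/server allowlist, and security services being stopped) over a constructed event set, then correlates hits per host inside a 24-hour sliding window to mirror the compromise-to-ransomware timeline reported above. The event schema, the approved-RMM policy, the management server names and the agent binary names are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint telemetry (simplified; not a real vendor schema or a real incident).
EVENTS = [
    {"ts": "2025-01-10T01:05:00", "host": "web01", "type": "file_write",
     "process": "w3wp.exe", "path": r"C:\inetpub\wwwroot\aspnet_client\cmd.aspx"},
    {"ts": "2025-01-10T01:20:00", "host": "web01", "type": "account_created",
     "user": "svc_backup2", "groups": ["Administrators"]},
    {"ts": "2025-01-10T02:10:00", "host": "web01", "type": "network_connect",
     "process": "AnyDesk.exe", "dest": "relay.anydesk.example", "port": 443},
    {"ts": "2025-01-10T03:00:00", "host": "fs02", "type": "network_connect",
     "process": "ScreenConnect.ClientService.exe", "dest": "rmm.corp.example", "port": 443},
    {"ts": "2025-01-10T09:30:00", "host": "fs02", "type": "network_connect",
     "process": "ScreenConnect.ClientService.exe", "dest": "relay.unknown.example", "port": 8041},
    {"ts": "2025-01-10T22:45:00", "host": "web01", "type": "service_control",
     "service": "WinDefend", "action": "stop"},
    {"ts": "2025-01-12T08:00:00", "host": "fs02", "type": "account_created",
     "user": "jsmith", "groups": ["Domain Users"]},
]

# RMM governance policy (assumed): approved agent binary -> approved management servers.
APPROVED_RMM = {"ScreenConnect.ClientService.exe": {"rmm.corp.example"}}
# Agent binaries for RMM products named in the article (names assumed); anything not in
# APPROVED_RMM is treated as unapproved.
KNOWN_RMM = {"AnyDesk.exe", "AteraAgent.exe", "MeshAgent.exe", "ScreenConnect.ClientService.exe"}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
WEB_SERVER_PROCESSES = {"w3wp.exe", "httpd", "nginx", "java"}  # java covers a WebLogic JVM
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".jsp", ".jspx", ".php")
SECURITY_SERVICES = {"WinDefend", "Sense"}  # extend with your own EDR's service names


def rule_privileged_account(e):
    if e["type"] == "account_created" and PRIVILEGED_GROUPS & set(e["groups"]):
        return "new-privileged-account", "medium"


def rule_webshell_drop(e):
    # A web server process writing a server-side script into its own document root.
    if (e["type"] == "file_write" and e["process"] in WEB_SERVER_PROCESSES
            and e["path"].lower().endswith(SCRIPT_EXTENSIONS)):
        return "webshell-written-by-webserver", "high"


def rule_rmm_policy(e):
    # Approved tool AND approved server are both required; anything else is a finding.
    if e["type"] != "network_connect" or e["process"] not in KNOWN_RMM:
        return None
    allowed = APPROVED_RMM.get(e["process"])
    if allowed is None:
        return "unapproved-rmm-tool", "high"
    if e["dest"] not in allowed:
        return "approved-rmm-unapproved-server", "high"


def rule_security_tamper(e):
    if (e["type"] == "service_control" and e["service"] in SECURITY_SERVICES
            and e["action"] in ("stop", "disable")):
        return "security-service-stopped", "critical"


RULES = [rule_privileged_account, rule_webshell_drop, rule_rmm_policy, rule_security_tamper]


def detect(events):
    """Run every rule over every event; return one finding per rule hit."""
    findings = []
    for e in events:
        for rule in RULES:
            hit = rule(e)
            if hit:
                findings.append({"ts": e["ts"], "host": e["host"],
                                 "rule": hit[0], "severity": hit[1]})
    return findings


def correlate(findings, window=timedelta(hours=24), min_rules=3):
    """Flag hosts where at least min_rules distinct rules fire inside one sliding window."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append((datetime.fromisoformat(f["ts"]), f["rule"]))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            rules = {rule for t, rule in hits[i:] if t - start <= window}
            if len(rules) >= min_rules:
                alerts[host] = sorted(rules)
                break
    return alerts


if __name__ == "__main__":
    found = detect(EVENTS)
    for f in found:
        print(f'{f["ts"]} {f["host"]:6} {f["severity"]:8} {f["rule"]}')
    for host, rules in correlate(found).items():
        print(f"ALERT {host}: {len(rules)} distinct techniques within 24h -> isolate and investigate")
```

On the constructed data, fs02's ScreenConnect session to the approved management server produces nothing, while its session to an unknown relay is flagged even though the tool itself is sanctioned; that distinction is the point of governing management servers, not just binaries. web01 accumulates a web shell write, a new administrator, an unapproved RMM agent and a stopped security service within 22 hours, so it alone raises the correlated alert. Individually each rule is noisy in a real estate; the per-host window is what separates an administrator's busy afternoon from staging for encryption.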
