The China-based cybercriminal group Storm-1175, known for spreading the Medusa ransomware, is orchestrating high-speed attacks using both known (n-day) and previously unknown (zero-day) software vulnerabilities.
According to Microsoft, Storm-1175 targets new security flaws, sometimes exploiting them within a day of discovery or even before official patches are released. Once inside a system, the group moves fast, often stealing data and deploying ransomware within 24 hours.
The attacks have affected organizations across healthcare, education, finance, and professional services, particularly in Australia, the United Kingdom, and the United States.
Microsoft also reports that the group uses multiple techniques to maintain access to compromised systems, including creating new user accounts, installing remote management tools, stealing login credentials, and disabling security protections before launching ransomware.
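The persistence steps described above (a new account, a remote-management installer, security protections switched off) rarely look alarming one at a time; a defender's leverage is in correlating them per host inside the 24-hour window Microsoft describes. The following is an added example, not detection logic from Microsoft or the article: the Windows event IDs are the standard ones, while the log records and the RMM installer watchlist are constructed for illustration.

```python
"""Correlate the Storm-1175 persistence steps (new local accounts, remote-management
tooling, tampering with security protections) within a 24-hour window per host.
All event records below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (host, ISO timestamp, Windows event ID, detail).
# 4720 = user account created, 4688 = process created,
# 5001 = Defender real-time protection disabled, 1102 = audit log cleared.
SAMPLE_EVENTS = [
    ("SRV-01", "2024-03-01T02:10:00", 4720, "account=svc_backup2"),
    ("SRV-01", "2024-03-01T02:14:00", 4688, "process=rmm_agent_setup.exe"),
    ("SRV-01", "2024-03-01T03:02:00", 5001, "realtime_protection=off"),
    ("SRV-01", "2024-03-01T03:05:00", 1102, "audit_log_cleared"),
    ("WS-17",  "2024-03-01T09:00:00", 4688, "process=outlook.exe"),
    ("WS-17",  "2024-03-03T11:00:00", 4720, "account=jdoe"),
]

# Hypothetical watchlist; in production, build it from the organisation's own
# inventory of remote-management tools that are NOT approved for the host.
RMM_WATCHLIST = {"rmm_agent_setup.exe"}

# Each technique is a predicate over (event_id, detail string).
TECHNIQUES = {
    "new_account": lambda eid, d: eid == 4720,
    "rmm_install": lambda eid, d: eid == 4688
    and d.split("=", 1)[-1].lower() in RMM_WATCHLIST,
    "defence_tamper": lambda eid, d: eid in (5001, 1102),
}


def correlate(events, window=timedelta(hours=24), min_techniques=2):
    """Return {host: sorted technique names} for every host on which at least
    `min_techniques` distinct techniques fire within `window` of one another."""
    per_host = defaultdict(list)
    for host, ts, eid, detail in events:
        for name, match in TECHNIQUES.items():
            if match(eid, detail):
                per_host[host].append((datetime.fromisoformat(ts), name))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()  # chronological; sliding window starts at each hit
        for i, (start, _) in enumerate(hits):
            seen = {name for t, name in hits[i:] if t - start <= window}
            if len(seen) >= min_techniques:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for host, techniques in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(techniques)}")
```

Only SRV-01 trips the rule; WS-17's lone account creation two days later is not enough on its own, which is the point of correlating rather than alerting on each event.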
Recent campaigns show that Storm-1175 has exploited a wide range of vulnerabilities across multiple platforms, including CVE-2023-21529 in Microsoft Exchange, CVE-2023-27351 and CVE-2023-27350 in PaperCut, CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure and Policy Secure, and CVE-2024-1709 and CVE-2024-1708 in ConnectWise ScreenConnect. The group has also targeted CVE-2024-27198 and CVE-2024-27199 in JetBrains TeamCity, CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 in SimpleHelp, CVE-2025-31161 in CrushFTP, CVE-2025-52691 in SmarterMail, and CVE-2026-1731 in BeyondTrust.
In past attacks, Storm-1175 was observed exploiting CVE-2025-10035 in GoAnywhere MFT for over a week before a patch was released, as well as CVE-2026-23760, a zero-day vulnerability in SmarterMail that allowed attackers to bypass authentication.
Microsoft notes that while Storm-1175 is becoming more advanced, it still relies heavily on older, unpatched vulnerabilities. The company also linked the group to other ransomware operations, including Black Basta and Akira, which targeted VMware ESXi systems.