Campaign
Storm-1175 public-facing intrusion wave
Updated 07.04.2026 09:35
Case score 56
Why this score?
Case score is a discovery signal based on public evidence, not a guaranteed risk rating. Use it to decide what to review first, then verify important details from the linked sources.
- Total
- 56
- Main story score
- 56
- Related evidence lift
- +0 / 20
- Contributing updates
- 0
- Context updates
- 0
Top contributors
- Campaign Campaign record describes rapid exploitation of exposed systems, post-compromise tooling, and fast ransomware follow-on across multiple sectors and countries. main
Case score 56
Members 1
Latest activity 07.04.2026 09:35
Patch available
Members 1
First seen 07.04.2026 09:35
Last seen 07.04.2026 09:35
Updated 07.04.2026 09:35
Overview
**Storm-1175** is running a high-velocity intrusion campaign that uses **zero-day** and **N-day** vulnerabilities to break into exposed internet-facing systems. Available evidence ties the activity to fast follow-on actions that include data theft and **Medusa ransomware**, sometimes within 24 hours.
The activity spans multiple sectors and countries and has touched products such as **Exchange Server**, **Ivanti Connect Secure and Policy Secure**, **ConnectWise ScreenConnect**, **JetBrains TeamCity**, **SimpleHelp**, **GoAnywhere MFT**, **SmarterMail**, and **BeyondTrust**. Current defensive priority is rapid patching of exposed systems plus hunting for web shells, RMM abuse, credential theft, and exfiltration artifacts.
Storm-1175 is running a high-velocity intrusion campaign that uses **zero-day** and **N-day** vulnerabilities to break into exposed internet-facing systems. Available evidence ties the activity to products including **Microsoft Exchange Server**, **Ivanti Connect Secure and Policy Secure**, **ConnectWise ScreenConnect**, **JetBrains TeamCity**, **SimpleHelp**, **Fortra GoAnywhere MFT**, **SmarterTools SmarterMail**, and **BeyondTrust Remote Support and Privileged Remote Access**. The operators have also targeted Oracle WebLogic and Linux systems in recent activity, showing that the intrusion pattern is not limited to a single product line. After foothold acquisition, the group moves quickly to persistence, credential theft, lateral movement, and data exfiltration.
The workflow includes new accounts, web shells, legitimate RMM tools, **PowerShell**, **PsExec**, **Impacket**, **Mimikatz**, and **Rclone**. Security controls are interfered with before payload deployment, and **Medusa ransomware** can follow within 24 hours. The activity spans healthcare, education, professional services, and finance organizations across Australia, the United Kingdom, and the United States, but available evidence does not quantify total reach. Available guidance emphasizes rapid mitigation of exposed systems and hunting for web shells, RMM abuse, credential theft, and exfiltration artifacts.
Signals
7 derivedImpact signals
Victims/regions
Victim region
Australia
Sector
education
Sector
healthcare
Remediation
Remediation
Patch available
Status
Campaign status
Active
Threat context
Actor
Storm-1175
Ransomware
Medusa ransomware
Malware context
1 familiesMember happenings
1 related
Campaign
Storm-1175 high-velocity zero-day and N-day intrusion campaign
Objective
Financial Extortion
Campaign
Active
Patch
Patch Available
Campaign
Storm-1175 high-velocity zero-day and N-day intrusion campaign
Objective
Financial Extortion
Campaign
Active
Patch
Patch Available