Campaign
Storm-1175 public-facing intrusion wave
Updated 07.04.2026 09:35
Summary: this campaign record describes rapid exploitation of exposed systems, post-compromise tooling, and fast ransomware follow-on across multiple sectors and countries.
First seen 07.04.2026 09:35
Last seen 07.04.2026 09:35
Overview
**Storm-1175** is running a high-velocity intrusion campaign that uses **zero-day** and **N-day** vulnerabilities to break into exposed internet-facing systems. Available evidence ties the activity to fast follow-on actions that include data theft and **Medusa ransomware**, sometimes within 24 hours.
The activity spans multiple sectors and countries and has touched products such as **Exchange Server**, **Ivanti Connect Secure and Policy Secure**, **ConnectWise ScreenConnect**, **JetBrains TeamCity**, **SimpleHelp**, **GoAnywhere MFT**, **SmarterMail**, and **BeyondTrust**. The current defensive priority is rapid patching of exposed systems, combined with hunting for web shells, RMM abuse, credential theft, and exfiltration artifacts.
Affected products include **Microsoft Exchange Server**, **Ivanti Connect Secure and Policy Secure**, **ConnectWise ScreenConnect**, **JetBrains TeamCity**, **SimpleHelp**, **Fortra GoAnywhere MFT**, **SmarterTools SmarterMail**, and **BeyondTrust Remote Support and Privileged Remote Access**. The operators have also targeted Oracle WebLogic and Linux systems in recent activity, showing that the intrusion pattern is not limited to a single product line. After gaining a foothold, the group moves quickly to persistence, credential theft, lateral movement, and data exfiltration.
The post-compromise workflow includes creating new accounts and deploying web shells, legitimate RMM tools, **PowerShell**, **PsExec**, **Impacket**, **Mimikatz**, and **Rclone**. The operators tamper with security controls before deploying the payload, and **Medusa ransomware** can follow within 24 hours. The activity spans healthcare, education, professional services, and finance organizations across Australia, the United Kingdom, and the United States, but available evidence does not quantify total reach. Available guidance emphasizes rapid mitigation of exposed systems and hunting for web shells, RMM abuse, credential theft, and exfiltration artifacts.
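The hunting priorities above can be turned into a simple stage-correlation check over endpoint telemetry. The following is an added illustration, not part of the campaign record or any vendor detection content: it tags constructed process and file events with the stages of the described workflow (account creation, web shell drop, RMM tooling, PsExec, credential dumping, Rclone exfiltration, security-control tampering) and flags hosts that show two or more stages. The event format, the patterns, and the RMM product names are assumptions.

```python
"""Correlate the Storm-1175 post-compromise stages described above over
constructed endpoint events. Illustrative example; event shape and patterns
are assumptions, not vendor signatures or indicators from the record."""
import re
from collections import defaultdict

# One regex per stage of the described workflow, matched against the
# process command line and file path of an event (both assumed fields).
STAGES = {
    "new_account":    re.compile(r"\bnet(1)?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I),
    "web_shell":      re.compile(r"(wwwroot|inetpub|htdocs).*\.(aspx?|php|jsp)$", re.I),
    "rmm_tool":       re.compile(r"(screenconnect|simplehelp|anydesk)", re.I),  # assumed names
    "lateral_psexec": re.compile(r"\bpsexe(c|svc)\b", re.I),
    "cred_theft":     re.compile(r"(mimikatz|sekurlsa|secretsdump)", re.I),
    "exfil_rclone":   re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I),
    "defense_tamper": re.compile(r"(Set-MpPreference.*Disable|sc\s+stop\s+\S*(defend|sense))", re.I),
}

def classify(event):
    """Return the list of stage names whose pattern matches this event."""
    text = event.get("cmdline", "") + " " + event.get("path", "")
    return [name for name, rx in STAGES.items() if rx.search(text)]

def hunt(events, min_stages=2):
    """Return {host: sorted stage names} for hosts with >= min_stages distinct stages.
    A single stage (e.g. one admin running PsExec) is noise; several in the
    same host within the hunt window is the chain the record describes."""
    seen = defaultdict(set)
    for ev in events:
        for stage in classify(ev):
            seen[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}

# Constructed sample telemetry (hosts, paths and commands are made up).
SAMPLE = [
    {"host": "web01", "cmdline": "net user svc_backup P@ss1 /add", "path": ""},
    {"host": "web01", "cmdline": "", "path": r"C:\inetpub\wwwroot\aspnet_client\x.aspx"},
    {"host": "web01", "cmdline": "rclone.exe copy D:\\share remote:bucket", "path": ""},
    {"host": "fs02", "cmdline": "psexec.exe \\\\fs02 -s cmd", "path": ""},
    {"host": "fs02", "cmdline": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true", "path": ""},
    {"host": "ws17", "cmdline": "notepad.exe report.txt", "path": ""},
]

if __name__ == "__main__":
    for host, stages in hunt(SAMPLE).items():
        print(host, stages)
```

On the constructed sample, `web01` (account creation, web shell, Rclone) and `fs02` (PsExec, Defender tampering) are flagged while `ws17` is not.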