Find notable cyber news and cases, enriched with sources, timelines, and signals.

Storm-1175 high-velocity exploit campaign

Campaign
First reported
Last updated
Happening score
H score 59
2 unique sources, 2 articles

Summary

Hide ▲

Storm-1175 is running a high-velocity exploit campaign that rapidly turns access into Medusa ransomware deployment, creating risk of data exfiltration and encrypted outages. The group is now tied to CVE-2025-10035 in Fortra GoAnywhere Managed File Transfer (MFT), a critical deserialization flaw with CVSS 10.0 that Microsoft says is being actively exploited in ransomware attacks. Microsoft says Storm-1175 first used the flaw as a zero day on September 11, and Fortra patched it on September 18. Post-exploitation activity included SimpleHelp, MeshAgent, mstsc.exe, Rclone, lateral movement, and a Cloudflare tunnel for command-and-control.

Cases

Related Happenings

GodDamn ransomware PoisonX BYOVD activity

Malware Activity
H score15 First: 09.07.2026 13:43 Last: 09.07.2026 13:43 Sources 1

About this happening: The **GodDamn** ransomware family is using the **PoisonX** kernel driver to disable endpoint defenses during attacks, increasing the risk of **credential theft**, **lateral moveme...

Microsoft Defender BlueHammer (CVE-2026-33825) ransomware exploitation wave

Exploitation Wave
H score41 First: 30.06.2026 11:53 Last: 30.06.2026 11:53 Sources 1

About this happening: CISA has flagged **BlueHammer (CVE-2026-33825)** as exploited in **ransomware campaigns**, expanding the risk to **Windows devices** exposed to privilege escalation. The flaw in *...

Gentlemen ransomware EDR-killer tooling

Malware Activity
H score35 First: 19.06.2026 01:31 Last: 19.06.2026 01:31 Sources 1

About this happening: **Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...

INC ransomware encryptors rewritten in Rust

Malware Activity
H score38 First: 18.06.2026 17:12 Last: 18.06.2026 17:12 Sources 1

About this happening: INC's **Windows** and **Linux/ESXi encryptors** were rewritten in **Rust**, improving cross-platform development and making reverse engineering harder. The malware line also gaine...

Major U.S. services company hit by ransomware attack linked to DragonForce

Incident
H score38 First: 16.06.2026 13:18 Last: 16.06.2026 13:18 Sources 1

About this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...

Timeline

  1. 06.04.2026 19:56 3 articles · 3mo ago

    Storm-1175 high-velocity Medusa ransomware campaign

    Technical Analysis Update

    Microsoft says Storm-1175, a China-based financially motivated cybercriminal group linked to Medusa ransomware, is rapidly weaponizing n-day and zero-day flaws, sometimes within 24 hours and sometimes before patches are released. The operators chain multiple exploits with new user account creation, remote monitoring and management software deployment, credential theft, and security software disabling to move from initial access to data exfiltration and Medusa ransomware deployment. Recent activity has affected healthcare, education, professional services, and finance organizations in Australia, the United Kingdom, and the United States, with exploited products including GoAnywhere MFT, SmarterMail, Microsoft Exchange, Papercut, Ivanti Connect Secure and Policy Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, and BeyondTrust.

    Show sources