Storm-1175 high-velocity exploit campaign
Campaign
Summary
Hide ▲
Show ▼
Storm-1175 is running a high-velocity exploit campaign that rapidly turns access into Medusa ransomware deployment, creating risk of data exfiltration and encrypted outages. The group is now tied to CVE-2025-10035 in Fortra GoAnywhere Managed File Transfer (MFT), a critical deserialization flaw with CVSS 10.0 that Microsoft says is being actively exploited in ransomware attacks. Microsoft says Storm-1175 first used the flaw as a zero day on September 11, and Fortra patched it on September 18. Post-exploitation activity included SimpleHelp, MeshAgent, mstsc.exe, Rclone, lateral movement, and a Cloudflare tunnel for command-and-control.
Cases
Related Happenings
GodDamn ransomware PoisonX BYOVD activity
Malware Activity
H score15
First: 09.07.2026 13:43
Last: 09.07.2026 13:43
Sources 1
About this happening:
The **GodDamn** ransomware family is using the **PoisonX** kernel driver to disable endpoint defenses during attacks, increasing the risk of **credential theft**, **lateral moveme...
GodDamn ransomware PoisonX BYOVD activity
Malware ActivityAbout this happening: The **GodDamn** ransomware family is using the **PoisonX** kernel driver to disable endpoint defenses during attacks, increasing the risk of **credential theft**, **lateral moveme...
Microsoft Defender BlueHammer (CVE-2026-33825) ransomware exploitation wave
Exploitation Wave
H score41
First: 30.06.2026 11:53
Last: 30.06.2026 11:53
Sources 1
About this happening:
CISA has flagged **BlueHammer (CVE-2026-33825)** as exploited in **ransomware campaigns**, expanding the risk to **Windows devices** exposed to privilege escalation. The flaw in *...
Microsoft Defender BlueHammer (CVE-2026-33825) ransomware exploitation wave
Exploitation WaveAbout this happening: CISA has flagged **BlueHammer (CVE-2026-33825)** as exploited in **ransomware campaigns**, expanding the risk to **Windows devices** exposed to privilege escalation. The flaw in *...
Gentlemen ransomware EDR-killer tooling
Malware Activity
H score35
First: 19.06.2026 01:31
Last: 19.06.2026 01:31
Sources 1
About this happening:
**Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
Gentlemen ransomware EDR-killer tooling
Malware ActivityAbout this happening: **Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
INC ransomware encryptors rewritten in Rust
Malware Activity
H score38
First: 18.06.2026 17:12
Last: 18.06.2026 17:12
Sources 1
About this happening:
INC's **Windows** and **Linux/ESXi encryptors** were rewritten in **Rust**, improving cross-platform development and making reverse engineering harder. The malware line also gaine...
INC ransomware encryptors rewritten in Rust
Malware ActivityAbout this happening: INC's **Windows** and **Linux/ESXi encryptors** were rewritten in **Rust**, improving cross-platform development and making reverse engineering harder. The malware line also gaine...
Major U.S. services company hit by ransomware attack linked to DragonForce
Incident
H score38
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
Major U.S. services company hit by ransomware attack linked to DragonForce
IncidentAbout this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
Timeline
-
06.04.2026 19:56 3 articles · 3mo ago
Storm-1175 high-velocity Medusa ransomware campaign
Technical Analysis UpdateMicrosoft says Storm-1175, a China-based financially motivated cybercriminal group linked to Medusa ransomware, is rapidly weaponizing n-day and zero-day flaws, sometimes within 24 hours and sometimes before patches are released. The operators chain multiple exploits with new user account creation, remote monitoring and management software deployment, credential theft, and security software disabling to move from initial access to data exfiltration and Medusa ransomware deployment. Recent activity has affected healthcare, education, professional services, and finance organizations in Australia, the United Kingdom, and the United States, with exploited products including GoAnywhere MFT, SmarterMail, Microsoft Exchange, Papercut, Ivanti Connect Secure and Policy Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, and BeyondTrust.
Show sources
- Microsoft links Medusa ransomware affiliate to zero-day attacks — www.bleepingcomputer.com — 06.04.2026 19:56
- Microsoft links Medusa ransomware affiliate to zero-day attacks — www.bleepingcomputer.com — 06.04.2026 19:56
- Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign — www.infosecurity-magazine.com — 07.10.2025 11:45