Storm-1175 Medusa ransomware affiliate exploits n-days and zero-days in rapid, multi-vector intrusions
Summary
Storm-1175, a China-based cybercriminal affiliate deploying Medusa ransomware, has escalated its attacks by weaponizing n-day and zero-day vulnerabilities in rapid succession, often within days or even hours of public disclosure. The group targets exposed perimeter assets across multiple sectors, including healthcare, education, professional services, and finance, in Australia, the United Kingdom, and the United States. Intrusions open with initial access through chained vulnerabilities, followed by credential theft, persistence (for example, creation of new user accounts), deployment of remote monitoring and management (RMM) tools, and disabling of security software, and culminate in Medusa ransomware deployment.
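The post-access sequence the summary describes (a new local account for persistence, an RMM tool dropped, endpoint protection switched off, all on one host inside a short window) is something a SOC can hunt for directly. The Python below is an added example, not code from Microsoft's report or the BleepingComputer article: it correlates constructed Windows Security events (4720 account creation, 4688 process creation) per host and raises an alert when two or more of those stages land inside the 24-hour window the page mentions. The host names, event lines and the RMM installer names in `RMM_PATTERNS` are assumptions for illustration; the `Set-MpPreference -DisableRealtimeMonitoring` command line is the real Defender cmdlet and switch.

```python
"""Hunt for the Storm-1175 style post-exploitation chain in Windows Security events.

Added example. The event lines, host names and RMM names are constructed; tune
RMM_PATTERNS and AV_DISABLE to the tooling actually used in your environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log excerpt: "<ISO time>\t<host>\t<EventID>\t<details>".
SAMPLE_EVENTS = """\
2026-04-05T02:11:03Z\tMAIL01\t4624\tuser=svc_mail logon_type=3
2026-04-05T02:14:40Z\tMAIL01\t4720\tnew_user=sysadmin2 created_by=SYSTEM
2026-04-05T02:16:12Z\tMAIL01\t4688\tproc=powershell.exe cmdline="Set-MpPreference -DisableRealtimeMonitoring $true"
2026-04-05T02:19:55Z\tMAIL01\t4688\tproc=msiexec.exe cmdline="/i C:\\Users\\Public\\rmm-agent.msi /qn"
2026-04-05T09:02:10Z\tFS02\t4720\tnew_user=backupsvc created_by=it.admin
2026-04-06T14:30:00Z\tFS02\t4688\tproc=msiexec.exe cmdline="/i C:\\Temp\\rmm-agent.msi /qn"
2026-04-05T11:00:00Z\tWS17\t4688\tproc=notepad.exe cmdline="notes.txt"
"""

# Assumed RMM installer/binary names (hypothetical list, not from the page).
RMM_PATTERNS = re.compile(r"rmm-agent\.msi|anydesk|screenconnect|simplehelp", re.I)
# Defender tampering via PowerShell, or stopping the Defender/MDE services.
AV_DISABLE = re.compile(r"Set-MpPreference.*-Disable\w+|\bsc(\.exe)?\s+stop\s+(WinDefend|Sense)\b", re.I)


def parse(line):
    """Split one tab-separated event line into a dict with a parsed timestamp."""
    ts, host, eid, details = line.split("\t", 3)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "eid": int(eid), "details": details}


def stage_of(ev):
    """Map an event to a stage of the chain, or None if it is not of interest."""
    if ev["eid"] == 4720:                      # A user account was created
        return "new_account"
    if ev["eid"] == 4688:                      # A new process has been created
        if AV_DISABLE.search(ev["details"]):
            return "av_disabled"
        if RMM_PATTERNS.search(ev["details"]):
            return "rmm_deployed"
    return None


def hunt(text, window_hours=24):
    """Return alerts for hosts where >=2 chain stages occur within window_hours.

    Three stages on one host is rated "high", two stages "medium". The earliest
    occurrence of each stage is used, so the span is first-stage to last-stage.
    """
    window = timedelta(hours=window_hours)
    stages = defaultdict(dict)                 # host -> stage -> earliest ts
    events = sorted((parse(l) for l in text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    for ev in events:
        st = stage_of(ev)
        if st is not None:
            stages[ev["host"]].setdefault(st, ev["ts"])

    alerts = []
    for host, seen in stages.items():
        if len(seen) < 2:
            continue
        first, last = min(seen.values()), max(seen.values())
        if last - first > window:
            continue
        alerts.append({
            "host": host,
            "stages": sorted(seen),
            "span_minutes": int((last - first).total_seconds() // 60),
            "severity": "high" if len(seen) == 3 else "medium",
        })
    return sorted(alerts, key=lambda a: a["host"])


if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"{a['severity'].upper():6} {a['host']}: {', '.join(a['stages'])} "
              f"within {a['span_minutes']} min")
```

On the constructed data only MAIL01 fires: account creation, Defender disabled and the RMM installer all land within about five minutes, which matches the condensed lifecycle the page describes. FS02 shows two stages but more than a day apart, so it stays silent at the 24-hour window and only surfaces as a medium alert if the window is widened; that is the trade-off to tune against your own baseline of legitimate RMM rollouts.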
Timeline
- 06.04.2026 19:56 · 1 article
Storm-1175 exploits zero-day CVE-2026-23760 in SmarterMail alongside n-days, escalating Medusa ransomware campaign tempo
Storm-1175, a financially motivated threat actor deploying Medusa ransomware, has been observed exploiting CVE-2026-23760, an authentication bypass in SmarterTools SmarterMail, as a zero-day. The group continues to rapidly weaponize vulnerabilities, including CVE-2025-10035 in GoAnywhere MFT and multiple n-days across enterprise software, often within days or hours of public disclosure. Recent intrusions show a condensed attack lifecycle: initial access, credential theft, persistence setup, and ransomware deployment within 24 hours in some cases.
Source: Microsoft links Medusa ransomware affiliate to zero-day attacks — www.bleepingcomputer.com — 06.04.2026 19:56
Information Snippets
- Storm-1175 exploited CVE-2025-10035 (GoAnywhere MFT), a maximum-severity vulnerability, over one week before a patch was available.
  First reported: 06.04.2026 19:56 · 1 source, 1 article
  Source: Microsoft links Medusa ransomware affiliate to zero-day attacks — www.bleepingcomputer.com — 06.04.2026 19:56
- CVE-2026-23760, an authentication bypass in SmarterTools SmarterMail, was weaponized as a zero-day by Storm-1175.
  First reported: 06.04.2026 19:56 · 1 source, 1 article
  Source: Microsoft links Medusa ransomware affiliate to zero-day attacks — www.bleepingcomputer.com — 06.04.2026 19:56
- The group has exploited over 16 vulnerabilities across 10 software products, including Microsoft Exchange (CVE-2023-21529), PaperCut (CVE-2023-27350, CVE-2023-27351), Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887), and ConnectWise ScreenConnect (CVE-2024-1708, CVE-2024-1709).
  First reported: 06.04.2026 19:56 · 1 source, 1 article
  Source: Microsoft links Medusa ransomware affiliate to zero-day attacks — www.bleepingcomputer.com — 06.04.2026 19:56
- Additional exploited vulnerabilities include JetBrains TeamCity (CVE-2024-27198, CVE-2024-27199), SimpleHelp (CVE-2024-57726, CVE-2024-57727, CVE-2024-57728), CrushFTP (CVE-2025-31161), SmarterMail (CVE-2025-52691), and BeyondTrust (CVE-2026-1731).
  First reported: 06.04.2026 19:56 · 1 source, 1 article
  Source: Microsoft links Medusa ransomware affiliate to zero-day attacks — www.bleepingcomputer.com — 06.04.2026 19:56
- Recent campaigns show Storm-1175 moving from initial access through data exfiltration to ransomware deployment within 24 hours in some cases.
  First reported: 06.04.2026 19:56 · 1 source, 1 article
  Source: Microsoft links Medusa ransomware affiliate to zero-day attacks — www.bleepingcomputer.com — 06.04.2026 19:56
- A joint advisory by CISA, FBI, and MS-ISAC in March 2025 reported that Medusa ransomware, the family this affiliate deploys, had impacted over 300 victims across critical infrastructure sectors in the United States.
  First reported: 06.04.2026 19:56 · 1 source, 1 article
  Source: Microsoft links Medusa ransomware affiliate to zero-day attacks — www.bleepingcomputer.com — 06.04.2026 19:56