
Medusa ransomware campaigns by Storm-1175 exploit N-days and zero-days at rapid pace

1 unique source, 1 article

Summary


Storm-1175, a financially motivated cybercrime group tracked by Microsoft Threat Intelligence, is conducting high-velocity Medusa ransomware campaigns that exploit both known vulnerabilities (N-days) and zero-days within days or even hours of disclosure. The group targets exposed perimeter assets in healthcare, education, professional services, and finance sectors across Australia, the United Kingdom, and the United States. Attack chains typically progress from initial exploitation to data exfiltration and Medusa deployment within 24 hours to a few days, outpacing organizational patching timelines and necessitating immediate patch prioritization upon release.

Timeline

  1. 07.04.2026 23:15 · 1 article

    Storm-1175 escalates Medusa ransomware campaigns with rapid exploitation of N-days and zero-days

    Microsoft Threat Intelligence reports that Storm-1175 is deploying Medusa ransomware at high velocity by exploiting known and zero-day vulnerabilities within hours to days of disclosure. The group targets multiple sectors across Australia, the UK, and the US, leveraging RMM tools, Impacket, and Rclone while tampering with Microsoft Defender Antivirus to evade detection.


Information Snippets

  • Storm-1175 is a financially motivated cybercrime group conducting rapid Medusa ransomware campaigns, often moving from exploitation to ransomware deployment within 24 hours to a few days.

    First reported: 07.04.2026 23:15
    1 source, 1 article
  • The group exploits both N-day vulnerabilities and zero-days, including CVE-2026-1731 (BeyondTrust Remote Support/PRA RCE), CVE-2026-23760 (SmarterMail authentication bypass), and CVE-2025-10035 (GoAnywhere MFT License Servlet maximum-severity flaw).

    First reported: 07.04.2026 23:15
    1 source, 1 article
  • Exploited vulnerabilities include CVE-2025-31161 (CrushFTP authentication bypass), CVE-2024-27198 (JetBrains TeamCity authentication bypass), and CVE-2023-21529 (Microsoft Exchange).

    First reported: 07.04.2026 23:15
    1 source, 1 article
  • Storm-1175 leverages remote monitoring and management (RMM) software for lateral movement, Impacket for credential dumping, and Rclone for data exfiltration during intrusions.

    First reported: 07.04.2026 23:15
    1 source, 1 article
  • The group tampered with Microsoft Defender Antivirus by modifying registry settings to disable scanning of the C: drive, allowing Medusa payloads to execute undetected. This requires privileged account access obtained via credential dumping.

    First reported: 07.04.2026 23:15
    1 source, 1 article
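The Defender tampering described in the last snippet leaves a checkable trace: a path exclusion broad enough to cover a whole drive. The script below is an added example (not from Microsoft's report or the CyberHappenings page) that audits the effective exclusion list and the registry key it is stored under for such entries, then lists recent Defender configuration-change events for correlation. It assumes an elevated PowerShell session on a Windows host with the Defender module present; the pattern list is a hypothetical starting point.

```powershell
# Added example: audit Microsoft Defender Antivirus path exclusions for entries broad enough
# to hide a whole drive, as in the C:-drive tampering described above.
# Assumes an elevated PowerShell session on a Windows host with the Defender module present.
function Get-SuspiciousDefenderExclusion {
    [CmdletBinding()]
    param(
        # Hypothetical starter list: drive roots, Windows and Users folders, UNC server roots
        [string[]]$DangerousPattern = @('^[A-Za-z]:\\?$', '^[A-Za-z]:\\Windows\\?$',
                                         '^[A-Za-z]:\\Users\\?$', '^\\\\[^\\]+\\?$')
    )
    $findings = [System.Collections.Generic.List[object]]::new()

    # Effective exclusions as Defender applies them (merged policy and local settings)
    foreach ($path in @((Get-MpPreference).ExclusionPath)) {
        if (-not $path) { continue }
        foreach ($pattern in $DangerousPattern) {
            if ($path -match $pattern) {
                $findings.Add([pscustomobject]@{ Source = 'Get-MpPreference'; Exclusion = $path; Rule = $pattern })
                break
            }
        }
    }

    # The registry location path exclusions are stored under; a matching entry here should be
    # correlated with who wrote it and when (see the 5007 events below)
    $regKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
    if (Test-Path $regKey) {
        $props = Get-ItemProperty -Path $regKey
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            foreach ($pattern in $DangerousPattern) {
                if ($name -match $pattern) {
                    $findings.Add([pscustomobject]@{ Source = 'Registry'; Exclusion = $name; Rule = $pattern })
                    break
                }
            }
        }
    }
    return $findings
}

Get-SuspiciousDefenderExclusion | Format-Table -AutoSize

# Defender logs each configuration change as event 5007; recent ones show what changed and when
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

An exclusion that appears under the registry key but not in Get-MpPreference, or a 5007 event outside a change window, is the signal to pivot on; any finding should be checked against the organisation's approved exclusion baseline before acting.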