Storm-1175 high-tempo Medusa ransomware campaign
Campaign
Summary
Storm-1175 is running a high-tempo Medusa ransomware campaign that has repeatedly exploited n-day and zero-day flaws to gain initial access before patching closes the window. Microsoft tied the group to CVE-2025-10035 in Fortra GoAnywhere MFT, a critical deserialization bug that can enable unauthenticated command injection and potential RCE, with activity observed since September 10-11, 2025. The campaign has affected healthcare, education, professional services, and finance organizations in Australia, the UK, and the US, and post-exploitation activity has included SimpleHelp, MeshAgent, mstsc.exe, Rclone, and Cloudflare tunnel usage.
Related Happenings
Microsoft Defender zero-days exploited in attacks (multiple vulnerabilities)
Vulnerability
First: 21.05.2026 10:49
Last: 21.05.2026 10:49
Sources 1
About this happening:
Microsoft began rolling out fixes for **CVE-2026-41091** and **CVE-2026-45498**, two **actively exploited zero-days** in **Microsoft Defender** components that affect unpatched Wi...
OpenAI hit by cyberattack
Incident
First: 14.05.2026 22:07
Last: 14.05.2026 22:07
Sources 1
About this happening:
OpenAI confirmed **two employees' devices** were breached, giving attackers access to a limited set of internal source code repositories and forcing a precautionary rotation of **...
Pwn2Own Berlin 2026 multi-product zero-days privilege-escalation flaw
Vulnerability
First: 14.05.2026 21:53
Last: 14.05.2026 21:53
Sources 1
About this happening:
**Pwn2Own Berlin 2026** opened with **24 unique zero-days** demonstrated against **fully patched products**, creating immediate exposure across browser, OS, virtualization, enterp...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
Ministry of Justice and Legal Affairs of Oman hit by network compromise
Incident
First: 06.05.2026 16:00
Last: 06.05.2026 16:00
Sources 1
About this happening:
The **Ministry of Justice and Legal Affairs of Oman** suffered an **active intrusion** that exposed **session logs** and **more than 26,000 user records**, raising risk to judicia...
Timeline
- 07.04.2026 13:02 · 2 articles · 1mo ago
Microsoft discloses Storm-1175's high-tempo Medusa ransomware campaign
Initial Disclosure: Microsoft disclosed that Storm-1175 has been weaponizing n-day and zero-day exploits in high-tempo Medusa ransomware attacks for the past three years, exploiting at least 16 vulnerabilities since 2023, including CVE-2025-10035 in GoAnywhere Managed File Transfer. Microsoft said the activity has recently affected healthcare, education, professional services, and finance organizations in Australia, the UK, and the US, with the group typically racing between vulnerability disclosure and patch adoption.
Sources:
- Storm-1175 Exploits Flaws in High-Velocity Medusa Attacks — www.infosecurity-magazine.com — 07.04.2026 13:02
- Storm-1175 Deploys Medusa Ransomware at 'High Velocity' — www.darkreading.com — 07.04.2026 23:15
- 07.10.2025 11:15 · 1 article · 7mo ago
Storm-1175 exploits CVE-2025-10035 in GoAnywhere for Medusa ransomware
Exploitation Observed: Microsoft attributed exploitation of CVE-2025-10035 in Fortra GoAnywhere MFT to Storm-1175, which used it to gain initial access and deploy Medusa ransomware against affected GoAnywhere environments. The critical deserialization flaw can permit unauthenticated command injection and potential RCE, and Microsoft said activity has been observed since September 10-11, 2025. The post-exploitation chain includes dropping SimpleHelp and MeshAgent, creating .jsp files in GoAnywhere MFT directories, using mstsc.exe for lateral movement, running Rclone for exfiltration, and using a Cloudflare tunnel for C2.
Sources:
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15
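The post-exploitation chain reported above lends itself to a simple host-level hunt: a .jsp file written under the GoAnywhere MFT install directory, followed on the same host by one of the named tools. The script below is an added illustration, not Microsoft's or Fortra's code; the install root, the subdirectory names, the `cloudflared` image name for the Cloudflare tunnel client, and all telemetry are constructed placeholders.

```python
"""Hunt for the reported Storm-1175 chain in endpoint telemetry (constructed example)."""

# Placeholder install root; the real GoAnywhere MFT path varies by deployment.
GOANYWHERE_DIR = r"C:\GoAnywhere"
# Tools named in the reporting, keyed on lowercase image name without ".exe".
# "cloudflared" is assumed here as the Cloudflare tunnel client image name.
TOOL_NAMES = {"simplehelp", "meshagent", "rclone", "cloudflared", "mstsc"}


def _image_name(path):
    """Lowercase basename without a trailing .exe, for either slash style."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def hunt(events):
    """Walk telemetry dicts (oldest first) and return (findings, chain_hosts).

    findings: list of (host, rule, detail); a lone tool hit is low confidence
    because rclone or mstsc may be legitimate. chain_hosts: hosts where a .jsp
    under the MFT directory was followed by a named tool (high confidence)."""
    findings, jsp_hosts, chain_hosts = [], set(), set()
    prefix = GOANYWHERE_DIR.lower().replace("\\", "/")
    for e in events:
        host = e["host"]
        if e["type"] == "file_create":
            norm = e["path"].lower().replace("\\", "/")
            if norm.startswith(prefix) and norm.endswith(".jsp"):
                findings.append((host, "jsp_in_mft_dir", e["path"]))
                jsp_hosts.add(host)
        elif e["type"] == "process":
            name = _image_name(e["image"])
            if name in TOOL_NAMES:
                findings.append((host, "remote_tool_or_exfil", name))
                if host in jsp_hosts:
                    chain_hosts.add(host)
    return findings, chain_hosts


# Constructed sample telemetry, not real data: two MFT hosts and a workstation.
SAMPLE_EVENTS = [
    {"host": "mft01", "type": "file_create", "path": r"C:\GoAnywhere\webroot\cache\x.jsp"},
    {"host": "mft01", "type": "process", "image": r"C:\ProgramData\sh\SimpleHelp.exe"},
    {"host": "mft01", "type": "process", "image": r"C:\Windows\System32\mstsc.exe"},
    {"host": "mft02", "type": "file_create", "path": r"C:\GoAnywhere\docs\readme.txt"},
    {"host": "ws07", "type": "process", "image": r"C:\Users\a\Downloads\rclone.exe"},
]

if __name__ == "__main__":
    found, chained = hunt(SAMPLE_EVENTS)
    for f in found:
        print(*f)
    print("full chain on:", sorted(chained))
```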