Find notable cyber news and cases, enriched with sources, timelines, and signals.

Storm-1175 high-tempo Medusa ransomware campaign

Campaign
First reported
Last updated
Happening score
H score 59
3 unique sources, 3 articles

Summary

Hide ▲

Storm-1175 is running a high-tempo Medusa ransomware campaign that has repeatedly exploited n-day and zero-day flaws to gain initial access before patching closes the window. Microsoft tied the group to CVE-2025-10035 in Fortra GoAnywhere MFT, a critical deserialization bug that can enable unauthenticated command injection and potential RCE, with activity observed since September 10-11, 2025. The campaign has affected healthcare, education, professional services, and finance organizations in Australia, the UK, and the US, and post-exploitation activity has included SimpleHelp, MeshAgent, mstsc.exe, Rclone, and Cloudflare tunnel usage.

Cases

Related Happenings

BeyondTrust Remote Support and Privileged Remote Access critical fixes

Security Patch Release
H score38 First: 07.07.2026 08:16 Last: 07.07.2026 08:16 Sources 1

About this happening: **BeyondTrust** released **RS 25.3.3** and **PRA 25.3.3** to fix **four critical vulnerabilities** in its remote-access appliances, including **pre-authentication access-control b...

SimpleHelp remote management software privileged technician account creation security flaw (CVE-2026-48558)

Vulnerability
H score46 First: 15.06.2026 23:06 Last: 15.06.2026 23:06 Sources 1

About this happening: **CVE-2026-48558** is a **critical authentication bypass** in **SimpleHelp RMM** that affects **OIDC authentication** and can let an unauthenticated attacker forge a token and obt...

Microsoft 365 Copilot Enterprise SearchLeak remote code execution flaw (CVE-2026-42824)

Vulnerability
H score34 First: 15.06.2026 16:00 Last: 15.06.2026 16:00 Sources 1

About this happening: **Microsoft 365 Copilot Enterprise Search** has a **critical** vulnerability chain, **SearchLeak**, that could let a user leak **emails, calendar details, MFA codes, and indexed f...

Microsoft Defender zero-days exploited in attacks (multiple vulnerabilities)

Vulnerability
H score39 First: 21.05.2026 10:49 Last: 21.05.2026 10:49 Sources 1

About this happening: Microsoft began rolling out fixes for **CVE-2026-41091** and **CVE-2026-45498**, two **actively exploited zero-days** in **Microsoft Defender** components that affect unpatched Wi...

OpenAI hit by cyberattack

Incident
H score38 First: 14.05.2026 22:07 Last: 14.05.2026 22:07 Sources 1

About this happening: OpenAI confirmed **two employees' devices** were breached, giving attackers access to a limited set of internal source code repositories and forcing a precautionary rotation of **...

Timeline

  1. 07.04.2026 13:02 2 articles · 3mo ago

    Microsoft discloses Storm-1175's high-tempo Medusa ransomware campaign

    Initial Disclosure

    Microsoft disclosed that Storm-1175 has been weaponizing n-day and zero-day exploits in high-tempo Medusa ransomware attacks for the past three years, exploiting at least 16 vulnerabilities since 2023 and including CVE-2025-10035 in GoAnywhere Managed File Transfer. Microsoft said the activity has recently affected healthcare, education, professional services, and finance organizations in Australia, the UK, and the US, with the group typically racing between vulnerability disclosure and patch adoption.

    Show sources
  2. 07.10.2025 11:15 1 articles · 9mo ago

    Storm-1175 exploits CVE-2025-10035 in GoAnywhere for Medusa ransomware

    Exploitation Observed

    Microsoft attributed Storm-1175 to exploiting CVE-2025-10035 in Fortra GoAnywhere MFT to gain initial access and deploy Medusa ransomware against affected GoAnywhere environments. The critical deserialization flaw can permit unauthenticated command injection and potential RCE, and Microsoft said activity has been observed since September 10-11, 2025. The post-exploitation chain includes dropping SimpleHelp and MeshAgent, creating .jsp files in GoAnywhere MFT directories, using mstsc.exe for lateral movement, running Rclone for exfiltration, and using a Cloudflare tunnel for C2.

    Show sources