Storm-1175 high-tempo Medusa ransomware campaign
Campaign
Summary
Hide ▲
Show ▼
Storm-1175 is running a high-tempo Medusa ransomware campaign that has repeatedly exploited n-day and zero-day flaws to gain initial access before patching closes the window. Microsoft tied the group to CVE-2025-10035 in Fortra GoAnywhere MFT, a critical deserialization bug that can enable unauthenticated command injection and potential RCE, with activity observed since September 10-11, 2025. The campaign has affected healthcare, education, professional services, and finance organizations in Australia, the UK, and the US, and post-exploitation activity has included SimpleHelp, MeshAgent, mstsc.exe, Rclone, and Cloudflare tunnel usage.
Cases
Related Happenings
BeyondTrust Remote Support and Privileged Remote Access critical fixes
Security Patch Release
H score38
First: 07.07.2026 08:16
Last: 07.07.2026 08:16
Sources 1
About this happening:
**BeyondTrust** released **RS 25.3.3** and **PRA 25.3.3** to fix **four critical vulnerabilities** in its remote-access appliances, including **pre-authentication access-control b...
BeyondTrust Remote Support and Privileged Remote Access critical fixes
Security Patch ReleaseAbout this happening: **BeyondTrust** released **RS 25.3.3** and **PRA 25.3.3** to fix **four critical vulnerabilities** in its remote-access appliances, including **pre-authentication access-control b...
SimpleHelp remote management software privileged technician account creation security flaw (CVE-2026-48558)
Vulnerability
H score46
First: 15.06.2026 23:06
Last: 15.06.2026 23:06
Sources 1
About this happening:
**CVE-2026-48558** is a **critical authentication bypass** in **SimpleHelp RMM** that affects **OIDC authentication** and can let an unauthenticated attacker forge a token and obt...
SimpleHelp remote management software privileged technician account creation security flaw (CVE-2026-48558)
VulnerabilityAbout this happening: **CVE-2026-48558** is a **critical authentication bypass** in **SimpleHelp RMM** that affects **OIDC authentication** and can let an unauthenticated attacker forge a token and obt...
Microsoft 365 Copilot Enterprise SearchLeak remote code execution flaw (CVE-2026-42824)
Vulnerability
H score34
First: 15.06.2026 16:00
Last: 15.06.2026 16:00
Sources 1
About this happening:
**Microsoft 365 Copilot Enterprise Search** has a **critical** vulnerability chain, **SearchLeak**, that could let a user leak **emails, calendar details, MFA codes, and indexed f...
Microsoft 365 Copilot Enterprise SearchLeak remote code execution flaw (CVE-2026-42824)
VulnerabilityAbout this happening: **Microsoft 365 Copilot Enterprise Search** has a **critical** vulnerability chain, **SearchLeak**, that could let a user leak **emails, calendar details, MFA codes, and indexed f...
Microsoft Defender zero-days exploited in attacks (multiple vulnerabilities)
Vulnerability
H score39
First: 21.05.2026 10:49
Last: 21.05.2026 10:49
Sources 1
About this happening:
Microsoft began rolling out fixes for **CVE-2026-41091** and **CVE-2026-45498**, two **actively exploited zero-days** in **Microsoft Defender** components that affect unpatched Wi...
Microsoft Defender zero-days exploited in attacks (multiple vulnerabilities)
VulnerabilityAbout this happening: Microsoft began rolling out fixes for **CVE-2026-41091** and **CVE-2026-45498**, two **actively exploited zero-days** in **Microsoft Defender** components that affect unpatched Wi...
OpenAI hit by cyberattack
Incident
H score38
First: 14.05.2026 22:07
Last: 14.05.2026 22:07
Sources 1
About this happening:
OpenAI confirmed **two employees' devices** were breached, giving attackers access to a limited set of internal source code repositories and forcing a precautionary rotation of **...
OpenAI hit by cyberattack
IncidentAbout this happening: OpenAI confirmed **two employees' devices** were breached, giving attackers access to a limited set of internal source code repositories and forcing a precautionary rotation of **...
Timeline
-
07.04.2026 13:02 2 articles · 3mo ago
Microsoft discloses Storm-1175's high-tempo Medusa ransomware campaign
Initial DisclosureMicrosoft disclosed that Storm-1175 has been weaponizing n-day and zero-day exploits in high-tempo Medusa ransomware attacks for the past three years, exploiting at least 16 vulnerabilities since 2023 and including CVE-2025-10035 in GoAnywhere Managed File Transfer. Microsoft said the activity has recently affected healthcare, education, professional services, and finance organizations in Australia, the UK, and the US, with the group typically racing between vulnerability disclosure and patch adoption.
Show sources
- Storm-1175 Exploits Flaws in High-Velocity Medusa Attacks — www.infosecurity-magazine.com — 07.04.2026 13:02
- Storm-1175 Deploys Medusa Ransomware at 'High Velocity' — www.darkreading.com — 07.04.2026 23:15
-
07.10.2025 11:15 1 articles · 9mo ago
Storm-1175 exploits CVE-2025-10035 in GoAnywhere for Medusa ransomware
Exploitation ObservedMicrosoft attributed Storm-1175 to exploiting CVE-2025-10035 in Fortra GoAnywhere MFT to gain initial access and deploy Medusa ransomware against affected GoAnywhere environments. The critical deserialization flaw can permit unauthenticated command injection and potential RCE, and Microsoft said activity has been observed since September 10-11, 2025. The post-exploitation chain includes dropping SimpleHelp and MeshAgent, creating .jsp files in GoAnywhere MFT directories, using mstsc.exe for lateral movement, running Rclone for exfiltration, and using a Cloudflare tunnel for C2.
Show sources
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware — thehackernews.com — 07.10.2025 11:15