Storm-1175 high-velocity zero-day and N-day intrusion campaign
Campaign
Summary
Hide ▲
Show ▼
Storm-1175 is running a high-velocity intrusion campaign that chains zero-day and N-day vulnerabilities to gain initial access to exposed systems, raising the risk of rapid compromise and ransomware deployment. The activity is hitting healthcare, education, professional services, and finance organizations across Australia, the United Kingdom, and the United States. Once inside, the operators can exfiltrate data and deploy Medusa ransomware within days or even 24 hours.
Cases
Related Happenings
BeyondTrust Remote Support and Privileged Remote Access critical fixes
Security Patch Release
H score38
First: 07.07.2026 08:16
Last: 07.07.2026 08:16
Sources 1
About this happening:
**BeyondTrust** released **RS 25.3.3** and **PRA 25.3.3** to fix **four critical vulnerabilities** in its remote-access appliances, including **pre-authentication access-control b...
BeyondTrust Remote Support and Privileged Remote Access critical fixes
Security Patch ReleaseAbout this happening: **BeyondTrust** released **RS 25.3.3** and **PRA 25.3.3** to fix **four critical vulnerabilities** in its remote-access appliances, including **pre-authentication access-control b...
SimpleHelp remote management software privileged technician account creation security flaw (CVE-2026-48558)
Vulnerability
H score46
First: 15.06.2026 23:06
Last: 15.06.2026 23:06
Sources 1
About this happening:
**CVE-2026-48558** is a **critical authentication bypass** in **SimpleHelp RMM** that affects **OIDC authentication** and can let an unauthenticated attacker forge a token and obt...
SimpleHelp remote management software privileged technician account creation security flaw (CVE-2026-48558)
VulnerabilityAbout this happening: **CVE-2026-48558** is a **critical authentication bypass** in **SimpleHelp RMM** that affects **OIDC authentication** and can let an unauthenticated attacker forge a token and obt...
SimpleHelp security update for CVE-2026-48558
Security Patch Release
H score65
First: 15.06.2026 23:06
Last: 15.06.2026 23:06
Sources 1
About this happening:
**SimpleHelp** released **5.5.16** and **6.0 RC2** on **June 9** to fix **CVE-2026-48558**, a critical **OIDC** authentication flaw in **SimpleHelp remote management software** th...
SimpleHelp security update for CVE-2026-48558
Security Patch ReleaseAbout this happening: **SimpleHelp** released **5.5.16** and **6.0 RC2** on **June 9** to fix **CVE-2026-48558**, a critical **OIDC** authentication flaw in **SimpleHelp remote management software** th...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
H score37
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
CampaignAbout this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
VECT 2.0 ransomware-branded file destruction malware
Malware Activity
H score4
First: 28.04.2026 17:01
Last: 28.04.2026 17:01
Sources 1
About this happening:
The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...
VECT 2.0 ransomware-branded file destruction malware
Malware ActivityAbout this happening: The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...
Timeline
-
07.04.2026 09:35 2 articles · 3mo ago
Storm-1175 expands a multi-vulnerability Medusa campaign
Campaign Scope UpdateStorm-1175, a China-based threat actor associated with Medusa ransomware, has been linked since 2023 to exploitation of more than 16 vulnerabilities across Microsoft Exchange Server, Papercut, Ivanti Connect Secure and Policy Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, Fortra GoAnywhere MFT, SmarterTools SmarterMail, and BeyondTrust. The group uses zero-day and N-day vulnerabilities to gain initial access to internet-facing systems, including CVE-2025-10035 and CVE-2026-23760 as zero-days before public disclosure, and has also targeted Linux systems and vulnerable Oracle WebLogic instances in late 2024. After foothold acquisition, the operators use PowerShell, PsExec, Impacket, PDQ Deployer, Mimikatz, Rclone, web shells, and legitimate RMM software to move laterally, steal credentials, exfiltrate data, and deploy Medusa ransomware.
Show sources
- China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware — thehackernews.com — 07.04.2026 09:35
- China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware — thehackernews.com — 07.04.2026 09:35