
Storm-1175 high-velocity zero-day and N-day intrusion campaign

Campaign
First reported
Last updated
Happening score: 56
1 unique source, 1 article

Summary


Storm-1175 is running a high-velocity intrusion campaign that chains zero-day and N-day vulnerabilities to gain initial access to exposed systems, raising the risk of rapid compromise and ransomware deployment. The activity is hitting healthcare, education, professional services, and finance organizations across Australia, the United Kingdom, and the United States. Once inside, the operators can exfiltrate data and deploy Medusa ransomware within days, and in some cases within 24 hours.

Cases

Related Happenings

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
First: 06.05.2026 16:02 Last: 06.05.2026 16:02 Sources 1

About this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...

VECT 2.0 ransomware-branded file destruction malware

Malware Activity
First: 28.04.2026 17:01 Last: 28.04.2026 17:01 Sources 1

About this happening: The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...

Lumma Stealer infection of a Context.ai employee

Malware Activity
First: 23.04.2026 11:40 Last: 23.04.2026 11:40 Sources 1

About this happening: A **Context.ai** employee was infected with **Lumma Stealer** in **February 2026**, giving attackers a likely foothold that may have seeded the wider compromise chain affecting **...

The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up

Threat Actor Meta
First: 21.04.2026 17:00 Last: 21.04.2026 17:00 Sources 1

About this happening: **The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...

Gentlemen ransomware affiliate campaign expanding toolkit and infrastructure

Campaign
First: 20.04.2026 23:02 Last: 20.04.2026 23:02 Sources 1

About this happening: The **Gentlemen ransomware** campaign has now been tied to a **ransomware attack on Oltenia Energy Complex** on the **second day of Christmas**, disrupting **ERP systems**, **docu...

Timeline

  1. 07.04.2026 09:35 · 2 articles

    Storm-1175 expands a multi-vulnerability Medusa campaign

    Campaign Scope Update

    Storm-1175, a China-based threat actor associated with Medusa ransomware, has been linked since 2023 to the exploitation of more than 16 vulnerabilities across Microsoft Exchange Server, PaperCut, Ivanti Connect Secure and Policy Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, Fortra GoAnywhere MFT, SmarterTools SmarterMail, and BeyondTrust. The group uses zero-day and N-day vulnerabilities to gain initial access to internet-facing systems, having exploited CVE-2025-10035 and CVE-2026-23760 as zero-days before their public disclosure, and in late 2024 it also targeted Linux systems and vulnerable Oracle WebLogic instances. After gaining a foothold, the operators use PowerShell, PsExec, Impacket, PDQ Deploy, Mimikatz, Rclone, web shells, and legitimate RMM software to move laterally, steal credentials, exfiltrate data, and deploy Medusa ransomware.
