
Storm-1175 ransomware operations leveraging n-day and zero-day exploits in Medusa campaigns

1 unique source, 1 article

Summary


Storm-1175, a financially motivated cybercrime group, has conducted high-tempo Medusa ransomware attacks over the past three years by exploiting both n-day and zero-day vulnerabilities during the patch gap between disclosure and remediation. The actor primarily targets exposed perimeter assets, achieving initial access via web shells or remote access payloads and deploying ransomware within one to six days. Victims include healthcare, education, professional services, and finance sectors across Australia, the UK, and the US. Since 2023, Storm-1175 has weaponized at least 16 vulnerabilities, including the zero-day CVE-2025-10035 in GoAnywhere Managed File Transfer, exploited one week prior to public disclosure.

Timeline

  1. 07.04.2026 13:02 1 article

    Storm-1175 ransomware campaign exploiting n-day and zero-day vulnerabilities in Medusa attacks

    Microsoft reports that Storm-1175 has conducted high-tempo Medusa ransomware attacks since 2023 by weaponizing vulnerabilities during the patch gap period. The actor exploits exposed perimeter assets, establishes initial access via web shells or remote access payloads, and deploys ransomware within 1–6 days. At least 16 vulnerabilities have been exploited, including the zero-day CVE-2025-10035 in GoAnywhere Managed File Transfer, exploited one week prior to public disclosure. Targeted sectors include healthcare, education, professional services, and finance across Australia, the UK, and the US.


Information Snippets

  • Storm-1175 is a financially motivated cybercrime group conducting Medusa ransomware attacks with high operational tempo, exploiting vulnerabilities during the patch gap period.

    First reported: 07.04.2026 13:02
    1 source, 1 article
  • The group has exploited at least 16 vulnerabilities since 2023, including three zero-days such as CVE-2025-10035 in GoAnywhere Managed File Transfer, exploited one week before public disclosure.

    First reported: 07.04.2026 13:02
    1 source, 1 article
  • Storm-1175 targets exposed perimeter assets, establishing initial access via web shells or remote access payloads and deploying ransomware within 1–6 days.

    First reported: 07.04.2026 13:02
    1 source, 1 article
  • Affected sectors include healthcare, education, professional services, and finance in Australia, the UK, and the US.

    First reported: 07.04.2026 13:02
    1 source, 1 article
  • TTPs include creating web shells, dropping remote access payloads, establishing persistence via new admin accounts, and using LOLBins (PowerShell, PsExec), Cloudflare tunnels, Impacket, and PDQ Deployer for lateral movement and payload delivery.

    First reported: 07.04.2026 13:02
    1 source, 1 article
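The TTPs in the snippet above (web shells on perimeter hosts, persistence via new admin accounts, LOLBins such as PowerShell and PsExec) map onto telemetry most environments already collect. The following is an added example, not code from CyberHappenings or from the Microsoft report it summarizes: a small correlation routine that scores constructed endpoint events for those three patterns. The JSON-lines event shape, host names, user names, the list of web server parent processes and the scoring weights are all assumptions made for the example; Windows Security event IDs 4720 (user account created) and 4732 (member added to a local group) are real.

```python
"""Added example (not from the page or the vendor report): score constructed
endpoint telemetry for web-shell activity, new admin accounts and PsExec use.
The event format and all sample values below are constructed for illustration."""
import json
from collections import defaultdict

# Assumed heuristics for the example; tune to your own environment.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe", "java.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}
ADMIN_GROUPS = {"administrators", "domain admins"}

# Constructed sample telemetry in a simplified JSON-lines form (not a real log format).
SAMPLE_EVENTS = """
{"host":"edge-mft-01","kind":"process","parent":"w3wp.exe","image":"cmd.exe","cmdline":"cmd.exe /c whoami","user":"app-pool"}
{"host":"edge-mft-01","kind":"process","parent":"cmd.exe","image":"powershell.exe","cmdline":"powershell -enc SQBFAFgA","user":"app-pool"}
{"host":"edge-mft-01","kind":"security","event_id":4720,"target_user":"svc_backup2"}
{"host":"edge-mft-01","kind":"security","event_id":4732,"target_user":"svc_backup2","group":"Administrators"}
{"host":"fs-02","kind":"process","parent":"services.exe","image":"PSEXESVC.exe","cmdline":"PSEXESVC.exe","user":"SYSTEM"}
{"host":"ws-17","kind":"process","parent":"explorer.exe","image":"powershell.exe","cmdline":"powershell Get-Date","user":"alice"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(text):
    """Return {host: {"score": int, "findings": [str, ...]}} for hosts with findings."""
    events = parse_events(text)
    per_host = defaultdict(lambda: {"score": 0, "findings": []})
    created = defaultdict(set)  # host -> users seen in a 4720 (account created) event

    def flag(host, weight, message):
        per_host[host]["score"] += weight
        per_host[host]["findings"].append(message)

    for ev in events:
        host = ev["host"]
        if ev["kind"] == "process":
            parent = ev.get("parent", "").lower()
            image = ev.get("image", "").lower()
            cmd = ev.get("cmdline", "").lower()
            # Web shell heuristic: a web server worker process spawning a shell.
            if parent in WEB_SERVER_PARENTS and image in SHELL_IMAGES:
                flag(host, 3, f"web shell activity: {parent} spawned {image}")
            # PsExec service binary landing on a host, or the client on the command line.
            if image == "psexesvc.exe" or "psexec" in cmd:
                flag(host, 2, f"PsExec use: {image}")
            # Encoded PowerShell is a common LOLBin pattern worth a closer look.
            if image in {"powershell.exe", "pwsh.exe"} and (" -enc" in cmd or "-encodedcommand" in cmd):
                flag(host, 1, "encoded PowerShell command line")
        elif ev["kind"] == "security":
            if ev.get("event_id") == 4720:
                created[host].add(ev["target_user"])
            elif ev.get("event_id") == 4732 and ev.get("group", "").lower() in ADMIN_GROUPS:
                user = ev["target_user"]
                # Creation followed by admin-group membership on the same host is the
                # persistence pattern described in the snippet; membership alone is lower weight.
                if user in created[host]:
                    flag(host, 3, f"new admin account: {user} created then added to {ev['group']}")
                else:
                    flag(host, 1, f"{user} added to {ev['group']}")
    return dict(per_host)


if __name__ == "__main__":
    for host, info in sorted(analyze(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{host}: score={info['score']}")
        for finding in info["findings"]:
            print(f"  - {finding}")
```

Run as-is it prints the two hosts with findings (edge-mft-01 first, with web shell, encoded PowerShell and new-admin findings; fs-02 for the PsExec service binary) and nothing for the workstation whose PowerShell use is ordinary. The correlation of 4720 followed by 4732 is per host and order-sensitive, so feed it chronologically sorted events; a real deployment would also window the two events in time and key the web shell rule on the actual web server binaries in use.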
  • The group has exploited vulnerabilities in Exchange, PaperCut, Ivanti Connect Secure and Policy Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail, and BeyondTrust.

    First reported: 07.04.2026 13:02
    1 source, 1 article