A prominent China-based threat group has been linked to deployments of Medusa ransomware, recently combining zero-day and N-day (already disclosed, often unpatched) vulnerabilities to mount rapid attacks on exposed internet-facing systems. The group's operational speed and its skill at locating exposed network assets have produced significant impacts across several sectors, notably healthcare, education, professional services, and finance in Australia, the United Kingdom, and the United States, according to Microsoft's Threat Intelligence team.

The group, tracked by Microsoft as Storm-1175, uses zero-day exploits, in some cases before the underlying vulnerability has been publicly acknowledged. In select cases it has chained multiple exploits, as with the OWASSRF exploit chain against Microsoft Exchange Server, to move from initial access into post-compromise activity. Once a foothold is established, these financially motivated actors move quickly to data exfiltration and ransomware deployment: the interval from initial access to encryption is often a matter of days and, in some incidents, under 24 hours.

To deepen access and maintain persistence, Storm-1175 creates new user accounts, deploys web shells, and uses legitimate remote monitoring and management (RMM) software for lateral movement. The group also steals credentials and tampers with security tooling before finally deploying the ransomware.

Since the beginning of 2023, Storm-1175 has exploited more than 16 vulnerabilities, among them CVE-2023-21529 in Microsoft Exchange Server and CVE-2023-27351 in PaperCut print-management software. Its targets include both known vulnerabilities and zero-days, such as CVE-2025-10035 (a deserialization flaw in Fortra GoAnywhere MFT) and CVE-2026-23760. More recently the group has also targeted Linux systems, exploiting vulnerable Oracle WebLogic instances, although the specific vulnerabilities used in those attacks have not been identified.

Microsoft noted that Storm-1175 rotates through exploits during the window between public disclosure and widespread patching, the period in which many organizations remain exposed. Tactics observed in its operations include living-off-the-land binaries for lateral movement, changes to Windows Firewall policy, credential dumping with tools such as Mimikatz, and adding Microsoft Defender Antivirus exclusions so the ransomware payload is never scanned.

A concerning implication is the growing use of remote monitoring and management tools, such as AnyDesk and ConnectWise ScreenConnect, by threat actors. Because these are legitimate, widely deployed products, their traffic and process activity blend in with normal administration, reducing the chance of detection. Defenders should maintain an inventory of sanctioned RMM tools and treat the installation or execution of any other RMM agent as a high-priority alert.
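The persistence, defense-evasion and RMM techniques described in the three passages above (new accounts, web shells, RMM agents, firewall changes, Defender exclusions, LSASS credential dumping) all leave footprints in standard Windows telemetry. The following is an added example, not code from Microsoft or from the original article, of a small detector that walks event records and raises one alert per technique. It assumes a simplified record schema (a dict with channel, event ID and data fields), uses Security log event IDs 4720/4946/4950, Defender Operational event 5007 and Sysmon events 1 and 10, and runs over constructed sample records rather than real telemetry. The RMM executable names and the LSASS-access allowlist are assumptions to be tuned per environment.

```python
import re
from dataclasses import dataclass

# Added example, not the article's or Microsoft's code. Assumed record schema:
# {"channel": str, "event_id": int, "data": {field: value}}; field names follow
# Windows Security log, Defender Operational log and Sysmon conventions.

# Assumption: typical binary names for the RMM tools named in the article.
RMM_IMAGES = {"anydesk.exe", "screenconnect.clientservice.exe",
              "screenconnect.windowsclient.exe"}
IIS_WORKER = "w3wp.exe"                 # web shells execute as children of the IIS worker
SHELLS = {"cmd.exe", "powershell.exe"}
PROCESS_VM_READ = 0x0010                # credential dumpers need this right on lsass.exe
# Assumption: processes that legitimately read LSASS memory in this environment.
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    index: int      # position of the triggering record
    detail: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(records):
    alerts = []
    for i, rec in enumerate(records):
        ch, eid, d = rec["channel"], rec["event_id"], rec.get("data", {})
        if ch == "Security" and eid == 4720:            # local account created
            alerts.append(Alert("new_local_account", i,
                                f"{d.get('TargetUserName')} created by {d.get('SubjectUserName')}"))
        elif ch == "Security" and eid in (4946, 4950):  # firewall rule added / setting changed
            what = d.get("RuleName") or d.get("SettingType")
            alerts.append(Alert("firewall_change", i, f"event {eid}: {what}"))
        elif ch == "Microsoft-Windows-Windows Defender/Operational" and eid == 5007:
            # 5007 fires on any config change; only exclusion changes matter here.
            m = re.search(r"Exclusions\\(\w+)\\(.+?)\s*=", d.get("Message", ""))
            if m:
                alerts.append(Alert("defender_exclusion_added", i, f"{m.group(1)}: {m.group(2)}"))
        elif ch == "Microsoft-Windows-Sysmon/Operational" and eid == 1:   # process create
            img, parent = _base(d.get("Image", "")), _base(d.get("ParentImage", ""))
            if img in RMM_IMAGES:
                alerts.append(Alert("rmm_tool_started", i, img))
            if parent == IIS_WORKER and img in SHELLS:
                alerts.append(Alert("possible_webshell", i,
                                    f"{parent} -> {img} {d.get('CommandLine', '')}"))
        elif ch == "Microsoft-Windows-Sysmon/Operational" and eid == 10:  # process access
            if _base(d.get("TargetImage", "")) == "lsass.exe":
                granted = int(d.get("GrantedAccess", "0x0"), 16)
                src = _base(d.get("SourceImage", ""))
                if granted & PROCESS_VM_READ and src not in LSASS_ALLOWLIST:
                    alerts.append(Alert("lsass_memory_access", i, f"{src} granted 0x{granted:x}"))
    return alerts


# Constructed sample records (not real telemetry), one per technique plus two benign ones.
SAMPLE_RECORDS = [
    {"channel": "Security", "event_id": 4720,
     "data": {"TargetUserName": "svc_backup", "SubjectUserName": "Administrator"}},
    {"channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5007,
     "data": {"Message": r"Microsoft Defender Antivirus Configuration has changed. "
                         r"Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender"
                         r"\Exclusions\Paths\C:\ProgramData\Temp = 0x0"}},
    {"channel": "Security", "event_id": 4946,
     "data": {"RuleName": "Allow RDP inbound", "ProfileChanged": "All"}},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "data": {"Image": r"C:\Users\Public\AnyDesk.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"}},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "data": {"Image": r"C:\Windows\System32\cmd.exe",
              "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": "cmd.exe /c whoami"}},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 10,      # renamed dumper
     "data": {"SourceImage": r"C:\Users\Public\mk.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
              "GrantedAccess": "0x1010"}},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 10,      # benign: Defender engine
     "data": {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
              "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"}},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,       # benign
     "data": {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"}},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
```

Each rule is deliberately narrow and keyed to the technique the article names; in production the same logic would run as SIEM correlation rules, with the RMM list and LSASS allowlist driven from an asset inventory rather than hard-coded.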
