
China-Linked Storm-1175 Exploits Zero-Day Vulnerabilities to Swiftly Deploy Medusa Ransomware


Advanced Cyber Threats: The Rise of Medusa Ransomware and Storm-1175

Recent reporting from security researchers describes activity attributed to a China-based threat actor tracked as Storm-1175. The group is known for deploying Medusa ransomware after exploiting a combination of zero-day and N-day vulnerabilities in high-velocity attacks against exposed internet-facing systems.

The Microsoft Threat Intelligence team has documented the rapid operational tempo at which Storm-1175 operates, highlighting its adeptness at identifying exposed perimeter assets. This capability has resulted in significant intrusions that have adversely affected a variety of sectors, particularly healthcare, education, professional services, and finance. These attacks have been reported in notable regions, including Australia, the United Kingdom, and the United States.

Moreover, recent investigations indicate that Storm-1175 utilizes zero-day exploits, sometimes acting on vulnerabilities before they are publicly disclosed. Their strategy includes leveraging recently disclosed vulnerabilities as initial access points. Intriguingly, some incidents have demonstrated the group’s ability to chain multiple exploits, including the OWASSRF attack, which is employed during post-compromise activities to enhance their access and control over infected systems.

Once Storm-1175 successfully gains access to a system, their approach is strikingly swift and efficient. The group reportedly exfiltrates sensitive data and deploys Medusa ransomware within just a few days, with some incidents occurring within a mere 24 hours. This rapid implementation underscores the group’s financial motivations and highlights the severe risks posed by their cyber operations.

To support these operations, Storm-1175 follows a consistent playbook for establishing persistence within compromised systems. The group creates new user accounts, deploys web shells, and installs legitimate remote monitoring and management (RMM) software, which also aids lateral movement across networks. Its methods further involve credential theft and tampering with security tooling to set the stage for ransomware deployment.

In 2023 alone, Storm-1175 is reported to have exploited more than 16 different vulnerabilities, reflecting a broad exploit arsenal. Among these, two specific vulnerabilities—CVE-2025-10035 and CVE-2026-23760—were exploited as zero-days before public disclosure. As the year progressed, the group increasingly targeted Linux systems, especially through vulnerabilities in Oracle WebLogic instances; the specific vulnerabilities used in those attacks remain unclear.

Microsoft emphasizes that Storm-1175 adeptly rotates through exploits quickly during the critical period between a vulnerability’s disclosure and the time when patches are available or adopted by organizations. This timing allows the group to exploit systems that remain unprotected, significantly increasing the chances of a successful attack.

Several notable tactics and techniques have been documented in connection with Storm-1175’s operations. These include the use of living-off-the-land binaries (LOLBins) such as PowerShell and PsExec for lateral movement, PDQ Deployer for lateral movement and payload delivery across networks, and modification of Windows Firewall policies to enable Remote Desktop Protocol (RDP). The attacks also frequently involve credential dumping with tools such as Impacket and Mimikatz, and the configuration of Microsoft Defender Antivirus exclusions so that ransomware payloads escape detection.
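The persistence and tradecraft described in the two preceding paragraphs (new accounts, RMM software, Defender exclusions, firewall changes that open RDP, PsExec and credential-dumping tools) are all things a defender can look for in Windows telemetry. The following is an added illustrative example, not Microsoft's detection logic or anything from the original report: it runs simple rules over a handful of constructed event records shaped loosely like Security-log events (4688 process creation, 4720 account creation, 4946 firewall rule added) and Defender Operational event 5007 (configuration changed). The event IDs are real; the hostnames, paths, rule strings and the substring-based RMM matching are assumptions made for the example.

```python
"""Defender-side triage of the Storm-1175 post-compromise behaviours named in
the article. Added illustrative example; not a vendor's detection logic.
Runs over CONSTRUCTED Windows event records (Security 4688/4720/4946 and
Defender Operational 5007). Event IDs are real; hosts, paths and rule text are
made up for the example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    evidence: str


# Name-based heuristics for the RMM products listed in the article. Matching a
# substring of the image path is a deliberate simplification (assumption);
# production rules would key on signer, hash and install location as well.
RMM_MARKERS = ("anydesk", "atera", "meshagent", "screenconnect", "simplehelp")

# Command-line patterns for 4688 (requires process command-line auditing).
COMMAND_LINE_RULES = [
    ("defender-exclusion",
     re.compile(r"add-mppreference\s.*-exclusion(path|process|extension)", re.I)),
    ("rdp-enabled-via-firewall",
     re.compile(r'netsh\s+advfirewall\s+firewall\s.*(localport=3389|group="?remote desktop)', re.I)),
    ("rdp-enabled-via-registry",
     re.compile(r"fdenytsconnections\b.*/d\s+0\b", re.I)),
    ("local-account-created",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("credential-dumping-tool",
     re.compile(r"mimikatz|secretsdump|sekurlsa", re.I)),
    ("psexec-lateral-movement",
     re.compile(r"\bpsexec(64)?\.exe\b", re.I)),
]


def analyze(events):
    """Map each event to zero or more Findings; benign events yield nothing."""
    findings = []
    for ev in events:
        eid, host = ev.get("EventID"), ev.get("Host", "?")
        if eid == 4720:  # A user account was created
            findings.append(Finding(host, "local-account-created",
                                    f"account {ev.get('TargetUserName')}"))
        elif eid == 4946 and "3389" in ev.get("Message", ""):  # firewall rule added
            findings.append(Finding(host, "rdp-enabled-via-firewall", ev["Message"]))
        elif eid == 5007 and "Exclusions" in ev.get("Message", ""):  # Defender config changed
            findings.append(Finding(host, "defender-exclusion", ev["Message"]))
        elif eid == 4688:  # process creation
            image = ev.get("NewProcessName", "").lower()
            cmd = ev.get("CommandLine", "")
            if any(marker in image for marker in RMM_MARKERS):
                findings.append(Finding(host, "rmm-tool-execution", image))
            for technique, pattern in COMMAND_LINE_RULES:
                if pattern.search(cmd):
                    findings.append(Finding(host, technique, cmd))
    return findings


def summarize(findings):
    """Distinct techniques observed per host."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f.host].add(f.technique)
    return dict(per_host)


def prioritize(summary, min_techniques=2):
    """Hosts showing two or more distinct techniques. The chain the article
    describes (exclusion + RDP + new account) on one host is a far stronger
    signal than any single event, so those hosts go to the top of the queue."""
    return sorted(h for h, t in summary.items() if len(t) >= min_techniques)


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Host": "srv-web01",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\ProgramData\tmp"'},
    {"EventID": 4946, "Host": "srv-web01",
     "Message": "A rule was added to the Windows Firewall exception list. Rule Name: Allow-RDP Local Port: 3389"},
    {"EventID": 4720, "Host": "srv-web01", "TargetUserName": "svc_backup"},
    {"EventID": 4688, "Host": "wks-042",
     "NewProcessName": r"C:\Users\alice\Downloads\AnyDesk.exe",
     "CommandLine": "AnyDesk.exe --install"},
    {"EventID": 4688, "Host": "wks-042",  # benign noise, should produce nothing
     "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 5007, "Host": "srv-db02",
     "Message": r"Windows Defender Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\backup = 0x0"},
    {"EventID": 4688, "Host": "srv-db02",
     "NewProcessName": r"C:\Tools\PsExec64.exe",
     "CommandLine": r"PsExec64.exe \\srv-db02 -s cmd.exe"},
]

if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.host:10} {f.technique:28} {f.evidence[:60]}")
    print("investigate first:", prioritize(summarize(results)))
```

On the sample data the script raises six findings and flags srv-web01 and srv-db02 for investigation first, because each shows more than one of the article's techniques. The per-host aggregation is the point: a single Defender exclusion or firewall change is routine administrative noise in many environments, but several of these behaviours landing on the same host within a short window is exactly the pattern the report describes.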

The implications of these methods extend beyond individual organizations. The use of RMM tools such as AnyDesk, Atera, MeshAgent, ConnectWise ScreenConnect, and SimpleHelp indicates a concerning trend where these systems become dual-use infrastructures for covert operations. This practice allows threat actors to obscure malicious activities by blending them into legitimate, trusted, and encrypted traffic, thereby reducing the likelihood of detection by security mechanisms.

In conclusion, the emergence of Storm-1175 and their deployment of Medusa ransomware highlights the ever-evolving landscape of cyber threats. Organizations globally must remain vigilant and proactive in implementing robust security measures to safeguard their networks against such sophisticated attacks. The increasing frequency and complexity of these cyber threats underline the critical need for heightened awareness and preparedness within the cybersecurity community.
