Microsoft said a China-based cybercrime group it tracks as Storm-1175 has used n-day and zero-day exploits in fast-moving attacks tied to Medusa ransomware, with some vulnerabilities weaponized within a day and others before patches were released.
KEY FACTS
- Group: Storm-1175 is linked to Medusa ransomware operations.
- Speed: Microsoft said intrusions can move from initial access to data exfiltration and ransomware deployment in under 24 hours.
- Targets: Recent attacks hit healthcare, education, professional services and finance in Australia, the United Kingdom and the United States.
- Exploits: The group has used more than 16 vulnerabilities across 10 products.
The report said the operators often chain exploits to maintain persistence, then create new user accounts, deploy remote monitoring and management (RMM) tools, steal credentials and disable security software before dropping ransomware.
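The post-exploitation sequence above (new accounts, RMM deployment, security tooling switched off, all within a short window) is something a defender can look for directly. The following is an added example, not code from Microsoft's report: it correlates constructed Windows-style log events per host and flags any host where two or more of those stages occur within 24 hours. The event IDs are the standard Windows ones (4720 user account created, 7045 new service installed, 5001 Defender real-time protection disabled); the RMM service-name list, the window and the sample events are assumptions.

```python
"""Correlate host events into the post-exploitation pattern described in the report.

Added example; assumptions: Windows Security/System event IDs 4720 (account created),
7045 (service installed) and 5001 (Defender real-time protection disabled), plus an
assumed list of service names that common RMM installers register.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Service names registered by RMM installers (assumed list; extend for your estate)
RMM_SERVICES = {"screenconnect client", "anydesk", "ateraagent", "simplehelp", "splashtop"}

WINDOW = timedelta(hours=24)  # the report cites access-to-ransomware in under 24 hours


def classify(event):
    """Map one event to a stage of the pattern, or None if it is not part of it."""
    eid = event["event_id"]
    if eid == 4720:
        return "account_created"
    if eid == 7045 and event.get("service", "").lower() in RMM_SERVICES:
        return "rmm_installed"
    if eid == 5001:
        return "defense_disabled"
    return None


def correlate(events, window=WINDOW):
    """Return one finding per host where >= 2 distinct stages fall within `window`.

    Each finding: {"host", "stages" (sorted list), "first", "last"}; findings are
    ordered so hosts showing more stages of the pattern come first.
    """
    by_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((ev["time"], stage))

    findings = []
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        best = None
        # Slide the window forward from each hit and keep the richest cluster
        for i, (t0, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            stages = sorted({h[1] for h in in_window})
            if len(stages) >= 2 and (best is None or len(stages) > len(best["stages"])):
                best = {"host": host, "stages": stages,
                        "first": in_window[0][0], "last": in_window[-1][0]}
        if best:
            findings.append(best)
    return sorted(findings, key=lambda f: -len(f["stages"]))


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry, not real logs
SAMPLE_EVENTS = [
    {"host": "mft-01", "time": _t("2025-09-12T01:10:00"), "event_id": 4720, "account": "svc_backup2"},
    {"host": "mft-01", "time": _t("2025-09-12T01:25:00"), "event_id": 7045, "service": "ScreenConnect Client"},
    {"host": "mft-01", "time": _t("2025-09-12T03:40:00"), "event_id": 5001},
    {"host": "web-07", "time": _t("2025-09-12T09:00:00"), "event_id": 7045, "service": "Dell Update Service"},
    {"host": "hr-03", "time": _t("2025-09-10T08:00:00"), "event_id": 4720, "account": "newhire"},
    {"host": "hr-03", "time": _t("2025-09-13T08:30:00"), "event_id": 7045, "service": "AnyDesk"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['host']}: {', '.join(f['stages'])} between {f['first']} and {f['last']}")
```

In the sample data only mft-01 is flagged: it shows all three stages in about two and a half hours, while hr-03's account creation and AnyDesk install are three days apart and so fall outside the 24-hour window. Widening the window trades precision for recall; the report's "under 24 hours" figure is a reasonable default for this actor but should be tuned to your own baseline of legitimate account and RMM activity.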
Microsoft cited two examples of recent exploitation. In one case, Storm-1175 exploited a maximum-severity flaw in Fortra's GoAnywhere MFT, CVE-2025-10035, for more than a week before a patch was available. In another, it abused CVE-2026-23760, an authentication bypass in SmarterTools' SmarterMail server, as a zero-day.
The disclosure also said the group has exploited flaws in Microsoft Exchange, PaperCut, Ivanti Connect Secure and Policy Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, SmarterMail and BeyondTrust. Microsoft said these campaigns show the group moving quickly and actively hunting for exposed systems, but that it still relies mainly on n-day vulnerabilities rather than zero-days.
CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warned in March 2025 that Medusa attacks had affected more than 300 critical infrastructure organizations in the United States. Microsoft also linked Storm-1175 to Black Basta and Akira attacks in July 2024 that exploited a VMware ESXi authentication-bypass flaw.
WHY IT MATTERS
The findings show how quickly ransomware groups can turn newly disclosed software flaws into intrusions, leaving defenders little time to patch. They also underline the risk posed by internet-facing services in sectors that handle sensitive data and essential operations.