Storm-1175 Deploys Medusa Ransomware Within 24 Hours Using Zero-Day Exploits

Microsoft has identified Storm-1175, a China-linked financially motivated threat group, as the affiliate behind a surge in Medusa ransomware deployments exploiting zero-day and n-day vulnerabilities in internet-facing systems. The group is exploiting vulnerabilities within days — sometimes within 24 hours — of public disclosure, with particular focus on healthcare, education, and finance sectors in the US, UK, and Australia.


Microsoft’s Attribution

In a detailed threat intelligence post published 6 April, Microsoft’s Security team attributed a high-tempo wave of Medusa ransomware deployments to Storm-1175, a China-based financially motivated threat actor. The group operates as a Medusa ransomware affiliate, procuring access to the ransomware payload and supporting infrastructure in exchange for a share of ransom proceeds, while bringing its own significant technical capability to the initial access and post-exploitation phases.

What distinguishes Storm-1175 from typical ransomware affiliates is the speed and sophistication of its exploitation chain. The group has been observed weaponising zero-day vulnerabilities within one week of private discovery — before patches exist — and accelerating to full ransomware deployment from initial access in some cases within 24 hours of gaining a foothold.

Key Vulnerabilities Being Exploited

Microsoft identified two specific vulnerabilities that Storm-1175 has incorporated into its attack chain:

CVE-2026-23760 — SmarterMail Authentication Bypass

SmarterMail is an enterprise email server platform used by tens of thousands of organisations globally. This vulnerability allows unauthenticated attackers to bypass the authentication mechanism and gain administrative access to the mail server. Storm-1175 was observed exploiting CVE-2026-23760 prior to its public disclosure, indicating the group has access to zero-day research pipelines or is conducting its own vulnerability research against internet-facing enterprise applications.

CVE-2025-10035 — GoAnywhere Managed File Transfer RCE

GoAnywhere MFT has been a repeated ransomware target since the Cl0p zero-day campaign in 2023. This vulnerability, also in the GoAnywhere stack, enables remote code execution without authentication. Storm-1175 incorporated this CVE into its playbook within days of disclosure — consistent with the group’s pattern of rapid n-day exploitation during the period between patch release and widespread adoption.

Attack Methodology

Following initial access through these web-facing vulnerabilities, Storm-1175 follows a consistent playbook:

  1. Web shell installation or deployment of a remote access tool (RAT) for persistent access
  2. Credential harvesting from the compromised host — targeting Active Directory, local admin hashes, and service account credentials
  3. Lateral movement using a combination of PowerShell, PsExec, RDP, and Cloudflare tunnels (which bypass traditional egress monitoring by tunnelling over HTTPS)
  4. Legitimate tool abuse — PDQ Deployer, Impacket, and other IT management tools are used to spread across the network, making malicious activity harder to distinguish from legitimate administrative activity
  5. Data exfiltration before encryption, establishing leverage for double extortion
  6. Medusa ransomware deployment across as many systems as possible simultaneously

The use of legitimate remote management and deployment tools is a deliberate anti-detection strategy. Storm-1175 has demonstrated significant operational security discipline, with dwell times deliberately minimised to limit the window for detection before ransomware deployment.

Sector Targeting

Storm-1175 has concentrated its recent activity on four sectors: healthcare, education, professional services, and finance, across the US, UK, and Australia. Healthcare and education organisations are typically under-resourced for security relative to the sensitivity of their data, and both sectors are under ongoing pressure to limit operational disruption — creating maximum leverage for ransomware operators.

The healthcare focus is particularly notable given the concurrent ChipSoft attack in the Netherlands (see separate coverage). While no link has been established between Storm-1175 and the ChipSoft incident, the simultaneous targeting of healthcare IT infrastructure across multiple continents underscores the severity of the sector’s ransomware threat landscape in April 2026.

Defensive Priorities

Immediate actions for affected industries:

  1. Patch SmarterMail immediately if running any version prior to the fix for CVE-2026-23760, and verify that the build actually in production is the patched one
  2. Patch GoAnywhere MFT — apply the update addressing CVE-2025-10035; if you cannot patch immediately, restrict access to the administrative interface to internal networks only
  3. Review internet-facing application inventory — Storm-1175 targets any internet-accessible web application with a known vulnerability; perform an external attack surface assessment
  4. Audit Cloudflare tunnel usage — if you are not using Cloudflare tunnels legitimately, alert on any tunnel configuration creation; if you are using them, ensure all tunnels are accounted for and monitored

Detection signals:

  • Unexpected PowerShell execution from web application service accounts
  • PDQ Deployer or Impacket tooling activity outside normal change windows
  • SMB lateral movement from servers that do not typically initiate SMB connections
  • Large volume outbound transfers on HTTPS (443) to non-business cloud infrastructure
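The four detection signals above, applied to constructed process and network-flow events as an added example (not code from the article or from Microsoft). Field names, the service-account names, the change window, the SMB initiator list, the business cloud allow-list and the byte threshold are all assumptions to be replaced with an environment's own values.

```python
# Added example: the article's four detection signals as rules over constructed
# telemetry. Every name and threshold below is an assumption for illustration.
from datetime import datetime

WEB_SVC_ACCOUNTS = {"IIS APPPOOL\\SmarterMail", "svc_goanywhere"}   # assumed web app accounts
DEPLOY_TOOLS = {"pdqdeploy.exe", "pdqdeployrunner.exe", "psexec.py", "wmiexec.py", "smbexec.py"}
CHANGE_WINDOW_HOURS = range(22, 24)          # assumed approved window: 22:00-23:59
SMB_INITIATORS = {"dc01", "fileserver01"}    # assumed hosts expected to open SMB sessions
BUSINESS_CLOUD = {"sharepoint.example.com", "s3.example-backup.com"}  # assumed allow-list
EXFIL_BYTES = 500 * 1024 * 1024               # assumed threshold: 500 MiB outbound per flow

def check_process(ev):
    """Signals 1 and 2: PowerShell from a web service account; deploy tooling off-hours."""
    alerts, image = [], ev["image"].lower()
    if image in ("powershell.exe", "pwsh.exe") and ev["user"] in WEB_SVC_ACCOUNTS:
        alerts.append("powershell-from-web-service-account")
    if image in DEPLOY_TOOLS and datetime.fromisoformat(ev["ts"]).hour not in CHANGE_WINDOW_HOURS:
        alerts.append("deploy-tool-outside-change-window")
    return alerts

def check_flow(ev):
    """Signals 3 and 4: unexpected SMB initiator; bulk HTTPS to a non-business destination."""
    alerts = []
    if ev["dport"] == 445 and ev["src_host"] not in SMB_INITIATORS:
        alerts.append("unexpected-smb-initiator")
    if ev["dport"] == 443 and ev["bytes_out"] >= EXFIL_BYTES and ev["dst_name"] not in BUSINESS_CLOUD:
        alerts.append("bulk-https-egress-to-unknown-cloud")
    return alerts

# Constructed sample events, not real telemetry.
PROCESS_EVENTS = [
    {"ts": "2026-04-06T03:12:00", "host": "mail01", "user": "IIS APPPOOL\\SmarterMail", "image": "powershell.exe"},
    {"ts": "2026-04-06T03:40:00", "host": "mail01", "user": "CORP\\admin.jane", "image": "PDQDeploy.exe"},
    {"ts": "2026-04-06T22:15:00", "host": "it01", "user": "CORP\\admin.jane", "image": "PDQDeploy.exe"},
]
FLOW_EVENTS = [
    {"src_host": "mail01", "dst_name": "fileserver01", "dport": 445, "bytes_out": 20_000},
    {"src_host": "mail01", "dst_name": "cdn-upload.example.net", "dport": 443, "bytes_out": 900 * 1024 * 1024},
    {"src_host": "dc01", "dst_name": "fileserver01", "dport": 445, "bytes_out": 5_000},
]

def run(process_events=PROCESS_EVENTS, flow_events=FLOW_EVENTS):
    """Return (host, alert) pairs; the mail server trips all four signals, the admin host none."""
    findings = [(ev["host"], a) for ev in process_events for a in check_process(ev)]
    findings += [(ev["src_host"], a) for ev in flow_events for a in check_flow(ev)]
    return findings
```

In practice the first rule is the one to tune most carefully: a mail or MFT server's service account should almost never spawn PowerShell, so that signal is high-fidelity, while the deploy-tool and SMB rules need an accurate inventory of hosts and change windows to avoid paging on routine administration.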

Strategic posture:

Storm-1175’s exploitation speed — from disclosure to deployment — means that the window to patch before becoming a target may be measured in days for high-profile vulnerabilities. Organisations with internet-facing enterprise applications should review their vulnerability management SLAs and consider reducing emergency patch timelines for CVSS ≥ 8.0 vulnerabilities in perimeter-facing software.