China-Linked Storm-1175 Exploits Zero-Day Flaws to Rapidly Deploy Medusa Ransomware Attacks

Medusa Ransomware

A cyber threat group associated with China, identified as Storm-1175, has been observed conducting rapid and highly coordinated cyberattacks by exploiting both undisclosed (zero-day) and known (N-day) vulnerabilities. The group is primarily focused on deploying Medusa ransomware across compromised systems.

Security researchers from Microsoft Threat Intelligence report that the attackers are capable of executing high-speed intrusions, often breaching systems within hours or days of identifying weaknesses in publicly exposed infrastructure.

Widespread Impact Across Critical Sectors

The campaign has significantly affected organizations across multiple industries, including healthcare, education, financial services, and professional sectors. Countries impacted include Australia, the United Kingdom, and the United States.

The attackers demonstrate strong capabilities in identifying vulnerable internet-facing systems, making them particularly dangerous to organizations with weak perimeter defenses.

Exploiting Vulnerabilities Before and After Disclosure

One of the most concerning aspects of this campaign is the group’s ability to exploit vulnerabilities even before they are publicly disclosed. In addition, they rapidly weaponize newly announced flaws before organizations have time to patch them.

In several incidents, the attackers chained multiple vulnerabilities, including server-side request forgery (SSRF) flaws, to strengthen their post-compromise operations and deepen system access.

Rapid Attack Execution and Ransomware Deployment

After gaining initial access, the attackers move quickly to achieve their objectives. In many cases, data theft and ransomware deployment occur within just a few days, while some attacks have been completed in less than 24 hours.

To maintain access and expand control, the group uses several techniques:

  • Creating unauthorized user accounts for persistence
  • Deploying web shells and remote management tools
  • Stealing credentials for lateral movement
  • Disabling or bypassing security protections

Once the environment is fully compromised, the attackers deploy ransomware to encrypt systems and demand payment.

Extensive Exploitation of Known Vulnerabilities

Since 2023, Storm-1175 has been linked to the exploitation of more than 16 vulnerabilities across widely used enterprise software. These include platforms such as Microsoft Exchange, Ivanti systems, ConnectWise tools, JetBrains TeamCity, and others.

Notably, vulnerabilities like CVE-2025-10035 and CVE-2026-23760 were reportedly exploited as zero-days, meaning they were actively used before public disclosure or patch availability.

The group also shows increasing interest in Linux-based systems, targeting platforms such as Oracle WebLogic servers, although the exact vulnerabilities used in these cases remain unclear.

Advanced Techniques Used in Attacks

The attackers rely on a combination of legitimate tools and malicious techniques to avoid detection and maintain control:

  • Use of built-in system tools (LOLBins) like PowerShell and PsExec
  • Deployment of Impacket for remote execution and lateral movement
  • Leveraging PDQ Deploy for distributing ransomware across networks
  • Modifying firewall settings to enable Remote Desktop Protocol (RDP) access
  • Extracting credentials using tools like Mimikatz
  • Disabling Microsoft Defender protections through exclusion settings
  • Using Bandizip for data collection and Rclone for exfiltration
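The technique list above maps closely to command lines a defender can hunt for in process-creation telemetry. The following Python is an added illustration written for this page, not code from Microsoft Threat Intelligence or from the article: it runs a small rule set over a constructed, made-up sample of flattened Windows process-creation events (the `host`, `user`, `image`, `cmdline` fields and the hostnames are invented for the example) and groups hits per host, so a machine that shows a Defender exclusion, an RDP-enabling firewall change and an Rclone transfer in one day stands out as the kind of chain the article describes. The regexes are deliberately simple starting points and would be tuned against real telemetry.

```python
import re
from collections import defaultdict

# Constructed sample of process-creation events (the shape of Security 4688 or
# Sysmon Event ID 1 after flattening). All values are invented for this example.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -nop -c "Add-MpPreference -ExclusionPath C:\\ProgramData\\tmp"'},
    {"host": "FS01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="remote desktop" new enable=yes'},
    {"host": "FS01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "WS22", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user helpdesk2 Winter2025! /add"},
    {"host": "FS01", "user": "CORP\\svc_backup",
     "image": r"C:\ProgramData\rclone\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance remote:backup --transfers 8"},
    # Benign events that must not fire: a plain cmd.exe and a read-only Defender query.
    {"host": "DC01", "user": "CORP\\Administrator",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c echo hello"},
    {"host": "WS22", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-MpPreference"},
]

# Each rule: (tag, substring that must appear in the image path or None,
#             list of regexes that must ALL match the command line).
RULES = [
    ("defender_exclusion", None,
     [r"(?i)Add-MpPreference", r"(?i)-Exclusion(Path|Process|Extension)"]),
    ("defender_realtime_off", None,
     [r"(?i)Set-MpPreference", r"(?i)-DisableRealtimeMonitoring\s+(\$true|1)"]),
    ("firewall_rdp_opened", None,
     [r"(?i)netsh\s+advfirewall\s+firewall", r"(?i)(remote desktop|localport=3389)",
      r"(?i)enable=yes|action=allow"]),
    ("rdp_enabled_registry", None,
     [r"(?i)fDenyTSConnections", r"(?i)/d\s+0\b"]),
    ("local_account_created", None,
     [r"(?i)\bnet1?(\.exe)?\s+(user|localgroup)\b", r"(?i)/add\b"]),
    ("rclone_transfer", "rclone", [r"(?i)\b(copy|sync|move)\b"]),
    ("credential_dumping", "mimikatz", []),
    ("credential_dumping", None, [r"(?i)sekurlsa::"]),
    ("psexec_remote_exec", "psexec", []),
]


def match_rule(event, rule):
    """True when the event's image contains the rule's token (if any) and
    every command-line regex of the rule matches."""
    _tag, image_token, patterns = rule
    if image_token and image_token.lower() not in event["image"].lower():
        return False
    return all(re.search(p, event["cmdline"]) for p in patterns)


def triage_events(events):
    """Return one finding per event that matches at least one rule."""
    findings = []
    for ev in events:
        tags = sorted({rule[0] for rule in RULES if match_rule(ev, rule)})
        if tags:
            findings.append({"host": ev["host"], "user": ev["user"], "tags": tags})
    return findings


def summarize(findings):
    """Collapse findings to host -> sorted list of distinct tags, so hosts that
    show several stages of the chain can be prioritised first."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].update(f["tags"])
    return {host: sorted(tags) for host, tags in per_host.items()}


if __name__ == "__main__":
    for host, tags in summarize(triage_events(SAMPLE_EVENTS)).items():
        print(f"{host}: {', '.join(tags)}")
```

Run against the constructed sample, FS01 accumulates four distinct tags (exclusion added, RDP opened two ways, Rclone transfer) while WS22 shows only the account creation and DC01 nothing; the number of distinct stages per host, rather than any single hit, is what to page on.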

Abuse of Legitimate Remote Management Tools

A key trend observed in these attacks is the misuse of legitimate remote monitoring and management tools. Software such as AnyDesk, Atera, MeshAgent, ConnectWise ScreenConnect, and SimpleHelp are being used as dual-purpose tools.

Because these platforms operate over encrypted and trusted channels, attackers can blend malicious activity with normal network traffic, making detection significantly more difficult.
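Because the traffic itself looks legitimate, the practical control is an inventory check: which RMM agents are running, whether the organisation sanctioned each one, and whether the binary sits where a managed install would put it. The Python below is an added example for this page, not code from the article or from any of the vendors named; it matches the RMM families the article lists against a constructed process inventory (hostnames, paths and the approved-tool set are invented), flags agents that are not on the approved list, agents running from user-writable directories, and hosts carrying more than one RMM family at once. The substring tokens used to recognise each agent are an assumption to be adjusted to the binary names actually seen in your environment.

```python
import re
from collections import defaultdict

# Case-insensitive substrings that identify the RMM families named in the
# article, matched against the process image path. Assumption: these tokens
# are sufficient to recognise the agent binaries; tune for your estate.
RMM_TOKENS = {
    "anydesk": "AnyDesk",
    "ateraagent": "Atera",
    "meshagent": "MeshAgent",
    "screenconnect": "ConnectWise ScreenConnect",
    "simplehelp": "SimpleHelp",
}

# Locations a sanctioned, centrally deployed agent would not normally run from.
USER_WRITABLE = re.compile(
    r"(?i)\\Users\\[^\\]+\\(Downloads|AppData|Desktop|Documents)\\|\\Temp\\")

# Constructed inventory: one row per running process. All values are invented.
SAMPLE_INVENTORY = [
    {"host": "HR-PC7", "image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe"},
    {"host": "HR-PC7", "image": r"C:\Users\mlee\Downloads\AnyDesk.exe"},
    {"host": "FS01", "image": r"C:\Program Files\Mesh Agent\MeshAgent.exe"},
    {"host": "FS01", "image": r"C:\Users\svc_backup\AppData\Local\Temp\AteraAgent.exe"},
    {"host": "DC01", "image": r"C:\Windows\System32\svchost.exe"},
]

# The one RMM product this (invented) organisation has sanctioned.
APPROVED = {"ConnectWise ScreenConnect"}


def classify_image(image):
    """Return the RMM family for an image path, or None if it is not an RMM agent."""
    low = image.lower()
    for token, family in RMM_TOKENS.items():
        if token in low:
            return family
    return None


def audit_rmm(inventory, approved):
    """Return findings for unapproved agents, agents in user-writable paths,
    and hosts running more than one RMM family."""
    findings = []
    families_per_host = defaultdict(set)
    for proc in inventory:
        family = classify_image(proc["image"])
        if family is None:
            continue
        families_per_host[proc["host"]].add(family)
        reasons = []
        if family not in approved:
            reasons.append("unapproved_rmm")
        if USER_WRITABLE.search(proc["image"]):
            reasons.append("unusual_path")
        if reasons:
            findings.append({"host": proc["host"], "family": family,
                             "image": proc["image"], "reasons": reasons})
    for host, families in families_per_host.items():
        if len(families) > 1:
            findings.append({"host": host, "family": "*", "image": None,
                             "reasons": ["multiple_rmm"]})
    return findings


if __name__ == "__main__":
    for f in audit_rmm(SAMPLE_INVENTORY, APPROVED):
        print(f"{f['host']:8} {f['family']:26} {', '.join(f['reasons'])}")
```

On the constructed inventory the approved ScreenConnect client on HR-PC7 is silent, but the AnyDesk binary launched from a Downloads folder on the same machine, and the MeshAgent plus Atera pair on FS01, are reported; a second RMM family appearing on a host that already has a sanctioned one is the pattern worth investigating, since an attacker has no reason to remove the tool the organisation installed.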