Microsoft has identified a China-based cybercriminal group, Storm-1175, as a key operator behind high-speed ransomware campaigns using zero-day and n-day vulnerabilities.
According to the company, the group—known for deploying Medusa ransomware—has been carrying out fast-paced attacks, often exploiting vulnerabilities within days or even before official patches are released.
“Storm-1175 rapidly moves from initial access to data exfiltration and deployment of Medusa ransomware, often within a few days and, in some cases, within 24 hours,” Microsoft said.
The attacks have impacted sectors including healthcare, education, professional services, and finance across Australia, the United Kingdom, and the United States.
Microsoft observed that the group uses multiple exploits in sequence to maintain access. Once inside a system, attackers create new user accounts, deploy remote monitoring tools, steal credentials, and disable security systems before launching ransomware.
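The post-access chain described above (new accounts, remote monitoring tools, credential theft, security tooling disabled) is what a defender can correlate on, especially given the sub-24-hour timelines Microsoft cites. The following is an added example, not code from Microsoft or from this article: a small correlation rule that flags a host when several of those stages appear within one time window. The stage names, the pipe-delimited log format and the sample lines are all constructed for the example; in practice they would come from a SIEM normalisation step.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stage labels are an assumption: a SIEM or EDR normalisation layer is expected
# to map raw events (account-creation audit records, service installs, tamper
# alerts) onto these names. That mapping is outside this example.
POST_ACCESS_STAGES = {
    "account_created",    # new local or domain user
    "rmm_deployed",       # remote monitoring/management agent installed
    "credential_access",  # credential store read by an unusual process
    "security_disabled",  # endpoint protection service stopped or removed
}

# Constructed sample log lines (not real telemetry): timestamp|host|stage|detail
SAMPLE_LOG = """\
2025-03-01T02:10:00|srv-fileshare-01|login_success|interactive logon
2025-03-01T02:14:30|srv-fileshare-01|account_created|local user 'svc_backup2' added
2025-03-01T02:31:05|srv-fileshare-01|rmm_deployed|remote-support agent service installed
2025-03-01T04:02:11|srv-fileshare-01|credential_access|credential store read by unusual process
2025-03-01T05:45:00|srv-fileshare-01|security_disabled|endpoint protection service stopped
2025-03-01T09:00:00|wks-hr-17|account_created|local user 'tmpadmin' added
2025-03-03T09:00:00|wks-hr-17|rmm_deployed|remote-support agent service installed
2025-03-01T11:00:00|wks-dev-03|login_success|interactive logon
"""


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, host, stage, detail = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "stage": stage, "detail": detail}


def find_chains(log_text, window=timedelta(hours=24), min_stages=3):
    """Return {host: sorted list of stages} for every host on which at least
    `min_stages` distinct post-access stages occur within `window`.

    A sliding window starts at each stage event on the host; the first window
    that reaches the threshold produces the alert for that host.
    """
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["stage"] in POST_ACCESS_STAGES:   # ignore benign noise
            by_host[ev["host"]].append(ev)

    hits = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            seen = set()
            for ev in events[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                seen.add(ev["stage"])
            if len(seen) >= min_stages:
                hits[host] = sorted(seen)
                break
    return hits


if __name__ == "__main__":
    for host, stages in find_chains(SAMPLE_LOG).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

With the defaults, only srv-fileshare-01 is flagged: four stages inside roughly three and a half hours. wks-hr-17 shows two stages 48 hours apart, which falls below both the stage threshold and the window; loosening either knob is how a team would trade alert volume for earlier warning.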
The group has demonstrated the ability to exploit vulnerabilities even before patches are available. In one instance, Storm-1175 targeted a critical GoAnywhere MFT flaw (CVE-2025-10035) more than a week before it was patched. It also exploited CVE-2026-23760, an authentication bypass flaw in SmarterMail, as a zero-day.
“While these more recent attacks demonstrate an evolved development capability or new access to resources like exploit brokers for Storm-1175… these factors may have helped to facilitate subsequent zero-day exploitation activity,” Microsoft noted, adding that the group still primarily relies on n-day vulnerabilities.
Recent campaigns show the group exploiting over 16 vulnerabilities across 10 software platforms. These include Microsoft Exchange, PaperCut, Ivanti Connect Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, SmarterMail, and BeyondTrust.
Authorities have already flagged the threat. In March 2025, CISA, along with the FBI and MS-ISAC, warned that Medusa ransomware attacks had impacted more than 300 critical infrastructure organisations in the United States.
Earlier, in July 2024, Microsoft linked Storm-1175 and other groups to ransomware campaigns such as Black Basta and Akira, which exploited a VMware ESXi authentication-bypass flaw.
The findings highlight the growing speed and sophistication of cyberattacks, with threat actors increasingly targeting newly discovered vulnerabilities to maximise impact.