Microsoft has formally attributed an ongoing wave of Medusa ransomware deployments to Storm-1175, a China-based financially motivated cybercriminal group operating with an unusually broad and aggressive exploit arsenal. The attribution, published by Microsoft Threat Intelligence, reveals a threat actor capable of leveraging 16 or more vulnerabilities across 10 different software products — including two active zero-days — to achieve rapid network compromise and ransomware deployment.
Storm-1175: Threat Actor Profile
Storm-1175 is classified as a financially motivated cybercriminal group with China-based infrastructure. Unlike many ransomware affiliates who rely on a narrow set of initial access techniques, Storm-1175 maintains a diverse and continuously updated portfolio of exploits targeting enterprise software at scale.
Microsoft's investigation found the group can move "from initial access to data exfiltration and deployment of Medusa ransomware, often within a few days and, in some cases, within 24 hours" — a pace that places them among the most operationally efficient ransomware actors currently tracked.
Zero-Day Arsenal
Storm-1175 has been confirmed deploying two specific zero-day vulnerabilities:
CVE-2026-23760 — SmarterTools SmarterMail Authentication Bypass
An authentication bypass vulnerability in SmarterMail, the widely deployed business email server. The flaw allowed Storm-1175 to gain unauthorized access to mail server environments without valid credentials — a particularly high-value initial foothold given the volume of sensitive data traversing enterprise email infrastructure.
CVE-2025-10035 — GoAnywhere Managed File Transfer
A maximum-severity vulnerability in Fortra's GoAnywhere MFT platform. Microsoft confirmed Storm-1175 exploited this flaw over one week before the vendor released a patch, meaning targeted organizations had no remediation option available at the time of compromise.
Broader N-Day Exploitation
Beyond the two active zero-days, Storm-1175 has demonstrated sustained capability across a wide range of enterprise software vulnerabilities:
| Software | CVE(s) |
|---|---|
| Microsoft Exchange | CVE-2023-21529 |
| PaperCut MF/NG | CVE-2023-27351, CVE-2023-27350 |
| Ivanti Connect Secure | CVE-2023-46805, CVE-2024-21887 |
| ConnectWise ScreenConnect | CVE-2024-1709, CVE-2024-1708 |
| JetBrains TeamCity | Multiple |
| SimpleHelp | Multiple |
| CrushFTP | Multiple |
| BeyondTrust | Multiple |
The breadth of this portfolio — spanning email, file transfer, VPN, print management, CI/CD, and remote access platforms — reflects a threat actor that systematically targets the perimeter of enterprise environments regardless of the specific software stack in use.
Post-Compromise Attack Chain
After establishing initial access, Storm-1175 follows a consistent multi-stage pattern:
1. Initial Access
   └── Zero-day or n-day exploitation of web-facing systems
2. Persistence
   ├── Immediate creation of new user accounts
   └── Deployment of RMM tools (ScreenConnect, AnyDesk, SimpleHelp)
3. Credential Harvesting
   ├── Extraction of stored credentials
   └── Disabling of security and endpoint protection software
4. Data Exfiltration
   └── Sensitive files stolen for double-extortion leverage
5. Ransomware Deployment
   └── Medusa ransomware payload detonated across network
The reliance on legitimate remote management tools during post-compromise operations is a deliberate choice to evade detection — these tools are commonly whitelisted in enterprise environments and generate traffic that blends with normal IT activity.
Impact and Victim Sectors
Storm-1175's Medusa deployments have targeted organizations across Australia, the United Kingdom, and the United States, with CISA estimating that Medusa ransomware has affected more than 300 critical infrastructure organizations in the US alone.
Primary target sectors include:
- Healthcare — hospitals, medical centers, healthcare systems
- Education — universities and school districts
- Professional services — law firms, consulting
- Financial services — banks and financial institutions
Microsoft's Detection and Mitigation Guidance
Microsoft recommends organizations prioritize the following defensive measures given Storm-1175's tactics:
- Patch SmarterMail and GoAnywhere MFT immediately if CVE-2026-23760 or CVE-2025-10035 remains unpatched in your environment
- Audit remote management tool usage — detect ConnectWise ScreenConnect, AnyDesk, or SimpleHelp deployments outside approved IT workflows
- Monitor for unexpected privileged account creation — a consistent early-stage persistence indicator for this group
- Enable MFA across all internet-facing systems — reduces the blast radius of credential-based lateral movement
- Segment networks to prevent ransomware from propagating from an initial beachhead across the entire environment
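The persistence stage of the attack chain above (new accounts followed by RMM tool deployment) and the two monitoring recommendations in this list (audit RMM usage, watch for unexpected privileged account creation) can be turned into one correlation check over Windows Security log events. The script below is an added example written for this article, not code from Microsoft, BleepingComputer or any vendor. The event IDs are real Windows Security Log IDs (4720 account created, 4728/4732 member added to a security group, 4688 process created); the JSON field names, the sample events, the RMM executable names and the approved-host list are assumptions made for the example.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Real Windows Security Log event IDs.
ACCOUNT_CREATED = 4720
PRIV_GROUP_ADD = {4728, 4732}
PROCESS_CREATED = 4688

# Groups whose membership grants broad access (assumed list; extend as needed).
PRIVILEGED_GROUPS = {"administrators", "domain admins", "remote desktop users"}

# Executable names for the RMM tools named in the report. Assumed from public
# documentation; verify them against your own software inventory.
RMM_BINARIES = {
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
    "screenconnect.windowsclient.exe": "ConnectWise ScreenConnect",
    "anydesk.exe": "AnyDesk",
    "remote access.exe": "SimpleHelp",
}

# An RMM launch by an account created within this window is treated as one
# persistence step (assumed; the report notes intrusions can complete in 24h).
CORRELATION_WINDOW = timedelta(hours=24)

# Hosts where RMM tools are expected as part of approved IT workflows (assumed).
APPROVED_RMM_HOSTS = {"IT-JUMP01"}


@dataclass
class Event:
    ts: datetime
    event_id: int
    host: str
    fields: dict


def parse_events(lines):
    """Parse JSON-lines events (constructed schema) into Events sorted by time."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        raw = json.loads(line)
        events.append(Event(datetime.fromisoformat(raw["ts"]), int(raw["id"]),
                            raw["host"], raw))
    return sorted(events, key=lambda e: e.ts)


def rmm_tool_name(image_path):
    """Return the RMM product for a process image path, or None if not an RMM tool."""
    return RMM_BINARIES.get(PureWindowsPath(image_path).name.lower())


def analyze(lines, approved_rmm_hosts=APPROVED_RMM_HOSTS):
    """Return findings as dicts with kind, severity, host, account and ts."""
    new_accounts = {}  # (host, account) -> creation time
    findings = []
    for ev in parse_events(lines):
        if ev.event_id == ACCOUNT_CREATED:
            acct = ev.fields["target_user"].lower()
            new_accounts[(ev.host, acct)] = ev.ts
            findings.append(dict(kind="new_account", severity="low",
                                 host=ev.host, account=acct, ts=ev.ts))
        elif ev.event_id in PRIV_GROUP_ADD:
            acct = ev.fields["member"].lower()
            if (ev.fields["group"].lower() in PRIVILEGED_GROUPS
                    and (ev.host, acct) in new_accounts):
                findings.append(dict(kind="new_account_privileged", severity="high",
                                     host=ev.host, account=acct, ts=ev.ts))
        elif ev.event_id == PROCESS_CREATED:
            tool = rmm_tool_name(ev.fields["image"])
            if tool is None or ev.host in approved_rmm_hosts:
                continue  # not an RMM tool, or a host where RMM is expected
            acct = ev.fields["user"].lower()
            created = new_accounts.get((ev.host, acct))
            recent = created is not None and ev.ts - created <= CORRELATION_WINDOW
            findings.append(dict(kind="unapproved_rmm", tool=tool,
                                 severity="critical" if recent else "medium",
                                 host=ev.host, account=acct, ts=ev.ts))
    return findings


# Constructed sample telemetry, not real logs: a mail server gets a new local
# account that is added to Administrators and then launches AnyDesk; a jump
# host runs ScreenConnect legitimately; a file server runs SimpleHelp outside
# the approved workflow but with an existing account.
SAMPLE_EVENTS = r'''
{"ts": "2026-02-01T03:14:05", "id": 4720, "host": "MAIL01", "subject": "Administrator", "target_user": "svc_helpdesk2"}
{"ts": "2026-02-01T03:16:40", "id": 4732, "host": "MAIL01", "member": "svc_helpdesk2", "group": "Administrators"}
{"ts": "2026-02-01T03:23:11", "id": 4688, "host": "MAIL01", "user": "svc_helpdesk2", "image": "C:\\Users\\svc_helpdesk2\\AppData\\Roaming\\AnyDesk\\AnyDesk.exe"}
{"ts": "2026-02-01T09:00:00", "id": 4688, "host": "IT-JUMP01", "user": "it_ops", "image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe"}
{"ts": "2026-02-01T10:42:19", "id": 4688, "host": "WS42", "user": "jsmith", "image": "C:\\Windows\\System32\\notepad.exe"}
{"ts": "2026-02-02T17:05:30", "id": 4688, "host": "FS02", "user": "jsmith", "image": "C:\\ProgramData\\JWrapper-Remote Access\\Remote Access.exe"}
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS.splitlines()):
        print(f"[{f['severity']:8}] {f['kind']:24} host={f['host']} account={f['account']}")
```

The severity split is the point of the correlation: an RMM binary on an unapproved host is worth a ticket on its own, but the same binary launched by an account that did not exist a few minutes earlier matches the persistence step described above and should page someone. Feeding the check real events means mapping your SIEM's field names onto the constructed `target_user`, `member`, `group`, `user` and `image` keys used here.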
Sources: BleepingComputer, Microsoft Threat Intelligence