# Full Report
A China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and break into susceptible internet-facing systems. "The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent
# Analysis Summary
# Threat Actor: Storm-1175
## Attribution & Identity
* **Identification:** Storm-1175 is a China-based threat actor.
* **Aliases:** None specifically mentioned, though the actor is tracked by Microsoft Threat Intelligence.
* **Associations:** Linked to the deployment and operation of **Medusa Ransomware**.
## Activity Summary
Storm-1175 is characterized by a "high-velocity" operational tempo, specializing in the rapid weaponization of both zero-day and N-day vulnerabilities. Since 2023, the group has significantly increased its activity, transitioning from initial access to ransomware deployment often within 24 to 72 hours—and in some cases, under 24 hours. Recent operations (dating into early 2026) show a focus on exploiting internet-facing assets immediately following vulnerability disclosure to outpace organizational patching efforts.
## Tactics, Techniques & Procedures
* **Exploit Chaining:** Combining multiple vulnerabilities (e.g., OWASSRF) to facilitate post-compromise activity.
* **Rapid Perimeter Discovery:** Proficiency in identifying exposed internet-facing assets.
* **Persistence:** Creating new local user accounts and deploying web shells.
* **Lateral Movement:** Using legitimate Remote Monitoring and Management (RMM) software and PDQ Deployer.
* **Defense Evasion:** Modifying Windows Firewall policies to enable RDP and interfering with security solutions.
* **Credential Theft:** High proficiency in credential dumping.
* **Exfiltration:** Rapid data exfiltration prior to encryption.
**MITRE ATT&CK Techniques Mentioned:**
* **T1190:** Exploit Public-Facing Application
* **T1021.001:** Remote Services: Remote Desktop Protocol
* **T1003:** OS Credential Dumping
* **T1505.003:** Server Software Component: Web Shell
* **T1059.001:** Command and Scripting Interpreter: PowerShell
* **T1072:** Software Deployment Tools (PDQ Deployer)
* **T1047:** Windows Management Instrumentation (PsExec/LOLBins)
## Targeting
* **Sectors:** Healthcare, Education, Professional Services, and Finance.
* **Geography:** Australia, the United Kingdom, and the United States.
* **Victims:** Specific organizations are not named, but the report notes "heavy impacts" on healthcare and on vulnerable Oracle WebLogic instances.
## Tools & Infrastructure
* **Malware:** Medusa Ransomware.
* **Utilities/LOLBins:** PowerShell, PsExec, Mimikatz, Impacket, PDQ Deployer.
* **Remote Access:** Legitimate RMM software, Web shells.
* **Vulnerability Targets (Defanged):**
  * CVE-2023-21529 (MS Exchange)
  * CVE-2023-27351 / CVE-2023-27350 (PaperCut)
  * CVE-2023-46805 / CVE-2024-21887 (Ivanti)
  * CVE-2024-1708 / CVE-2024-1709 (ConnectWise ScreenConnect)
  * CVE-2024-27198 / CVE-2024-27199 (JetBrains TeamCity)
  * CVE-2024-57726 / CVE-2024-57727 / CVE-2024-57728 (SimpleHelp)
  * CVE-2025-31161 (CrushFTP)
  * CVE-2025-10035 (Fortra GoAnywhere MFT - Zero-day)
  * CVE-2025-52691 / CVE-2026-23760 (SmarterTools SmarterMail - Zero-day)
  * CVE-2026-1731 (BeyondTrust)
  * Unspecified vulnerabilities in Oracle WebLogic (Linux-specific targeting).
## Implications
Storm-1175 represents a shift in ransomware operations where "high-tempo" execution minimizes the window for detection and response. Their ability to acquire or develop zero-day exploits and immediately apply them to high-value targets (like healthcare) suggests a sophisticated supply chain for exploits and a highly professionalized criminal operation. The expansion into Linux environments indicates a strategic broadening of their attack surface.
## Mitigations
* **Rapid Patch Management:** Prioritize patching of internet-facing assets (VPNs, Mail Servers, File Transfer tools) within 24 hours of disclosure.
* **RMM Monitoring:** Audit and restrict the use of Remote Monitoring and Management tools; monitor for unauthorized installations of PDQ Deployer.
* **Credential Protection:** Implement MFA and monitor for Impacket/Mimikatz activity (Credential Dumping).
* **Perimeter Hardening:** Use Attack Surface Management (ASM) tools to identify forgotten or unpatched internet-facing servers.
* **Egress Filtering:** Restrict servers from communicating with unauthorized external IP addresses to disrupt C2 and exfiltration.
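As an added example that is not part of the original report, the following Python triage rules turn the post-exploitation behaviours listed under Tactics, Techniques & Procedures (new local accounts, firewall changes enabling RDP, PDQ Deployer, credential-dumping tools) and the monitoring items under Mitigations into checks that run over Windows Security events. Event IDs 4720, 4688 and 4946 are real Windows Security events; the flattened field names, the command-line patterns and the sample records are assumptions constructed for the example.

```python
"""Detection triage for the Storm-1175 post-exploitation TTPs summarised above.
Input events are simplified Windows Security log records (constructed sample data)."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    tactic: str
    detail: str

# Command-line patterns are assumptions about how these actions commonly appear in
# 4688 process-creation events; tune them to the tooling actually used in your estate.
RDP_ENABLE = re.compile(r"advfirewall\s+firewall\s+set\s+rule.*remote desktop.*enable=yes"
                        r"|fDenyTSConnections.*\b0\b", re.I)
PDQ_DEPLOY = re.compile(r"PDQDeploy[\w-]*\.exe", re.I)
CRED_TOOLS = re.compile(r"mimikatz|sekurlsa::|wmiexec|smbexec|secretsdump|psexec", re.I)

def evaluate(events):
    """Map each matching event to a Finding; events that match no rule are dropped."""
    findings = []
    for ev in events:
        eid, host = ev.get("EventID"), ev.get("Computer", "?")
        cmd, rule = ev.get("CommandLine", ""), ev.get("RuleName", "")
        if eid == 4720:  # local account created ("creating new local user accounts")
            findings.append(Finding(host, "Persistence",
                                    f"local account created: {ev.get('TargetUserName')}"))
        elif eid == 4946 and "remote desktop" in rule.lower():  # firewall exception added
            findings.append(Finding(host, "Defense Evasion", f"firewall rule added: {rule}"))
        elif eid == 4688 and RDP_ENABLE.search(cmd):
            findings.append(Finding(host, "Defense Evasion", "RDP enabled from command line"))
        elif eid == 4688 and PDQ_DEPLOY.search(cmd):
            findings.append(Finding(host, "Lateral Movement (T1072)", "PDQ Deployer started"))
        elif eid == 4688 and CRED_TOOLS.search(cmd):
            findings.append(Finding(host, "Credential Theft (T1003)", "credential tool: " + cmd[:60]))
    return findings

# Constructed sample: one benign backup job, then the chain described on the page.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WEB01", "CommandLine": "C:\\Windows\\System32\\wbadmin.exe start backup"},
    {"EventID": 4720, "Computer": "WEB01", "TargetUserName": "svc_update"},
    {"EventID": 4688, "Computer": "WEB01",
     "CommandLine": 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    {"EventID": 4946, "Computer": "WEB01", "RuleName": "Remote Desktop - User Mode (TCP-In)"},
    {"EventID": 4688, "Computer": "WEB01", "CommandLine": "C:\\Tools\\PDQDeployRunner-1.exe"},
    {"EventID": 4688, "Computer": "DC01", "CommandLine": "python secretsdump.py corp/admin@dc01"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.host:6} {f.tactic:28} {f.detail}")
```

Seen together on one host inside the 24 to 72 hour window the report describes, these findings are the signal to escalate rather than to triage individually.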