
Fast-moving Storm-1175 exploits new vulnerabilities to breach networks and deploy Medusa

  • Apr 7

Key Findings


  • China-based Storm-1175 executes rapid ransomware attacks, sometimes completing full intrusions within 24 hours

  • The group exploits newly disclosed vulnerabilities before organizations can patch them, leveraging over 16 different flaws since 2023

  • Primary targets include healthcare, education, finance, and services sectors across the US, UK, and Australia

  • Storm-1175 has weaponized zero-day exploits before public disclosure, demonstrating advanced capabilities

  • The group deploys Medusa ransomware following a consistent pattern of persistence, lateral movement, credential theft, and security evasion

  • Their speed and focus on unpatched systems give them a significant advantage over defenders


Background


Storm-1175 operates as a financially motivated threat actor based in China, focused on conducting rapid ransomware campaigns. Microsoft Threat Intelligence has been tracking the group since 2023, documenting a consistent pattern of targeting exposed internet-facing systems and moving quickly from initial breach to data exfiltration and ransomware deployment. The group's operational tempo and ability to identify vulnerable perimeter assets have made them particularly effective against organizations that lag in applying security patches.


Exploitation Strategy and Vulnerability Targeting


Storm-1175's primary tactic involves exploiting newly disclosed vulnerabilities within days or even hours of their public release. The group has been observed weaponizing flaws in widely used platforms including Microsoft Exchange, Ivanti Connect Secure, ConnectWise ScreenConnect, JetBrains TeamCity, and various other web-facing systems. What distinguishes this group is their willingness to exploit zero-day vulnerabilities before public disclosure, as demonstrated with CVE-2025-10035 and CVE-2026-23760.


The group frequently chains multiple exploits together to achieve deeper access and remote code execution capabilities. This technique allows them to progressively escalate privileges and move from initial entry points to critical systems. They target both Windows and Linux environments, with recent activity showing interest in vulnerable Oracle WebLogic instances.


Initial Access and Persistence


Once Storm-1175 gains initial access through an unpatched vulnerability, they move quickly to establish persistence. The group creates new administrative user accounts to maintain backdoor access even if the original vulnerability is patched. They deploy web shells on compromised systems and install legitimate remote monitoring and management software to blend their traffic with trusted communications.


The use of RMM tools like AnyDesk, Atera, ConnectWise ScreenConnect, and SimpleHelp presents a significant challenge for defenders, as these tools encrypt traffic and are often whitelisted in network environments. This allows attackers to operate openly while appearing to be legitimate administrative activity.


Lateral Movement and Credential Theft


Storm-1175 leverages a combination of legitimate administrative tools and living-off-the-land binaries to move across networks. PowerShell, PsExec, and Impacket are commonly used for lateral movement, while PDQ Deployer enables both lateral spread and payload delivery across multiple systems simultaneously.


The group prioritizes credential theft using tools like Mimikatz and Impacket, targeting the LSASS process and enabling WDigest caching to capture passwords in cleartext. After gaining administrative access, they extract credentials from backup systems and pivot to domain controllers to access Active Directory and harvest system data. This approach gives them the ability to move laterally with legitimate credentials, making detection significantly more difficult.


Security Evasion and Defense Weakening


Before deploying ransomware, Storm-1175 systematically weakens security defenses. The group modifies Microsoft Defender Antivirus settings directly through the Windows registry, adding exclusions to prevent the antivirus from blocking ransomware payloads. They also manipulate Windows Firewall policies to enable Remote Desktop Protocol access and facilitate malicious payload delivery.


This level of defense tampering requires highly privileged account access, making it critical for organizations to closely monitor and alert on credential theft activities as early warning signs of active compromise.
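As an added illustration, not code from the original post or from Microsoft's reporting, the Python below scores hosts for the chain the last three sections describe: a new account added to Administrators, WDigest caching re-enabled, Defender exclusions written to the registry, and a firewall rule opening RDP. The event IDs are the real Windows Security and Sysmon ones; the event field names and the sample events themselves are constructed assumptions, not a real SIEM schema.

```python
"""Flag hosts where several stages of the persistence / defense-weakening
chain appear together. Event IDs: 4720 (user created), 4732 (member added to
local group), 4946 (firewall rule added), Sysmon 13 (registry value set).
All sample events are constructed; field names are a simplified assumption."""
from collections import defaultdict

WDIGEST_VALUE = r"\Control\SecurityProviders\WDigest\UseLogonCredential"
DEFENDER_EXCLUSIONS = r"\Windows Defender\Exclusions"

# Constructed sample telemetry: srv01 shows the full chain, ws07 a lone new user.
SAMPLE_EVENTS = [
    {"host": "srv01", "event_id": 4720, "target_user": "svc_backup2"},
    {"host": "srv01", "event_id": 4732, "target_user": "svc_backup2", "group": "Administrators"},
    {"host": "srv01", "event_id": 13, "key": r"HKLM\SYSTEM\CurrentControlSet" + WDIGEST_VALUE, "value": "1"},
    {"host": "srv01", "event_id": 13, "key": r"HKLM\SOFTWARE\Microsoft" + DEFENDER_EXCLUSIONS + r"\Paths\C:\Temp", "value": "0"},
    {"host": "srv01", "event_id": 4946, "rule": "Allow RDP", "port": "3389", "action": "allow"},
    {"host": "ws07", "event_id": 4720, "target_user": "jdoe"},
]

def classify(ev):
    """Map one event to a stage of the chain, or None if it matches nothing."""
    eid = ev.get("event_id")
    if eid == 4720:
        return "new_account"
    if eid == 4732 and ev.get("group") == "Administrators":
        return "added_to_admins"
    if eid == 13:
        key = ev.get("key", "")
        if key.endswith(WDIGEST_VALUE) and ev.get("value") == "1":
            return "wdigest_enabled"          # cleartext password caching turned on
        if DEFENDER_EXCLUSIONS in key:
            return "defender_exclusion"       # AV told to ignore a path/process
    if eid == 4946 and ev.get("action") == "allow" and ev.get("port") == "3389":
        return "rdp_firewall_allow"
    return None

def score_hosts(events):
    """Return {host: sorted list of distinct chain stages seen on that host}."""
    stages = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            stages[ev["host"]].add(tag)
    return {h: sorted(s) for h, s in stages.items()}

def flagged_hosts(events, min_stages=3):
    """A single new account is routine; several stages on one host are not."""
    return sorted(h for h, s in score_hosts(events).items() if len(s) >= min_stages)

if __name__ == "__main__":
    print(score_hosts(SAMPLE_EVENTS))
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

Raising the threshold or weighting the stages differently is a tuning choice; the point is that the stages together, not any one of them, are the alert.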


Data Exfiltration and Ransomware Deployment


Following credential theft and network compromise, Storm-1175 uses tools like Bandizip and Rclone to collect and exfiltrate sensitive data. Files are typically compressed before transmission to maximize efficiency and reduce the window of detection opportunity.


The final stage involves deploying Medusa ransomware across the network using either PDQ Deployer or Group Policy Objects. This dual approach ensures maximum coverage and reduces the likelihood that some systems will escape encryption. The entire process from initial access to ransomware deployment can occur within 24 hours on compromised networks, leaving minimal time for detection and response.


Defensive Recommendations


Organizations should prioritize immediate patching of disclosed vulnerabilities, particularly for internet-facing systems, as Storm-1175 demonstrates the ability to weaponize flaws within days of disclosure. Monitoring for credential theft activities and unauthorized account creation serves as an early warning system for active compromises. Restricting the use of RMM tools and implementing strict controls around legitimate administrative utilities like PDQ Deployer, PowerShell, and PsExec can reduce the attack surface available to threat actors operating within networks.


Sources


  • https://securityaffairs.com/190440/cyber-crime/fast-moving-storm-1175-uses-new-exploits-to-breach-networks-and-drop-medusa.html

  • https://thehackernews.com/2026/04/china-linked-storm-1175-exploits-zero.html

© 2025 by Explain IT Again