A China-based cyber threat group, identified as Storm-1175, is actively exploiting a mix of zero-day and known vulnerabilities to facilitate rapid cyberattacks using Medusa ransomware. Their operations have significantly impacted sectors such as healthcare, education, professional services, and finance across countries including Australia, the UK, and the US, as reported by the Microsoft Threat Intelligence team.
Exploiting Vulnerabilities in Rapid Succession
Storm-1175 has demonstrated a remarkable ability to leverage vulnerabilities, including some not yet publicly disclosed, to gain initial access to target systems. The group's strategy often involves chaining multiple exploits together, such as the OWASSRF vulnerability, to extend its post-compromise activities.
Once access is secured, the threat actors move quickly to exfiltrate data and deploy Medusa ransomware. In certain cases, this deployment occurs within 24 hours, underlining the group’s efficiency and urgency in their operations.
Strategies for Persistence and Lateral Movement
The cybercriminals maintain persistence by creating new user accounts and deploying web shells or legitimate remote monitoring and management (RMM) software. These tools support lateral movement within networks, credential theft, and the disabling of security controls, clearing the path for ransomware deployment.
Since 2023, over 16 vulnerabilities have been attributed to Storm-1175’s exploitation efforts. Notably, zero-day exploits such as CVE-2025-10035 and CVE-2026-23760 were utilized before their public disclosure. The group’s focus has also included targeting Linux systems, with Oracle WebLogic instances being a particular point of interest.
Advanced Tactics and Implications
Storm-1175 utilizes advanced tactics, including living-off-the-land binaries (LOLBins) like PowerShell, PsExec, and Impacket for lateral movement. They also employ PDQ Deployer for distributing ransomware payloads and modify Windows Firewall settings to facilitate Remote Desktop Protocol (RDP) access.
Credential dumping is carried out using tools such as Impacket and Mimikatz, while data exfiltration is achieved using Bandizip and Rclone. The use of RMM tools like AnyDesk and Atera as dual-use infrastructure highlights a significant trend in cyber operations, enabling malicious activities to blend seamlessly with legitimate traffic, thereby evading detection.
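The tradecraft listed above (new account creation, firewall changes that open RDP, RMM agents, PsExec, and Rclone) leaves a recognisable trail in host telemetry, and because the article reports deployment inside 24 hours, the useful signal is several of those stages tied to one account inside a short window. The following detection logic is an added example written for this summary, not code from the article or from Microsoft Threat Intelligence. It runs over constructed JSON records loosely modelled on Windows Security events 4720 (account created) and 4688 (process created); the field names, the sample values, and the executable names assumed for the RMM, PDQ Deploy and Bandizip tooling are assumptions, not indicators from the report.

```python
"""Stage-correlation detection for the Storm-1175 / Medusa tradecraft above.

Added example. Log records are constructed, not real telemetry; field names
and third-party executable names are assumptions.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line (event_id 4720 = account
# created, 4688 = process created). Timestamps are ISO-8601 UTC.
SAMPLE_LOG = r"""
{"ts":"2025-01-10T02:11:03Z","event_id":4720,"host":"WEB01","user":"SYSTEM","target_user":"svc_backup2"}
{"ts":"2025-01-10T02:13:40Z","event_id":4688,"host":"WEB01","user":"svc_backup2","image":"C:\\Windows\\System32\\netsh.exe","cmdline":"netsh advfirewall firewall add rule name=\"Remote Desktop\" dir=in action=allow protocol=TCP localport=3389"}
{"ts":"2025-01-10T02:20:15Z","event_id":4688,"host":"WEB01","user":"svc_backup2","image":"C:\\Users\\Public\\AnyDesk.exe","cmdline":"AnyDesk.exe --silent"}
{"ts":"2025-01-10T03:02:51Z","event_id":4688,"host":"FS02","user":"svc_backup2","image":"C:\\Tools\\PsExec.exe","cmdline":"PsExec.exe \\\\FS03 -s cmd.exe"}
{"ts":"2025-01-10T04:45:09Z","event_id":4688,"host":"FS02","user":"svc_backup2","image":"C:\\ProgramData\\rclone.exe","cmdline":"rclone.exe copy D:\\Finance remote:bucket --transfers 32"}
{"ts":"2025-01-10T09:00:00Z","event_id":4688,"host":"WS17","user":"jdoe","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe notes.txt"}
"""

# Executable names are assumptions for the tools the article names.
RMM_BINARIES = {"anydesk.exe", "ateraagent.exe"}
LATERAL_BINARIES = {"psexec.exe", "psexesvc.exe", "pdqdeployrunner-1.exe"}
EXFIL_BINARIES = {"rclone.exe", "bandizip.exe", "bz.exe"}
CRED_BINARIES = {"mimikatz.exe"}

# netsh rule that opens inbound RDP (port 3389 or the "Remote Desktop" rule name).
RDP_FIREWALL = re.compile(r"advfirewall\s+firewall\s+add\s+rule.*(localport=3389|remote desktop)")
# Command-line hints for Impacket example scripts and Mimikatz modules.
CRED_HINT = re.compile(r"(secretsdump|wmiexec|smbexec|atexec|sekurlsa)")


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    account: str
    rule: str
    tactic: str
    detail: str


def _image_name(event: dict) -> str:
    """Basename of the process image, lower-cased, tolerant of either slash."""
    return (event.get("image") or "").replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: dict) -> list[Finding]:
    """Apply every per-event rule and return the findings it raised."""
    found: list[Finding] = []
    account = event.get("target_user") or event.get("user") or "?"
    cmd = (event.get("cmdline") or "").lower()
    image = _image_name(event)

    def hit(rule: str, tactic: str, detail: str) -> None:
        found.append(Finding(event.get("ts", "?"), event.get("host", "?"), account, rule, tactic, detail))

    if event.get("event_id") == 4720:
        hit("new_local_account", "persistence", f"account created: {account}")
    elif event.get("event_id") == 4688:
        if RDP_FIREWALL.search(cmd):
            hit("rdp_firewall_rule", "defense evasion / remote access", cmd)
        if image in RMM_BINARIES:
            hit("rmm_tool_launch", "persistence", image)
        if image in LATERAL_BINARIES:
            hit("lateral_movement_tool", "lateral movement", image)
        if image in CRED_BINARIES or CRED_HINT.search(cmd):
            hit("credential_access_tool", "credential access", image or cmd)
        if image in EXFIL_BINARIES:
            hit("exfil_tool_launch", "exfiltration", image)
    return found


def scan(log_text: str) -> list[Finding]:
    """Parse newline-delimited JSON and evaluate each record in order."""
    findings: list[Finding] = []
    for line in log_text.strip().splitlines():
        if line.strip():
            findings.extend(evaluate(json.loads(line)))
    return findings


def escalate(findings: list[Finding], window_hours: float = 24, min_tactics: int = 3) -> dict[str, list[str]]:
    """Accounts whose findings cover >= min_tactics distinct tactics inside a sliding window.

    A single tool launch is noisy; several attack stages on one account within a
    day matches the fast-deployment pattern the article describes.
    """
    by_account: dict[str, list[Finding]] = {}
    for f in findings:
        by_account.setdefault(f.account, []).append(f)
    escalated: dict[str, list[str]] = {}
    for account, fs in by_account.items():
        fs.sort(key=lambda f: f.ts)
        times = [datetime.fromisoformat(f.ts.replace("Z", "+00:00")) for f in fs]
        for start in times:
            end = start + timedelta(hours=window_hours)
            tactics = {f.tactic for f, t in zip(fs, times) if start <= t <= end}
            if len(tactics) >= min_tactics:
                escalated[account] = sorted(tactics)
                break
    return escalated


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.host:<6} {f.account:<12} {f.rule:<24} {f.tactic}")
    print(escalate(scan(SAMPLE_LOG)))
```

On the constructed sample, the five matching events all belong to the newly created `svc_backup2` account and span four tactics inside three hours, so `escalate` flags that account while the ordinary `notepad.exe` activity under `jdoe` raises nothing. Tightening the window (for instance to thirty minutes) drops the escalation, which is the trade-off to tune against the "within 24 hours" timing the report gives: a wider window catches slower intrusions at the cost of more correlated noise.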
These developments underscore the increasing sophistication of cyber threats and the need for organizations to stay vigilant and proactive in cybersecurity measures.
