Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
China’s Storm-1175 Launches Rapid Medusa Ransomware Attacks

China’s Storm-1175 Launches Rapid Medusa Ransomware Attacks

Posted on April 7, 2026 By CWS

A China-based cyber threat group, identified as Storm-1175, is actively exploiting a mix of zero-day and known vulnerabilities to facilitate rapid cyberattacks using Medusa ransomware. Their operations have significantly impacted sectors such as healthcare, education, professional services, and finance across countries including Australia, the UK, and the US, as reported by the Microsoft Threat Intelligence team.

Exploiting Vulnerabilities in Rapid Succession

Storm-1175 has demonstrated a remarkable ability to leverage vulnerabilities, including some that are undisclosed publicly, to gain initial access to target systems. The group’s strategy often involves chaining multiple exploits together, such as the OWASSRF vulnerability, to enhance their post-compromise activities.

Once access is secured, the threat actors move quickly to exfiltrate data and deploy Medusa ransomware. In certain cases, this deployment occurs within 24 hours, underlining the group’s efficiency and urgency in their operations.

Strategies for Persistence and Lateral Movement

The cybercriminals ensure persistence by creating new user accounts and deploying web shells or legitimate remote monitoring and management (RMM) software. These tools aid in lateral movement within networks, credential theft, and disabling security measures, creating pathways for ransomware deployment.

Since 2023, over 16 vulnerabilities have been attributed to Storm-1175’s exploitation efforts. Notably, zero-day exploits such as CVE-2025-10035 and CVE-2026-23760 were utilized before their public disclosure. The group’s focus has also included targeting Linux systems, with Oracle WebLogic instances being a particular point of interest.

Advanced Tactics and Implications

Storm-1175 utilizes advanced tactics, including living-off-the-land binaries (LOLBins) like PowerShell, PsExec, and Impacket for lateral movement. They also employ PDQ Deployer for distributing ransomware payloads and modify Windows Firewall settings to facilitate Remote Desktop Protocol (RDP) access.

Credential dumping is carried out using tools such as Impacket and Mimikatz, while data exfiltration is achieved using Bandizip and Rclone. The use of RMM tools like AnyDesk and Atera as dual-use infrastructure highlights a significant trend in cyber operations, enabling malicious activities to blend seamlessly with legitimate traffic, thereby evading detection.

These developments underscore the increasing sophistication of cyber threats and the need for organizations to stay vigilant and proactive in cybersecurity measures.

The Hacker News Tags:cyber threat actors, Cybersecurity, education sector, finance sector, healthcare attacks, Linux systems, Medusa ransomware, Microsoft intelligence, RMM tools, Storm-1175, web shells, zero-day vulnerabilities

Post navigation

Previous Post: Storm-1175 Exploits Internet Vulnerabilities in Medusa Attacks
Next Post: Critical Vulnerability Exposes 50,000 WordPress Sites

Related Posts

Anthropic’s Claude Code Leak: Human Error Leads to Source Code Exposure Anthropic’s Claude Code Leak: Human Error Leads to Source Code Exposure The Hacker News
295 Malicious IPs Launch Coordinated Brute-Force Attacks on Apache Tomcat Manager 295 Malicious IPs Launch Coordinated Brute-Force Attacks on Apache Tomcat Manager The Hacker News
Survey of 100+ Energy Systems Reveals Critical OT Cybersecurity Gaps Survey of 100+ Energy Systems Reveals Critical OT Cybersecurity Gaps The Hacker News
Microsoft Highlights Hotel Phishing Threat with Node.js Microsoft Highlights Hotel Phishing Threat with Node.js The Hacker News
Linux Rootkits and AI Intrusions: Key Security Threats Linux Rootkits and AI Intrusions: Key Security Threats The Hacker News
Why Default Passwords Must Go Why Default Passwords Must Go The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • MacOS Screen Sharing Issue in Microsoft Teams
  • Zimbra Security Update Urges Users to Patch Critical Flaw
  • Security Issues Found in Popular Android VPN Apps
  • AI-Powered Forg365 Platform Targets Microsoft 365 Accounts
  • CISA Reviews Cybersecurity Incident from AWS Credential Leak

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • MacOS Screen Sharing Issue in Microsoft Teams
  • Zimbra Security Update Urges Users to Patch Critical Flaw
  • Security Issues Found in Popular Android VPN Apps
  • AI-Powered Forg365 Platform Targets Microsoft 365 Accounts
  • CISA Reviews Cybersecurity Incident from AWS Credential Leak

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark