Storm-1175 Rapidly Exploits Web-Facing Flaws to Deploy Medusa Ransomware
Microsoft said threat actor Storm-1175 is running high-tempo intrusions that exploit newly disclosed and, in some cases, previously unknown vulnerabilities in internet-facing systems to steal data and deploy Medusa ransomware within days or even 24 hours. The financially motivated group has heavily impacted healthcare organizations and also targeted education, professional services, and finance in Australia, the United Kingdom, and the United States. Since 2023, the actor has exploited more than 16 flaws across products including Microsoft Exchange, PaperCut, Ivanti, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail, SAP NetWeaver, and BeyondTrust, with Microsoft also observing zero-day use against SmarterMail and GoAnywhere before public disclosure.
After gaining access, Storm-1175 establishes persistence with new administrator accounts, web shells, and remote management tools, then moves laterally using LOLBins, Impacket, PDQ Deployer, and Cloudflare tunnels while stealing credentials from LSASS, NTDS.dit, SAM, and backup systems. Microsoft said the actor tampers with Microsoft Defender settings to reduce detection, uses Bandizip and Rclone for collection and exfiltration, and deploys Medusa through PDQ Deployer or Group Policy; the group has also shown interest in Linux targets such as vulnerable Oracle WebLogic servers. Microsoft urged organizations to reduce exposure of web-facing assets, patch quickly, enforce MFA on approved RMM tools, restrict local administrator rights, and enable protections such as Credential Guard, tamper protection, and Defender XDR attack disruption features.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes technical analysis and mitigations on Storm-1175
Microsoft Threat Intelligence publicly profiled Storm-1175 as a financially motivated actor associated with Medusa ransomware and detailed its exploitation, persistence, credential theft, lateral movement, exfiltration, and defense-evasion techniques. The company also issued mitigation guidance focused on reducing exposure of web-facing assets and hardening defenses such as Credential Guard, tamper protection, MFA, and Defender XDR protections.
Storm-1175 heavily impacts healthcare and other sectors in three countries
Across its campaigns, Storm-1175 significantly affected healthcare organizations and also targeted education, professional services, and finance entities in Australia, the United Kingdom, and the United States. Microsoft said the actor maintained a high operational tempo across these sectors.
Storm-1175 uses zero-days in SmarterMail and GoAnywhere before disclosure
Microsoft observed Storm-1175 exploiting zero-day vulnerabilities in SmarterMail and GoAnywhere MFT before those flaws were publicly disclosed. This showed the actor was not limited to patch-gap exploitation and could also leverage previously unknown vulnerabilities.
Storm-1175 begins exploiting vulnerable internet-facing systems
Since 2023, Microsoft observed Storm-1175 conducting high-tempo intrusions by rapidly weaponizing newly disclosed N-day vulnerabilities in web-facing products such as Exchange, PaperCut, Ivanti, ScreenConnect, TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail, SAP NetWeaver, and BeyondTrust. The actor often moved from exploitation to credential theft, data exfiltration, and Medusa ransomware deployment within days or as little as 24 hours.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Storm-1175 Deploys Medusa Ransomware Within 24 Hours of Flaw Disclosure
hackread.com
Open sourceNew CUPS vulnerabilities threaten RCE, network breaches | brief | SC Media
scworld.com
Open sourceFast-moving Storm-1175 uses new exploits to breach networks and drop Medusa
securityaffairs.com
Open sourceChina-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
thehackernews.com
Open sourceStorm-1175 Deploys Medusa Ransomware at 'High Velocity'
darkreading.com
Open sourceStorm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations | Microsoft Security Blog
microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Storm-0249 Uses EDR Abuse and ClickFix for Stealthy Ransomware Deployment
Storm-0249, an initial access broker previously known for selling access to compromised networks, has adopted advanced techniques to facilitate ransomware attacks. The group now leverages social engineering tactics such as ClickFix, which tricks users into executing malicious commands via the Windows Run dialog. These commands use legitimate utilities like `curl.exe` to download and execute fileless PowerShell scripts from spoofed Microsoft domains, ultimately deploying malicious MSI packages with SYSTEM privileges. The attack chain includes DLL sideloading, where a trojanized DLL is placed alongside legitimate EDR components (notably SentinelOne's `SentinelAgentWorker.exe`), allowing the attacker's code to run within trusted processes and evade detection. Once persistence is established, Storm-0249 abuses EDR tools to collect system information and maintain stealthy access, making detection and remediation challenging for defenders. This evolution in Storm-0249's tactics demonstrates a shift from mass phishing to highly targeted, stealthy operations that exploit trusted security software for malicious purposes. The abuse of EDR solutions not only enables the bypassing of traditional security controls but also provides a reliable foothold for ransomware deployment. Security researchers recommend implementing robust email filtering, monitoring for unusual use of legitimate utilities, and updating detection rules to identify these advanced techniques. Organizations are urged to review their EDR configurations and monitor for signs of DLL sideloading and unauthorized PowerShell activity to mitigate the risk posed by this threat actor.
Mar 21, 2026
DragonForce and Medusa Ransomware Exploitation of SimpleHelp RMM Vulnerabilities
Two major Ransomware-as-a-Service (RaaS) groups, Medusa and DragonForce, have been identified exploiting critical vulnerabilities in the SimpleHelp Remote Monitoring and Management (RMM) platform to gain SYSTEM-level access across managed service provider (MSP) environments. The attackers leveraged three specific flaws—CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728—to compromise RMM servers, pivot into downstream customer networks, and deploy ransomware payloads. Medusa operators used legitimate IT management tools like PDQ Inventory and PDQ Deploy to distribute ransomware, disable Microsoft Defender, and exfiltrate sensitive data using RClone, while DragonForce was also observed exploiting these flaws for similar access and impact. The attacks resulted in widespread file encryption, ransom notes, and double-extortion tactics, with stolen data posted on dark web leak sites and promoted via Telegram. The campaigns highlight the significant risk posed by unpatched RMM platforms in the IT supply chain, as attackers can rapidly escalate privileges and impact multiple organizations through a single compromised MSP. Security researchers emphasize the need for immediate patching of SimpleHelp RMM vulnerabilities and enhanced monitoring of MSP environments to mitigate further exploitation by ransomware groups.
Mar 21, 2026
Ransomware operators abuse legitimate remote administration tools and exploit SmarterMail flaws for initial access and persistence
**Ransomware activity is increasingly blending into normal IT operations** by combining exploitation of internet-facing software with the use of legitimate remote access and monitoring tools. Huntress reported multiple intrusions tied to the **Crazy** ransomware gang where attackers deployed *Net Monitor for Employees Professional* and the *SimpleHelp* remote support client to maintain persistence, evade detection, and stage for ransomware deployment. The actors installed the monitoring agent via `msiexec.exe` directly from the vendor site, then used it for interactive control (desktop viewing, file transfer, command execution); they also added redundant access by installing SimpleHelp via PowerShell and disguising binaries with benign-looking names (e.g., `vshost.exe`) and paths such as `C:\ProgramData\OneDriveSvc\OneDriveSvc.exe`. In parallel, ransomware groups have been observed **actively exploiting recently patched SmarterTools SmarterMail vulnerabilities** that enable unauthenticated compromise of mail servers. SC Media reported that CISA added **CVE-2026-24423** to the KEV catalog after it was linked to ransomware campaigns; the flaw enables unauthenticated RCE via SmarterMail’s `ConnectToHub` API by delivering a malicious OS command from a remote server. A second issue, **CVE-2026-23760**, allows authentication bypass through the password reset API (`force-reset-password`) by not validating the old password; ReliaQuest attributed active exploitation of this weakness to a China-based actor tracked as **Storm-2603**, which reportedly chained the bypass with SmarterMail’s *Volume Mount* feature to reach RCE, activity assessed as staging consistent with **Warlock** ransomware operations (even when ransomware was not yet deployed).
Mar 21, 2026