Key Takeaways
- Microsoft reports that Storm-1175 is exploiting zero-day and n-day vulnerabilities at high speed
- Healthcare, education, professional services, and finance organizations have been heavily impacted
- The group has weaponized more than 16 vulnerabilities across 10 major software products in recent campaigns
It is not every day that a financially motivated threat actor manages to move faster than the vendors trying to secure their products. Yet that is precisely what Microsoft says Storm-1175 has been doing. The China-based cybercriminal group, closely associated with Medusa ransomware deployments, has been leaning on a mix of zero-day and n-day exploits in short, aggressive attack cycles.
Storm-1175's behavior reflects a larger trend in cybercrime, where speed increasingly trumps stealth. Microsoft describes the group as shifting rapidly to newly disclosed vulnerabilities, sometimes weaponizing them within a single day. In a few cases, they were even seen exploiting certain flaws up to a week before patches became publicly available. That raises a question many security teams still struggle with: how do you defend against attackers who move faster than your patching process?
High velocity is only one part of the story. Storm-1175 tends to progress from initial access to data exfiltration and full Medusa ransomware deployment in a few days, and sometimes within 24 hours. According to Microsoft, this pace, combined with their knack for identifying exposed perimeter systems, has allowed them to inflict considerable damage across healthcare, education, professional services, and finance sectors in Australia, the United Kingdom, and the United States.
In practice, Storm-1175 does not rely on single exploits. Instead, operators chain vulnerabilities to maintain persistence. They have been observed creating new user accounts, installing remote monitoring and management tools, stealing credentials, and disabling security software before dropping Medusa ransomware payloads. The sequence may not be new to incident responders, but the tempo certainly is.
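The tempo described above is itself a detection signal: the individual steps (a new local account, an RMM install, credential access, security tooling switched off) are each noisy on their own, but several of them landing on one host inside a day is rare outside an intrusion. The following is an added example, not code from the article or from Microsoft, that correlates those stages per host within a 24-hour window; the JSON log schema, event names and sample lines are constructed assumptions.

```python
# Added example (not the article's code): correlate the stages the article
# describes per host within 24h. Log schema and sample lines are constructed.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Event type -> stage of the chain it indicates (assumed schema).
STAGE_OF = {
    "user_created": "persistence",
    "rmm_installed": "remote_access",
    "lsass_access": "credential_theft",
    "av_disabled": "defense_evasion",
}

def parse_events(lines):
    """Yield (host, timestamp, stage); skip malformed or irrelevant lines."""
    for line in lines:
        try:
            rec = json.loads(line)
            stage = STAGE_OF.get(rec["event"])
            if stage:
                yield rec["host"], datetime.fromisoformat(rec["ts"]), stage
        except (ValueError, KeyError, TypeError):
            continue

def find_chains(lines, window=timedelta(hours=24), min_stages=3):
    """Return {host: sorted stages} where >= min_stages stages fall in one window."""
    by_host = defaultdict(list)
    for host, ts, stage in parse_events(lines):
        by_host[host].append((ts, stage))
    hits = {}
    for host, evs in by_host.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # Distinct stages observed within `window` of this starting event.
            stages = {s for t, s in evs[i:] if t - start <= window}
            if len(stages) >= min_stages:
                hits[host] = sorted(stages)
                break
    return hits

SAMPLE_LOGS = [  # constructed sample lines, not real telemetry
    '{"ts":"2025-10-01T02:10:00","host":"edge-01","event":"user_created"}',
    '{"ts":"2025-10-01T02:25:00","host":"edge-01","event":"rmm_installed"}',
    '{"ts":"2025-10-01T09:40:00","host":"edge-01","event":"lsass_access"}',
    '{"ts":"2025-10-01T21:05:00","host":"edge-01","event":"av_disabled"}',
    '{"ts":"2025-10-01T03:00:00","host":"ws-17","event":"user_created"}',
    '{"ts":"2025-10-05T03:00:00","host":"ws-17","event":"rmm_installed"}',
    "not json",
]
```

Running `find_chains(SAMPLE_LOGS)` flags only `edge-01`, where all four stages occur within the window; `ws-17` shows the same two events four days apart and is not reported.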
Last October, Microsoft reported that Storm-1175 had been actively exploiting a maximum severity GoAnywhere MFT vulnerability identified as CVE-2025-10035. This exploitation occurred for more than a week before a fix was issued. The group also took advantage of CVE-2026-23760, an authentication bypass in SmarterTools' SmarterMail platform, as a zero-day. Microsoft noted that both vulnerabilities shared similarities with earlier public flaws, suggesting that the attackers may be relying on prior knowledge or access to exploit brokers. External advisories from SmarterTools and disclosures by Fortra, the vendor behind GoAnywhere MFT, help confirm the broader pattern of interest attackers have shown in targeting these products.
Recent campaigns show that Storm-1175 has widened its target surface. More than 16 vulnerabilities across 10 different software products have been leveraged, a mix that includes Microsoft Exchange's CVE-2023-21529, several PaperCut flaws, Ivanti Connect Secure and Policy Secure vulnerabilities (CVE-2023-46805 and CVE-2024-21887), and issues in ConnectWise ScreenConnect. JetBrains TeamCity, SimpleHelp, CrushFTP, SmarterMail, and BeyondTrust software have also appeared on the group's exploit list.
What stands out is that many of these products are used in environments where uptime is critical and patching cycles tend to be slower. That dynamic creates an attractive landscape for actors like Storm-1175 who excel at spotting gaps in exposed perimeter systems.
The security community, of course, has not been entirely caught off guard. CISA issued a joint advisory with the FBI and the Multi-State Information Sharing and Analysis Center warning that the broader Medusa ransomware gang had impacted critical infrastructure organizations across the United States. Furthermore, in July 2024, Microsoft linked Storm-1175 and three other cybercrime groups to Black Basta and Akira ransomware attacks that hinged on an authentication bypass flaw in VMware ESXi.
Still, the challenge persists. Organizations that operate across multiple software ecosystems find themselves trying to juggle patching, detection, and response while adversaries shorten their timelines. It is a mismatch that will likely only intensify, especially as exploit developers and brokers evolve their operations. Storm-1175's activity underscores how quickly financially motivated actors can adopt new vulnerabilities, even when those vulnerabilities resemble earlier known weaknesses.
For security leaders, the takeaway is not just about staying current with patches. It is about assuming that adversaries like Storm-1175 can and will identify exposed assets before defenders do. Improved asset visibility, tighter configuration baselines, and rapid detection play a role, but so does planning for the unexpected. Because if this campaign illustrates anything, it is that attackers are no longer waiting for defenders to catch up. They are simply moving first.