Chinese group Storm-1175 uses zero-day for rapid attacks with Medusa ransomware

08.04.2026 3 minutes Author: Newsman

The Chinese hacking group Storm-1175 has become increasingly active, using both zero-day and already known vulnerabilities to break into internet-facing systems and deploy Medusa ransomware as quickly as possible. The intrusions are so fast that in some cases the time from initial access to ransomware deployment is less than a day.

Storm-1175, the Chinese group behind the Medusa ransomware attacks, is currently operating with speed and a great deal of confidence. It uses both zero-day and previously identified vulnerabilities to enter systems directly from the Internet with minimal setup. According to Microsoft Threat Intelligence, the whole approach is built around speed: find an exposed service, exploit it, establish a foothold. Microsoft's Threat Intelligence team reports that this has already affected many organizations in the USA, UK and Australia, across healthcare, education, finance and services.

The group not only gets into an organization's systems in a short time (in some cases less than a day), it also wastes no time once access is gained. It gets straight down to business and works in a disciplined, professional way. First it enters through a vulnerability, often one that has not yet been publicly disclosed, and it may chain several exploits at once to gain entry and start moving through the network. Once inside, it performs the usual post-exploitation steps, only extremely rapidly: creating additional user accounts, setting up remote access with existing, legitimate tools, harvesting usernames and passwords, and disabling or bypassing security protections. After taking control of the target systems it deploys Medusa ransomware and exfiltrates sensitive data.

Since 2023, Storm-1175 has been associated with the use of a large number of vulnerabilities in popular products. Among them:

The important point about several of these vulnerabilities (for instance CVE-2025-10035 and CVE-2026-23760) is that attackers were exploiting them before they were publicly identified or patched. That is what makes these attacks zero-days.

Another aspect is flexibility. Microsoft specifically notes that Storm-1175 picks up new exploits rapidly and takes advantage of the window between a fix being released and organizations actually applying it. That window, not just the zero-day period, is when most organizations are exposed, which is why patching speed on internet-facing services matters as much as the vendor's disclosure timing.

One more aspect makes defending against the group harder: it relies on common remote-administration utilities such as AnyDesk, Atera or ConnectWise. From the outside this looks like routine IT activity rather than an attack, so detection is considerably harder than it might first appear. A practical check is to know which remote-management products your own IT team uses, and to treat any other such agent as suspicious, especially when it appears on a host shortly after a new local account is created or is launched by an internet-facing service rather than by an administrator.
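As an added example, not code from the article, from Microsoft or from any of the vendors named, the script below hunts for the two behaviours described above in process-creation events: a remote-management (RMM) agent started shortly after a new local account on the same host, and an RMM agent spawned by an internet-facing web service. The pipe-separated log layout, the RMM binary names, the list of web-service parent processes and the one-hour window are all assumptions made for illustration; the sample events are constructed.

```python
"""Hunt for the post-access pattern the article attributes to Storm-1175:
a freshly created local account followed by a remote-management (RMM) tool
on the same host, or an RMM agent launched by an internet-facing service.
Log layout, binary names and parent list are assumptions for this example;
adapt them to your own EDR/Sysmon schema."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Executables shipped by the RMM products the article names (assumed names).
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "ateraagent.exe": "Atera",
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
}
# Parents that should never launch an RMM installer: web/app servers that are
# the landing point of an edge-service exploit (assumed list).
WEB_SERVICE_PARENTS = {"w3wp.exe", "httpd.exe", "java.exe", "tomcat9.exe"}
# `net user <name> [password] /add`, also via net1.exe; group 1 is the account.
ACCOUNT_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)(?:\s+\S+)*\s+/add\b", re.I)

# Constructed sample events: timestamp|host|user|image|command line|parent image
SAMPLE_EVENTS = [
    r"2026-04-07T07:00:00|HOST04|CORP\helpdesk|C:\Windows\System32\net.exe|net user contractor Summer2026 /add|C:\Windows\System32\cmd.exe",
    r"2026-04-07T08:00:00|HOST02|NT AUTHORITY\SYSTEM|C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe|ScreenConnect.ClientService.exe|C:\Windows\System32\services.exe",
    r"2026-04-07T09:12:01|HOST01|NT AUTHORITY\SYSTEM|C:\Windows\System32\net1.exe|net1 user backupsvc P@ssw0rd! /add|C:\Windows\System32\cmd.exe",
    r"2026-04-07T09:20:15|HOST01|NT AUTHORITY\SYSTEM|C:\Users\Public\AnyDesk.exe|AnyDesk.exe --install C:\ProgramData\AnyDesk --silent|C:\Windows\System32\cmd.exe",
    r"2026-04-07T10:05:40|HOST03|IIS APPPOOL\DefaultAppPool|C:\Windows\Temp\AteraAgent.exe|AteraAgent.exe /quiet|C:\Windows\System32\inetsrv\w3wp.exe",
    r"2026-04-07T11:30:00|HOST04|CORP\helpdesk|C:\Program Files (x86)\AnyDesk\AnyDesk.exe|AnyDesk.exe|C:\Windows\explorer.exe",
]


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    image: str
    cmdline: str
    parent: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Event:
    ts, host, user, image, cmdline, parent = line.split("|", 5)
    return Event(datetime.fromisoformat(ts), host, user, image, cmdline, parent)


def hunt(lines, window_hours: float = 1.0):
    """Return a list of findings; events are processed in time order."""
    window = timedelta(hours=window_hours)
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e.ts)
    new_accounts = {}  # host -> [(timestamp, account name)]
    findings = []
    for e in events:
        m = ACCOUNT_ADD.search(e.cmdline)
        if m:  # remember the account creation, it is only suspicious in context
            new_accounts.setdefault(e.host, []).append((e.ts, m.group(1)))
            continue
        product = RMM_BINARIES.get(basename(e.image))
        if not product:
            continue
        reasons = []
        if basename(e.parent) in WEB_SERVICE_PARENTS:
            reasons.append(f"{product} launched by internet-facing service {basename(e.parent)}")
        recent = [name for t, name in new_accounts.get(e.host, [])
                  if timedelta(0) <= e.ts - t <= window]
        if recent:
            reasons.append(f"{product} started within {window} of new local account(s): "
                           + ", ".join(recent))
        if reasons:  # an RMM agent alone (HOST02) is routine IT and is not reported
            findings.append({"host": e.host, "ts": e.ts.isoformat(),
                             "product": product, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["ts"], f["host"], "|", "; ".join(f["reasons"]))
```

On the constructed data the script reports HOST01 (AnyDesk installed eight minutes after `backupsvc` was created) and HOST03 (Atera spawned by the IIS worker process), while the ScreenConnect service on HOST02 and the help-desk AnyDesk session on HOST04 are left alone: the correlation, not the tool itself, is what separates the attacker's use of legitimate software from routine administration.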
