Storm-1175 Rapidly Exploits Web-Facing Flaws to Deploy Medusa Ransomware
Microsoft said threat actor Storm-1175 is running high-tempo intrusions that exploit newly disclosed and, in some cases, previously unknown vulnerabilities in internet-facing systems to steal data and deploy Medusa ransomware within days, and in some cases within 24 hours. The financially motivated group has heavily impacted healthcare organizations and has also targeted education, professional services, and finance in Australia, the United Kingdom, and the United States. Since 2023, the actor has exploited more than 16 flaws across products including Microsoft Exchange, PaperCut, Ivanti, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail, SAP NetWeaver, and BeyondTrust, with Microsoft also observing zero-day use against SmarterMail and GoAnywhere before public disclosure.
After gaining access, Storm-1175 establishes persistence with new administrator accounts, web shells, and remote management tools, then moves laterally using LOLBins, Impacket, PDQ Deployer, and Cloudflare tunnels while stealing credentials from LSASS, NTDS.dit, SAM, and backup systems. Microsoft said the actor tampers with Microsoft Defender settings to reduce detection, uses Bandizip and Rclone for collection and exfiltration, and deploys Medusa through PDQ Deployer or Group Policy; the group has also shown interest in Linux targets such as vulnerable Oracle WebLogic servers. Microsoft urged organizations to reduce exposure of web-facing assets, patch quickly, enforce MFA on approved RMM tools, restrict local administrator rights, and enable protections such as Credential Guard, tamper protection, and Defender XDR attack disruption features.
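The post-exploitation behaviours listed above (Defender setting tampering, newly created local administrator accounts, Rclone bulk transfers, and software-deployment tooling used for staging) are the kind of host telemetry a SOC can correlate per host. The following is an added example, not Microsoft's code or detection content: it triages a handful of constructed events in a flattened Sysmon/Windows Security schema (process creation as event 1, account creation 4720, group addition 4732) and scores each host. The schema, field names, sample hostnames, account names and command lines are all assumptions made for the illustration.

```python
"""Per-host triage of constructed host telemetry for the Storm-1175 tradecraft
summarised above. Added example; the event schema and every sample event are
constructed for illustration and are not from the article or from Microsoft."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: flattened Sysmon process creations (event_id 1)
# and Windows Security account events (4720 = user created, 4732 = added to group).
SAMPLE_EVENTS = [
    {"ts": "2026-04-01T02:11:04Z", "host": "WEB01", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2026-04-01T02:12:30Z", "host": "WEB01", "event_id": 4720,
     "target_user": "svc_backup2", "subject_user": "w3wp-svc"},
    {"ts": "2026-04-01T02:12:31Z", "host": "WEB01", "event_id": 4732,
     "target_user": "svc_backup2", "group": "Administrators"},
    {"ts": "2026-04-01T03:40:12Z", "host": "FS02", "event_id": 1,
     "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Shares\Finance remote:bucket"},
    # A deployment tool is legitimate admin software, so it only scores as a weak signal.
    {"ts": "2026-04-01T09:00:00Z", "host": "WS17", "event_id": 1,
     "image": r"C:\Program Files\Admin Arsenal\PDQ Deploy\PDQDeployRunner-1.exe",
     "cmdline": "PDQDeployRunner-1.exe"},
    {"ts": "2026-04-01T10:15:00Z", "host": "WS17", "event_id": 1,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Command-line rules: (technique label, weight, pattern). Weights express how
# rarely the pattern appears in benign administration.
CMDLINE_RULES = [
    ("defender_tamper", 3, re.compile(r"set-mppreference\s+.*-disable\w+", re.I)),
    ("defender_tamper", 3, re.compile(r"disableantispyware", re.I)),
    ("defender_tamper", 2, re.compile(r"add-mppreference\s+.*-exclusion(path|process|extension)", re.I)),
    ("rclone_transfer", 3, re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I)),
    ("deployment_tool", 1, re.compile(r"pdqdeploy", re.I)),
]

# A 4720 followed by a 4732 into Administrators inside this window is treated as
# one "new local admin" finding rather than two unrelated account events.
ADMIN_WINDOW = timedelta(minutes=10)


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def triage(events):
    """Return findings as (host, technique, weight, evidence) tuples."""
    findings = []
    created = {}  # (host, user) -> creation time, for 4720 -> 4732 correlation
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        host = ev["host"]
        if ev["event_id"] == 1:
            for technique, weight, pattern in CMDLINE_RULES:
                if pattern.search(ev["cmdline"]):
                    findings.append((host, technique, weight, ev["cmdline"]))
                    break  # one finding per process event
        elif ev["event_id"] == 4720:
            created[(host, ev["target_user"])] = _parse_ts(ev["ts"])
        elif ev["event_id"] == 4732 and ev["group"].lower() == "administrators":
            t0 = created.get((host, ev["target_user"]))
            if t0 is not None and _parse_ts(ev["ts"]) - t0 <= ADMIN_WINDOW:
                findings.append((host, "new_local_admin", 3,
                                 f"{ev['target_user']} created then added to Administrators"))
    return findings


def hosts_needing_attention(findings, threshold=3):
    """Sum weights per host; one strong signal or several weak ones crosses the bar."""
    score = defaultdict(int)
    for host, _technique, weight, _evidence in findings:
        score[host] += weight
    return {host: total for host, total in score.items() if total >= threshold}


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for finding in results:
        print(finding)
    print(hosts_needing_attention(results))
```

On the constructed input, WEB01 is flagged for both the Defender tamper command and the created-then-elevated account, FS02 for the Rclone transfer, while WS17's deployment tool alone stays below the threshold and notepad produces nothing. In practice the rules would be fed from an EDR or SIEM export rather than an inline list, and the tamper rule is only a backstop: with tamper protection enabled, as the mitigation guidance recommends, the `Set-MpPreference` change itself is blocked.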
Timeline
Apr 6, 2026
Microsoft publishes technical analysis and mitigations on Storm-1175
Microsoft Threat Intelligence publicly profiled Storm-1175 as a financially motivated actor associated with Medusa ransomware and detailed its exploitation, persistence, credential theft, lateral movement, exfiltration, and defense-evasion techniques. The company also issued mitigation guidance focused on reducing exposure of web-facing assets and hardening defenses such as Credential Guard, tamper protection, MFA, and Defender XDR protections.
Jan 1, 2023
Storm-1175 heavily impacts healthcare and other sectors in three countries
Across its campaigns, Storm-1175 significantly affected healthcare organizations and also targeted education, professional services, and finance entities in Australia, the United Kingdom, and the United States. Microsoft said the actor maintained a high operational tempo across these sectors.
Jan 1, 2023
Storm-1175 uses zero-days in SmarterMail and GoAnywhere before disclosure
Microsoft observed Storm-1175 exploiting zero-day vulnerabilities in SmarterMail and GoAnywhere MFT before those flaws were publicly disclosed. This showed the actor was not limited to patch-gap exploitation and could also leverage previously unknown vulnerabilities.
Jan 1, 2023
Storm-1175 begins exploiting vulnerable internet-facing systems
Since 2023, Microsoft observed Storm-1175 conducting high-tempo intrusions by rapidly weaponizing newly disclosed N-day vulnerabilities in web-facing products such as Exchange, PaperCut, Ivanti, ScreenConnect, TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail, SAP NetWeaver, and BeyondTrust. The actor often moved from exploitation to credential theft, data exfiltration, and Medusa ransomware deployment within days or as little as 24 hours.
Related Stories

Storm-0249 Uses EDR Abuse and ClickFix for Stealthy Ransomware Deployment
Storm-0249, an initial access broker previously known for selling access to compromised networks, has adopted advanced techniques to facilitate ransomware attacks. The group now leverages social engineering tactics such as ClickFix, which tricks users into executing malicious commands via the Windows Run dialog. These commands use legitimate utilities like `curl.exe` to download and execute fileless PowerShell scripts from spoofed Microsoft domains, ultimately deploying malicious MSI packages with SYSTEM privileges. The attack chain includes DLL sideloading, where a trojanized DLL is placed alongside legitimate EDR components (notably SentinelOne's `SentinelAgentWorker.exe`), allowing the attacker's code to run within trusted processes and evade detection. Once persistence is established, Storm-0249 abuses EDR tools to collect system information and maintain stealthy access, making detection and remediation challenging for defenders. This evolution in Storm-0249's tactics demonstrates a shift from mass phishing to highly targeted, stealthy operations that exploit trusted security software for malicious purposes. The abuse of EDR solutions not only enables the bypassing of traditional security controls but also provides a reliable foothold for ransomware deployment. Security researchers recommend implementing robust email filtering, monitoring for unusual use of legitimate utilities, and updating detection rules to identify these advanced techniques. Organizations are urged to review their EDR configurations and monitor for signs of DLL sideloading and unauthorized PowerShell activity to mitigate the risk posed by this threat actor.
1 month ago
DragonForce and Medusa Ransomware Exploitation of SimpleHelp RMM Vulnerabilities
Two major Ransomware-as-a-Service (RaaS) groups, Medusa and DragonForce, have been identified exploiting critical vulnerabilities in the SimpleHelp Remote Monitoring and Management (RMM) platform to gain SYSTEM-level access across managed service provider (MSP) environments. The attackers leveraged three specific flaws—CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728—to compromise RMM servers, pivot into downstream customer networks, and deploy ransomware payloads. Medusa operators used legitimate IT management tools like PDQ Inventory and PDQ Deploy to distribute ransomware, disable Microsoft Defender, and exfiltrate sensitive data using RClone, while DragonForce was also observed exploiting these flaws for similar access and impact. The attacks resulted in widespread file encryption, ransom notes, and double-extortion tactics, with stolen data posted on dark web leak sites and promoted via Telegram. The campaigns highlight the significant risk posed by unpatched RMM platforms in the IT supply chain, as attackers can rapidly escalate privileges and impact multiple organizations through a single compromised MSP. Security researchers emphasize the need for immediate patching of SimpleHelp RMM vulnerabilities and enhanced monitoring of MSP environments to mitigate further exploitation by ransomware groups.
1 month ago
Ransomware operators abuse legitimate remote administration tools and exploit SmarterMail flaws for initial access and persistence
**Ransomware activity is increasingly blending into normal IT operations** by combining exploitation of internet-facing software with the use of legitimate remote access and monitoring tools. Huntress reported multiple intrusions tied to the **Crazy** ransomware gang where attackers deployed *Net Monitor for Employees Professional* and the *SimpleHelp* remote support client to maintain persistence, evade detection, and stage for ransomware deployment. The actors installed the monitoring agent via `msiexec.exe` directly from the vendor site, then used it for interactive control (desktop viewing, file transfer, command execution); they also added redundant access by installing SimpleHelp via PowerShell and disguising binaries with benign-looking names (e.g., `vshost.exe`) and paths such as `C:\ProgramData\OneDriveSvc\OneDriveSvc.exe`. In parallel, ransomware groups have been observed **actively exploiting recently patched SmarterTools SmarterMail vulnerabilities** that enable unauthenticated compromise of mail servers. SC Media reported that CISA added **CVE-2026-24423** to the KEV catalog after it was linked to ransomware campaigns; the flaw enables unauthenticated RCE via SmarterMail’s `ConnectToHub` API by delivering a malicious OS command from a remote server. A second issue, **CVE-2026-23760**, allows authentication bypass through the password reset API (`force-reset-password`) by not validating the old password; ReliaQuest attributed active exploitation of this weakness to a China-based actor tracked as **Storm-2603**, which reportedly chained the bypass with SmarterMail’s *Volume Mount* feature to reach RCE, activity assessed as staging consistent with **Warlock** ransomware operations (even when ransomware was not yet deployed).
1 month ago