Microsoft has identified Storm-1175, a China-based, financially motivated cybercriminal group, as a fast-moving affiliate of the Medusa ransomware operation that exploits both n-day and zero-day vulnerabilities within days of their discovery. The threat actor moves from initial access to data exfiltration and ransomware deployment in as little as 24 hours, and its recent intrusions have hit healthcare organizations hardest, followed by the education, professional services and finance sectors, across Australia, the United Kingdom and the United States.
Rapid exploitation timeline
Storm-1175 has developed a reputation for weaponizing security vulnerabilities with exceptional speed. Microsoft reports that the group has been observed exploiting some vulnerabilities within a day of discovery and, in certain cases, taking advantage of flaws a full week before official patches are released. This aggressive timeline allows the group to maximize their window of opportunity before defenders can implement mitigations.
This tempo is compounded by the group's skill at finding exposed perimeter assets: the products it has repeatedly hit are internet-facing file transfer, email, remote-access and build servers, exactly the systems that are hardest to take offline and slowest to patch. Microsoft reports that the approach has succeeded across several critical sectors, and the combination of speed and target selection makes Storm-1175 a formidable actor in the ransomware ecosystem.
Multi-exploit attack chains
Microsoft has documented how Storm-1175 gains and keeps access. The group does not depend on a single vulnerability; it chains multiple exploits to establish a foothold and then follows a consistent post-exploitation playbook:
- Creating new user accounts to ensure continued access
- Deploying remote monitoring and management software for ongoing control
- Stealing credentials to expand their reach within the network
- Disabling security software to avoid detection
- Finally dropping Medusa ransomware payloads to encrypt systems
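The steps above are individually ordinary (an admin creates accounts, installs remote-support tools, clears shadow copies), so the detection value is in the sequence on one host inside a short window. The following is an added example, not code from the article or from Microsoft: it classifies Windows Security and Defender events into those stages and flags a host that shows three or more of them within 24 hours. The event IDs (4720, 4688, 5001) are real Windows IDs; the RMM and dumping tool names and the JSON log lines are constructed assumptions for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Windows event IDs below are real; the tool names are assumed examples that
# an analyst would tune to the RMM and dumping tools seen in their estate.
RMM_BINARIES = {"anydesk.exe", "screenconnect.clientsetup.exe", "simplehelp.exe"}
CRED_TOOLS = {"mimikatz.exe", "procdump.exe"}


def classify(ev):
    """Map one parsed event to an intrusion stage, or None if uninteresting."""
    eid = ev["EventID"]
    if eid == 4720:                       # Security: user account created
        return "account_created"
    if eid == 5001:                       # Defender: real-time protection disabled
        return "security_disabled"
    if eid == 4688:                       # Security: new process created
        exe = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
        cmd = ev.get("CommandLine", "").lower()
        if exe in RMM_BINARIES:
            return "rmm_deployed"
        if exe in CRED_TOOLS or ("comsvcs.dll" in cmd and "minidump" in cmd):
            return "credential_theft"
        if exe == "vssadmin.exe" and "delete shadows" in cmd:
            return "ransomware_prep"
    return None


def correlate(lines, window=timedelta(hours=24), min_stages=3):
    """Group classified events per host and flag hosts whose events cover at
    least min_stages distinct stages inside any window-long interval.
    Returns {host: sorted list of stages} for flagged hosts only."""
    per_host = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        stage = classify(ev)
        if stage:
            per_host[ev["Computer"]].append((datetime.fromisoformat(ev["Time"]), stage))
    findings = {}
    for host, hits in per_host.items():
        hits.sort()
        best = set()
        for i, (t0, _) in enumerate(hits):          # a window starts at each hit
            in_window = {s for t, s in hits[i:] if t - t0 <= window}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_stages:
            findings[host] = sorted(best)
    return findings


# Constructed sample log (JSON lines), not real telemetry. FS01 shows the full
# chain inside two hours; FS02 shows three stages spread over a week, which a
# 24-hour window correctly ignores; WS22 is an ordinary account creation.
SAMPLE_LOG = [
    '{"Time": "2025-10-01T02:10:00", "Computer": "FS01", "EventID": 4720, "TargetUserName": "svc_backup2"}',
    '{"Time": "2025-10-01T02:30:00", "Computer": "FS01", "EventID": 4688, "NewProcessName": "C:\\\\Users\\\\Public\\\\AnyDesk.exe", "CommandLine": "AnyDesk.exe --install C:\\\\Users\\\\Public --silent"}',
    '{"Time": "2025-10-01T03:05:00", "Computer": "FS01", "EventID": 4688, "NewProcessName": "C:\\\\Windows\\\\System32\\\\rundll32.exe", "CommandLine": "rundll32.exe C:\\\\Windows\\\\System32\\\\comsvcs.dll, MiniDump 652 C:\\\\temp\\\\l.dmp full"}',
    '{"Time": "2025-10-01T03:40:00", "Computer": "FS01", "EventID": 5001, "Provider": "Microsoft-Windows-Windows Defender"}',
    '{"Time": "2025-10-01T04:00:00", "Computer": "FS01", "EventID": 4688, "NewProcessName": "C:\\\\Windows\\\\System32\\\\vssadmin.exe", "CommandLine": "vssadmin delete shadows /all /quiet"}',
    '{"Time": "2025-09-24T10:00:00", "Computer": "FS02", "EventID": 4720, "TargetUserName": "helpdesk3"}',
    '{"Time": "2025-09-27T11:00:00", "Computer": "FS02", "EventID": 4688, "NewProcessName": "C:\\\\Temp\\\\SimpleHelp.exe", "CommandLine": "SimpleHelp.exe"}',
    '{"Time": "2025-10-01T12:00:00", "Computer": "FS02", "EventID": 4688, "NewProcessName": "C:\\\\Windows\\\\System32\\\\vssadmin.exe", "CommandLine": "vssadmin delete shadows /all /quiet"}',
    '{"Time": "2025-10-01T09:00:00", "Computer": "WS22", "EventID": 4720, "TargetUserName": "j.smith"}',
]


def run_sample():
    return correlate(SAMPLE_LOG)


if __name__ == "__main__":
    for host, stages in run_sample().items():
        print(host, "->", ", ".join(stages))
```

Running it flags only FS01. The window matters: the same three events on FS02 over a week are routine administration, and a rule without a time bound would page on them. In production the stage mapping would be driven by your own RMM allow-list, and events such as 1102 (audit log cleared) or Defender tamper-protection alerts could be added as further stages.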
This methodical approach demonstrates the group's evolution from simple exploit-and-ransom operations to more complex, multi-stage attacks that maximize their chances of success and profitability.
Notable zero-day exploits
In October 2025, Microsoft reported that Storm-1175 had been exploiting a maximum-severity GoAnywhere MFT vulnerability (CVE-2025-10035) in Medusa ransomware attacks for over a week before it was patched. The group therefore had a week of exploitation against a widely deployed managed file transfer product with no fix available, and longer against deployments that were slow to apply the fix once it shipped.
Another significant zero-day exploit involved CVE-2026-23760, an authentication bypass vulnerability in SmarterTools' SmarterMail email server and collaboration tool. Microsoft noted that while these recent attacks point to either an improved in-house exploit development capability or new access to resources such as exploit brokers, certain factors may have made the group's job easier. GoAnywhere MFT had previously been targeted by ransomware attackers, and the SmarterMail vulnerability was reportedly similar to a previously disclosed flaw, so prior research on both products may have let Storm-1175 weaponize these bugs faster than it otherwise could have.
Extensive vulnerability portfolio
Microsoft's analysis reveals that Storm-1175 has exploited more than 16 vulnerabilities across 10 different software products in recent campaigns. This extensive targeting strategy demonstrates the group's broad knowledge of enterprise software and their ability to quickly adapt to new security flaws as they emerge.
Their exploitation targets have included:
- Microsoft Exchange (CVE-2023-21529)
- Papercut (CVE-2023-27351 and CVE-2023-27350)
- Ivanti Connect Secure and Policy Secure (CVE-2023-46805 and CVE-2024-21887)
- ConnectWise ScreenConnect (CVE-2024-1709 and CVE-2024-1708)
- JetBrains TeamCity (CVE-2024-27198 and CVE-2024-27199)
- SimpleHelp (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728)
- CrushFTP (CVE-2025-31161)
- SmarterMail (CVE-2025-52691)
- BeyondTrust (CVE-2026-1731)
This diverse targeting strategy allows the group to maintain pressure on defenders across multiple attack surfaces simultaneously, making it difficult for organizations to prioritize their patching efforts effectively.
Broader ransomware ecosystem connections
Microsoft's research has revealed connections between Storm-1175 and other major ransomware operations. In July 2024, the company linked Storm-1175 along with three other cybercrime gangs to Black Basta and Akira ransomware attacks that exploited a VMware ESXi authentication-bypass flaw. This suggests that Storm-1175 may be part of a larger network of ransomware affiliates who share resources, techniques, and possibly infrastructure.
The Medusa ransomware operation itself has been the subject of significant law enforcement attention. In March 2025, CISA issued a joint advisory with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), warning that Medusa ransomware attacks had impacted over 300 critical infrastructure organizations across the United States. This scale of impact demonstrates the significant threat posed by groups like Storm-1175 and their ransomware affiliates.
Implications for defenders
The emergence of Storm-1175 as a rapid-moving, zero-day exploiting affiliate of Medusa ransomware represents a significant escalation in the ransomware threat landscape. Organizations across critical sectors must now contend with threat actors who can move from vulnerability discovery to full system compromise in a matter of hours or days.
Microsoft's findings suggest several key defensive priorities:
- Accelerated patch management - Organizations need to patch internet-facing systems within hours, not days, when critical vulnerabilities are disclosed, and where no patch exists yet, apply the vendor's mitigation or take the service offline
- Enhanced monitoring - Continuous monitoring for signs of exploitation, particularly of newly disclosed vulnerabilities
- Network segmentation - Limiting the lateral movement capabilities of threat actors who do gain initial access
- Backup strategies - Maintaining offline or immutable backups that ransomware payloads cannot encrypt or delete, and testing that they restore
- Security awareness - Training staff to recognize and report potential indicators of compromise quickly
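Patching "within hours" is only achievable if the exposed assets and the exploited flaws can be matched automatically. The following is an added example, not code from the article or from any vendor: it cross-references a small asset inventory against a feed shaped like an exploited-vulnerability catalogue entry, ranks unpatched assets with internet-exposed ones first, and flags those past a 24-hour SLA. The CVE IDs are the ones named above; the fixed versions, dates, hostnames and version strings are constructed placeholders, not advisory data, and the version comparison assumes plain dotted numeric versions.

```python
from datetime import datetime


def vtuple(version):
    """Numeric dotted version -> comparable tuple (assumes plain x.y.z strings)."""
    return tuple(int(part) for part in version.split("."))


# Constructed feed in the shape of an exploited-vulnerability catalogue entry.
# CVE IDs are the ones named in the article; fixed versions and dates are
# assumed placeholders here, not vendor advisory data.
FEED = [
    {"cve": "CVE-2025-31161", "product": "crushftp", "fixed": "11.3.1", "added": "2025-04-07"},
    {"cve": "CVE-2024-1709", "product": "screenconnect", "fixed": "23.9.8", "added": "2024-02-22"},
]

# Constructed asset inventory; "exposed" means reachable from the internet.
INVENTORY = [
    {"host": "ftp.example.net", "product": "crushftp", "version": "11.2.3", "exposed": True},
    {"host": "rmm.example.net", "product": "screenconnect", "version": "24.1.0", "exposed": True},
    {"host": "lab-ftp", "product": "crushftp", "version": "11.2.0", "exposed": False},
]


def assess(inventory, feed, now, sla_hours=24):
    """Return unpatched findings sorted so the items to fix first come first:
    internet-exposed (P1) before internal (P2), then by hours since the flaw
    entered the feed. Each finding records whether the patch SLA is breached."""
    findings = []
    for asset in inventory:
        for vuln in feed:
            if asset["product"] != vuln["product"]:
                continue
            if vtuple(asset["version"]) >= vtuple(vuln["fixed"]):
                continue                      # already at or above the fixed build
            age_h = (now - datetime.fromisoformat(vuln["added"])).total_seconds() / 3600
            findings.append({
                "host": asset["host"],
                "cve": vuln["cve"],
                "priority": "P1" if asset["exposed"] else "P2",
                "age_hours": round(age_h, 1),
                "sla_breached": asset["exposed"] and age_h > sla_hours,
            })
    findings.sort(key=lambda f: (f["priority"], -f["age_hours"]))
    return findings


def run_sample():
    # Fixed "now" so the output is reproducible: 60 hours after the CrushFTP entry.
    return assess(INVENTORY, FEED, datetime(2025, 4, 9, 12, 0))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['priority']} {f['host']:16} {f['cve']} age={f['age_hours']}h breach={f['sla_breached']}")
```

The patched ScreenConnect host drops out, the exposed CrushFTP server is a P1 SLA breach, and the internal lab copy is queued behind it. In a real pipeline the feed would be pulled from a catalogue such as CISA KEV and the inventory from an attack-surface or CMDB source, but the ranking logic stays the same.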
As ransomware groups continue to evolve their tactics and develop faster exploitation capabilities, the window for effective defense continues to shrink. Organizations that fail to adapt to this new reality of rapid exploitation face an increasingly high risk of compromise and significant operational disruption.
