Rapid Deployment: China-Linked Storm-1175 Exploits Zero-Days with Medusa Ransomware

The Rise of Storm-1175: A Menace in Cyberspace

An infamous China-based threat actor, Storm-1175, has been wreaking havoc in cyberspace by deploying the notorious Medusa ransomware. This cybercriminal group has gained notoriety for its use of a combination of zero-day and N-day vulnerabilities to execute rapid and high-impact attacks on vulnerable internet-facing systems.

According to the Microsoft Threat Intelligence team, Storm-1175’s relentless pace and adeptness at identifying exposed assets have resulted in significant breaches across various sectors, including healthcare, education, professional services, and finance, in countries like Australia, the United Kingdom, and the United States.

Storm-1175’s modus operandi involves leveraging zero-day exploits, sometimes even before their public disclosure, as well as recently revealed vulnerabilities to infiltrate target systems. The threat actor is known to string together multiple exploits for post-compromise activities, such as deploying the Medusa ransomware swiftly after gaining access.

Upon infiltrating a network, Storm-1175 swiftly exfiltrates data and unleashes the Medusa ransomware within a remarkably short timeframe, often within 24 hours. To facilitate their malicious activities, the group establishes persistence by creating new user accounts, deploying web shells, conducting credential theft, and evading security solutions before deploying the ransomware.

Since 2023, Storm-1175 has exploited over 16 vulnerabilities to carry out its nefarious activities.

Storm-1175 cyber attacks

Storm-1175 has exploited zero-day vulnerabilities like CVE-2025-10035 and CVE-2026-23760 before their public disclosure. The group has recently focused on targeting Linux systems, including vulnerable Oracle WebLogic instances, across multiple organizations. The specific vulnerability exploited in these attacks remains undisclosed.

Microsoft notes that Storm-1175 capitalizes on the window between vulnerability disclosure and patch implementation, exploiting organizations with unprotected systems. The group employs various tactics, including the use of living-off-the-land binaries, deployment of Medusa ransomware via PDQ Deployer, and credential dumping using tools like Impacket and Mimikatz.

  • Utilizing living-off-the-land binaries for lateral movement.
  • Employing PDQ Deployer for payload delivery.
  • Modifying Windows Firewall policies for malicious payload delivery.
  • Conducting credential dumping using Impacket and Mimikatz.
  • Configuring Microsoft Defender Antivirus exclusions to evade detection.
  • Using Bandizip and Rclone for data collection and exfiltration.

Of particular concern is the dual-use nature of remote monitoring and management (RMM) tools like AnyDesk and ConnectWise ScreenConnect, which enable threat actors to mask malicious activities within trusted platforms, enhancing stealth and reducing detection risks.
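The persistence and evasion steps listed above (new accounts, Defender exclusions, firewall changes, RMM tools) each look routine on their own, but the article's point is that Storm-1175 chains them on one host within hours. The following is an added example, not code from Microsoft or the article, that flags that clustering over constructed log lines; the pipe-delimited format and the sample events are assumptions, while the event IDs (4720, 5007, 4946, 4688) are the standard Windows Security and Defender Operational IDs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): "timestamp|host|event_id|detail".
SAMPLE_EVENTS = """\
2025-10-02T01:12:03|SRV-WEB01|4720|New account created: svc_backup
2025-10-02T01:15:40|SRV-WEB01|5007|Defender Exclusions\\Paths = C:\\Windows\\Temp
2025-10-02T01:20:11|SRV-WEB01|4946|Firewall rule added: Allow TCP 3389 inbound
2025-10-02T01:35:59|SRV-WEB01|4688|Process created: AnyDesk.exe
2025-10-02T09:00:00|SRV-DB02|4720|New account created: helpdesk2
2025-10-03T14:00:00|SRV-DB02|5007|Defender Exclusions\\Paths = D:\\Backups
"""

# Event IDs mapped to the behaviours named in the article.
TECHNIQUES = {
    "4720": "new user account",           # Security log: a user account was created
    "5007": "Defender exclusion change",  # Defender Operational: configuration changed
    "4946": "firewall rule added",        # Security log: firewall exception list changed
}
RMM_BINARIES = ("anydesk.exe", "screenconnect")  # dual-use RMM tools from the article

def parse(line):
    ts, host, eid, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, eid, detail

def classify(eid, detail):
    """Map one event to a technique label, or None if it is not of interest."""
    if eid in TECHNIQUES:
        return TECHNIQUES[eid]
    if eid == "4688" and any(b in detail.lower() for b in RMM_BINARIES):
        return "RMM tool launched"
    return None

def find_rapid_persistence(text, window=timedelta(hours=1), min_techniques=3):
    """Return {host: [techniques]} for hosts where at least min_techniques
    distinct behaviours occur within one sliding window of length `window`."""
    per_host = defaultdict(list)
    for line in text.splitlines():
        ts, host, eid, detail = parse(line)
        tech = classify(eid, detail)
        if tech:
            per_host[host].append((ts, tech))
    hits = {}
    for host, events in per_host.items():
        events.sort()  # chronological, so each start opens one window
        for i, (start, _) in enumerate(events):
            seen = {t for ts, t in events[i:] if ts - start <= window}
            if len(seen) >= min_techniques:
                hits[host] = sorted(seen)
                break
    return hits
```

SRV-DB02 shows the same two events a day apart and is not flagged, which is the distinction that separates an admin's change from the compressed timeline the article describes.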