The threat actor is exploiting more than 17 flaws in high-velocity campaigns to distribute Medusa ransomware, according to Microsoft.
A financially motivated threat actor whom Microsoft is tracking as Storm-1175 appears to have fine-tuned exploitation of unpatched Internet-facing systems into a fast, repeatable process, in some cases moving from initial access to full ransomware deployment in less than a single business day.
High Velocity Attacks
In an advisory this week, Microsoft warned that the group is exploiting new vulnerabilities in the window between initial disclosure and mass patch adoption to distribute the Medusa ransomware strain. The high-velocity campaigns have impacted organizations in the healthcare, finance, professional services and education sectors across the US, UK and Australia. In several instances, Storm-1175 has also abused zero-day vulnerabilities for at least a week before bug disclosure.
“Storm-1175 establishes persistence by creating new user accounts, deploys various tools including remote monitoring and management software for lateral movement, conducts credential theft, and tampers with security solutions before deploying ransomware throughout the compromised environment,” Microsoft warned.
Here’s what to do:
- Patch the vulnerabilities that Storm-1175 is targeting.
- Limit local admin privileges: Avoid shared local administrator passwords and restrict who can modify critical settings to reduce lateral movement and credential theft risks.
- Monitor for suspicious activity in legitimate tools: Keep an eye on remote management and deployment tools (Atera, ConnectWise ScreenConnect, AnyDesk, PDQ Deployer, etc.) to spot misuse or abnormal behavior.
- Segment networks: Restrict lateral movement between initially infected devices and other devices in the same organization (CISA recommendation).
- Filter network traffic: Prevent unknown or untrusted origins from accessing remote services on internal systems (CISA recommendation).
- Enable security protections: Turn on tamper protection for antivirus software, enforce the DisableLocalAdminMerge setting, and monitor LSASS access to prevent credential dumping.
- Control network access and RDP usage: Restrict firewall and remote desktop changes, monitor unusual lateral movement, and segment networks to contain potential breaches quickly.
- Use the IoCs that Microsoft has provided to check for signs of Storm-1175 activity.
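As an added example, not code from Microsoft's advisory, the following read-only PowerShell audit checks a host against the settings this list names: Defender tamper protection, DisableLocalAdminMerge, whole-drive Defender exclusions, LSA protection for LSASS, WDigest credential caching, enabled inbound RDP firewall rules, and local Administrators membership. The function name and the pass/fail thresholds are this example's own choices; it assumes an elevated session on a Windows host with Microsoft Defender Antivirus and the Defender, NetSecurity and LocalAccounts PowerShell modules available.

```powershell
# Added example (not Microsoft's code): read-only audit of the mitigations listed above.
# Nothing here changes configuration; each check is returned as a Pass/Fail object.
function Test-Storm1175Hardening {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1. Tamper protection blocks changes to Defender settings from scripts and the registry.
    $status = Get-MpComputerStatus
    Add-Finding 'Defender tamper protection' ([bool]$status.IsTamperProtected) `
        "IsTamperProtected=$($status.IsTamperProtected)"

    # 2. DisableLocalAdminMerge stops local admins from appending their own exclusions
    #    to policy-managed Defender settings.
    $pref = Get-MpPreference
    Add-Finding 'DisableLocalAdminMerge' ([bool]$pref.DisableLocalAdminMerge) `
        "DisableLocalAdminMerge=$($pref.DisableLocalAdminMerge)"

    # 3. Whole-drive exclusions (e.g. "D:\") are the kind of change the advisory describes.
    $driveExclusions = @($pref.ExclusionPath | Where-Object { $_ -match '^[A-Za-z]:\\?$' })
    Add-Finding 'No whole-drive Defender exclusions' ($driveExclusions.Count -eq 0) `
        ('Excluded drives: ' + ($driveExclusions -join ', '))

    # 4. LSA protection (RunAsPPL = 1 or 2) raises the bar for dumping credentials from LSASS.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    Add-Finding 'LSA protection (RunAsPPL)' ($lsa.RunAsPPL -in 1, 2) "RunAsPPL=$($lsa.RunAsPPL)"

    # 5. WDigest plaintext caching must stay off: UseLogonCredential absent or not 1.
    $wd = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
        -ErrorAction SilentlyContinue
    $wdOk = (-not $wd) -or ($wd.UseLogonCredential -ne 1)
    Add-Finding 'WDigest credential caching disabled' $wdOk "UseLogonCredential=$($wd.UseLogonCredential)"

    # 6. Enabled inbound RDP rules: reported so that a rule re-enabled by an attacker stands out.
    $rdpRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' })
    Add-Finding 'No inbound RDP firewall rules enabled (review if RDP is expected)' ($rdpRules.Count -eq 0) `
        ('Enabled rules: ' + (($rdpRules | ForEach-Object DisplayName) -join ', '))

    # 7. Local Administrators membership: a new admin-level account is the group's first persistence step.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object Name)
    Add-Finding 'Local Administrators membership (review for unexpected accounts)' $true ($admins -join ', ')

    return $findings
}

Test-Storm1175Hardening | Format-Table -AutoSize
```

Checks 6 and 7 are informational: RDP may be legitimately enabled and the Administrators list is meant to be compared against what the organization expects, so they are listed rather than scored as failures.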
The Vulnerabilities that Storm-1175 is Exploiting
Organizations that want to mitigate their exposure to Storm-1175 attacks might first want to pay attention to the following set of vulnerabilities, which the threat actor has consistently exploited in attacks since 2023. In some cases, the group has chained several of these vulnerabilities to support post-compromise goals.
Storm-1175's list of go-to vulnerabilities, and therefore the ones needing immediate attention, is:
- CVE-2023-21529 (Microsoft Exchange)
- CVE-2023-27351 and CVE-2023-27350 (PaperCut)
- CVE-2023-46805 and CVE-2024-21887 (Ivanti Connect Secure and Policy Secure)
- CVE-2024-1709 and CVE-2024-1708 (ConnectWise ScreenConnect)
- CVE-2024-27198 and CVE-2024-27199 (JetBrains TeamCity)
- CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 (SimpleHelp)
- CVE-2025-31161 (CrushFTP)
- CVE-2025-10035 (GoAnywhere MFT)
- CVE-2025-52691 and CVE-2026-23760 (SmarterMail)
- CVE-2026-1731 (BeyondTrust)
Storm-1175, according to Microsoft, has needed as little as one day following vulnerability disclosure to develop an exploit for it. One case in point is CVE-2025-31324 in SAP NetWeaver: Microsoft said it spotted Storm-1175 exploiting the flaw one day after SAP disclosed it on April 24, 2025.
Vulnerabilities that the threat actor has chained in its attacks include two that affected Microsoft Exchange Servers: CVE-2022-41080 for initial access and subsequently CVE-2022-41082 for remote code execution.
Microsoft also identified two of the three zero-days that its researchers have observed Storm-1175 using in its recent attacks: CVE-2026-23760 in SmarterMail and CVE-2025-10035, which affected GoAnywhere Managed File Transfer. The threat actor exploited both of these vulnerabilities for at least one week prior to vulnerability disclosure, demonstrating that it is a well-resourced and highly sophisticated group.
Once inside a network, Storm-1175 wastes little time locking in its access before security teams can react. The group's first move is to try to establish persistence, typically by creating a new admin-level account on the compromised machine. The threat actor then quickly starts exploring the network and moving to other systems using built-in Windows tools like PowerShell and PsExec, along with Cloudflare tunnels disguised as normal system files and the Remote Desktop Protocol. If RDP is blocked, it simply changes the firewall rules using its new admin privileges to turn it back on.
Leveraging Legitimate Tools
What makes this movement especially hard to spot is that the group relies heavily on tools that look like normal IT activity. Microsoft listed eight different remote management tools that Storm-1175 has been using to maintain access, run commands and scripts, install malware and access machines remotely post-compromise.
Organizations using any of the following tools should closely monitor their use to separate normal activity from malicious activity: Atera RMM, Level RMM, N-able, DWAgent, MeshAgent, ConnectWise ScreenConnect and AnyDesk. Storm-1175 has also been using PDQ Deployer, which IT admins use to remotely install software and run updates, to quietly push malware, including ransomware, across the network.
Storm-1175 is using tools like Impacket and Mimikatz, along with built-in Windows features, for lateral movement and credential theft. The Impacket Python toolkit enables both lateral movement and dumping credentials from LSASS memory, while Mimikatz and registry tweaks like enabling WDigest credential caching let the attacker capture additional passwords.
After gaining administrator privileges, the group has also targeted backup software like Veeam to harvest credentials, which it then uses to expand access to connected systems, including Domain Controllers and Active Directory databases.
Once Storm-1175 has obtained high-level access, it actively tampers with security defenses to ensure ransomware deployment succeeds. The group modifies Microsoft Defender Antivirus settings, adds drives to exclusion lists, and uses encoded PowerShell commands to bypass scans, all of which require privileged account access.
Defenders can counter these moves by monitoring for credential theft, limiting local administrator rights, avoiding shared passwords, and enabling protections like tamper protection and the DisableLocalAdminMerge setting to block unauthorized antivirus changes.
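As an added example, not code from Microsoft's advisory, the PowerShell below correlates Windows event records for the sequence the article describes: a new account created and added to local Administrators, a firewall rule added (the RDP re-enabling step), a Defender exclusion or disable change, encoded PowerShell, and the start of a remote-management executable. It serves both the persistence and lateral movement passage above and the defense tampering passage. The function names, the scoring rule, the sample records and the RMM executable names are this example's own assumptions; the event IDs are standard Windows ones (Security 4720, 4732, 4946, 4688 and Defender Operational 5007).

```powershell
# Added example (not Microsoft's code). Security log IDs: 4720 account created, 4732 member
# added to a local group, 4946 firewall rule added, 4688 process created (requires the
# "Include command line in process creation events" policy). Defender/Operational 5007:
# antimalware configuration changed. RMM names are assumptions based on the tools named above.
$RmmExecutables = @('AteraAgent.exe', 'ScreenConnect.ClientService.exe', 'AnyDesk.exe',
                    'MeshAgent.exe', 'dwagent.exe', 'PDQDeployRunner-1.exe')

function Get-Storm1175Signals {
    param([Parameter(Mandatory)][object[]]$Events)   # objects with TimeCreated, Id, Message
    $signals = New-Object System.Collections.Generic.List[object]
    foreach ($e in $Events) {
        $m = [string]$e.Message; $kind = $null; $detail = $null
        switch ($e.Id) {
            4720 { if ($m -match '(?s)New Account:.*?Account Name:\s*(\S+)') { $kind = 'AccountCreated'; $detail = $Matches[1] } }
            # 4732's Member "Account Name" is often "-" for local accounts, so the SID is captured.
            4732 { if ($m -match '(?s)Member:.*?Security ID:\s*(\S+).*?Group Name:\s*Administrators') { $kind = 'AddedToLocalAdmins'; $detail = $Matches[1] } }
            4946 { if ($m -match 'Rule Name:\s*(.+)') { $kind = 'FirewallRuleAdded'; $detail = $Matches[1].Trim() } }
            5007 {
                if ($m -match 'Exclusions\\(Paths|Extensions|Processes)\\(.+?) = ') { $kind = 'DefenderExclusionAdded'; $detail = $Matches[2] }
                elseif ($m -match 'DisableAntiSpyware|DisableRealtimeMonitoring') { $kind = 'DefenderDisabled'; $detail = $m }
            }
            4688 {
                if ($m -match 'Process Command Line:\s*(.+)') {
                    $cmd = $Matches[1].Trim()
                    if ($cmd -match '(?i)powershell.*\s-(e|ec|enc|encodedcommand)\s') { $kind = 'EncodedPowerShell'; $detail = $cmd }
                }
                if (-not $kind -and $m -match 'New Process Name:\s*(.+)') {
                    $exe = [System.IO.Path]::GetFileName($Matches[1].Trim())
                    if ($RmmExecutables -contains $exe) { $kind = 'RmmToolStarted'; $detail = $exe }
                }
            }
        }
        if ($kind) { $signals.Add([pscustomobject]@{ Time = $e.TimeCreated; Kind = $kind; Detail = $detail }) }
    }
    return $signals
}

function Test-Storm1175Chain {
    param([Parameter(Mandatory)][object[]]$Events, [int]$WindowHours = 24)
    $signals = @(Get-Storm1175Signals -Events $Events | Sort-Object Time)
    $kinds = @($signals | ForEach-Object Kind | Select-Object -Unique)
    $persistence = ('AccountCreated' -in $kinds) -and ('AddedToLocalAdmins' -in $kinds)
    $tampering = @($kinds | Where-Object { $_ -in 'FirewallRuleAdded', 'DefenderExclusionAdded', 'DefenderDisabled', 'EncodedPowerShell' }).Count
    $span = if ($signals.Count -gt 1) { [math]::Round(($signals[-1].Time - $signals[0].Time).TotalHours, 2) } else { 0 }
    [pscustomobject]@{
        Signals    = $signals
        SpanHours  = $span
        Suspicious = $persistence -and ($tampering -ge 1) -and ($span -le $WindowHours)
        Reason     = if ($persistence) { "new local admin plus $tampering tampering/evasion signal type(s) within $span h" } else { 'no persistence chain seen' }
    }
}

# Constructed sample records in the shape Get-WinEvent returns; names, SIDs and paths are made up.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2025-01-10 02:14:05'; Id = 4720; Message = "A user account was created.`r`nNew Account:`r`n`tSecurity ID:`tS-1-5-21-1-2-3-1105`r`n`tAccount Name:`tsvc_backup2" }
    [pscustomobject]@{ TimeCreated = [datetime]'2025-01-10 02:14:09'; Id = 4732; Message = "A member was added to a security-enabled local group.`r`nMember:`r`n`tSecurity ID:`tS-1-5-21-1-2-3-1105`r`n`tAccount Name:`t-`r`nGroup:`r`n`tSecurity ID:`tS-1-5-32-544`r`n`tGroup Name:`tAdministrators" }
    [pscustomobject]@{ TimeCreated = [datetime]'2025-01-10 02:20:41'; Id = 4946; Message = "A change has been made to Windows Firewall exception list. A rule was added.`r`nRule Name:`tAllow RDP" }
    [pscustomobject]@{ TimeCreated = [datetime]'2025-01-10 03:02:17'; Id = 5007; Message = "Microsoft Defender Antivirus Configuration has changed.`r`n`tNew value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\D:\ = 0x0" }
    [pscustomobject]@{ TimeCreated = [datetime]'2025-01-10 03:05:55'; Id = 4688; Message = "A new process has been created.`r`nNew Process Name:`tC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`r`nProcess Command Line:`tpowershell.exe -nop -w hidden -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA==" }
    [pscustomobject]@{ TimeCreated = [datetime]'2025-01-10 03:30:02'; Id = 4688; Message = "A new process has been created.`r`nNew Process Name:`tC:\Program Files (x86)\AnyDesk\AnyDesk.exe`r`nProcess Command Line:`tAnyDesk.exe --service" }
)

$result = Test-Storm1175Chain -Events $SampleEvents
$result.Signals | Format-Table Time, Kind, Detail -AutoSize
"Suspicious: $($result.Suspicious) ($($result.Reason))"

# Against a live host (elevated session):
# $live  = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732, 4946, 4688; StartTime = (Get-Date).AddDays(-1) })
# $live += @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007; StartTime = (Get-Date).AddDays(-1) })
# Test-Storm1175Chain -Events $live
```

The RMM start signal is deliberately not scored on its own, because the tools named above are legitimate in many environments; it is surfaced so an analyst can ask whether that agent is expected on that host, which is the distinction the article says makes this movement hard to spot. Whole-drive exclusions and encoded PowerShell following a fresh local admin account within one working day is the combination the scoring flags.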