www.darkreading.com, 4/7/2026, 9:02:39 PM

Storm-1175 Deploys Medusa Ransomware at 'High Velocity'

Storm-1175 is described by Microsoft Threat Intelligence as a financially motivated group conducting “high velocity ransomware campaigns” built on rapid exploitation of known vulnerabilities, often delivering Medusa ransomware within days, and in some cases within 24 hours, of initial access. According to Microsoft Threat Intelligence, the group has exploited more than a dozen vulnerabilities, including CVE-2026-1731 in BeyondTrust Remote Support, and several zero-days have also been linked to Storm-1175.

The attackers’ fast playbook covers vulnerability exploitation, data exfiltration, and ransomware delivery, and they have heavily impacted sectors such as healthcare, education, professional services and finance across Australia, the United Kingdom and the United States. Storm-1175’s activity has included tampering with security tools to enable Medusa payloads, a technique highlighted by Microsoft and tied to credential dumping and the use of RMM software for lateral movement.

The piece also lists further CVEs tied to these campaigns, such as CVE-2025-31161 in CrushFTP, CVE-2024-27198 in JetBrains TeamCity, CVE-2023-21529 in Microsoft Exchange, CVE-2026-23760 in SmarterMail, and CVE-2025-10035 in GoAnywhere MFT, with exploitation occurring prior to public disclosure in several cases.

Article by CyberSIXT