A prolific cybercrime group has been weaponizing n-day and zero-day exploits in high-tempo Medusa ransomware attacks, according to Microsoft. The group, tracked as Storm-1175, is a financially motivated actor that usually exploits the window between vulnerability disclosure and patch adoption, Microsoft said in a blog post on April 6.
“The threat actor’s high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organisations, as well as those in the education, professional services, and finance sectors in Australia, the UK and US,” it said. The group has exploited at least 16 vulnerabilities since 2023, including three zero-day flaws such as CVE-2025-10035 in GoAnywhere MFT, exploited one week before public disclosure last year.
Microsoft outlined the group's typical TTPs, from dropping a web shell and establishing persistence to using living-off-the-land binaries (LOLBins), Cloudflare tunnels and PDQ Deployer for lateral movement. It also recommended mitigations, including perimeter hardening, VPN-only access for web-facing systems, and enabling MFA and tamper protection, among other steps.