Storm-1175, the financially motivated cybercriminal actor tracked by Microsoft Threat Intelligence, operates high-velocity ransomware campaigns that weaponise recently disclosed vulnerabilities to gain initial access and move rapidly from exploitation to data exfiltration and Medusa ransomware deployment.
According to Microsoft Threat Intelligence, the group has leveraged more than 16 vulnerabilities since 2023, including CVEs such as CVE-2023-27351 and CVE-2023-46805, and has demonstrated the ability to weaponise disclosed flaws within days or even before public disclosure.
The campaigns frequently target web-facing assets and perimeter-facing systems, with recent intrusions heavily impacting healthcare, education, professional services and finance organisations in Australia, the United Kingdom and the United States. In addition to zero-days, Storm-1175 has used N-day vulnerabilities, chained multiple exploits, and relied on tools such as remote monitoring and management (RMM) software, PDQ Deployer and Impacket to enable post-compromise activity, lateral movement and ransomware delivery.
The operators also engage in data exfiltration and double extortion, using Bandizip and Rclone to steal and transfer data to attacker-controlled cloud resources before deploying Medusa across networks. Defenders are urged to harden perimeter defences and implement prevention measures, including Defender XDR attack surface disruption and tamper protection, to disrupt the threat and limit lateral movement.
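The exfiltration pattern described above (archive the data with Bandizip, then push it off-host with Rclone to a cloud remote) is one that endpoint telemetry can surface. The following detector is an added example, not code from Microsoft Threat Intelligence or from the summary above: it scans process-creation events for a Bandizip archive run followed within a short window by an Rclone transfer to a remote on the same host, and rates the chained sequence higher than a lone Rclone transfer. The tab-separated event format, host and user names, paths and command lines are constructed for illustration, and the Bandizip CLI image name (`bz.exe`) and its `a` (add-to-archive) sub-command are assumptions; real Sysmon Event ID 1 or EDR process events would need mapping onto the same fields.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str      # process image name, lower-cased
    cmdline: str


# Image names for the tooling named in the summary. bz.exe is assumed to be
# the Bandizip command-line front end; adjust to what your telemetry shows.
ARCHIVER_IMAGES = {"bandizip.exe", "bz.exe"}
RCLONE_IMAGES = {"rclone.exe"}
# rclone sub-commands that move data off the host (listing/config verbs are ignored).
RCLONE_XFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# Matches an rclone remote reference such as "mega:/out" or "s3:bucket/path"
# while skipping Windows drive letters ("C:\...") and URL schemes ("https://...").
REMOTE_RE = re.compile(r"(?<![\w\\/:])([A-Za-z][\w-]+):(?!\\|//)")


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed record: ts<TAB>host<TAB>user<TAB>image<TAB>cmdline."""
    ts, host, user, image, cmdline = line.rstrip("\n").split("\t", 4)
    return ProcEvent(datetime.fromisoformat(ts), host, user, image.lower(), cmdline)


def rclone_remote(ev: ProcEvent) -> Optional[str]:
    """Return the remote name if this is an rclone transfer to a remote, else None."""
    if ev.image not in RCLONE_IMAGES:
        return None
    args = ev.cmdline.split()
    if not any(a in RCLONE_XFER_VERBS for a in args[1:]):
        return None
    m = REMOTE_RE.search(ev.cmdline)
    return m.group(1) if m else None


def is_archive_staging(ev: ProcEvent) -> bool:
    """True when the archiver is invoked to create an archive (assumed 'a'/'c' verb)."""
    if ev.image not in ARCHIVER_IMAGES:
        return False
    args = ev.cmdline.split()
    return len(args) > 1 and args[1].lower() in {"a", "c"}


def detect(lines: List[str], window: timedelta = timedelta(minutes=30)) -> List[Dict]:
    """Correlate archive creation with a later rclone transfer on the same host."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    last_archive: Dict[str, ProcEvent] = {}
    alerts: List[Dict] = []
    for ev in events:
        if is_archive_staging(ev):
            last_archive[ev.host] = ev
            continue
        remote = rclone_remote(ev)
        if remote is None:
            continue
        prior = last_archive.get(ev.host)
        chained = prior is not None and ev.ts - prior.ts <= window
        alerts.append({
            "ts": ev.ts.isoformat(),
            "host": ev.host,
            "user": ev.user,
            "remote": remote,
            "severity": "high" if chained else "medium",
        })
    return alerts


# Constructed sample telemetry (not real IoCs): an archive-then-transfer chain on
# FS01, benign noise on WS22, a lone transfer on DB03 and a non-transfer rclone verb.
SAMPLE_EVENTS = [
    "2024-05-02T01:14:05\tFS01\tCORP\\svc_backup\tbz.exe\tbz.exe a -y C:\\Temp\\hr.zip \\\\FS01\\HR",
    "2024-05-02T01:21:40\tFS01\tCORP\\svc_backup\trclone.exe\trclone.exe copy C:\\Temp\\hr.zip mega:/out --transfers 8",
    "2024-05-02T01:30:00\tWS22\tCORP\\jdoe\tnotepad.exe\tnotepad.exe C:\\notes.txt",
    "2024-05-02T02:05:10\tDB03\tCORP\\dba\trclone.exe\trclone.exe sync D:\\dumps s3:backup-bucket/dumps",
    "2024-05-02T03:00:00\tDB03\tCORP\\dba\trclone.exe\trclone.exe lsd s3:backup-bucket",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running it yields two alerts: a high-severity one for FS01 (archive created, then copied to a `mega:` remote seven minutes later) and a medium-severity one for DB03 (a `sync` to an `s3:` remote with no preceding archive run). The `lsd` listing on DB03 is deliberately ignored, since only verbs that move data count as transfer. Tuning points in practice are the `window`, the set of archiver images (7-Zip and WinRAR are common substitutes) and an allow-list for hosts that legitimately run Rclone to sanctioned backup remotes.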