A China-based threat actor linked to Medusa ransomware has been tied to weaponising a mix of zero-day and N-day vulnerabilities to run high-velocity attacks on internet-facing assets. According to Microsoft Threat Intelligence, the group’s rapid tempo and skill at identifying exposed perimeter assets have yielded intrusions that heavily affect healthcare, education, professional services, and finance organisations in Australia, the United Kingdom, and the United States.
The actor, tracked as Storm-1175, has exploited zero-days, sometimes before public disclosure, and has chained multiple exploits for post-compromise activity; initial access is often followed by rapid data exfiltration and Medusa deployment within days, and in some incidents within 24 hours.
The actor reportedly establishes persistence by creating new user accounts and deploying web shells or legitimate remote-monitoring software, uses those footholds for lateral movement, and then deploys the ransomware while attempting to bypass security tooling, for example by adding Microsoft Defender exclusions. Since 2023, Storm-1175 has been linked to more than 16 vulnerabilities, including CVE-2023-21529 (Microsoft Exchange Server) and CVE-2026-1731 (BeyondTrust), among others.
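Two of the post-compromise steps described above, new local accounts and Microsoft Defender exclusions, leave traces in standard Windows event channels (Security event 4720 for account creation, Defender Operational event 5007 for configuration changes). The following Python triage routine is an added example, not code from the original report or from Microsoft: it scans a handful of constructed event records for those two signals and ties them back to the web-shell angle by treating account creation by a web-server worker identity, or an exclusion covering a web root, as high severity. The flat message layout, the `AUTHORISED_CREATORS` list and the `WEB_WORKER_NAMES` heuristic are assumptions for illustration; a production version would read the structured EVTX fields and derive the allow-list from the organisation's IAM data.

```python
import re
from dataclasses import dataclass

# Constructed sample records: (channel, event_id, message). Real events carry
# structured XML fields; this flat text form approximates the rendered message.
SAMPLE_EVENTS = [
    ("Security", 4624,
     "An account was successfully logged on. Subject: Account Name: svc_backup"),
    ("Security", 4720,
     "A user account was created. Subject: Account Name: w3wp  "
     "New Account: Account Name: support_tmp"),
    ("Microsoft-Windows-Windows Defender/Operational", 5007,
     "Microsoft Defender Antivirus Configuration has changed. Old value:  New value: "
     "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\inetpub\\wwwroot = 0x0"),
    ("Microsoft-Windows-Windows Defender/Operational", 5007,
     "Microsoft Defender Antivirus Configuration has changed. Old value:  New value: "
     "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScanParameters = 0x2"),
    ("Security", 4720,
     "A user account was created. Subject: Account Name: helpdesk_admin  "
     "New Account: Account Name: jsmith"),
]

@dataclass
class Finding:
    rule: str
    severity: str
    detail: str

# Exclusion changes show up as a registry path under ...\Exclusions\<Kind>\<target>.
EXCLUSION_RE = re.compile(
    r"Windows Defender\\Exclusions\\(Paths|Extensions|Processes)\\(.+?) = ")
# Creator (Subject) and the newly created account in a 4720 message.
NEW_ACCOUNT_RE = re.compile(
    r"Subject: Account Name: (\S+).*?New Account: Account Name: (\S+)")

# Assumed allow-list of identities permitted to create accounts (hypothetical).
AUTHORISED_CREATORS = {"helpdesk_admin"}
# Assumed web-server worker identities that should never create accounts (hypothetical).
WEB_WORKER_NAMES = {"w3wp", "httpd", "tomcat", "php-fpm"}
# Assumed web-root prefixes; an exclusion here is consistent with protecting a web shell.
WEB_ROOT_PREFIXES = ("c:\\inetpub", "c:\\wwwroot", "/var/www")

def triage(events):
    """Return a list of Finding objects for suspicious persistence/evasion events."""
    findings = []
    for channel, event_id, msg in events:
        if channel == "Security" and event_id == 4720:
            m = NEW_ACCOUNT_RE.search(msg)
            if not m:
                continue
            creator, new_acct = m.groups()
            if creator.lower() in WEB_WORKER_NAMES:
                findings.append(Finding("account-created-by-web-process", "high",
                                        f"{new_acct} created by {creator}"))
            elif creator not in AUTHORISED_CREATORS:
                findings.append(Finding("account-created-unauthorised", "medium",
                                        f"{new_acct} created by {creator}"))
        elif "Windows Defender" in channel and event_id == 5007:
            m = EXCLUSION_RE.search(msg)
            if not m:
                continue  # other configuration changes are not in scope here
            kind, target = m.groups()
            on_web_root = kind == "Paths" and target.lower().startswith(WEB_ROOT_PREFIXES)
            findings.append(Finding("defender-exclusion-added",
                                    "high" if on_web_root else "medium",
                                    f"{kind} exclusion for {target}"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

Run against the constructed records, the routine reports the account created by the `w3wp` worker and the exclusion on the IIS web root, and stays silent on the benign logon, the scan-parameter change and the account created by the allow-listed helpdesk identity. The two rules are deliberately narrow; the value for an analyst is in correlating them in time, since the report describes exclusions being added in the same short window as account creation and ransomware staging.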