Microsoft reports that the China-based cybercrime group Storm-1175 is launching high-speed attacks using both known and zero-day vulnerabilities to deploy Medusa ransomware. This financially motivated actor targets various sectors across the globe by weaponizing security flaws often before patches are even available to the public.
Storm-1175 has distinguished itself through its remarkable speed and technical agility in the digital landscape. The group consistently shifts its focus to newly discovered security vulnerabilities, allowing them to infiltrate victim networks with minimal resistance. In several instances, they have successfully weaponized these flaws within twenty-four hours of discovery, sometimes exploiting them an entire week before a formal security patch is released by software vendors.
The operational tempo of this group allows them to move from an initial breach to the full exfiltration of sensitive data and ransomware deployment in a very short window. Microsoft has documented cases where the entire attack cycle is completed within a single day. Their ability to quickly identify and attack exposed perimeter assets makes them a particularly potent threat to organizations that cannot update their systems at a matching pace.
Recent campaigns by this threat actor have primarily focused on critical infrastructure and service-oriented sectors. Healthcare organizations have been hit particularly hard, along with institutions in education, finance, and professional services. These attacks have been geographically concentrated in Australia, the United Kingdom, and the United States, suggesting a strategic focus on high-value targets in these regions.
To ensure the success of their intrusions, Storm-1175 operators frequently chain multiple exploits together to solidify their presence on a compromised network. Once they gain entry, they work systematically to create new user accounts and install remote monitoring tools that allow for long-term access. These steps are often accompanied by the theft of legitimate credentials, which helps them move laterally through the network undetected.
Before the final stage of an attack, the group takes deliberate steps to neutralize existing defenses by disabling security software on the infected machines. With the path cleared, they deploy the Medusa ransomware payload without interference. By the time an organization realizes its systems have been breached, the group has usually already exfiltrated the data and locked down the infrastructure for extortion.
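The post-intrusion sequence described above (new accounts, remote monitoring tooling, security software switched off, all inside a short window) is something defenders can look for in host logs. The script below is an added example and is not part of the Microsoft report or this summary. It scans constructed, Windows-style log lines and raises an alert when all three stages appear on one host within a few hours. Event IDs 4720 (user account created), 4688 (process creation) and 5001 (Microsoft Defender real-time protection disabled) are real Windows identifiers; the line format, the hostnames, the six-hour window and the list of RMM product names are assumptions made for this example and say nothing about which tools Storm-1175 actually used.

```python
"""
Added example (not from the Microsoft report or this summary): flag hosts
where the Storm-1175 style post-intrusion chain appears in a short window.
The log line format and sample lines below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> <host> EventID=<n> <free text>"
LINE_RE = re.compile(r"^(\S+) (\S+) EventID=(\d+) (.*)$")

# Illustrative remote monitoring/management (RMM) product names; an assumption,
# not a claim about the tooling this actor deploys.
RMM_HINTS = ("anydesk", "teamviewer", "screenconnect", "atera", "splashtop")

# The report notes whole attack cycles inside a single day; six hours is an assumed window.
WINDOW = timedelta(hours=6)

REQUIRED_STAGES = {"new_account", "rmm_install", "defense_disabled"}


def parse(line):
    """Parse one log line into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, eid, msg = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "eid": int(eid), "msg": msg}


def classify(ev):
    """Map one parsed event to an intrusion stage, or None if it is not of interest."""
    if ev["eid"] == 4720:                      # A user account was created
        return "new_account"
    if ev["eid"] == 5001:                      # Defender real-time protection disabled
        return "defense_disabled"
    if ev["eid"] == 4688 and any(h in ev["msg"].lower() for h in RMM_HINTS):
        return "rmm_install"                   # process creation naming an RMM binary
    return None


def find_intrusion_chains(lines, window=WINDOW):
    """Return {host: sorted stages} for every host showing all three stages within `window`."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].append((ev["ts"], stage))

    alerts = {}
    for host, events in per_host.items():
        events.sort()
        # Slide a window starting at each event; alert on the first complete chain.
        for i, (t0, _) in enumerate(events):
            stages = {s for t, s in events[i:] if t - t0 <= window}
            if REQUIRED_STAGES <= stages:
                alerts[host] = sorted(stages)
                break
    return alerts


# Constructed sample log lines. srv-web01 shows the full chain within an hour;
# ws-finance07 has a new account and a Defender change two days apart and no RMM.
SAMPLE_LOGS = [
    "2026-04-01T02:10:00 srv-web01 EventID=4688 New Process Name: C:\\Windows\\System32\\cmd.exe",
    "2026-04-01T02:14:30 srv-web01 EventID=4720 A user account was created. Account Name: svc_backup",
    "2026-04-01T02:40:12 srv-web01 EventID=4688 New Process Name: C:\\Users\\Public\\AnyDesk.exe",
    "2026-04-01T03:05:44 srv-web01 EventID=5001 Microsoft Defender real-time protection is disabled",
    "2026-04-01T09:00:00 ws-finance07 EventID=4720 A user account was created. Account Name: jdoe",
    "2026-04-03T09:00:00 ws-finance07 EventID=5001 Microsoft Defender real-time protection is disabled",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for host, stages in find_intrusion_chains(SAMPLE_LOGS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

Any single stage on its own (a new service account, an RMM install by IT) is routine; the value is in correlating all three on one host inside a window shorter than the actor's own tempo, which is why the finance workstation with two stages spread over two days produces no alert.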
Source: https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/