Microsoft Threat Intelligence published a detailed report on April 6 attributing high-velocity Medusa ransomware operations to Storm-1175, a China-based financially motivated threat actor. The group’s defining characteristic is speed: from initial access to full ransomware deployment in under 24 hours, leveraging zero-day exploits against internet-facing infrastructure.

What Happened

Storm-1175 has been operating as a primary affiliate for the Medusa ransomware-as-a-service (RaaS) operation. Microsoft’s report details a pattern of exploiting freshly disclosed and pre-disclosure vulnerabilities in web-facing applications to gain initial footholds, then racing through the kill chain before defenders can respond.

The group has weaponized at least three zero-day vulnerabilities:

  • CVE-2026-23760 — An authentication bypass in SmarterTools SmarterMail (versions prior to build 9511). The force-reset-password API endpoint accepts anonymous requests and fails to verify existing passwords or reset tokens when resetting system administrator accounts. Storm-1175 exploited this a week before public disclosure.

  • CVE-2025-10035 — A critical (CVSS 10.0) deserialization vulnerability in Fortra GoAnywhere MFT’s License Servlet (versions ≤ 7.8.3). It allows remote code execution via crafted license response signatures. Exploited by Storm-1175 starting September 11, 2025 — a week before Fortra’s advisory.

  • CVE-2025-31324 — An SAP NetWeaver vulnerability weaponized within one day of public disclosure in April 2025.

Attack Chain

The playbook is consistent across campaigns:

Initial Access: Exploit a zero-day or freshly patched vulnerability in an internet-facing application — mail servers, file transfer platforms, or ERP systems.

Persistence & Lateral Movement: Upon gaining a foothold, Storm-1175 deploys remote monitoring and management (RMM) tools like SimpleHelp and MeshAgent. They use living-off-the-land binaries (LOLBins) — PowerShell, PsExec — alongside Impacket for lateral movement. PDQ Deployer is used for both lateral movement and payload delivery across the network.

Defense Evasion: The group escalates to local admin and sets antivirus exclusions to blind endpoint security solutions.

Exfiltration: Data is staged and exfiltrated using Rclone before encryption begins.

Ransomware Deployment: In mature environments, Storm-1175 hijacks Active Directory to push Medusa ransomware via Group Policy to every domain-joined machine simultaneously.

Who’s Affected

Storm-1175’s targeting is broad but weighted toward healthcare, education, professional services, and financial organizations across the United States, United Kingdom, and Australia. Any organization running internet-facing SmarterMail, GoAnywhere MFT, or SAP NetWeaver instances should treat this as an active threat.

CISA and the FBI previously issued a joint advisory (AA25-071A) in March 2025 warning that Medusa had already impacted over 300 critical infrastructure organizations in the U.S.

What To Do Right Now

Patch immediately:

  • SmarterMail: Upgrade to build 9511 or later to close CVE-2026-23760
  • GoAnywhere MFT: Upgrade to version 7.8.4 (or Sustain Release 7.6.3) for CVE-2025-10035
  • SAP NetWeaver: Apply the April 2025 patches for CVE-2025-31324

Hunt for post-compromise indicators:

  • Look for SimpleHelp, MeshAgent, or unexpected RMM tools in your environment
  • Check for new antivirus exclusions set via local admin
  • Audit Group Policy changes, especially any deploying new executables
  • Monitor for Rclone or similar sync tools exfiltrating data
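
The hunt list above, turned into a single-host triage script. This is an added example, not code from Microsoft's report; the service and process name patterns for SimpleHelp, MeshAgent and Rclone, and the Rclone config path, are assumptions based on the tools named in the article. Run it in an elevated PowerShell session; the Group Policy check only returns results on a domain controller with directory service change auditing enabled.

```powershell
# Added triage script (assumptions: tool name patterns below, rclone.conf location).
$rmmPatterns    = 'SimpleHelp', 'MeshAgent', 'Mesh Agent'
$exfilPatterns  = 'rclone'
$lookbackDays   = 30

# 1. Antivirus exclusions currently configured in Microsoft Defender.
$pref = Get-MpPreference
[PSCustomObject]@{
    Check     = 'Defender exclusions'
    Paths     = ($pref.ExclusionPath -join '; ')
    Processes = ($pref.ExclusionProcess -join '; ')
    Exts      = ($pref.ExclusionExtension -join '; ')
}

# 2. Recent exclusion changes: Defender records configuration changes as event 5007.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = (Get-Date).AddDays(-$lookbackDays)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message

# 3. RMM tools and sync tools: installed services and running processes.
Get-Service | Where-Object {
    $label = "$($_.Name) $($_.DisplayName)"
    ($rmmPatterns | Where-Object { $label -match $_ })
} | Select-Object Name, DisplayName, Status

Get-Process | Where-Object {
    $proc = $_
    (($rmmPatterns + $exfilPatterns) | Where-Object { $proc.ProcessName -match $_ })
} | Select-Object ProcessName, Id, Path

# Rclone keeps its remotes in a per-user config file; its presence is worth a look.
Get-ChildItem -Path 'C:\Users\*\AppData\Roaming\rclone\rclone.conf' -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime

# 4. Group Policy changes: on a DC with "Audit Directory Service Changes" enabled,
#    Security event 5136 records modifications to groupPolicyContainer objects.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5136
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'groupPolicyContainer' } |
    Select-Object TimeCreated, Message
```

Any hit in sections 2 to 4 is a lead to pivot on, not a verdict: confirm who made the change and whether a change ticket exists before escalating.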

Reduce attack surface:

  • Restrict internet exposure of mail servers and file transfer platforms
  • Enforce MFA on all administrative interfaces
  • Segment networks to slow lateral movement — Storm-1175’s speed advantage collapses if they can’t reach AD within hours

Monitor Microsoft’s threat intelligence feeds for updated IOCs. The full report is available on the Microsoft Security Blog.