Hackers News
Microsoft Warns of Critical Medusa Ransomware Attacks Exploiting 0-Day Flaws

Marcus Rodriguez
April 7, 2026

Key Takeaways

  • A sophisticated threat actor, Storm-1175, is deploying Medusa ransomware in high-speed campaigns.
  • The group rapidly exploits “N-day” vulnerabilities and has demonstrated zero-day capabilities, impacting critical internet-facing applications like file transfer tools and mail servers.
  • Attacks are characterized by rapid compromise, often within 24 hours, followed by double extortion tactics.
  • Microsoft Threat Intelligence has tracked Storm-1175 since 2023, observing its exploitation of over 16 known vulnerabilities.

Microsoft Warns of High-Speed Medusa Ransomware Attacks by Storm-1175

Organizations are confronting a severe and fast-moving ransomware threat from the actor Microsoft tracks as Storm-1175. According to a recent advisory from Microsoft Threat Intelligence, the group is distinguished by its operational tempo: it can compromise and encrypt an entire network in as little as 24 hours from initial breach.

Storm-1175’s primary modus operandi revolves around exploiting “N-day” vulnerabilities—publicly disclosed software flaws that remain unpatched in many systems. The group aggressively scans for internet-exposed applications, including file transfer utilities and mail servers, that are still running vulnerable software versions. Even a brief window of exposure, sometimes just a few days, is sufficient for these attackers to gain initial access.

Microsoft’s analysts have monitored Storm-1175 since 2023 and attribute the exploitation of more than 16 known vulnerabilities across various enterprise platforms to the group. Beyond N-day exploitation, Storm-1175 has also shown it can use zero-day flaws, vulnerabilities unknown to the public or the vendor at the time of exploitation. Notable instances are CVE-2026-23760 in SmarterMail and CVE-2025-10035 in Fortra’s GoAnywhere Managed File Transfer, each of which the group exploited about a week before public disclosure.

The ransomware deployed by Storm-1175 is Medusa, which operates as a Ransomware-as-a-Service (RaaS) platform: its developers lease the encryptor and supporting infrastructure to affiliates such as Storm-1175. Medusa uses double extortion: victims’ data is exfiltrated before it is encrypted, and the attackers threaten to publish it if the ransom is not paid. This puts two kinds of pressure on the victim, immediate operational disruption and long-term exposure of the stolen data. Because initial access comes through exposed applications, organizations that run internet-facing file transfer or mail platforms are the most exposed to Storm-1175’s campaigns.

Storm-1175 attack chain (Source: Microsoft)

Storm-1175’s Post-Compromise Tactics

Once Storm-1175 breaches a target environment, the group follows a meticulously planned sequence of actions. Initial access is typically followed by the deployment of a web shell or a remote access payload. This persistent backdoor ensures continued access to the compromised system, even if the original entry point is patched. The creation of new user accounts early in the attack chain provides an additional, redundant access path into the network.

Subsequently, Storm-1175 uses legitimate remote monitoring and management (RMM) tools so that its lateral movement blends in with routine IT traffic and does not trigger immediate alerts. To further evade detection, the group alters Microsoft Defender Antivirus settings in the Windows registry, a step that requires elevated privileges, and runs encoded PowerShell commands that add entire drives to the antivirus exclusion list, so Defender no longer scans anything on those volumes. In parallel, credential theft targets the high-privilege accounts needed to deploy ransomware across the network.

For the final stage of the operation, Storm-1175 leverages Bandizip to package exfiltrated files and Rclone to transfer this data to attacker-controlled cloud storage. PDQ Deployer is then used to execute a script named RunFileCopy.cmd, which pushes Medusa ransomware payloads to all accessible machines. In some scenarios, the group exploits elevated privileges to force a Group Policy update, allowing for simultaneous ransomware deployment across every system within the domain.

What You Should Do

  • Patch Immediately: Prioritize patching all internet-facing systems without delay. For vulnerabilities listed in the CISA Known Exploited Vulnerabilities catalog, patching within 72 hours is critical.
  • Monitor for Early Indicators: Implement robust monitoring for alerts related to credential theft, unauthorized registry modifications, and the creation of new user accounts, as these are strong indicators of active intrusion.
  • Restrict RMM Tools: Limit the use of remote monitoring and management tools to only approved applications and enforce strict access controls.
  • Enforce Multi-Factor Authentication (MFA): Implement MFA for all privileged accounts and critical systems to prevent unauthorized access even if credentials are stolen.
  • Audit Antivirus Exclusions: Regularly audit antivirus exclusion paths to detect and rectify any unauthorized modifications that attackers might use to bypass security software.
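The behaviours described in the post-compromise section (encoded PowerShell that adds drive-wide Defender exclusions, Defender policy changes in the registry, and new local accounts) and the monitoring and exclusion-audit items in the list above are exactly what a detection rule has to catch. The following Python is an added example written for this article, not code from Microsoft’s report or from any vendor. The command lines it scans are constructed for the example, and its rules (drive-root exclusions rated high, the list of Defender policy values treated as tampering, the account-creation patterns) are this example’s own assumptions rather than published detections.

```python
import base64
import re

# Real Defender policy value names that switch protection off; treating a command
# line that writes them as hostile is this example's rule, not a published Microsoft one.
DEFENDER_POLICY_KEY = r"software\policies\microsoft\windows defender"
DEFENDER_KILL_VALUES = ("disableantispyware", "disablerealtimemonitoring",
                        "disablebehaviormonitoring", "disableioavprotection")

ENC_FLAG = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.I)
EXCLUSION_ARG = re.compile(r"""-Exclusion(?:Path|Process|Extension)\s+['"]?([^'"\s,]+)""", re.I)
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)(?:\s+\S+)?\s+/add\b", re.I)
NEW_LOCAL_USER = re.compile(r"""New-LocalUser\s+(?:-Name\s+)?['"]?([^'"\s]+)""", re.I)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (or the abbreviations PowerShell
    accepts: -e, -ec, -en, -enc, ...), or None if the command line has none."""
    for flag, blob in ENC_FLAG.findall(cmdline):
        flag = flag.lower()
        if not ("encodedcommand".startswith(flag) or flag == "ec"):
            continue
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def defender_exclusion_findings(script):
    """Add-/Set-MpPreference calls that exclude paths or disable features.
    A drive-root exclusion (e.g. C:\\) blinds Defender to the whole volume."""
    findings = []
    if not re.search(r"\b(?:Add|Set)-MpPreference\b", script, re.I):
        return findings
    for target in EXCLUSION_ARG.findall(script):
        sev = "high" if DRIVE_ROOT.match(target) else "medium"
        findings.append((sev, f"Defender exclusion added for {target}"))
    for feature in re.findall(r"-Disable(\w+)\s+\$?true", script, re.I):
        findings.append(("high", f"Defender feature disabled: {feature}"))
    return findings or [("medium", "Defender preferences changed")]


def defender_registry_findings(cmdline):
    """reg.exe or *-ItemProperty writes under the Defender policy key."""
    low = cmdline.lower()
    if DEFENDER_POLICY_KEY not in low:
        return []
    if not re.search(r"\breg(?:\.exe)?\s+add\b|set-itemproperty|new-itemproperty", low):
        return []
    hit = sorted(v for v in DEFENDER_KILL_VALUES if v in low)
    if hit:
        return [("high", "Defender policy tampering: " + ", ".join(hit))]
    return [("medium", "Defender policy key modified")]


def account_creation_findings(cmdline):
    """net user ... /add or New-LocalUser: the redundant access path described above."""
    m = NET_USER_ADD.search(cmdline) or NEW_LOCAL_USER.search(cmdline)
    return [("medium", f"local account created: {m.group(1)}")] if m else []


def analyze(cmdlines):
    """Run every rule over each command line and over the decoded payload of any
    encoded PowerShell it carries; return (index, severity, detail) tuples."""
    findings = []
    for i, cmd in enumerate(cmdlines):
        texts = [cmd]
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            texts.append(decoded)
        for text in texts:
            for sev, detail in (defender_exclusion_findings(text)
                                + defender_registry_findings(text)
                                + account_creation_findings(text)):
                findings.append((i, sev, detail))
    return findings


def _enc(script):
    """Encode a script the way PowerShell expects for -EncodedCommand (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation command lines (what Sysmon event 1 or Security 4688
# would carry); none of these come from a real incident.
SAMPLE_CMDLINES = [
    'powershell.exe -NoProfile -Command "Get-Service WinDefend"',            # benign
    "powershell.exe -NoP -W Hidden -enc " + _enc("Add-MpPreference -ExclusionPath 'C:\\'"),
    'reg.exe add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" '
    "/v DisableAntiSpyware /t REG_DWORD /d 1 /f",
    "net1 user svc_backup Summer2026! /add",
]

if __name__ == "__main__":
    for idx, sev, detail in analyze(SAMPLE_CMDLINES):
        print(f"[{sev:6}] event {idx}: {detail}")
        print(f"         {SAMPLE_CMDLINES[idx][:90]}")
```

Run it as a script to see the three hostile events flagged and the benign one ignored. In production the same rules would be fed process-creation command lines (Security 4688 or Sysmon event 1), PowerShell script block logs (event 4104, which already contain the decoded script), and Defender’s own configuration-change events (event 5007 in the Microsoft-Windows-Windows Defender/Operational log). For the periodic exclusion audit recommended above, the authoritative source on each host is `Get-MpPreference`, whose `ExclusionPath`, `ExclusionProcess` and `ExclusionExtension` properties should be compared against an approved baseline.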
