Storm-1175: Chinese Threat Actor Rapidly Exploiting Zero-Days in Medusa Ransomware Attacks
A China-based threat actor, **Storm-1175**, known for deploying **Medusa** ransomware, is actively exploiting both zero-day and N-day vulnerabilities. These "high-velocity" attacks target vulnerable internet-facing systems, with a significant impact on healthcare, education, and financial sectors across multiple countries.

The **Microsoft** Threat Intelligence team reports that **Storm-1175** has been observed leveraging zero-day exploits, even before public disclosure, alongside recently patched vulnerabilities to gain initial access. In some instances, the threat actor chains multiple exploits, such as **OWASSRF**, for post-compromise activities.
### Rapid Data Exfiltration and Ransomware Deployment
Upon gaining a foothold, the financially motivated cybercriminal actor swiftly exfiltrates data and deploys **Medusa** ransomware, often within days, and sometimes within just 24 hours. This rapid deployment highlights the urgency for organizations to patch vulnerabilities promptly.
### Persistence and Evasion Techniques
To maintain persistence, the group creates new user accounts, deploys web shells, or utilizes legitimate remote monitoring and management (RMM) software for lateral movement. They also engage in credential theft and actively interfere with security solutions to avoid detection.
### Exploited Vulnerabilities
Since 2023, **Storm-1175** has been linked to the exploitation of over 16 vulnerabilities, including:
* **CVE-2023-21529** (Microsoft Exchange Server)
* **CVE-2023-27351** and **CVE-2023-27350** (**Papercut**)
* **CVE-2023-46805** and **CVE-2024-21887** (**Ivanti** Connect Secure and Policy Secure)
* **CVE-2024-1708** and **CVE-2024-1709** (**ConnectWise** ScreenConnect)
* **CVE-2024-27198** and **CVE-2024-27199** (**JetBrains** TeamCity)
* **CVE-2024-57726**, **CVE-2024-57727**, and **CVE-2024-57728** (SimpleHelp)
* **CVE-2025-31161** (CrushFTP)
* **CVE-2025-10035** (Fortra GoAnywhere MFT)
* **CVE-2025-52691** and **CVE-2026-23760** (SmarterTools SmarterMail)
* **CVE-2026-1731** (BeyondTrust)

It's reported that both **CVE-2025-10035** and **CVE-2026-23760** were exploited as zero-days before public disclosure. The group has also shown a tendency to target Linux systems, including vulnerable **Oracle** WebLogic instances, though the specific vulnerability used remains unknown.
### Recommendations and Mitigation
**Microsoft** emphasizes that **Storm-1175** rapidly rotates exploits between disclosure and patch availability, exploiting the window where many organizations remain unprotected. Key tactics observed include:
* Utilizing living-off-the-land binaries (LOLBins) such as PowerShell and PsExec, along with Impacket for lateral movement.
* Employing PDQ Deployer for lateral movement and payload delivery, including **Medusa** ransomware.
* Modifying Windows Firewall policies to enable Remote Desktop Protocol (RDP) and deliver malicious payloads.
* Performing credential dumping using Impacket and Mimikatz.
* Configuring **Microsoft** Defender Antivirus exclusions to bypass detection.
* Using Bandizip and Rclone for data collection and exfiltration.

The increasing use of RMM tools like AnyDesk, Atera, MeshAgent, **ConnectWise** ScreenConnect, or SimpleHelp as dual-use infrastructure is a significant concern, as it allows threat actors to blend malicious traffic into trusted, encrypted platforms, reducing the likelihood of detection.
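
As an added illustration (not part of the Microsoft report or this article), the following Python routine flags three of the behaviours listed above in Windows event records: a Defender exclusion being added (Defender Operational log event 5007), a new Windows Firewall rule (Security event 4946), and Rclone or Bandizip process creation (Security event 4688). The event IDs are standard Windows events; the flattened record layout and the sample entries are constructed assumptions, as are the executable names matched.

```python
import re

# Constructed sample events (not real telemetry), flattened to the fields a
# SIEM export typically carries: log channel, event ID and message text.
SAMPLE_EVENTS = [
    {"channel": "Microsoft-Windows-Windows Defender/Operational", "id": 5007,
     "message": r"Antimalware platform configuration changed. New value: "
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Temp = 0x0"},
    {"channel": "Security", "id": 4946,
     "message": "A change has been made to Windows Firewall exception list. "
                "A rule was added. Rule Name: RDP-In Profile: All"},
    {"channel": "Security", "id": 4688,
     "message": r"A new process has been created. New Process Name: "
                r"C:\Users\Public\rclone.exe Process Command Line: rclone.exe copy C:\Finance remote:share"},
    {"channel": "Security", "id": 4688,
     "message": r"A new process has been created. New Process Name: "
                r"C:\Windows\System32\notepad.exe Process Command Line: notepad.exe"},
]

# Each rule: (name, channel, event ID, compiled regex applied to the message).
# The executable names below are assumed defaults for the tools named in the article.
RULES = [
    ("defender_exclusion_added", "Microsoft-Windows-Windows Defender/Operational", 5007,
     re.compile(r"\\Windows Defender\\Exclusions\\", re.I)),
    ("firewall_rule_added", "Security", 4946,
     re.compile(r"A rule was added", re.I)),
    ("exfil_or_archiver_process", "Security", 4688,
     re.compile(r"\\(rclone|bandizip)\.exe", re.I)),
]

def detect(events):
    """Return (rule_name, event) pairs for every event that matches a rule.

    Channel and event ID must match exactly, then the regex is searched in the
    message; an event may therefore fire more than one rule."""
    hits = []
    for ev in events:
        for name, channel, eid, pattern in RULES:
            if ev["channel"] == channel and ev["id"] == eid and pattern.search(ev["message"]):
                hits.append((name, ev))
    return hits

def summarize(events):
    """Count hits per rule name, for a quick triage view of a log batch."""
    counts = {}
    for name, _ in detect(events):
        counts[name] = counts.get(name, 0) + 1
    return counts

if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"[{name}] {ev['channel']} {ev['id']}: {ev['message'][:80]}")
```

In practice the firewall rule would be correlated with the rule's port (3389) and the exclusion path with the process that added it, which the raw 4946 and 5007 messages alone do not give.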