Storm-1175: Chinese Cybercrime Group Weaponizing Zero-Days in High-Velocity Medusa Ransomware Attacks
**Microsoft** is warning that Storm-1175, a China-based financially motivated cybercriminal group, is rapidly deploying both n-day and zero-day exploits to deliver **Medusa** ransomware. The group is known for its speed, sometimes weaponizing vulnerabilities within 24 hours and exploiting them even before patches are released.

**Microsoft** has issued an alert regarding **Storm-1175**, a Chinese cybercrime group actively exploiting both known and zero-day vulnerabilities to deploy **Medusa** ransomware in high-velocity attacks.
### Rapid Exploitation of Vulnerabilities
This cybercrime gang demonstrates a remarkable ability to quickly adapt and target new security vulnerabilities, gaining access to victim networks with alarming speed. In some instances, they have weaponized exploits within a single day and exploited vulnerabilities a week before patches were made available.
"Storm-1175 rapidly moves from initial access to data exfiltration and deployment of Medusa ransomware, often within a few days and, in some cases, within 24 hours," **Microsoft** stated in a recent security blog post.

Their operational tempo and proficiency in identifying exposed perimeter assets have proven successful. Recent intrusions have heavily impacted healthcare, education, professional services, and finance sectors across Australia, the United Kingdom, and the United States.
### Attack Chain and Persistence
**Microsoft** has observed **Storm-1175** operators chaining multiple exploits to establish persistence on compromised systems. This includes creating new user accounts, deploying remote monitoring and management (RMM) software, stealing credentials, and disabling security software before deploying ransomware payloads.

*Storm-1175 attack chain (Microsoft)*
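The persistence chain described above (new account, RMM tool deployed, security software disabled) is something a defender can correlate in host telemetry. The following is an added example, not code from Microsoft's report: it scans constructed Windows event samples for the three stages occurring in order on one host within a time window. The log line format, the event-id mapping and the RMM service-name keywords are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from Microsoft's report); assumed format "<ISO ts> host=<n> event=<id> k=v ...".
# Event ids: 4720 = account created, 7045 = service installed, 5001 = Defender real-time protection off.
SAMPLE_LOGS = """\
2025-10-02T09:14:03 host=fs01 event=4720 user=svc_backup actor=admin
2025-10-02T09:21:47 host=fs01 event=7045 service=SimpleHelp_Remote
2025-10-02T09:40:11 host=fs01 event=5001 product=Defender
2025-10-02T11:02:55 host=web03 event=4720 user=helpdesk2 actor=admin
2025-10-03T08:05:30 host=web03 event=7045 service=PrintHelper
2025-10-04T16:00:00 host=db02 event=7045 service=ScreenConnect_Client
2025-10-04T16:10:00 host=db02 event=5001 product=Defender
"""
# Assumed RMM service-name keywords; tune to the tooling your estate actually authorises.
RMM_KEYWORDS = ("simplehelp", "screenconnect", "anydesk", "atera", "splashtop")
ORDER = ("account_created", "rmm_installed", "av_disabled")
WINDOW = timedelta(hours=24)
KV = re.compile(r"(\w+)=(\S+)")

def stage(ev):
    """Map one event to a stage of the persistence chain, or None if irrelevant."""
    svc = ev.get("service", "").lower()
    if ev["event"] == "4720":
        return "account_created"
    if ev["event"] == "7045" and any(k in svc for k in RMM_KEYWORDS):
        return "rmm_installed"
    return "av_disabled" if ev["event"] == "5001" else None

def find_chains(log_text, window=WINDOW):
    """Return {host: chain start time} for hosts where all stages occur in order within window."""
    by_host = {}
    for line in log_text.splitlines():
        ts, rest = line.split(" ", 1)
        ev = dict(KV.findall(rest), ts=datetime.fromisoformat(ts))
        if s := stage(ev):
            by_host.setdefault(ev["host"], []).append((ev["ts"], s))
    hits = {}
    for host, events in by_host.items():
        start, idx = None, 0  # idx = next expected stage in ORDER
        for ts, s in sorted(events):
            if start is not None and ts - start > window:
                start, idx = None, 0  # chain expired; wait for a fresh account creation
            if s == ORDER[idx]:
                start = ts if idx == 0 else start
                idx += 1
                if idx == len(ORDER):
                    hits[host] = start
                    break
    return hits
```

Only fs01 completes the full sequence; web03 installs a non-RMM service and db02 never creates an account, so neither is reported.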
### Notable Exploits
In October, **Microsoft** reported that **Storm-1175** had been exploiting a critical **GoAnywhere** MFT vulnerability (**CVE-2025-10035**) in **Medusa** ransomware attacks for over a week before a patch was released.
Another notable zero-day exploit used by **Storm-1175** was **CVE-2026-23760**, an authentication bypass in **SmarterTools' SmarterMail** email server and collaboration tool.
**Microsoft** noted that while the group's recent attacks demonstrate an evolved development capability, previous targeting of **GoAnywhere** MFT by ransomware attackers and similarities between the **SmarterMail** vulnerability and a previously disclosed flaw may have facilitated the zero-day exploitation activity.
### Wide Range of Targeted Vulnerabilities
In recent campaigns, **Storm-1175** has exploited more than 16 vulnerabilities across 10 software products, including:
* **Microsoft Exchange** (**CVE-2023-21529**)
* **Papercut** (**CVE-2023-27351** and **CVE-2023-27350**)
* **Ivanti Connect Secure** and **Policy Secure** (**CVE-2023-46805** and **CVE-2024-21887**)
* **ConnectWise ScreenConnect** (**CVE-2024-1709** and **CVE-2024-1708**)
* **JetBrains TeamCity** (**CVE-2024-27198** and **CVE-2024-27199**)
* **SimpleHelp** (**CVE-2024-57726**, **CVE-2024-57727**, and **CVE-2024-57728**)
* **CrushFTP** (**CVE-2025-31161**)
* **SmarterMail** (**CVE-2025-52691**)
* **BeyondTrust** (**CVE-2026-1731**)
### Previous Warnings and Connections
In March 2025, **CISA**, the **FBI**, and the **MS-ISAC** issued a joint advisory, warning that **Medusa** ransomware attacks had impacted over 300 critical infrastructure organizations across the United States.
In July 2024, **Microsoft** linked **Storm-1175**, along with three other cybercrime gangs, to **Black Basta** and **Akira** ransomware attacks that exploited a **VMware ESXi** authentication-bypass flaw.
