Storm-1175 and Medusa Ransomware: High-Speed Zero-Day Exploitation

Microsoft reveals that the Medusa ransomware affiliate group Storm-1175 uses a blitz of zero-day and n-day exploits in rapid attacks.

April 7, 2026

Lightning-Fast Ransomware Breaches

Storm-1175 is a Chinese cybercriminal group behind Medusa ransomware. The gang strikes with unprecedented speed, chaining exploits and breaching networks within hours or days. In fact, it often weaponizes a newly disclosed vulnerability within 24 hours of disclosure. These lightning-fast breaches have hit critical sectors around the world.

Recent intrusions heavily impacted healthcare, education, finance, and professional services in Australia, the UK, and the United States. In one case, a breach went from initial access to ransomware deployment in under 24 hours.

Exploiting Zero-Day and N-Day Vulnerabilities

Storm-1175's exploit collection includes conventional unpatched (n-day) vulnerabilities as well as genuine zero-days. One example is a critical vulnerability in Fortra GoAnywhere MFT (CVE-2025-10035), which Storm-1175 used to gain network access before it was patched. The use of an exploit for an undisclosed SmarterTools SmarterMail authentication bypass (CVE-2026-23760) also indicates that the threat actor employs zero-day attacks.

However, the vast majority of attacks attributed to Storm-1175 make use of vulnerabilities disclosed relatively recently. Since 2023, its exploitation targets have included:

  • Microsoft Exchange: on-premises mail servers (multiple CVEs).
  • Fortra GoAnywhere MFT: managed file transfer server.
  • SmarterTools SmarterMail: email/collaboration server.
  • JetBrains TeamCity: CI/CD server.
  • Remote management software: ConnectWise ScreenConnect, SimpleHelp, and others.

The group used each of these vulnerabilities to gain control over its victims very quickly, sometimes within a couple of days of public disclosure.

Storm-1175 Attack Chain (source: Xcitium Threat Labs), in order of execution:

  • Exploitation: Initial access via an n-day or 0-day exploit.
  • Persistence: Create a new user in the admin group; create a web shell or deliver an RMM tool during exploitation.
  • Discovery: Use of LOLBins to run discovery commands.
  • Lateral Movement: Cloudflare tunnels over RDP; Impacket, PsExec, and PDQ Deployer.
  • Credential Access: Impacket, Mimikatz, and LSASS dumping.
  • Defense Evasion: AV tampering via PowerShell; registry modifications and account deletion.
  • Exfiltration: Data collection using Bandizip, exfiltration via Rclone.
  • Final Impact: Medusa ransomware, distributed via PDQ Deployer or Group Policy update.

Rapid Attack Chains and Techniques

The Storm-1175 modus operandi moves through fast, sequential stages. A typical attack proceeds as follows:

  • Initial Access: Compromise the target network through a vulnerable internet-facing application (such as a file sharing or email server).
  • Persistence: Use web shell scripts or legitimate remote management tools (such as SimpleHelp or Mesh Agent) to maintain access.
  • Lateral Movement: Obtain credentials and leverage legitimate tools (such as PowerShell, PsExec, or RDP) to traverse the network.
  • Data Exfiltration: Steal valuable data, usually via cloud tunneling or Rclone.
  • Payload Delivery: Disable any anti-virus or backup software in place, then unleash the Medusa ransomware on the victim’s files.

This pace reflects how sophisticated such attacks can be. According to the report, a typical Storm-1175 attack completes all of these stages within just 24 hours.
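As an added illustration (not code from the article or from Xcitium), the Python sketch below correlates the chain stages described above per host from constructed process-creation log lines and flags hosts that reach several stages inside the 24-hour window the report describes. The log format, host names and command-line patterns are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta
# Storm-1175 chain stages (from the article) mapped to command-line patterns a
# defender might watch for in process-creation logs; the patterns are assumptions.
STAGE_PATTERNS = [
    ("persistence", re.compile(r"net\s+(user\s+\S+\s+\S+|localgroup\s+administrators\s+\S+)\s+/add", re.I)),
    ("discovery", re.compile(r"\b(whoami|nltest|systeminfo|net\s+group)\b", re.I)),
    ("lateral_movement", re.compile(r"\b(psexec|wmiexec|smbexec|cloudflared)\b", re.I)),
    ("credential_access", re.compile(r"mimikatz|lsass", re.I)),
    ("defense_evasion", re.compile(r"Set-MpPreference|net\s+user\s+\S+\s+/delete", re.I)),
    ("exfiltration", re.compile(r"\b(bandizip|rclone)\b", re.I)),
    ("impact", re.compile(r"pdqdeploy|gpupdate", re.I)),
]
# Constructed log format: "<ISO timestamp> host=<name> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) cmd=(?P<cmd>.*)$")

def classify(cmd):
    """Return the first chain stage whose pattern matches the command line, else None."""
    for stage, pat in STAGE_PATTERNS:
        if pat.search(cmd):
            return stage
    return None

def detect_chain(lines, window=timedelta(hours=24), min_stages=3):
    """Group stage hits per host and flag hosts reaching min_stages inside window."""
    hosts = {}
    for line in lines:
        m = LINE_RE.match(line)
        stage = classify(m["cmd"]) if m else None
        if stage is None:
            continue  # unparseable or benign line
        ts = datetime.fromisoformat(m["ts"])
        rec = hosts.setdefault(m["host"], {"stages": [], "first": ts, "last": ts})
        if stage not in rec["stages"]:
            rec["stages"].append(stage)  # keeps the order stages were first seen
        rec["first"], rec["last"] = min(rec["first"], ts), max(rec["last"], ts)
    for rec in hosts.values():  # velocity check: several stages inside one window
        rec["fast_chain"] = (len(rec["stages"]) >= min_stages
                             and rec["last"] - rec["first"] <= window)
    return hosts

# Constructed sample: MAIL01 walks most of the chain in about three hours; WS-22 runs one command.
SAMPLE_LOGS = [
    "2026-04-01T02:10:00 host=MAIL01 cmd=net user svc_backup Pass123 /add",
    "2026-04-01T02:30:00 host=MAIL01 cmd=whoami /all",
    "2026-04-01T03:05:00 host=MAIL01 cmd=powershell Set-MpPreference -DisableRealtimeMonitoring $true",
    "2026-04-01T04:40:00 host=MAIL01 cmd=rclone copy D:\\Finance remote:dump",
    "2026-04-01T05:15:00 host=MAIL01 cmd=PDQDeploy.exe /package medusa",
    "2026-04-01T09:00:00 host=WS-22 cmd=whoami",
]
```

Running `detect_chain(SAMPLE_LOGS)` marks MAIL01 as a fast chain (five stages in roughly three hours) while WS-22, with a single discovery command, is not flagged; tuning `min_stages` and `window` trades alert volume against how early in the chain a host is raised.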

Medusa RaaS and Global Impact

Medusa functions as a Ransomware-as-a-Service (RaaS), where affiliates conduct the attacks. Globally, more than 300 critical infrastructure organizations (hospitals, utilities, governmental services) have fallen prey to the group since 2021.

U.S. officials reported that energy, water, health care, and other essential services are among those targeted by Medusa, numbering in the hundreds. The attack involves a “double extortion” technique, whereby the group obtains sensitive information and threatens to release it unless a ransom is paid.

  • Double Extortion: Victims’ information is encrypted and stolen, compelling them to pay money to prevent exposure.
  • Public Leak Sites: Names of victims are published on a website hosted on the Tor network, with stolen information and ransom demands.
  • High Ransom Payments: Affiliates reportedly receive up to $1 million per incident.
  • Geographic Spread: Sectors affected include health care, energy, finance, and education in the USA, UK, Australia, India, and elsewhere.

Conclusion: When Zero-Day Speed Meets Ransomware Scale

Storm-1175 shows how modern ransomware operations win, not through patience, but through velocity. This group chains zero-day and newly disclosed vulnerabilities into rapid attack paths, then moves from initial access to Medusa deployment in less than 24 hours. By the time many defenders begin triage, the attacker is already at persistence, credential theft, lateral movement, exfiltration, and final impact.

Why This Threat Matters Now

This is not a one-off campaign. It is a repeatable operating model built for pressure and scale.

  • Internet-facing applications become the entry point
  • Legitimate tools like PowerShell, PsExec, and RDP accelerate movement inside the network
  • AV tampering and backup disruption reduce recovery options
  • Double extortion raises the cost of every minute lost

Where Xcitium Changes the Outcome

For organizations using Xcitium Advanced EDR, this attack does not succeed.

Unknown payloads are intercepted the moment they execute.
Encryption routines cannot touch real systems or data.
Code can run without being able to cause damage.
The attack chain collapses before Medusa can turn access into extortion.

Stop the Attack Before the Clock Starts

Storm-1175 proves that patching alone cannot keep pace with adversaries who weaponize disclosure in hours. Security has to remove the attacker’s ability to cause harm at execution.

Protect critical infrastructure before the next exploit wave becomes a ransom event.


Move Away From Detection With Patented Threat Prevention Built For Today's Challenges.

No one can stop zero-day malware from entering your network, but Xcitium can prevent it from causing any damage. Zero infection. Zero damage.
