Storm-1175 methodology accelerates Medusa ransomware deployment via recently disclosed vulnerabilities

Threat group Storm-1175 is operationalizing newly disclosed vulnerabilities to deploy Medusa ransomware, often within days of public disclosure. Security teams can protect their environments by prioritizing rapid patch management, securing privileged credentials, and hardening endpoint defenses against tampering.

Triage Security Media Team

The financially motivated threat group tracked as Storm-1175 is operating at an accelerated pace to deliver Medusa ransomware, compressing the timeline between vulnerability disclosure and initial access.

Recent analysis from Microsoft Threat Intelligence, reported by Dark Reading's Rob Wright, details how Storm-1175 conducts high-velocity campaigns that target known vulnerabilities. The group specifically focuses on the operational window between a vulnerability's initial public disclosure and the widespread deployment of security patches. Microsoft researchers have also observed the group utilizing several zero-day vulnerabilities prior to public awareness.

Storm-1175's methodology relies heavily on speed, prioritizing rapid progression from initial access to data exfiltration and the introduction of Medusa ransomware. According to Microsoft, this sequence is completed "often within a few days and, in some cases, within 24 hours."

"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States," Microsoft noted in its technical analysis.

This accelerated timeline highlights the necessity for security teams to reduce their mean time to patch for critical flaws. Sherrod DeGrippo, general manager of threat intelligence at Microsoft, observed that given the group's operational speed, "patches should be prioritized immediately upon release."

Vulnerability utilization and rapid timelines

Microsoft researchers identified that Storm-1175 has rapidly leveraged more than a dozen known vulnerabilities (N-days). The most recent example is CVE-2026-1731, a critical remote code execution vulnerability affecting BeyondTrust Remote Support and older versions of Privileged Remote Access (PRA). Following its initial disclosure on February 6, the flaw was quickly targeted in the wild, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog one week later.

Other notable vulnerabilities targeted by Storm-1175 include:

  • CVE-2025-31161: A critical authentication bypass vulnerability in CrushFTP's file transfer software.

  • CVE-2024-27198: A critical authentication bypass flaw affecting JetBrains' TeamCity, which saw widespread scanning and targeting days after its March 2024 disclosure.

  • CVE-2023-21529: A Microsoft Exchange vulnerability disclosed in February 2023, marking the first confirmation of its use by this specific group.

In addition to N-days, Microsoft connected several zero-day vulnerabilities to Storm-1175 operations. A recent instance involves CVE-2026-23760, a critical authentication bypass in SmarterMail that was also utilized by other threat groups, including the China-linked Storm-2603. Furthermore, Storm-1175 operationalized CVE-2025-10035, a maximum-severity flaw in the License Servlet of GoAnywhere Managed File Transfer (MFT). Microsoft's telemetry indicates both zero-days were leveraged approximately one week prior to their respective public disclosures.

"While these more recent attacks demonstrate an evolved development capability or new access to resources like exploit brokers for Storm-1175, it is worth noting that GoAnywhere MFT has previously been targeted by ransomware attackers, and that the SmarterMail vulnerability was reportedly similar to a previously disclosed flaw," Microsoft stated. "These factors may have helped to allow subsequent zero-day exploitation activity by Storm-1175, who still primarily leverages N-day vulnerabilities."

Post-access movement and security tampering

Following initial access, Storm-1175 relies on a specific set of tools to move through affected environments. The group frequently uses legitimate remote monitoring and management (RMM) software to support lateral movement, the Impacket framework for credential dumping, and the command-line utility Rclone to exfiltrate data.

A notable component of the group's methodology is its capability to interfere with security solutions, specifically Microsoft Defender Antivirus. Threat actors modified program settings stored within the Windows registry, creating conditions that allowed Medusa ransomware components to execute without interruption.

Implementing these registry modifications requires the unauthorized party to first secure highly privileged account access, making the credential dumping phase of the sequence a critical intervention point for defenders.

"For this reason, prioritizing alerts related to credential theft activity, which typically indicate an active attacker in the environment, is essential to responding to ransomware signals and preventing attackers from gaining privileged account access," Microsoft noted.

Defensive recommendations

To protect environments against these rapid operational timelines and tampering techniques, security teams can implement several practical hardening measures.

To prevent security software interference, organizations should enable Windows Defender Antivirus tamper protection features across their tenants. Additionally, security administrators can apply the DisableLocalAdminMerge setting, which prevents users, including those leveraging local administrator privileges, from establishing antivirus exclusions.

For infrastructure protection, organizations are advised to isolate web-facing systems from the broader internet where possible. Any servers requiring public accessibility should be placed behind a Web Application Firewall (WAF), a proxy server, or within a properly segmented DMZ. Finally, enabling Windows Credential Guard will help protect credentials stored in process memory, directly mitigating the credential dumping techniques that enable the later stages of this methodology.
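As an added example (not from the article or from Microsoft), the following PowerShell audit checks whether the three endpoint controls recommended above are actually in effect on a host: tamper protection, DisableLocalAdminMerge, and Credential Guard. It assumes the Group Policy registry location for DisableLocalAdminMerge and the Win32_DeviceGuard service codes; confirm both against your own policy deployment.

```powershell
# Added example: audit the three endpoint hardening controls recommended in the
# article on a Windows host. Run from an elevated PowerShell session.
# Assumption: DisableLocalAdminMerge is read from the Group Policy registry path;
# Intune-managed hosts may store it elsewhere.

function Get-MedusaHardeningStatus {
    [CmdletBinding()]
    param()

    $results = [ordered]@{}

    # 1. Defender tamper protection: blocks local and registry changes to AV settings.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $results['TamperProtection'] = [bool]$mp.IsTamperProtected
    } catch {
        $results['TamperProtection'] = $null   # Defender cmdlets unavailable on this host
    }

    # 2. DisableLocalAdminMerge: a policy value of 1 means locally added exclusions
    #    are not merged with centrally managed ones.
    $polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $merge = Get-ItemProperty -Path $polPath -Name 'DisableLocalAdminMerge' -ErrorAction SilentlyContinue
    $results['DisableLocalAdminMerge'] = ($null -ne $merge -and $merge.DisableLocalAdminMerge -eq 1)

    # 3. Credential Guard: Win32_DeviceGuard lists running services; code 1 = Credential Guard.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $results['CredentialGuard'] = ($null -ne $dg -and $dg.SecurityServicesRunning -contains 1)

    [pscustomobject]$results
}

$status = Get-MedusaHardeningStatus
$status | Format-List

# Flag any control that is not confirmed on, so gaps stand out in a fleet-wide report.
$gaps = $status.PSObject.Properties |
    Where-Object { $_.Value -ne $true } |
    Select-Object -ExpandProperty Name
if ($gaps) { Write-Warning ("Hardening gaps: " + ($gaps -join ', ')) }
else       { Write-Host 'All three controls are enabled.' }
```

Run it through your RMM or configuration management tooling to collect the per-host object and report hosts where any field is not True.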