Recent threat intelligence highlights a surge in high-velocity ransomware attacks driven by the Storm-1175 threat group, which rapidly exploits both zero-day and newly disclosed vulnerabilities to compromise internet-facing systems within hours. The group leverages trusted administrative tools, remote monitoring software, and living-off-the-land techniques to evade detection, establish persistence, and move laterally across enterprise environments.
These attacks often culminate in the deployment of Medusa ransomware alongside data exfiltration, with the entire intrusion lifecycle frequently completed within 24 to 72 hours. Critical sectors, including healthcare, finance, education, and professional services, are particularly impacted, underscoring the need for accelerated patching, continuous monitoring of exposed assets, and stricter controls over administrative tools.
Storm-1175 initiates intrusions by rapidly exploiting internet-facing applications using a combination of zero-day and N-day vulnerabilities, often chaining multiple exploits to deepen access. Observed vulnerabilities include CVE-2025-10035 and others affecting enterprise platforms.
Following initial compromise, the attackers establish persistence through web shells, newly created user accounts, or deployment of legitimate remote monitoring tools. Credential harvesting is conducted using widely available tools such as Mimikatz and Impacket to escalate privileges and expand access.
Lateral movement is achieved using living-off-the-land binaries such as PowerShell and PsExec, as well as remote monitoring and management platforms. The attackers weaken endpoint defenses by modifying Microsoft Defender Antivirus exclusions and firewall configurations. Data is then staged and exfiltrated using tools such as Rclone before Medusa ransomware is deployed across the environment. This process is typically completed within a short timeframe, often within 24 to 72 hours of initial access. The details and technicalities of the attack campaign are discussed further below.
Storm-1175 primarily gains initial access by exploiting zero-day and recently disclosed vulnerabilities in internet-facing systems. Frequently targeted platforms include Microsoft Exchange, Fortra GoAnywhere MFT, and SmarterMail, among others. In some cases, phishing campaigns, misconfigured remote monitoring tools, or exposed administrative interfaces are also used to initiate compromise.
The infection chain was identified as follows:
Storm-1175 demonstrates advanced technical capabilities in both exploitation and post-compromise operations. The group effectively combines zero-day and N-day vulnerabilities to achieve rapid initial access and often chains multiple exploits to increase its foothold within targeted environments.
Once inside, persistence is maintained through web shells, new user accounts, and legitimate remote management tools. Credential harvesting using Mimikatz and Impacket enables privilege escalation, while lateral movement is facilitated through built-in system tools such as PowerShell and PsExec, as well as enterprise management platforms like PDQ Deployer.
The group employs strong defense evasion techniques, including modification of Microsoft Defender settings and firewall rules, and leverages legitimate remote management channels to mask malicious activity. Data exfiltration is conducted using tools such as Rclone, and ransomware deployment follows quickly, often within hours. The ability to rapidly weaponize newly disclosed vulnerabilities and operate across both Windows and Linux environments demonstrates a high level of technical maturity and operational agility.
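The post-compromise behaviours listed above (new accounts for persistence, Microsoft Defender exclusion changes, firewall tampering, Rclone exfiltration) each leave a distinct Windows event trail, and the report's point is that they arrive together inside a short window. The following detector is an added example written for this page, not code from the original report or from any vendor: it applies one rule per behaviour to event records and then correlates hits per host so that several weak signals within 24 hours (an assumed window, chosen to sit inside the 24 to 72 hour lifecycle described above) surface as a single high-severity finding. The event IDs are the standard Windows ones (4720 account created, 4688 process creation with command-line auditing, 4104 PowerShell script block, 5007 Defender configuration changed); the sample events at the bottom are constructed data.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    event_id: int
    host: str
    user: str
    fields: dict = field(default_factory=dict)


# Patterns for the behaviours described in the report. 5007 messages carry the
# changed registry value; 4104 carries the PowerShell script text.
EXCLUSION_REG = re.compile(r"Windows Defender\\Exclusions\\", re.IGNORECASE)
EXCLUSION_PS = re.compile(r"(Set|Add)-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.IGNORECASE)
FIREWALL_OFF = re.compile(
    r"(netsh\s+advfirewall\s+set\s+\w+\s+state\s+off"
    r"|Set-NetFirewallProfile\b.*-Enabled\s+False)", re.IGNORECASE)
RCLONE_CMD = re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.IGNORECASE)


def rule_account_created(ev):
    return ev.event_id == 4720


def rule_defender_exclusion(ev):
    if ev.event_id == 5007:
        return bool(EXCLUSION_REG.search(ev.fields.get("message", "")))
    if ev.event_id == 4104:
        return bool(EXCLUSION_PS.search(ev.fields.get("script", "")))
    return False


def rule_firewall_tamper(ev):
    text = ev.fields.get("command_line", "") + " " + ev.fields.get("script", "")
    return ev.event_id in (4688, 4104) and bool(FIREWALL_OFF.search(text))


def rule_rclone(ev):
    # Name-based: a renamed rclone binary needs an OriginalFileName or hash check instead.
    if ev.event_id != 4688:
        return False
    image = ev.fields.get("image", "").lower()
    return image.endswith("rclone.exe") or bool(RCLONE_CMD.search(ev.fields.get("command_line", "")))


RULES = {
    "account_created": rule_account_created,
    "defender_exclusion_changed": rule_defender_exclusion,
    "firewall_tampered": rule_firewall_tamper,
    "rclone_execution": rule_rclone,
}


def detect(events):
    """One (rule name, event) hit per matching rule/event pair."""
    return [(name, ev) for ev in events for name, fn in RULES.items() if fn(ev)]


def correlate(hits, window=timedelta(hours=24)):
    """Per host: two or more distinct rules inside `window` rate high, one rule medium."""
    by_host = {}
    for name, ev in hits:
        by_host.setdefault(ev.host, []).append((ev.ts, name))
    findings = {}
    for host, items in by_host.items():
        items.sort()
        best = set()
        for i, (t0, _) in enumerate(items):  # slide the window from each hit
            names = {n for t, n in items[i:] if t - t0 <= window}
            if len(names) > len(best):
                best = names
        findings[host] = {"rules": sorted(best), "severity": "high" if len(best) >= 2 else "medium"}
    return findings


# Constructed sample events (not from a real incident).
T0 = datetime(2025, 1, 1, 2, 0)
SAMPLE_EVENTS = [
    Event(T0, 4720, "SRV01", "ADMIN$", {"new_account": "svc_backup"}),
    Event(T0 + timedelta(minutes=15), 5007, "SRV01", "SYSTEM",
          {"message": r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Temp = 0x0"}),
    Event(T0 + timedelta(hours=4), 4688, "SRV01", "svc_backup",
          {"image": r"C:\Temp\rclone.exe", "command_line": r"rclone.exe copy C:\Shares\Finance s3:bucket -q"}),
    Event(T0 + timedelta(hours=5), 4688, "WS07", "alice",
          {"image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe notes.txt"}),
    Event(T0 + timedelta(days=2), 4104, "WS07", "alice",
          {"script": "Set-NetFirewallProfile -Profile Domain -Enabled False"}),
]


def run_sample():
    return correlate(detect(SAMPLE_EVENTS))


if __name__ == "__main__":
    for host, finding in run_sample().items():
        print(host, finding["severity"], ", ".join(finding["rules"]))
```

Against the sample, SRV01 accumulates three distinct rules within four hours and is rated high, while WS07 shows a lone firewall change and stays medium; in a real deployment the 4688 rule depends on command-line auditing being enabled, and the Rclone rule should be backed by an OriginalFileName or hash match because the binary is trivially renamed.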
Storm-1175 is assessed to be a financially motivated threat actor with a focus on rapid, high-impact ransomware campaigns. Initially targeting Windows environments, the group has expanded its operations to include Linux-based systems such as Oracle WebLogic servers.
Since 2023, the group has exploited multiple known vulnerabilities, including several zero-days used prior to public disclosure. Their evolution reflects a dynamic and adaptive approach, characterized by rapid exploitation cycles, use of dual-use administrative tools, and a focus on high-value internet-facing assets.
Storm-1175 campaigns have been observed targeting organizations across multiple regions, including the United States, the United Kingdom, and Australia. Affected industries include healthcare, finance, education, and professional services.
The group’s operations are characterized by speed and scalability, with automated lateral movement techniques and the use of legitimate remote management tools enabling rapid spread across networks. The reliance on exposed internet-facing systems suggests that any organization with vulnerable infrastructure may be at risk, regardless of geographic location.
This campaign represents a modern ransomware threat model characterized by rapid exploitation, stealthy use of legitimate tools, and accelerated attack timelines. By blending malicious activity with trusted administrative infrastructure, Storm-1175 is able to bypass traditional defenses and execute high-impact attacks within short timeframes.
Organizations must adopt proactive defense strategies that prioritize timely patching, strict access control, continuous monitoring, and detection of abnormal administrative activity to mitigate the risk posed by such high-velocity threats.