Storm-1175 Exploits Zero-Days to Deploy Medusa
Microsoft says that Storm-1175, a China-based financially motivated cybercriminal group known for deploying Medusa ransomware payloads, has been deploying n-day and zero-day exploits in high-velocity
What Happened
Microsoft has publicly linked the financially motivated, China-based threat actor Storm-1175 to a campaign of “high-velocity” attacks deploying Medusa ransomware. The group’s operational tempo is fueled by the weaponization of both zero-day and n-day vulnerabilities. This approach allows them to rapidly compromise systems before patches are widely applied or known exploits are fully mitigated, directly leading to ransomware encryption and extortion.
Why It Matters
This activity represents a significant escalation in the ransomware threat landscape. The combination of a financially driven Chinese group, access to zero-day exploits, and a high-speed attack methodology breaks from common patterns. It indicates that sophisticated exploit development is no longer the exclusive domain of state-sponsored espionage groups but is being leveraged for direct criminal profit. For defenders, this drastically shortens the window between vulnerability disclosure and active, damaging exploitation.
Technical Details
While specific CVEs were not disclosed in the public attribution, Microsoft’s report confirms the use of a “combination” of vulnerabilities. The term “n-day” refers to known vulnerabilities where a patch exists but may not be deployed, while “zero-day” indicates flaws unknown to the vendor at the time of exploitation. This multi-exploit strategy allows Storm-1175 to pivot across different initial access vectors, increasing the likelihood of a successful breach. The final payload is the Medusa ransomware, which encrypts files and demands payment for decryption.
Immediate Risk
The immediate risk is HIGH for organizations with delayed patch cycles, especially those using internet-facing services potentially targeted by the exploited vulnerabilities. The “high-velocity” nature of the attacks suggests automated or highly efficient processes, meaning a single unpatched system can lead to a network-wide ransomware incident in a short timeframe. All organizations should treat this as a pressing reminder to audit and accelerate their vulnerability management programs.
Security Insight
This campaign mirrors the tactical evolution seen when Russian-speaking cybercriminals began incorporating zero-days into ransomware operations several years ago, which led to a surge in high-impact breaches. Storm-1175’s adoption of this model suggests a potential new “gold standard” for top-tier ransomware affiliates globally, increasing market pressure for other groups to acquire similar capabilities. The defensive takeaway is not just to patch faster, but to assume that the grace period for n-day vulnerabilities is collapsing; compensating controls like robust application allow-listing and network segmentation are now critical interim measures, not secondary priorities.
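The "Immediate Risk" and "Security Insight" sections above both come down to one defensive exercise: find the hosts where a fix has existed longer than a now much shorter grace period, and flag the hosts where no fix exists yet so compensating controls are applied first. The script below is an added example written for this bulletin, not code from Microsoft's report; it assumes a simple in-house finding record (the `Finding` dataclass) and uses constructed hostnames and placeholder `CVE-0000-000x` identifiers, since the report disclosed no CVEs. The two SLA values (3 days for internet-facing hosts, 14 days internal) are assumed policy numbers, not figures from the page.

```python
"""Triage unpatched findings under a collapsing n-day grace period.

Added example; assumes an in-house inventory of findings. All hosts,
dates and CVE identifiers below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Finding:
    host: str
    cve: str                          # placeholder id, not a real CVE
    internet_facing: bool             # exposed edge service
    exploited_in_wild: bool           # listed in a KEV-style feed
    patch_available: Optional[date]   # None: no vendor fix yet (zero-day)
    patched: bool


# Assumed policy: fixes on edge services land within 3 days, internal within 14.
SLA_EDGE_DAYS = 3
SLA_INTERNAL_DAYS = 14

# Lower number sorts first in the triage output.
_ORDER = {
    "zero-day:compensating-controls": 0,
    "critical:edge-nday": 1,
    "high:nday": 2,
    "within-sla": 3,
    "ok": 4,
}


def days_exposed(f: Finding, today: date) -> Optional[int]:
    """Days a vendor fix has existed; None when no fix exists."""
    if f.patch_available is None:
        return None
    return (today - f.patch_available).days


def classify(f: Finding, today: date,
             sla_edge: int = SLA_EDGE_DAYS,
             sla_internal: int = SLA_INTERNAL_DAYS) -> str:
    """Map one finding to a triage bucket."""
    if f.patched:
        return "ok"
    if f.patch_available is None:
        # Zero-day: patching cannot help yet; allow-listing and
        # segmentation are the only levers available today.
        return "zero-day:compensating-controls"
    limit = sla_edge if f.internet_facing else sla_internal
    overdue = days_exposed(f, today) > limit
    if f.internet_facing and (overdue or f.exploited_in_wild):
        return "critical:edge-nday"
    if overdue or f.exploited_in_wild:
        return "high:nday"
    return "within-sla"


def triage(findings: List[Finding], today: date) -> List[Tuple[str, Finding]]:
    """Return (bucket, finding) pairs, most urgent first, longest exposure first."""
    rows = [(classify(f, today), f) for f in findings]
    rows.sort(key=lambda r: (_ORDER[r[0]], -(days_exposed(r[1], today) or 0)))
    return rows


# Constructed sample inventory (not real hosts or CVEs).
SAMPLE_TODAY = date(2026, 4, 10)
SAMPLE = [
    Finding("vpn-gw-01", "CVE-0000-0001", True, True, date(2026, 4, 1), False),
    Finding("fileshare-02", "CVE-0000-0002", False, False, date(2026, 4, 5), False),
    Finding("mail-edge-03", "CVE-0000-0003", True, False, None, False),
    Finding("db-04", "CVE-0000-0004", False, True, date(2026, 3, 1), True),
    Finding("app-05", "CVE-0000-0005", False, False, date(2026, 3, 1), False),
]


if __name__ == "__main__":
    for bucket, f in triage(SAMPLE, SAMPLE_TODAY):
        exposed = days_exposed(f, SAMPLE_TODAY)
        print(f"{bucket:32} {f.host:14} {f.cve}  exposed={exposed}")
```

Run as-is it prints the five constructed findings with the zero-day host first (nothing to patch, so controls come first), then the internet-facing n-day that is both overdue and known-exploited, then the internal host 40 days behind. Feeding it a real inventory means replacing `SAMPLE` with records from your scanner export and the SLA constants with your own policy.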