
Microsoft links Medusa ransomware affiliate to zero-day attacks

Published: 6 April 2026 at 16:56:01

Alert date: 6 April 2026 at 17:03:19

Source: bleepingcomputer.com


Ransomware & Malware, Zero-Day Vulnerabilities, Enterprise Applications, Critical Infrastructure

Microsoft has attributed zero-day and n-day exploit attacks to Storm-1175, a China-based cybercriminal group that deploys Medusa ransomware. The group is conducting high-velocity attacks using previously unknown vulnerabilities. This represents an escalation in ransomware tactics, combining zero-day exploits with ransomware deployment. The attribution to a China-based group suggests potential state nexus or advanced capabilities. Microsoft's public attribution indicates the severity and scope of these attacks warrant immediate attention.

Technical details

Storm-1175, a China-based cybercriminal group, deploys Medusa ransomware through high-velocity attacks that use n-day and zero-day exploits. The group moves from initial access to data exfiltration and ransomware deployment within 24 hours to a few days. After gaining access it chains multiple exploits and establishes persistence by creating new user accounts, deploying remote monitoring software, stealing credentials, and disabling security software. It weaponizes vulnerabilities within a day and has sometimes exploited them a week before patches were released. Recent attacks have heavily impacted the healthcare, education, professional services, and finance sectors in Australia, the UK, and the US.

Mitigation steps:

Organizations should prioritize patching vulnerable internet-facing assets, especially those in the affected product list below. Monitor for unauthorized user account creation, deployment of unauthorized remote monitoring software, credential theft activity, and security software being disabled. Implement rapid patch management processes for critical vulnerabilities, particularly on internet-facing systems. Healthcare, education, professional services, and finance sector organizations should be especially vigilant given the targeting patterns.
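The four post-access behaviours listed above are individually noisy, but together inside the 24-hour window the advisory describes they are a strong signal. The following is an added example (not from the advisory or from Microsoft) of a small correlation rule over Windows telemetry: Security event 4720 (user account created), Security event 4688 (process creation), Sysmon event 10 (process access to lsass.exe) and Defender event 5001 (real-time protection disabled). The RMM installer names and all log events are constructed assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (not from the advisory) RMM installer names worth flagging on a server.
RMM_PROCESSES = {"anydesk.exe", "screenconnect.clientsetup.exe"}
WINDOW = timedelta(hours=24)   # advisory: access to ransomware within 24h to a few days
MIN_STAGES = 3                 # distinct post-access behaviours before raising an alert

def classify(event):
    """Map one log event to a post-access stage named in the advisory, or None."""
    source, event_id, detail = event["source"], event["event_id"], event["detail"].lower()
    if source == "security" and event_id == 4720:              # user account created
        return "account_created"
    if source == "security" and event_id == 4688:              # process creation
        if any(name in detail for name in RMM_PROCESSES):
            return "rmm_deployed"
    if source == "sysmon" and event_id == 10 and "lsass.exe" in detail:  # LSASS access
        return "credential_theft"
    if source == "defender" and event_id == 5001:              # real-time protection off
        return "security_disabled"
    return None

def correlate(events):
    """Alert on hosts where >= MIN_STAGES distinct stages occur inside one WINDOW."""
    by_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), stage))
    alerts = []
    for host, hits in by_host.items():
        hits.sort()                                            # chronological per host
        for i, (start, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - start <= WINDOW}
            if len(stages) >= MIN_STAGES:
                alerts.append({"host": host, "stages": sorted(stages), "first_seen": start.isoformat()})
                break                                          # one alert per host is enough
    return alerts

SAMPLE_EVENTS = [  # constructed sample telemetry, not real indicators
    {"time": "2026-04-06T09:00:00", "host": "web01", "source": "security", "event_id": 4720, "detail": "New user svc_backup created"},
    {"time": "2026-04-06T09:20:00", "host": "web01", "source": "security", "event_id": 4688, "detail": "C:\\Temp\\AnyDesk.exe"},
    {"time": "2026-04-06T10:05:00", "host": "web01", "source": "defender", "event_id": 5001, "detail": "Real-time protection disabled"},
    {"time": "2026-04-06T11:30:00", "host": "web01", "source": "sysmon", "event_id": 10, "detail": "TargetImage: C:\\Windows\\System32\\lsass.exe"},
    {"time": "2026-04-06T09:00:00", "host": "hr02", "source": "security", "event_id": 4720, "detail": "New user jdoe created"},
    {"time": "2026-04-08T12:00:00", "host": "hr02", "source": "defender", "event_id": 5001, "detail": "Real-time protection disabled"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))   # web01 alerts with all four stages; hr02 does not
```

The host hr02 shows two of the behaviours but two days apart, so it stays below the threshold; tune WINDOW and MIN_STAGES to your own environment's noise level.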

Affected products:

GoAnywhere MFT
SmarterTools SmarterMail
Microsoft Exchange
Papercut
Ivanti Connect Secure
Ivanti Policy Secure
ConnectWise ScreenConnect
JetBrains TeamCity
SimpleHelp
CrushFTP
BeyondTrust
VMware ESXi

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
