Storm-1175 Deploys Medusa Ransomware at High Velocity
2026-04-07 20:15 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations as well as the education, professional services, and finance sectors. The most recent example is CVE-2026-23760, a critical authentication bypass vulnerability in SmarterMail that was exploited by various threat groups, including the China-linked Storm-2603. Related incidents on this page include Iran's deployment of 'pseudo-ransomware' and its revival of Pay2Key operations. Storm-1175 has also shown the ability to tamper with security solutions such as Microsoft Defender Antivirus. Storm-1175, a financially motivated cybercrime group, runs up-tempo campaigns to deliver Medusa ransomware at 'high velocity', putting pressure on organizations to patch critical vulnerabilities faster.
Technical Mitigations (AI-generated)
* Implement a patching strategy that prioritizes immediate application of patches for critical vulnerabilities, as recommended by Microsoft Threat Intelligence.
* Conduct regular vulnerability assessments and penetration testing to identify weaknesses before Storm-1175 or other threat actors can exploit them.
* Use secure coding practices and follow security best practices when developing software applications to prevent exploitation of known vulnerabilities.
* Implement a robust incident response plan that includes procedures for responding to Medusa ransomware attacks, such as isolating affected systems and supporting affected organizations.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
* Pay2Key
* Medusa Ransomware
* CVE-2023-21529
* CVE-2025-31161
* CVE-2026-1731
* CVE-2026-23760
* CVE-2025-10035
* CVE-2024-27198
Target & Sectors
* FIVE_EYES
* NORTH_AMERICA
Incident Timeline
February 2023
Iran Deploys 'Pseudo-Ransomware,' Revives Pay2Key Operations.
Entities: CVE-2025-31161, CVE-2024-27198, CVE-2023-21529, JetBrains, Microsoft Exchange
Other notable flaws exploited by Storm-1175 include CVE-2025-31161, a critical authentication bypass vulnerability in CrushFTP's file transfer software that also sparked a public disclosure dispute last spring; CVE-2024-27198, another critical authentication bypass flaw, this time affecting JetBrains' TeamCity and seeing mass exploitation just days after public disclosure in March 2024; and CVE-2023-21529, one of three Microsoft Exchange vulnerabilities disclosed in the Patch Tuesday release for February 2023 (exploitation activity for CVE-2023-21529 was not confirmed prior to Monday's blog post).
Entities: SmarterMail, GoAnywhere MFT, License Servlet
The most recent example is CVE-2026-23760, a critical authentication bypass vulnerability in SmarterMail that was exploited by various threat groups, including the China-linked Storm-2603.
"While these more recent attacks demonstrate an evolved development capability or new access to resources like exploit brokers for Storm-1175, it is worth noting that GoAnywhere MFT has previously been targeted by ransomware attackers, and that the SmarterMail vulnerability was reportedly similar to a previously disclosed flaw," the blog post stated.
Additionally, Storm-1175 weaponized CVE-2025-10035, a maximum-severity flaw in the License Servlet of GoAnywhere Managed File Transfer (MFT).
Entities: Windows, Windows' Credential Guard, DMZ
The blog post noted that the threat actors modified Microsoft Defender Antivirus settings stored in the Windows registry, allowing Medusa payloads to execute.
To mitigate the threat, organizations should enable Windows Defender Antivirus' tamper protection features across the tenant and take advantage of the "DisableLocalAdminMerge" setting, which prevents threat actors from using local administrator privileges to set antivirus exclusions.
The company also urged customers to implement Windows' Credential Guard, a security feature that protects credentials stored in process memory.
Additionally, Microsoft recommended that organizations isolate Web-facing systems from the public Internet, and place any servers that must be publicly accessible behind a Web application firewall, proxy server, or DMZ.
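One way to verify that the Defender hardening described above is actually in effect on a host, as an added PowerShell audit script that is not part of the original page or of Microsoft's guidance: it assumes the built-in Defender cmdlets (Get-MpComputerStatus, Get-MpPreference, Set-MpPreference), the Win32_DeviceGuard CIM class, and an elevated session on a Windows host running Microsoft Defender Antivirus.

```powershell
# Added audit script (not from the page or Microsoft's own tooling). Assumes the
# Defender PowerShell module and an elevated session. It reports the settings the
# page names as mitigations: tamper protection, DisableLocalAdminMerge,
# Credential Guard, and any antivirus exclusions currently configured.

$findings = @()

# 1. Tamper protection: blocks anyone holding local admin rights from disabling
#    real-time protection or editing Defender settings.
$status = Get-MpComputerStatus
if (-not $status.IsTamperProtected) {
    $findings += "Tamper protection is OFF (IsTamperProtected = False)"
}

# 2. DisableLocalAdminMerge: when $true, exclusions added by local admins are
#    ignored and only the centrally managed policy applies.
$pref = Get-MpPreference
if (-not $pref.DisableLocalAdminMerge) {
    $findings += "DisableLocalAdminMerge is not set; locally added exclusions are merged into policy"
}

# 3. Exclusions in effect. Every entry deserves a documented justification, since
#    the page describes attackers setting exclusions so ransomware can run.
#    foreach over $null does not iterate, so empty lists are handled cleanly.
$exclusions = @()
foreach ($p in $pref.ExclusionPath)      { $exclusions += "Path: $p" }
foreach ($p in $pref.ExclusionProcess)   { $exclusions += "Process: $p" }
foreach ($p in $pref.ExclusionExtension) { $exclusions += "Extension: $p" }
if ($exclusions.Count -gt 0) {
    $findings += "Configured exclusions:`n  " + ($exclusions -join "`n  ")
}

# 4. Credential Guard: a value of 1 in SecurityServicesRunning means it is active.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($null -eq $dg -or $dg.SecurityServicesRunning -notcontains 1) {
    $findings += "Credential Guard is not running"
}

if ($findings.Count -eq 0) {
    Write-Output "All checked Defender hardening settings are in place."
} else {
    Write-Output "Findings:"
    $findings | ForEach-Object { Write-Output " - $_" }
}

# Remediation for the merge setting (elevated session required):
#   Set-MpPreference -DisableLocalAdminMerge $true
# Tamper protection itself is switched on through the Windows Security app,
# Intune, or the Defender for Endpoint tenant settings, not via Set-MpPreference.
```

Run it as part of a fleet-wide baseline check; a host that reports an unexpected exclusion or tamper protection off is exactly the state the page describes the actor creating before dropping Medusa, so those findings are worth an incident ticket rather than a silent fix.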
March 2024
Storm-1175 deployed Medusa ransomware targeting Microsoft Exchange systems.
Entities: CVE-2025-31161, CVE-2024-27198, CVE-2023-21529, JetBrains, Microsoft Exchange (same context as given under the February 2023 entry above)
2025/04/07
Storm-1175 deployed Medusa ransomware against GoAnywhere Managed File Transfer on April 7, 2025.
Entities: GoAnywhere Managed File Transfer
That vulnerability in GoAnywhere Managed File Transfer was exploited one week before public disclosure last year.
Feb. 6
The vulnerability was initially disclosed on February 6 and quickly came under attack by the Medusa ransomware.
Entities: Known Exploited Vulnerabilities (KEV) catalog, T1588.006 - Vulnerabilities
The vulnerability was initially disclosed Feb. 6 and quickly came under attack, with the Cybersecurity and Infrastructure Security Agency (CISA) adding it to the Known Exploited Vulnerabilities (KEV) catalog a week later.
April 6
Storm-1175 deployed Medusa ransomware on High Velocity systems.
Entities: Storm-1175
Storm-1175 is a financially motivated actor that usually exploits the window between vulnerability disclosure and patch adoption, Microsoft said in a blog post on April 6.
2026/04/07
Storm-1175 Deploys Medusa Ransomware at 'High Velocity'.
Entities: SmarterMail, GoAnywhere MFT, Ivanti Connect Secure and Policy Secure, Microsoft Defender Antivirus, Exchange, Papercut, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, BeyondTrust Remote Support, Privileged Remote Access, CVE-2026-1731, CVE-2025-10035, Storm-1175, Microsoft, PsExec, Cloudflare, RMM, PDQ Deployer, Credential Guard, MFA, XDR, DMZ
A prolific cybercrime group has been weaponizing n-day and zero-day exploits in high-tempo Medusa ransomware attacks over the past three years, Microsoft has revealed.
Microsoft also tied the exploitation of several zero-day vulnerabilities to the group.
Storm-1175's Exploitation of N-Days and Zero-Days
Microsoft noted that Storm-1175 has rapidly exploited more than a dozen known vulnerabilities, or N-days, the most recent of which is CVE-2026-1731, a critical remote code execution flaw in BeyondTrust Remote Support and older versions of the vendor's Privileged Remote Access (PRA).
The group has exploited at least 16 vulnerabilities in this way since 2023, including three zero-day flaws such as CVE-2025-10035.
Observed tradecraft:
* It establishes persistence by creating a new user and adding that user to the administrators group.
* It rotates various tools for reconnaissance and lateral movement, including living-off-the-land binaries (LOLBins) such as PowerShell and PsExec, followed by Cloudflare tunnels to move laterally over Remote Desktop Protocol (RDP) and deliver payloads to new devices.
* It uses multiple remote monitoring and management (RMM) tools during post-compromise activity, such as creating new user accounts, enabling alternative command-and-control (C2) methods, delivering additional payloads, or serving as interactive remote desktop sessions.
* The legitimate software deployment tool PDQ Deployer is sometimes used to silently install applications for lateral movement and payload delivery.
* The Python-based tool Impacket is sometimes used for lateral movement and credential dumping.
* The group occasionally modifies Microsoft Defender Antivirus settings stored in the registry to prevent it from blocking ransomware payloads.
How to Tackle Storm-1175
Microsoft said the group has already exploited vulnerabilities in Exchange, Papercut, Ivanti Connect Secure and Policy Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail and BeyondTrust.
Microsoft's recommendations include:
* Following its ransomware guidance on credential hygiene and limiting lateral movement
* Implementing Credential Guard to protect credentials stored in process memory
* Turning on tamper protection to prevent attackers from stopping security services or using antivirus exclusions
* Removing unapproved RMM installations and adding multi-factor authentication (MFA) to approved ones
* Configuring XDR tools to prevent common attack techniques used in ransomware attacks
If web-facing systems must be connected to the public Internet, organizations should place them behind a web application firewall (WAF), reverse proxy, or perimeter network (aka DMZ), the report continued.
Tactical Metrics
Affected Products: SmarterMail, Windows, Ivanti (context as given in the timeline entries above)
Intelligence Sources
* Dark Reading, 2026-04-07
* Infosecurity-Magazine, 2026-04-07: "Storm-1175 Exploits Flaws in High-Velocity Medusa Attacks"
Incident Version History (current version): Last Updated 2026-04-27T12:11
Comprehensive Tactical Telemetry
Highly Correlated Entities (count | category | role | entity | type):
* 34x | organisation | Identified Entity | Storm-1175 | entity
* 6x | vulnerability | Exploited CVE | CVE-2026-23760 | cve
* 6x | tactic | Cyber Operation Type | Ransomware | tactic
* 6x | attribution | Attributing Entity | Microsoft Threat Intelligence | authority
* 6x | timeline | Temporal Reference | March 2024 | date
* 5x | tactic | MITRE ATT&CK Technique | T1588.006 - Vulnerabilities | technique
* 4x | target region | Target Country | Australia | country
* 3x | infrastructure | Affected Product | Smartermail | software
* 2x | source region | Origin Country | China | country
* 2x | malware | Malware Payload | Pay2Key | tool
Contextual Telemetry (2 metrics)
* Hours: 24
* Vulnerabilities: 16