INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Medusa ransomware affiliate linked to zero-day attacks
2026-04-06 20:47 | CRITICAL | MEDIUM
Executive Summary (AI-generated)
The Storm-1175 cybercrime group, known for deploying Medusa ransomware payloads, has been rapidly expanding its attack capabilities. With a high operational tempo and proficiency in identifying exposed perimeter assets, the threat actor has carried out successful intrusions against healthcare organizations, education institutions and financial institutions across Australia, the United Kingdom and the United States. The group has also been observed using zero-day exploits, chaining multiple exploits to gain persistence on compromised systems, and deploying remote monitoring software. Furthermore, Microsoft has linked Storm-1175 to exploitation of vulnerabilities such as CVE-2023-21529 in Microsoft Exchange, CVE-2024-21887 in Papercut, and CVE-2024-1709 and CVE-2024-1708 in ConnectWise ScreenConnect, highlighting the group's adaptability and the breadth of the products it targets.
Technical Mitigations (AI-generated)
* Implement automated pentesting and vulnerability scanning to identify potential entry points for Medusa ransomware attacks.
* Regularly update software products, including Microsoft Exchange, Papercut, Ivanti Connect Secure and Policy Secure, and JetBrains TeamCity, to ensure timely patching of known vulnerabilities.
* Use a combination of security controls, such as firewalls, intrusion detection systems, and antivirus software, to detect and prevent Medusa ransomware attacks.
* Implement a robust incident response plan that includes procedures for responding to zero-day exploitation within 24 hours of a breach.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Black Basta
CVE-2024-57728
CVE-2026-1731
CVE-2023-21529
CVE-2023-46805
CVE-2024-27199
CVE-2024-1709
CVE-2025-52691
CVE-2024-27198
CVE-2024-57726
CVE-2023-27350
CVE-2024-1708
CVE-2024-21887
CVE-2026-23760
CVE-2024-57727
CVE-2025-10035
CVE-2023-27351
Target & Sectors
NORTH_AMERICA
Incident Timeline
July 2024
Microsoft linked the Storm-1175 threat group to Black Basta and Akira ransomware attacks exploiting a VMware ESXi authentication-bypass flaw.
tactic: Ransomware
malware: Black Basta
organisation: VMware
Context: In July 2024, Microsoft also linked the Storm-1175 threat group, along with three other cybercrime gangs, to Black Basta and Akira ransomware attacks that exploited a VMware ESXi authentication-bypass flaw.
March 2025
Threat actors linked Medusa ransomware to zero-day attacks targeting over 300 critical infrastructure organizations in the United States.
tactic: Ransomware
target_region: United States
attribution: CISA
attribution: FBI
infrastructure: 300 critical infrastructure organizations
Context: CISA issued a joint advisory with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC) in March 2025, warning that the Medusa ransomware gang's attacks had impacted over 300 critical infrastructure organizations across the United States.
March 2
Threat actors linked a Medusa ransomware affiliate to a zero-day attack on the hospital.
2026/04/06
Storm-1175 rapidly moves from initial access to data exfiltration and deployment of Medusa ransomware, often within a few days and sometimes within 24 hours.
organisation: Storm-1175
organisation: Microsoft
organisation: GoAnywhere MFT (GoAnywhere Managed File Transfer)
infrastructure: SmarterMail
organisation: SmarterTools
organisation: Recorded Future News
organisation: ConnectWise ScreenConnect
organisation: SimpleHelp
organisation: AnyDesk
organisation: JetBrains TeamCity
organisation: BeyondTrust
organisation: Microsoft Exchange
organisation: Ivanti Connect Secure and Policy Secure
infrastructure: Ivanti
organisation: University of Mississippi Medical Center
organisation: the Commonwealth of Independent States
vulnerability: CVE-2025-10035
vulnerability: CVE-2023-21529
vulnerability: CVE-2023-27351
vulnerability: CVE-2023-27350
Context:
Microsoft says that Storm-1175, a China-based financially motivated cybercriminal group known for deploying Medusa ransomware payloads, has been deploying n-day and zero-day exploits in high-velocity attacks.
Microsoft links Medusa ransomware affiliate to zero-day attacks. Medusa ransomware group using zero-days to launch attacks within 24 hours of breach, Microsoft says.
A Microsoft spokesperson told Recorded Future News that the incidents are part of a growing trend where ransomware attackers weaponize vulnerabilities almost immediately.
In October, Microsoft reported that Storm-1175 had been exploiting a maximum-severity GoAnywhere MFT vulnerability (CVE-2025-10035) in Medusa ransomware attacks for over one week before it was patched.
Another vulnerability Storm-1175 exploited as a zero-day was CVE-2026-23760, an authentication bypass in SmarterTools' SmarterMail email server and collaboration tool.
The Microsoft blog highlights two recent bugs, CVE-2026-23760 in SmarterMail and CVE-2025-10035 in GoAnywhere Managed File Transfer, as examples of Medusa actors exploiting vulnerabilities one week before public disclosure.
"While these more recent attacks demonstrate an evolved development capability or new access to resources like exploit brokers for Storm-1175, it is worth noting that GoAnywhere MFT has previously been targeted by ransomware attackers, and that the SmarterMail vulnerability was reportedly similar to a previously disclosed flaw," Microsoft added.
"In recent campaigns, Storm-1175 has exploited more than 16 vulnerabilities across 10 software products, including Microsoft Exchange (CVE-2023-21529), Papercut (CVE-2023-27351 and CVE-2023-27350), Ivanti Connect Secure and Policy Secure (CVE-2023-46805 and CVE-2024-21887), and ConnectWise ScreenConnect (CVE-2024-1709 and CVE-2024-1708)."
Microsoft has also seen them exploit vulnerabilities in JetBrains TeamCity (CVE-2024-27198 and CVE-2024-27199), SimpleHelp (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728), CrushFTP (CVE-2025-31161), SmarterMail (CVE-2025-52691), and BeyondTrust (CVE-2026-1731).
While many attacks have lasted just 24 hours, Medusa incidents typically run for five to six days and rely heavily on legitimate remote management tools like ConnectWise ScreenConnect, AnyDesk and SimpleHelp.
The group, which emerged in 2021, has repeatedly shown a willingness to target healthcare facilities and municipal governments across the U.S. The group most recently claimed attacks on New Jersey's Passaic County and the University of Mississippi Medical Center (UMMC).
Experts believe the Medusa operation is based in Russia due to its avoidance of targets in the Commonwealth of Independent States, its Russian-language forum activity and the use of Cyrillic script in operational tools.
Tactical Metrics
infrastructure: 300 Critical Infrastructure Organizations (see the March 2025 CISA/FBI/MS-ISAC advisory in the timeline above)
infrastructure: SmarterMail, Affected Product (CVE-2026-23760 and CVE-2025-52691; see the 2026/04/06 timeline entry above)
infrastructure: Ivanti, Affected Product (Ivanti Connect Secure and Policy Secure, CVE-2023-46805 and CVE-2024-21887; see the 2026/04/06 timeline entry above)
Intelligence Sources
Data Breaches, 2026-04-06
TheRecord, 2026-04-06
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T12:05
Comprehensive Tactical Telemetry
Highly Correlated Entities
22x organisation (Identified Entity): Storm-1175 [entity]
16x vulnerability (Exploited CVE): CVE-2025-10035 [cve]
5x target region (Target Country): China [country]
5x attribution (Attributing Entity): CISA [authority]
4x timeline (Temporal Reference): March 2025 [date]
2x tactic (Cyber Operation Type): Ransomware [tactic]
2x infrastructure (Affected Product): Smartermail [software]
2x source region (Origin Region): CIS [region]
Contextual Telemetry (6 metrics)
infrastructure (Critical Infrastructure Organizations): 300 critical infrastructure organizations
general metric (Hours): 24 hours
malware (Malware Payload): Black Basta [tool]
general metric (Vulnerabilities): 16 vulnerabilities
general metric (Software Products): 10 software products
source region (Origin Country): Russian Federation [country]