Microsoft flags China-based hackers using vicious new ‘rapid attack’ zero-days to launch ransomware at targets across the world
- Storm-1175 rapidly moves from access to ransomware deployment
- Exploits zero-days and n-days across multiple products
- Targets healthcare, finance, education, and professional services
Chinese-speaking hacking collective Storm-1175 is moving fast, going from initial access to full system compromise and data exfiltration in weeks, and sometimes in less than 24 hours, experts have warned.
A new report from Microsoft claims the group was seen leveraging multiple flaws, both zero-days and n-days, in their activities. In some cases, they would even chain various flaws together for better outcomes.
As per the report, Storm-1175 is not a state-sponsored actor, but rather a standalone group interested in profit. They are targeting primarily healthcare organizations, education firms, professional services providers, and companies in the finance sector. Victims are mostly located in the United States, United Kingdom, and Australia.
Dozens of vulnerabilities
The key takeaway here is the speed at which the group operates: “Following successful exploitation, Storm-1175 rapidly moves from initial access to data exfiltration and deployment of Medusa ransomware, often within a few days and, in some cases, within 24 hours,” the researchers said. “The threat actor’s high operational tempo and proficiency in identifying exposed perimeter assets have proven successful.”
For initial access, the group slaloms between zero-days and n-days. For zero-days, they were seen abusing bugs even a week before public disclosure, and for n-days, they would try to exploit them as soon as possible after disclosure – giving defenders very little time to deploy patches and mitigations.
So far, more than 16 vulnerabilities affecting 10 products have been identified. These include Microsoft Exchange (CVE-2023-21529), PaperCut (CVE-2023-27351 and CVE-2023-27350), Ivanti Connect Secure and Policy Secure (CVE-2023-46805 and CVE-2024-21887), and ConnectWise ScreenConnect (CVE-2024-1709 and CVE-2024-1708).
Other notable mentions include bugs in JetBrains TeamCity (CVE-2024-27198 and CVE-2024-27199), SimpleHelp (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728), CrushFTP (CVE-2025-31161), SmarterMail (CVE-2025-52691), and BeyondTrust (CVE-2026-1731).
After breaking in, the crooks would deploy a range of different tools to enable lateral movement, persistence, and stealth. Before deploying the Medusa ransomware variant, they would disable any antivirus or endpoint protection tools installed on the victim's systems.