Storm-1175: Threat Actor Profile

Storm-1175 is a financially motivated, China-based cybercriminal threat actor best known for deploying Medusa ransomware against internet-facing systems in the healthcare, education, finance, and professional services sectors. First tracked by Microsoft Threat Intelligence in 2023, the group operates at a tempo that sets it apart from most ransomware affiliates: it can move from initial access to full ransomware deployment in as little as 24 hours. Symantec tracks the same group under the name Spearwing. Microsoft’s naming convention classifies the group under both China and financially motivated origins, reflecting a threat actor whose infrastructure and activity patterns suggest Chinese nexus but whose operations are primarily driven by financial gain rather than espionage.

Background and Attribution

Microsoft Threat Intelligence began tracking Storm-1175 in 2023. The group’s earliest documented intrusions involved the OWASSRF exploit chain targeting on-premises Microsoft Exchange servers in July 2023, chaining CVE-2022-41080 for initial access through Outlook Web Access and CVE-2022-41082 to achieve remote code execution. This multi-vulnerability chaining approach became a defining characteristic of the group’s methodology.

Storm-1175 operates as a Medusa ransomware affiliate, meaning it uses Medusa’s ransomware-as-a-service infrastructure while the Medusa developers retain control over ransom negotiations. The group is not the exclusive Medusa operator. In July 2024, Microsoft also linked Storm-1175 to attacks deploying Black Basta and Akira ransomware through exploitation of a VMware ESXi authentication bypass vulnerability, indicating the group either works across multiple RaaS platforms or pivots payloads based on operational needs.

The group has no publicly known aliases beyond Spearwing (Symantec). Microsoft has not linked Storm-1175 to any specific Chinese state-sponsored threat cluster, and the available evidence points to a financially motivated criminal actor rather than a state-directed espionage operation.

Targets and Victims

Storm-1175 concentrates on English-speaking markets. Confirmed victim sectors include healthcare, education, professional services, and finance organizations in the United States, United Kingdom, and Australia. Healthcare organizations have borne the brunt of recent campaigns, according to Microsoft’s April 2026 assessment. The Medusa RaaS ecosystem that Storm-1175 operates within has a broader footprint: a joint advisory from the FBI, CISA, and MS-ISAC issued in March 2025 confirmed that Medusa affiliates had collectively impacted more than 300 critical infrastructure organizations across the United States as of February 2025, spanning medical, education, legal, insurance, technology, and manufacturing sectors.

Outside of the three primary countries, Medusa’s broader affiliate network has targeted organizations in Australia, Israel, India, Portugal, the UAE, and other countries. Storm-1175 specifically has shown a preference for organizations running unpatched, internet-facing enterprise software with high administrative value, including file transfer platforms, email servers, remote access gateways, and IT management tools.

Initial Access: Exploiting the Patch Gap

Storm-1175’s defining operational characteristic is its ability to weaponize newly disclosed vulnerabilities before organizations have had time to apply patches. The group systematically targets the window between public vulnerability disclosure and widespread patch adoption. Since 2023, Microsoft has attributed exploitation of more than 16 vulnerabilities to Storm-1175 across 10 software products. In some of the most aggressive documented cases, the group operationalized an exploit within a single day of public disclosure — as observed with CVE-2025-31324 in SAP NetWeaver, which was disclosed on April 24, 2025, and exploited by Storm-1175 the following day.

The group has also demonstrated zero-day capability on at least 3 occasions. Both CVE-2025-10035, a maximum-severity deserialization flaw in Fortra GoAnywhere MFT (CVSS 10.0), and CVE-2026-23760, an authentication bypass in SmarterTools SmarterMail, were exploited by Storm-1175 a full week before public disclosure. A third zero-day remains unidentified, tied to Oracle WebLogic exploitation observed in late 2024. Microsoft noted that both confirmed zero-days shared structural similarities with previously disclosed vulnerabilities in the same products, suggesting the group may have developed or purchased exploits by studying earlier, related flaws.

The full list of CVEs attributed to Storm-1175 since 2023 includes:

  • CVE-2022-41080 and CVE-2022-41082 (Microsoft Exchange, OWASSRF chain)
  • CVE-2023-21529 (Microsoft Exchange)
  • CVE-2023-27351 and CVE-2023-27350 (PaperCut)
  • CVE-2023-46805 and CVE-2024-21887 (Ivanti Connect Secure and Policy Secure)
  • CVE-2024-1708 and CVE-2024-1709 (ConnectWise ScreenConnect)
  • CVE-2024-27198 and CVE-2024-27199 (JetBrains TeamCity)
  • CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 (SimpleHelp)
  • CVE-2025-31161 (CrushFTP)
  • CVE-2025-31324 (SAP NetWeaver, exploited day after disclosure)
  • CVE-2025-10035 (Fortra GoAnywhere MFT, exploited as zero-day)
  • CVE-2025-52691 (SmarterTools SmarterMail)
  • CVE-2026-23760 (SmarterTools SmarterMail, exploited as zero-day)
  • CVE-2026-1731 (BeyondTrust)

Post-Compromise Playbook

Once inside a network, Storm-1175 follows a consistent and well-rehearsed attack chain. The group establishes an initial foothold by dropping a web shell or remote access payload, then immediately creates new local administrator accounts to ensure persistent access even if the initial entry point is closed. From that position, lateral movement begins using a combination of living-off-the-land binaries — primarily PowerShell and PsExec — alongside Cloudflare tunnels that the group renames to mimic legitimate Windows binaries like conhost.exe to blend into normal traffic. Where RDP is blocked by policy, Storm-1175 has been observed modifying Windows Firewall rules directly to re-enable it.

Remote monitoring and management tools play a central role throughout the post-compromise phase. Storm-1175 has been observed deploying Atera RMM, Level RMM, N-able, DWAgent, MeshAgent, ConnectWise ScreenConnect, AnyDesk, and SimpleHelp for persistence, command-and-control, and payload delivery. These tools allow the group to blend malicious traffic into trusted, encrypted channels and significantly reduce detection likelihood. Impacket is used for lateral movement and credential dumping via LSASS. Mimikatz handles additional credential harvesting, and the group also enables WDigest credential caching via registry modification to capture plaintext passwords. With domain controller access, Storm-1175 extracts the NTDS.dit Active Directory database for offline cracking and accesses the Security Account Manager for configuration data. The group has also been observed extracting credentials stored in Veeam backup software to expand access to connected systems.

Before deploying ransomware, Storm-1175 systematically tampers with defenses. The group modifies Microsoft Defender Antivirus registry settings to disable protection and adds C:\ to the antivirus exclusion paths, allowing payloads to execute without triggering alerts. Data exfiltration precedes encryption: Bandizip stages files and Rclone transfers them to attacker-controlled cloud storage, enabling continuous exfiltration throughout the intrusion without manual interaction. Medusa ransomware is then deployed network-wide via PDQ Deployer executing a script called RunFileCopy.cmd, or, in more aggressive cases, via a Group Policy update that simultaneously encrypts every domain-joined machine.
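The playbook above maps onto a handful of host telemetry checks. The following is an added example, not from the original post or from Microsoft: simplified detection logic for the new-local-admin, renamed-conhost.exe tunnel, WDigest, Defender-exclusion and RunFileCopy.cmd steps, run over constructed sample events whose field names loosely follow Sysmon process/registry events and Windows Security 4720/4732 (an assumed, simplified schema, not a real log format).

```python
import ntpath
from collections import Counter

# Registry locations tied to two of the defense-tampering steps above (lowercased for comparison).
WDIGEST = r"hklm\system\currentcontrolset\control\securityproviders\wdigest\uselogoncredential"
DEFENDER_EXCL = r"hklm\software\microsoft\windows defender\exclusions\paths"


def check_event(ev):
    """Return the single-event detections this (simplified, Sysmon-like) record triggers."""
    alerts = []
    if ev["type"] == "registry_set":
        if ev["key"].lower() == WDIGEST and str(ev.get("data")) == "1":
            alerts.append("wdigest_plaintext_caching")
        if ev["key"].lower() == DEFENDER_EXCL and ev.get("value", "").rstrip("\\").lower() == "c:":
            alerts.append("defender_excludes_root_drive")
    elif ev["type"] == "process_create":
        name = ntpath.basename(ev["image"]).lower()
        folder = ntpath.dirname(ev["image"]).lower()
        # conhost.exe outside System32, or whose PE metadata says it is really cloudflared
        if name == "conhost.exe" and (folder != r"c:\windows\system32"
                                      or ev.get("original_file_name", "").lower() == "cloudflared.exe"):
            alerts.append("renamed_cloudflare_tunnel")
        if "runfilecopy.cmd" in ev.get("command_line", "").lower():
            alerts.append("pdq_ransomware_staging")
    return alerts


def new_local_admins(events):
    """Correlate account creation with a later add to Administrators (4720 then 4732)."""
    created = {e["user"].lower() for e in events if e["type"] == "user_created"}
    return sorted({e["member"].lower() for e in events if e["type"] == "group_member_added"
                   and e["group"].lower() == "administrators" and e["member"].lower() in created})


def triage(events):
    """Count every alert across a batch of events."""
    hits = Counter(a for ev in events for a in check_event(ev))
    for user in new_local_admins(events):
        hits["new_local_admin:" + user] += 1
    return dict(hits)


# Constructed sample events (not real telemetry), one per playbook step, plus a benign conhost.exe.
SAMPLE_EVENTS = [
    {"type": "user_created", "user": "svc_helpdesk2"},
    {"type": "group_member_added", "group": "Administrators", "member": "svc_helpdesk2"},
    {"type": "process_create", "image": r"C:\ProgramData\conhost.exe", "original_file_name": "cloudflared.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\conhost.exe", "original_file_name": "CONHOST.EXE"},
    {"type": "registry_set", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential", "data": 1},
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths", "value": "C:\\", "data": 0},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe", "command_line": r"cmd.exe /c RunFileCopy.cmd"},
]
```

The legitimate System32 conhost.exe produces no alert, while each of the other events maps to exactly one of the playbook's stages.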

Ransomware and Extortion

Storm-1175 operates as a Medusa RaaS affiliate, leveraging Medusa’s double extortion model: victim data is both encrypted and exfiltrated, with the threat of public release on Medusa’s leak site used as additional leverage if the ransom is not paid. CISA has documented at least one case within the broader Medusa ecosystem where a victim paid the ransom and was subsequently contacted by a separate actor claiming the negotiator had stolen the payment, demanding an additional payment for the “true decryptor” — a potential triple extortion scheme. Ransom demands from the broader Medusa RaaS operation range from $100 to $1 million, with the developers retaining control over negotiations even as affiliates handle the intrusions.

Linux Targeting

As of late 2024, Storm-1175 expanded beyond Windows environments, with Microsoft identifying exploitation of vulnerable Oracle WebLogic instances across multiple organizations. The specific vulnerability exploited in those attacks has not been publicly identified. This expansion into Linux infrastructure broadens the group’s potential victim pool and signals continued capability development beyond its historically Windows-focused playbook.

Intelligence and Research References

The primary public documentation on Storm-1175 comes from Microsoft Threat Intelligence, which has published 2 dedicated reports on the group: an October 2025 advisory on active exploitation of CVE-2025-10035 and a comprehensive April 2026 profile on Storm-1175’s high-tempo ransomware operations. The FBI, CISA, and MS-ISAC joint advisory on Medusa ransomware, published March 12, 2025, provides broader context on the RaaS ecosystem Storm-1175 operates within.

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.
