Storm-1175: China-Based Threat Actor Exploits Zero-Days and N-Days in High-Speed Ransomware Attacks
A China-linked threat actor, tracked as Storm-1175, has been identified as the force behind a surge of high-velocity ransomware attacks, leveraging a mix of zero-day and N-day vulnerabilities to breach internet-facing systems. According to Microsoft Threat Intelligence, the group has demonstrated rapid operational tempo, targeting organizations in healthcare, education, professional services, and finance across Australia, the UK, and the U.S.
Storm-1175 has exploited at least 16 vulnerabilities since 2023, including CVE-2025-10035 and CVE-2026-23760, which were weaponized as zero-days before public disclosure. The group has also chained multiple exploits (e.g., OWASSRF) for post-compromise activity, often gaining initial access through recently disclosed flaws before patches are widely deployed.
Once inside a network, the financially motivated actor moves swiftly, exfiltrating data and deploying Medusa ransomware within 24 hours in some cases. Persistence is established through new user accounts, web shells, or legitimate remote monitoring and management (RMM) tools, while security defenses are disrupted via credential theft, firewall manipulation, and antivirus exclusions.
Recent attacks have expanded to Linux systems, including vulnerable Oracle WebLogic instances, though the exact exploited flaw remains unidentified. Storm-1175’s tactics include:
- Living-off-the-land binaries (LOLBins) like PowerShell, PsExec, and Impacket for lateral movement.
- PDQ Deployer for payload delivery, including Medusa ransomware.
- Credential dumping via Mimikatz and Impacket.
- Data exfiltration using Bandizip and Rclone.
- Abuse of RMM tools (e.g., AnyDesk, Atera, ConnectWise ScreenConnect) to blend malicious traffic with legitimate encrypted communications.
The group’s ability to rotate exploits quickly, capitalizing on the window between disclosure and patch adoption, highlights the growing threat of dual-use infrastructure in cyberattacks.
Source: https://thehackernews.com/2026/04/china-linked-storm-1175-exploits-zero.html
Oracle cybersecurity rating report: https://www.rankiteo.com/company/oracle
Microsoft Threat Intelligence cybersecurity rating report: https://www.rankiteo.com/company/microsoft-threat-intelligence
"id": "ORAMIC1775551007",
"linkid": "oracle, microsoft-threat-intelligence",
"type": "Ransomware",
"date": "1/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"