{"id":60439,"date":"2026-04-06T16:00:00","date_gmt":"2026-04-06T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=146341"},"modified":"2026-04-06T16:00:00","modified_gmt":"2026-04-06T16:00:00","slug":"storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/","title":{"rendered":"Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations"},"content":{"rendered":"<p class=\"wp-block-paragraph\">The financially motivated cybercriminal actor tracked by Microsoft Threat Intelligence as Storm-1175 operates high-velocity ransomware campaigns that weaponize N-days, targeting vulnerable, web-facing systems during the window between vulnerability disclosure and widespread patch adoption. 
Following successful exploitation, Storm-1175 rapidly moves from initial access to data exfiltration and deployment of Medusa ransomware, often within a few days and, in some cases, within 24 hours. The threat actor\u2019s high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, the United Kingdom, and the United States.<\/p>\n<p class=\"wp-block-paragraph\">The pace of Storm-1175\u2019s campaigns is enabled by the threat actor\u2019s consistent use of recently disclosed vulnerabilities to obtain initial access. While the threat actor typically uses N-day vulnerabilities, we have also observed Storm-1175 leveraging zero-day exploits, in some cases a full week before public vulnerability disclosure. The threat actor has also been observed chaining together multiple exploits to enable post-compromise activity. After initial access, Storm-1175 establishes persistence by creating new user accounts, deploys various tools including remote monitoring and management software for lateral movement, conducts credential theft, and tampers with security solutions before deploying ransomware throughout the compromised environment.<\/p>\n<p class=\"wp-block-paragraph\">In this blog post, we delve into the attack techniques attributed to Storm-1175 over several years. 
While Storm-1175\u2019s methodology aligns with the tactics, techniques, and procedures (TTPs) of many tracked ransomware actors, analysis of their post-compromise tactics provides essential insights into how organizations can harden and defend against attackers like Storm-1175, informing opportunities to disrupt attackers even if they have gained initial access to a network.<\/p>\n<h2 class=\"wp-block-heading\" id=\"storm-1175-s-rapid-attack-chain-from-initial-access-to-impact\">Storm-1175\u2019s rapid attack chain: From initial access to impact<\/h2>\n<p class=\"wp-block-paragraph\"><strong>Exploitation of vulnerable web-facing assets<\/strong><\/p>\n<p class=\"wp-block-paragraph\">Storm-1175 rapidly weaponizes recently disclosed vulnerabilities to obtain initial access. Since 2023, Microsoft Threat Intelligence has observed exploitation of over 16 vulnerabilities, including:<\/p>\n<p class=\"wp-block-paragraph\">Storm-1175 rotates exploits quickly during the time between disclosure and patch availability or adoption, taking advantage of the period where many organizations remain unprotected. In some cases, Storm-1175 has weaponized exploits for disclosed vulnerabilities in as little as one day, as was the case for CVE-2025-31324 impacting SAP NetWeaver: the security issue was disclosed on April 24, 2025, and we observed Storm-1175 exploitation soon after on April 25.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Storm-1175-exploitation-1.webp\" alt=\"Diagram showing timeline of Storm-1175 exploitation, of various vulnerabilities over the years, including date of disclosure and date of weaponization\" class=\"wp-image-146347 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Storm-1175-exploitation-1.webp\"><figcaption class=\"wp-element-caption\">Figure 1. 
Timeline of disclosure and exploitation of vulnerabilities used by Storm-1175 in campaigns<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">In multiple intrusions, Storm-1175 has chained together exploits to enable post-compromise activities like remote code execution (RCE). For example, in July 2023, Storm-1175 exploited two vulnerabilities affecting on-premises Microsoft Exchange Servers, <a href=\"https:\/\/www.crowdstrike.com\/en-us\/blog\/owassrf-exploit-analysis-and-recommendations\/\">dubbed \u201cOWASSRF\u201d by public researchers<\/a>: exploitation of CVE-2022-41080 provided initial access by exposing Exchange PowerShell via Outlook Web Access (OWA), and Storm-1175 subsequently exploited CVE-2022-41082 to achieve remote code execution.<\/p>\n<p class=\"wp-block-paragraph\">Storm-1175 has also demonstrated a capability for targeting Linux systems: in late 2024, Microsoft Threat Intelligence identified the exploitation of vulnerable Oracle WebLogic instances across multiple organizations, though we were unable to identify the exact vulnerability being exploited in these attacks.<\/p>\n<p class=\"wp-block-paragraph\">Finally, we have also observed the use of at least three zero-day vulnerabilities including, most recently, CVE-2026-23760 in SmarterMail, which was exploited by Storm-1175 the week prior to public disclosure, and CVE-2025-10035 in GoAnywhere Managed File Transfer, also exploited one week before public disclosure. 
While these more recent attacks demonstrate an evolved development capability or new access to resources like exploit brokers for Storm-1175, it is worth noting that GoAnywhere MFT has previously been targeted by ransomware attackers, and that the SmarterMail vulnerability was reportedly <a href=\"https:\/\/labs.watchtowr.com\/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass\/\">similar to a previously disclosed flaw<\/a>; these factors may have helped to facilitate subsequent zero-day exploitation activity by Storm-1175, who still primarily leverages N-day vulnerabilities. Regardless, as attackers increasingly become more adept at identifying new vulnerabilities, understanding your digital footprint\u2014such as through the use of public scanning interfaces like <a href=\"https:\/\/www.microsoft.com\/security\/business\/cloud-security\/microsoft-defender-external-attack-surface-management\">Microsoft Defender External Attack Surface Management<\/a>\u2014is essential to defending against perimeter network attacks.<\/p>\n<h3 class=\"wp-block-heading\" id=\"covert-persistence-and-lateral-movement\">Covert persistence and lateral movement<\/h3>\n<p class=\"wp-block-paragraph\">During exploitation, Storm-1175 typically creates a web shell or drops a remote access payload to establish their initial hold in the environment. 
From this point, Microsoft Threat Intelligence has observed Storm-1175 moving from initial access to ransomware deployment in as little as one day, though many of the actor\u2019s attacks have occurred over a period of five to six days.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Storm-1175-attack-chain.webp\" alt=\"Diagram showing the Storm-1175 attack chain from Exploitation to Impact\" class=\"wp-image-146345 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Storm-1175-attack-chain.webp\"><figcaption class=\"wp-element-caption\">Figure 2. Storm-1175 attack chain<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">On the initially compromised device, the threat actor often establishes persistence by creating a new user and adding that user to the administrators group:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Storm-1175-figure3.webp\" alt=\"Screenshot of code for creating new user account and adding as administrator\" class=\"wp-image-146352 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Storm-1175-figure3.webp\"><figcaption class=\"wp-element-caption\">Figure 3. Storm-1175 creates a new user account and adds it as an administrator<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">From this account, Storm-1175 begins their reconnaissance and lateral movement activity. Storm-1175 has a rotation of tools to accomplish these subsequent attack stages. 
Most commonly, we observe the use of living-off-the-land binaries (LOLBins), including PowerShell and PsExec, followed by the use of Cloudflare tunnels (renamed to mimic legitimate binaries like <em>conhost.exe<\/em>) to move laterally over Remote Desktop Protocol (RDP) and deliver payloads to new devices. If RDP is not allowed in the environment, Storm-1175 has been observed using administrator privileges to modify the Windows Firewall policy to enable Remote Desktop.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Storm-1175-figure4.webp\" alt=\"Screenshot of code for modifying the firewall and enabling RDP\" class=\"wp-image-146353 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Storm-1175-figure4.webp\"><figcaption class=\"wp-element-caption\">Figure 4. From an initial foothold after the compromise of a SmarterMail application, Storm-1175 modifies the firewall and enables remote desktop access for lateral movement, writing the results of the command to a TXT file<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">Storm-1175 has also demonstrated a heavy reliance on remote monitoring and management (RMM) tools during post-compromise activity. 
Since 2023, Storm-1175 has used multiple RMMs, including:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Atera RMM<\/li>\n<li class=\"wp-block-list-item\">Level RMM<\/li>\n<li class=\"wp-block-list-item\">N-able<\/li>\n<li class=\"wp-block-list-item\">DWAgent<\/li>\n<li class=\"wp-block-list-item\">MeshAgent<\/li>\n<li class=\"wp-block-list-item\">ConnectWise ScreenConnect<\/li>\n<li class=\"wp-block-list-item\">AnyDesk<\/li>\n<li class=\"wp-block-list-item\">SimpleHelp<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">While often used by enterprise IT teams, these RMM tools have multi-pronged functionality that could also allow adversaries to maintain persistence in a compromised network, create new user accounts, enable an alternative command-and-control (C2) method, deliver additional payloads, or serve as an interactive remote desktop session.<\/p>\n<p class=\"wp-block-paragraph\">In many attacks, Storm-1175 relies on PDQ Deployer, a legitimate software deployment tool that lets system administrators silently install applications, for both lateral movement and payload delivery, including ransomware deployment throughout the network.<\/p>\n<p class=\"wp-block-paragraph\">Additionally, Storm-1175 has leveraged Impacket for lateral movement. Impacket is a collection of open-source Python classes designed for working with network protocols, and it is popular with adversaries due to its ease of use and wide range of capabilities. 
Microsoft Defender for Endpoint has a dedicated attack surface reduction rule to defend against lateral movement techniques used by Impacket: <a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/attack-surface-reduction-rules-reference#block-process-creations-originating-from-psexec-and-wmi-commands\">Block process creations originating from PSExec and WMI commands<\/a>; <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/26\/how-to-prevent-lateral-movement-attacks-using-microsoft-365-defender\/\">protecting lateral movement pathways<\/a> can also mitigate Impacket.<\/p>\n<h3 class=\"wp-block-heading\" id=\"credential-theft\">Credential theft<\/h3>\n<p class=\"wp-block-paragraph\">Impacket is further used to facilitate credential dumping through LSASS; the threat actor also leveraged the commodity credential theft tool Mimikatz in identified intrusions in 2025. Additionally, Storm-1175 has relied on known living-off-the-land techniques for stealing credentials, such as modifying the registry entry <em>UseLogonCredential<\/em> to turn on WDigest credential caching, or using Task Manager to dump LSASS credentials; for both of these attack techniques, the threat actor must obtain local administrative privileges to modify these resources. The attack surface reduction rule <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-reference?ocid=magicti_ta_learndoc#block-credential-stealing-from-the-windows-local-security-authority-subsystem\">block credential stealing from LSASS<\/a> can limit the effectiveness of this type of attack, as can, more broadly, limiting the use of local administrator rights by end users. 
Ensuring that local administrator passwords are not shared through the environment can also reduce the risk of these LSASS dumping techniques.<\/p>\n<p class=\"wp-block-paragraph\">We have also observed that after gaining administrator credentials, Storm-1175 has used a script to recover passwords from Veeam backup software, which is used to connect to remote hosts, therefore enabling ransomware deployment to additional connected systems.<\/p>\n<p class=\"wp-block-paragraph\">With sufficient privileges, Storm-1175 can then use tools like PsExec to pivot to a Domain Controller, where they have accessed the NTDS.dit dump, a copy of the Active Directory database which contains user data and passwords that can be cracked offline. This privileged position has also granted Storm-1175 access to the security account manager (SAM), which provides detailed configuration and security settings, enabling an attacker to understand and manipulate the system environment on a much wider scale.<\/p>\n<h3 class=\"wp-block-heading\" id=\"security-tampering-for-ransomware-delivery\">Security tampering for ransomware delivery<\/h3>\n<p class=\"wp-block-paragraph\">Storm-1175 modifies the Microsoft Defender Antivirus settings stored in the registry to tamper with the antivirus software and prevent it from blocking ransomware payloads; in order to accomplish this, an attacker must have access to highly privileged accounts that can modify the registry directly. For this reason, prioritizing alerts related to credential theft activity, which typically indicate an active attacker in the environment, is essential to responding to ransomware signals and preventing attackers from gaining privileged account access.<\/p>\n<p class=\"wp-block-paragraph\">Storm-1175 has also used encoded PowerShell commands to add the <em>C:\\<\/em> drive to the antivirus exclusion path, preventing the security solution from scanning the drive and allowing payloads to run without any alerts. 
Defenders can harden against these tampering techniques by combining tamper protection with the <em>DisableLocalAdminMerge<\/em> setting, which prevents attackers from using local administrator privileges to set antivirus exclusions.<\/p>\n<h3 class=\"wp-block-heading\" id=\"data-exfiltration-and-ransomware-deployment\">Data exfiltration and ransomware deployment<\/h3>\n<p class=\"wp-block-paragraph\">Like other <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/09\/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself\/\">ransomware as a service<\/a> (RaaS) offerings, Medusa offers a leak site to facilitate double extortion operations for its affiliates: attackers not only encrypt data, but steal the data and hold it for ransom, threatening to leak the files publicly if a ransom is not paid. To that aim, Storm-1175 often uses Bandizip to collect files and Rclone for data exfiltration. Data synchronization tools like Rclone allow threat actors to easily transfer large volumes of data to a remote attacker-owned cloud resource. These tools also provide data synchronization capabilities, moving newly created or updated files to cloud resources in real-time to enable continuous exfiltration throughout all stages of the attack without needing attacker interaction.<\/p>\n<p class=\"wp-block-paragraph\">Finally, having gained sufficient access throughout the network, Storm-1175 frequently leverages PDQ Deployer to launch a script (<em>RunFileCopy.cmd<\/em>) and deliver Medusa ransomware payloads. 
In some cases, Storm-1175 has alternatively used highly privileged access to create a Group Policy update to broadly deploy ransomware.<\/p>\n<h2 class=\"wp-block-heading\" id=\"mitigation-and-protection-guidance\">Mitigation and protection guidance<\/h2>\n<p class=\"wp-block-paragraph\">To defend against Storm-1175 TTPs and similar activity, Microsoft recommends the following mitigation measures:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Use a perimeter scanning tool like Microsoft Defender External Attack Surface Management to understand your organization\u2019s digital footprint and potential attack surface. Targeting web-facing vulnerabilities continues to be one of the most effective attack methods for initial access.<\/li>\n<li class=\"wp-block-list-item\">Ensure any web-facing systems are isolated from the public internet with a secure network boundary and access them with a virtual private network (VPN). If certain servers must be accessible on the public internet, position them behind a <a href=\"https:\/\/azure.microsoft.com\/products\/web-application-firewall\/\">web application firewall (WAF)<\/a>, <a href=\"https:\/\/microsoft.github.io\/reverse-proxy\/articles\/getting-started.html\">reverse proxy<\/a>, or <a href=\"https:\/\/learn.microsoft.com\/azure\/architecture\/reference-architectures\/dmz\/secure-vnet-dmz\">perimeter network<\/a> (also known as a DMZ), which can reduce the risk of vulnerability exploitation in some cases.<\/li>\n<li class=\"wp-block-list-item\">Follow the&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/05\/09\/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself\/#defending-against-ransomware?ocid=magicti_ta_blog\" target=\"_blank\" rel=\"noreferrer noopener\">defending against ransomware<\/a>&nbsp;guidance in Microsoft\u2019s ransomware as a service blog post, which details how to build credential hygiene as well as how to limit lateral 
movement using the principle of least privilege.<\/li>\n<li class=\"wp-block-list-item\">Implement <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/identity-protection\/credential-guard\/how-it-works\">Credential Guard<\/a>, a critical security feature that protects credentials stored in process memory in the LSA process <em>lsass.exe<\/em>. Credential Guard is turned on by default in Windows 11. However, if Credential Guard was previously disabled on a device, updating a device to Windows 11 does not override that setting, and Credential Guard will need to be re-enabled. Additionally, Credential Guard should be enabled before a device is joined to a domain or before a domain user signs in for the first time. If Credential Guard is enabled after domain join, the user and device secrets may already be compromised. Credential Guard&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/identity-protection\/credential-guard\/configure?tabs=intune#enable-credential-guard\">can be enabled using Group Policy, the registry, or Microsoft Intune<\/a>.<\/li>\n<li class=\"wp-block-list-item\">Turn on&nbsp;tenant-wide&nbsp;<a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/prevent-changes-to-security-settings-with-tamper-protection?ocid=magicti_ta_learndoc\">tamper protection<\/a>&nbsp;features&nbsp;to prevent attackers from stopping security services or using antivirus exclusions. Without tamper protection, attackers could simply turn off Microsoft Defender Antivirus without the need to acquire higher privileges.<\/li>\n<li class=\"wp-block-list-item\">For approved RMM systems used in your environment, enforce security settings where possible to implement MFA. If an unapproved RMM installation is discovered in your network, reset passwords for accounts used to install the RMM services. 
If a System-level account was used to install the software, further investigation may be warranted.<\/li>\n<li class=\"wp-block-list-item\">Configure&nbsp;<a href=\"https:\/\/learn.microsoft.com\/defender-xdr\/configure-attack-disruption\">automatic attack disruption<\/a>&nbsp;in Microsoft Defender XDR. Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization\u2019s assets, and provide more time for security teams to remediate the attack fully.<\/li>\n<li class=\"wp-block-list-item\">Microsoft Defender XDR customers can turn on&nbsp;<a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction?view=o365-worldwide\">attack surface reduction rules<\/a>&nbsp;to prevent common attack techniques used in ransomware attacks: <\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"microsoft-defender-detections\">Microsoft Defender detections<\/h2>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.microsoft.com\/security\/business\/microsoft-defender\">Microsoft Defender<\/a> customers can refer to the list of applicable detections below. 
Microsoft Defender coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"30\">\n<tr readability=\"2\">\n<td><strong>Tactic<\/strong>&nbsp;<\/td>\n<td><strong>Observed activity<\/strong>&nbsp;<\/td>\n<td><strong>Microsoft Defender coverage<\/strong>&nbsp;<\/td>\n<\/tr>\n<tr readability=\"7\">\n<td>Initial Access<\/td>\n<td>Storm-1175 exploits vulnerable web-facing applications<\/td>\n<td><strong>Microsoft Defender for Endpoint<\/strong> <br \/>\u2013 Ransomware-linked threat actor detected<br \/>\u2013 Possible Beyond Trust software vulnerability exploitation<br \/>\u2013 Possible exploitation of&nbsp;GoAnywhere MFT vulnerability<br \/>\u2013 Possible SAP NetWeaver vulnerability exploitation<br \/>\u2013 Possible exploitation of JetBrains TeamCity vulnerability<br \/>\u2013 Suspicious command execution via ScreenConnect<br \/>\u2013 Suspicious service launched<\/td>\n<\/tr>\n<tr readability=\"8\">\n<td>Persistence and privilege escalation<\/td>\n<td>Storm-1175 creates new user accounts under administrative groups using the <em>net<\/em> command<\/td>\n<td><strong>Microsoft Defender for Endpoint<\/strong> <br \/>\u2013 User account created under suspicious circumstances<br \/>\u2013 New local admin added using Net commands<br \/>\u2013 New group added suspiciously<br \/>\u2013 Suspicious account creation<br \/>\u2013 Suspicious Windows account manipulation<br \/>\u2013 Anomalous account lookups<\/td>\n<\/tr>\n<tr readability=\"8.5\">\n<td>Credential theft<\/td>\n<td>Storm-1175 dumps credentials from LSASS, or uses a privileged position from the Domain Controller to access NTDS.dit and SAM hive<\/td>\n<td readability=\"6\"><p><strong>Microsoft Defender Antivirus<\/strong> <br \/>\u2013 Behavior:Win32\/SAMDumpz<\/p>\n<p><strong>Microsoft 
Defender for Endpoint<\/strong> <br \/>\u2013 Exposed credentials at risk of compromise<br \/>\u2013 Compromised account credentials<br \/>\u2013 Process memory dump<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"10\">\n<td>Persistence, lateral movement<\/td>\n<td>Storm-1175 uses RMM tools for persistence, payload delivery, and lateral movement<\/td>\n<td><strong>Microsoft Defender for Endpoint<\/strong> <br \/>\u2013 Suspicious Atera activity<br \/>\u2013 File dropped and launched from remote location<\/td>\n<\/tr>\n<tr readability=\"10\">\n<td>Execution<\/td>\n<td>Storm-1175 delivers tools such as PsExec or leverages LOLBins like PowerShell to carry out post-compromise activity<\/td>\n<td readability=\"7\"><p><strong>Microsoft Defender Antivirus<\/strong> <br \/>\u2013 Behavior:Win32\/PsexecRemote<\/p>\n<p><strong>Microsoft Defender for Endpoint<\/strong> <br \/>\u2013 Hands-on-keyboard attack involving multiple devices<br \/>\u2013 Remote access software<br \/>\u2013 Suspicious PowerShell command line<br \/>\u2013 Suspicious PowerShell download or encoded command execution<br \/>\u2013 Ransomware-linked threat actor detected<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>Exfiltration<\/td>\n<td>Storm-1175 uses the sync tool Rclone to steal documents<\/td>\n<td><strong>Microsoft Defender for Endpoint<\/strong> <br \/>\u2013 Potential human-operated malicious activity<br \/>\u2013 Renaming of legitimate tools for possible data exfiltration<br \/>\u2013 Possible data exfiltration<br \/>\u2013 Hidden dual-use tool launch attempt<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>Defense evasion<\/td>\n<td>Storm-1175 disables Windows Defender<\/td>\n<td><strong>Microsoft Defender for Endpoint<\/strong> <br \/>\u2013 Defender detection bypass<br \/>\u2013 Attempt to turn off Microsoft Defender Antivirus protection<\/td>\n<\/tr>\n<tr readability=\"9.5\">\n<td>Impact<\/td>\n<td>Storm-1175 deploys Medusa ransomware<\/td>\n<td readability=\"8\"><p><strong>Microsoft Defender 
Antivirus<\/strong> <br \/>\u2013 Ransom:Win32\/Medusa <\/p>\n<p><strong>Microsoft Defender for Endpoint<\/strong> <br \/>\u2013 Possible ransomware activity based on a known malicious extension<br \/>\u2013 Possible compromised user account delivering ransomware-related files<br \/>\u2013 Potentially compromised assets exhibiting ransomware-like behavior<br \/>\u2013 Ransomware behavior detected in the file system<br \/>\u2013 File dropped and launched from remote location<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h3 class=\"wp-block-heading\" id=\"microsoft-security-copilot\">Microsoft Security Copilot<\/h3>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/ai-machine-learning\/microsoft-security-copilot\">Microsoft Security Copilot<\/a> is <a href=\"https:\/\/learn.microsoft.com\/defender-xdr\/security-copilot-in-microsoft-365-defender\">embedded in Microsoft Defender<\/a> and provides security teams with AI-powered capabilities to summarize incidents, analyze files and scripts, summarize identities, use guided responses, and generate device summaries, hunting queries, and incident reports.<\/p>\n<p class=\"wp-block-paragraph\">Customers can also <a href=\"https:\/\/learn.microsoft.com\/defender-xdr\/security-copilot-agents-defender\">deploy AI agents<\/a>, including the following <a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/agents-overview\">Microsoft Security Copilot agents<\/a>, to perform security tasks efficiently:<\/p>\n<p class=\"wp-block-paragraph\">Security Copilot is also available as a <a href=\"https:\/\/learn.microsoft.com\/en-us\/copilot\/security\/experiences-security-copilot\">standalone experience<\/a> where customers can perform specific security-related tasks, such as incident investigation, user analysis, and vulnerability impact assessment. 
In addition, Security Copilot offers <a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/developer\/custom-agent-overview\">developer scenarios<\/a> that allow customers to build, test, publish, and integrate AI agents and plugins to meet unique security needs.<\/p>\n<h3 class=\"wp-block-heading\" id=\"threat-intelligence-reports\">Threat intelligence reports<\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Defender XDR customers can use the following <a href=\"https:\/\/learn.microsoft.com\/defender-xdr\/threat-analytics\">threat analytics<\/a> reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.<\/p>\n<h2 class=\"wp-block-heading\" id=\"indicators-of-compromise\">Indicators of compromise<\/h2>\n<p class=\"wp-block-paragraph\">The following indicators are gathered from identified Storm-1175 attacks during 2026.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"5.5\">\n<tr>\n<td><strong>Indicator<\/strong><\/td>\n<td><strong>Type<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<td><strong>First seen<\/strong><\/td>\n<td><strong>Last seen<\/strong><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>0cefeb6210b7103fd32b996beff518c9b6e1691a97bb1cda7f5fb57905c4be96<\/td>\n<td>SHA-256<\/td>\n<td><em>Gaze.exe<\/em> (Medusa Ransomware)<\/td>\n<td>2026-03-01<\/td>\n<td>2026-03-01<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td>9632d7e4a87ec12fdd05ed3532f7564526016b78972b2cd49a610354d672523c *Note that we have seen this hash in ransomware intrusions by other threat actors since 2024 as well<\/td>\n<td>SHA-256<\/td>\n<td><em>lsp.exe<\/em> (Rclone)<\/td>\n<td>2024-04-01 
<\/td>\n<td>2026-02-18<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>e57ba1a4e323094ca9d747bfb3304bd12f3ea3be5e2ee785a3e656c3ab1e8086<\/td>\n<td>SHA-256<\/td>\n<td><em>main.exe<\/em> (SimpleHelp)<\/td>\n<td>2026-01-15<\/td>\n<td>2026-01-15<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>5ba7de7d5115789b952d9b1c6cff440c9128f438de933ff9044a68fff8496d19<\/td>\n<td>SHA-256<\/td>\n<td><em>moon.exe<\/em> (SimpleHelp)<\/td>\n<td>2025-09-15<\/td>\n<td>2025-09-22<\/td>\n<\/tr>\n<tr>\n<td>185.135.86[.]149<\/td>\n<td>IP<\/td>\n<td>SimpleHelp C2<\/td>\n<td>2024-02-23<\/td>\n<td>2026-03-15<\/td>\n<\/tr>\n<tr>\n<td>134.195.91[.]224<\/td>\n<td>IP<\/td>\n<td>SimpleHelp C2<\/td>\n<td>2024-02-23<\/td>\n<td>2026-02-26<\/td>\n<\/tr>\n<tr>\n<td>85.155.186[.]121<\/td>\n<td>IP<\/td>\n<td>SimpleHelp C2<\/td>\n<td>2024-02-23<\/td>\n<td>2026-02-12<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h3 class=\"wp-block-heading\" id=\"learn-more\">Learn more<\/h3>\n<p class=\"wp-block-paragraph\">For the latest security research from the Microsoft Threat Intelligence community, check out the <a href=\"https:\/\/aka.ms\/threatintelblog\">Microsoft Threat Intelligence Blog<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">To get notified about new publications and to join discussions on social media, follow us on <a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence\">LinkedIn<\/a>, <a href=\"https:\/\/x.com\/MsftSecIntel\">X (formerly Twitter)<\/a>, and <a href=\"https:\/\/bsky.app\/profile\/threatintel.microsoft.com\">Bluesky<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the <a href=\"https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence\">Microsoft Threat Intelligence podcast<\/a>.<\/p>\n<p>READ MORE <a 
href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/04\/06\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The financially motivated cybercriminal threat actor Storm-1175 operates high-velocity ransomware campaigns that weaponize recently disclosed vulnerabilities to obtain initial access, exfiltrate data, and deploy Medusa ransomware (Gaze.exe).<br \/>\nThe post Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations appeared first on Microsoft Security Blog. READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[91],"class_list":["post-60439","post","type-post","status-publish","format-standard","hentry","category-microsoft-secure","tag-ransomware"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-06T16:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"432\" \/>\n\t<meta property=\"og:image:height\" content=\"435\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations\",\"datePublished\":\"2026-04-06T16:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/\"},\"wordCount\":2825,\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Storm-1175-exploitation-1.webp\",\"keywords\":[\"ransomware\"],\"articleSection\":[\"Microsoft Secure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/\",\"name\":\"Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Storm-1175-exploitation-1.webp\",\"datePublished\":\"2026-04-06T16:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Storm-1175-exploitation-1.webp\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Storm-1175-exploitation-1.webp\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.threatshub.org\/blog\/\"},{\"@t
ype\":\"ListItem\",\"position\":2,\"name\":\"ransomware\",\"item\":\"https:\/\/www.threatshub.org\/blog\/tag\/ransomware\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/","og_locale":"en_US","og_type":"article","og_title":"Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2026-04-06T16:00:00+00:00","og_image":[{"width":432,"height":435,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","type":"image\/jpeg"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations","datePublished":"2026-04-06T16:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/"},"wordCount":2825,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Storm-1175-exploitation-1.webp","keywords":["ransomware"],"articleSection":["Microsoft Secure"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/","url":"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/","name":"Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Storm-1175-exploitation-1.webp","datePublished":"2026-04-06T16:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Storm-1175-exploitation-1.webp","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Storm-1175-exploitation-1.webp"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"ransomware","item":"https:\/\/www.threatshub.org\/blog\/tag
\/ransomware\/"},{"@type":"ListItem","position":3,"name":"Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schem
a\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60439","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=60439"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60439\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=60439"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=60439"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=60439"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}