National Cyber Warfare Foundation (NCWF)

Storm-1175


2025-10-11 10:17:43
blscott

Executive summary

Storm-1175 is a financially motivated threat actor tracked by Microsoft that specializes in exploiting public-facing applications for initial access and has deployed Medusa ransomware in observed intrusions. In September–October 2025, Microsoft attributed active exploitation of a critical GoAnywhere MFT deserialization flaw (CVE-2025-10035) to Storm-1175; in at least one victim environment this activity culminated in Medusa ransomware deployment. (Sources: Microsoft, Dark Reading, The Hacker News)

Recent activity: GoAnywhere MFT zero-day

  • Vulnerability: CVE-2025-10035 (critical, CVSS 10.0) in GoAnywhere MFT’s License Servlet enables deserialization leading to command injection/RCE. (Source: Microsoft)
  • Attribution: Microsoft observed exploitation aligned to Storm-1175 beginning September 11, 2025. (Source: Microsoft)
  • Outcome: In at least one case, the actor deployed Medusa ransomware. (Source: Microsoft)
  • Patching: Fortra released fixes on September 18, 2025; defenders are urged to upgrade or remove public exposure. (Source: Microsoft)


TTPs observed in the 2025 campaign

Initial access

  • Exploitation of CVE-2025-10035 against internet-exposed GoAnywhere MFT. (Source: Microsoft)

Persistence & C2

  • Dropped and abused the RMM tools SimpleHelp and MeshAgent; created .jsp files within GoAnywhere directories; used a Cloudflare tunnel for C2. (Source: Microsoft)

Discovery & Lateral movement

  • User/system discovery and network scanning (e.g., netscan); lateral movement via mstsc.exe. (Source: Microsoft)

Exfiltration & Impact

  • Rclone for data exfiltration; Medusa ransomware deployment. (Source: Microsoft)

Broader context

  • Microsoft has previously characterized Storm-1175 as a financially motivated actor linked with ransomware operations against exposed services and ESXi environments. (Source: Microsoft)

Detection & hunting cues (high-signal)

Microsoft shared KQL hunting logic and alert names in Defender/XDR for this activity (e.g., "Possible exploitation of GoAnywhere MFT vulnerability"; anomalous PowerShell/cmd patterns executed under the GoAnywhere Tomcat context). Consider pivoting on unusual PowerShell/cmd processes launched by GoAnywhere, new .jsp files in the application directories, unexpected RMM binaries, and Rclone usage. (Source: Microsoft)
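The hunting cues above, expressed as a small rule set run over process-creation and file-creation events, as an added example that is not Microsoft's published KQL and not part of the original post. The Sysmon-like event schema, the sample events, the GoAnywhere install path under a Tomcat service, and the executable names (SimpleHelp.exe, MeshAgent.exe, cloudflared.exe, rclone.exe) are assumptions made for illustration; adapt the path hints and names to your own deployment.

```python
"""Toy hunting rules for the Storm-1175 GoAnywhere MFT tradecraft described above.

Added example: not Microsoft's KQL and not the original post's content. The
Sysmon-style dict schema, sample events, install path and binary names are
constructed assumptions.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Assumption: GoAnywhere MFT runs under a Tomcat service from a directory whose
# path contains "goanywhere". The exact path differs per install.
GOANYWHERE_PATH_HINT = "goanywhere"
TOMCAT_HINT = "tomcat"

# Executable names assumed for the tooling the post names: shells spawned by
# the web app, RMM agents, the Cloudflare tunnel client, and Rclone.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RMM_OR_TUNNEL = {"simplehelp.exe", "meshagent.exe", "cloudflared.exe"}
EXFIL_TOOLS = {"rclone.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    event_index: int
    detail: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def _is_goanywhere_context(parent_image: str) -> bool:
    """True if the parent process looks like the GoAnywhere Tomcat service."""
    p = (parent_image or "").lower()
    return GOANYWHERE_PATH_HINT in p or TOMCAT_HINT in p


def evaluate(events: list[dict]) -> list[Finding]:
    """Run every rule over a list of Sysmon-style events and return findings."""
    findings: list[Finding] = []
    for i, ev in enumerate(events):
        kind = ev.get("event_type")
        if kind == "ProcessCreate":
            image = _base(ev.get("image", ""))
            parent = ev.get("parent_image", "")
            # Cue 1: cmd/PowerShell launched from the GoAnywhere Tomcat context.
            if image in SHELLS and _is_goanywhere_context(parent):
                findings.append(Finding("shell_from_goanywhere", "high", i,
                                        f"{image} spawned by {parent}"))
            # Cue 2: RMM agents or tunnel client appearing on an MFT server.
            if image in RMM_OR_TUNNEL:
                findings.append(Finding("unexpected_rmm_or_tunnel", "high", i,
                                        f"{image} executed"))
            # Cue 3: Rclone execution (exfiltration stage).
            if image in EXFIL_TOOLS:
                findings.append(Finding("rclone_execution", "high", i,
                                        ev.get("command_line", "")))
        elif kind == "FileCreate":
            # Cue 4: new .jsp dropped inside the GoAnywhere directory tree.
            target = (ev.get("target_filename") or "").lower()
            if target.endswith(".jsp") and GOANYWHERE_PATH_HINT in target:
                findings.append(Finding("jsp_dropped_in_goanywhere_dir", "high",
                                        i, target))
    return findings


# Constructed sample telemetry: four events that should fire, two that should not.
SAMPLE_EVENTS: list[dict] = [
    {"event_type": "ProcessCreate",
     "parent_image": r"C:\Program Files\GoAnywhere\tomcat\bin\tomcat9.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"event_type": "ProcessCreate", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},  # benign: interactive admin use
    {"event_type": "FileCreate",
     "target_filename": r"C:\Program Files\GoAnywhere\tomcat\webapps\goanywhere\x.jsp"},
    {"event_type": "ProcessCreate", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\ProgramData\MeshAgent\MeshAgent.exe", "command_line": "MeshAgent.exe"},
    {"event_type": "ProcessCreate", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\rclone.exe", "command_line": "rclone.exe copy <redacted>"},
    {"event_type": "FileCreate",
     "target_filename": r"C:\Users\alice\Documents\notes.txt"},  # benign
]


def demo() -> list[Finding]:
    """Evaluate the constructed sample and return the findings."""
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.severity}] event #{f.event_index}: {f.rule}: {f.detail}")
```

The rules are deliberately narrow: each one keys on a relationship the post describes (parent process plus child name, file extension plus directory, a specific tool name) rather than on a single noisy indicator, so a match is worth an analyst's time. In a real deployment the same logic maps directly onto DeviceProcessEvents / DeviceFileEvents joins in Defender XDR, with the path hints replaced by the actual GoAnywhere install directory.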



Copyright 2012 through 2025 - National Cyber Warfare Foundation - All rights reserved worldwide.