(TLP:CLEAR) Microsoft CTI: China-Linked Threat Actors Target Internet‑Facing Assets in Medusa Ransomware Campaigns
Created: Thursday, April 9, 2026 - 15:09
Categories: Cybersecurity, Security Preparedness
Summary: Microsoft Threat Intelligence reports that the financially motivated cybercriminal group tracked as Storm-1175 is aggressively exploiting vulnerable, internet-exposed systems to support rapid Medusa ransomware operations. The threat actor weaponizes both recently disclosed (N-day) and zero-day vulnerabilities in web-facing applications during the short window between disclosure and patch adoption, often moving from initial access to data exfiltration and finally to ransomware deployment within days. In some cases, this attack chain occurred in under 24 hours. Recent activity includes exploitation of more than a dozen vulnerabilities across widely used products and the establishment of persistence prior to ransomware execution.
Analyst Note: WaterISAC encourages members to review the full Microsoft blog for detailed tactics and affected products. Prioritizing the following mitigations can reduce the risk of compromise, limit the impact of ransomware incidents, and strengthen overall resilience against this high-tempo campaign.
Additional Reading:
Related WaterISAC PIRs: 6, 7, 7.1, 8, 10, 10.2, 12
