Microsoft flags China-based hackers using vicious new 'rapid attack' zero-days to launch ransomware at targets across the world

News
By published

The window to patch known flaws is shrinking, Microsoft warns

Malware attack virus alert , malicious software infection , cyber security awareness training to protect business
(Image credit: Shutterstock)
  • Storm-1175 rapidly moves from access to ransomware deployment
  • Exploits zero-days and n-days across multiple products
  • Targets healthcare, finance, education, and professional services

Chinese-speaking hacking collective Storm-1175 is moving fast, going from initial access to full system compromise and data exfiltration in weeks, and sometimes in less than 24 hours, experts have warned.

A new report from Microsoft claims the group was seen leveraging multiple flaws, both zero-days and n-days, in their activities. In some cases, they would even chain various flaws together for better outcomes.

As per the report, Storm-1175 is not a state-sponsored actor, but rather a standalone group interested in profit. They are targeting primarily healthcare organizations, education firms, professional services providers, and companies in the finance sector. Victims are mostly located in the United States, United Kingdom, and Australia.

Article continues below

Dozens of vulnerabilities

The key takeaway here is speed at which the group operates: “Following successful exploitation, Storm-1175 rapidly moves from initial access to data exfiltration and deployment of Medusa ransomware, often within a few days and, in some cases, within 24 hours,” the researchers said. “The threat actor’s high operational tempo and proficiency in identifying exposed perimeter assets have proven successful.”

For initial access, the group slaloms between zero-days and n-days. For zero-days, they were seen abusing bugs even a week before public disclosure, and for n-days, they would try to exploit it as soon as possible - giving defenders very little time to deploy patches and mitigations.

So far more than 16 vulnerabilities were identified as being exposed, affecting 10 products. These include Microsoft Exchange (CVE-2023-21529), Papercut (CVE-2023-27351 and CVE-2023-27350), Ivanti Connect Secure and Policy Secure (CVE-2023-46805 and CVE-2024-21887), and ConnectWise ScreenConnect (CVE-2024-1709 and CVE-2024-1708).

Other notable mentions include bugs in JetBrains TeamCity (CVE-2024-27198 and CVE-2024-27199), SimpleHelp (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728), CrushFTP (CVE‑2025‑31161), SmarterMail (CVE-2025-52691), and BeyondTrust (CVE-2026-1731).

After breaking in, the crooks would deploy a myriad of different tools to enable lateral movement, persistence, and stealth. Before deploying the Medusa ransomware variant, they would disable any antivirus or endpoint protection tools installed.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.