Chinese hackers compress ransomware attacks to hours


Threat actors from China, which hosts more hacking groups than any other country, are accelerating ransomware attacks by chaining dozens of vulnerabilities and compressing the entire kill chain into hours. A new report from Microsoft Threat Intelligence sheds light on how one group, tracked as Storm-1175, is turning exposed systems into fast-moving ransomware targets.

The Storm-1175 campaign adds a new dimension to the attacks – speed. According to Microsoft, Storm-1175 runs high-tempo campaigns that deliberately target the gap between vulnerability disclosure and patch adoption.

Since 2023, the attackers have exploited more than 16 vulnerabilities across widely used enterprise platforms, including Microsoft Exchange, ConnectWise tools, and file transfer software. In several cases, they weaponized zero-day flaws up to a week before public disclosure.

Once Storm-1175 gains access, it wastes no time. The group establishes persistence by creating new user accounts, deploying web shells, or installing legitimate remote monitoring and management (RMM) software, which it then uses for lateral movement. Credential theft begins almost immediately, but the endgame is deploying the Medusa ransomware.


In its research, Microsoft discovered that the group leverages tools like PowerShell, PsExec, and Impacket for lateral movement, modifies Windows firewall policy rules to enable remote access, and deploys utilities such as PDQ Deploy to push ransomware across compromised networks.
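The sequence above (new account, firewall rule change, PsExec, PDQ Deploy) unfolding within hours is itself a signal. As an added illustration, not code from the article or from Microsoft's report, this Python sketch correlates those stages over constructed Windows event records and flags a chain that completes inside a short window; the sample records, host names, account names and the six-hour threshold are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log records, not real telemetry: (timestamp, event ID, host, detail)
SAMPLE_EVENTS = [
    ("2025-01-10T01:02:00", 4720, "srv-web01", "User account created: svc_backup2"),
    ("2025-01-10T01:20:00", 4946, "srv-web01", "Firewall rule added: Allow-RDP-3389"),
    ("2025-01-10T02:05:00", 7045, "srv-db02", "Service installed: PSEXESVC"),
    ("2025-01-10T03:40:00", 7045, "srv-db02", "Service installed: PDQDeployRunner-1"),
    ("2025-01-12T09:00:00", 4720, "hr-ws17", "User account created: jsmith"),
]

# Kill-chain stages named in the article, each mapped to a Windows event ID and a
# case-insensitive substring of the event detail. 4720 = account created,
# 4946 = firewall exception rule added, 7045 = new service installed.
STAGES = [
    ("persistence: new local account", 4720, "account created"),
    ("remote access: firewall rule change", 4946, "firewall rule added"),
    ("lateral movement: PsExec service", 7045, "psexesvc"),
    ("deployment: PDQ Deploy push", 7045, "pdqdeploy"),
]


def match_chain(events):
    """Walk the stages in order, taking the earliest event that satisfies each
    stage at or after the previous hit. Returns (matched stage names, span in hours)."""
    ordered = sorted(events, key=lambda e: e[0])
    hits, last_ts = [], None
    for name, event_id, needle in STAGES:
        for ts_str, eid, host, detail in ordered:
            ts = datetime.fromisoformat(ts_str)
            if eid == event_id and needle in detail.lower() and (last_ts is None or ts >= last_ts):
                hits.append((name, ts, host))
                last_ts = ts
                break
    if len(hits) < 2:
        return [h[0] for h in hits], 0.0
    span = (hits[-1][1] - hits[0][1]) / timedelta(hours=1)
    return [h[0] for h in hits], span


def is_compressed_chain(events, window_hours=6, min_stages=3):
    """Alert when at least min_stages of the chain occur within window_hours (assumed threshold)."""
    stages, span = match_chain(events)
    return len(stages) >= min_stages and span <= window_hours


if __name__ == "__main__":
    print(match_chain(SAMPLE_EVENTS), is_compressed_chain(SAMPLE_EVENTS))
```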

Besides Windows, Storm-1175 has also shown it can go after Linux environments. In late 2024, Microsoft observed the group exploiting vulnerable Oracle WebLogic instances across several organizations, although Microsoft was unable to identify the exact flaw exploited in those attacks.


Targets span multiple sectors, including healthcare, education, finance, and professional services across the US, UK, and Australia. However, the researchers stress that the common thread isn’t industry; it’s exposure. If an unpatched system sits on the internet, it is in the group’s crosshairs.

Also worrying is the use of legitimate enterprise tools that give attackers a way to hide in plain sight by routing malicious activity through trusted, encrypted channels and making detection far more difficult for defenders.


Microsoft has provided indicators of compromise (IoCs) for these attacks along with mitigation and protection guidance.

The activity fits the broader pattern of a recent surge in increasingly aggressive tactics by China-linked actors. Just last week, security researchers warned about the resurgence of the notorious Chinese state-backed threat group TA416, which brings with it new, refined tactics to target the EU and NATO.

There have also been multiple incidents where Chinese attackers have targeted internet-facing systems and critical enterprise infrastructure. Researchers recently blew the lid off a China-linked campaign that abuses legitimate services and cloud platforms for covert communications.

Chinese hackers have also been found embedded inside telecom networks for long-term espionage.

