Microsoft says Medusa-linked Storm-1175 is speeding ransomware attacks


“While the threat actor typically uses N-day vulnerabilities, we have also observed Storm-1175 leveraging zero-day exploits, in some cases a full week before public vulnerability disclosure,” Microsoft said in a blog post. “The threat actor has also been observed chaining together multiple exploits to enable post-compromise activity.”

Microsoft said the group has exploited more than 16 vulnerabilities across widely used enterprise products since 2023 and, in several cases, chained exploits to establish persistence, steal credentials, tamper with security tools, and speed ransomware deployment.

“What we’re seeing here is the death of the traditional ‘dwell time’ narrative,” said Sakshi Grover, senior research manager for security services at IDC Asia Pacific. “This is no longer about attackers sitting quietly in the network. It is about speed and disciplined execution. Storm-1175 is operating like a well-oiled pipeline. Initial access, escalation, lateral movement, exfiltration, and ransomware deployment, all compressed into a day. Most enterprises are simply not built for that pace.”
