
Fast-moving Storm-1175 uses new exploits to breach networks and drop Medusa

China-based actor Storm-1175 runs fast ransomware attacks, exploiting new flaws to breach systems and quickly deploy Medusa ransomware.

China-based actor Storm-1175 carries out fast, financially driven ransomware attacks by exploiting newly disclosed vulnerabilities before organizations patch them. The group targets exposed systems and quickly moves from initial access to data theft and Medusa ransomware deployment, sometimes within 24 hours. It mainly targets sectors such as healthcare, education, finance, and services across the US, UK, and Australia. The attackers often chain exploits, create new accounts for persistence, move laterally using remote tools, steal credentials, and weaken security defenses. Their speed and focus on unpatched systems make them highly effective.

Microsoft researchers report that Storm-1175 quickly exploits newly disclosed flaws in web-facing systems to gain access. Since 2023, the group has targeted many platforms, including Microsoft Exchange, Ivanti, ConnectWise, JetBrains, and others. It often weaponizes vulnerabilities within days, or even one day, before organizations apply patches.

“Storm-1175 rapidly weaponizes recently disclosed vulnerabilities to obtain initial access.” reads the report published by Microsoft. “Since 2023, Microsoft Threat Intelligence has observed exploitation of over 16 vulnerabilities, including:

The attackers also chain multiple exploits to achieve deeper access, as seen in attacks on Microsoft Exchange where they moved from initial access to remote code execution, and have targeted both Windows and Linux systems. In some cases the threat actor used zero-days before public disclosure, showing advanced capabilities. By focusing on unpatched systems and acting fast, Storm-1175 maximizes impact and maintains a strong advantage over defenders.

After gaining access, it installs web shells or remote tools, creates admin accounts, and moves laterally using tools like PowerShell, PsExec, RDP, and Cloudflare tunnels. It also abuses legitimate RMM tools and software like PDQ Deployer and Impacket to spread across networks. The attackers can deploy ransomware in as little as one day, highlighting their speed and efficiency.

Storm-1175 steals credentials using tools like Impacket and Mimikatz, targeting LSASS and enabling WDigest caching to capture passwords. After gaining admin access, it extracts credentials from backups and pivots to domain controllers to access Active Directory and system data.

The group weakens security by modifying antivirus settings and adding exclusions to let ransomware run undetected. It then steals data using tools like Rclone and compresses files for exfiltration.

“Storm-1175 modifies the Microsoft Defender Antivirus settings stored in the registry to tamper with the antivirus software and prevent it from blocking ransomware payloads; in order to accomplish this, an attacker must have access to highly privileged accounts that can modify the registry directly.” continues the report. “For this reason, prioritizing alerts related to credential theft activity, which typically indicate an active attacker in the environment, is essential to responding to ransomware signals and preventing attackers from gaining privileged account access.”
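As an added illustration of the defensive priority the report describes (this is not code from Microsoft's report or from this article), the following Python triages constructed Sysmon registry-value-set events for the two changes named above: WDigest credential caching and Defender tampering. The field names, host and account names, and sample values are assumptions; the registry paths are the standard locations of those settings.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records in the
# shape a SIEM might hand to a detection rule. Sample data, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"host": "WS01", "user": r"CORP\svc_admin", "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "details": "DWORD (0x00000001)"},
    {"host": "WS01", "user": r"CORP\svc_admin", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public",
     "details": "DWORD (0x00000000)"},
    {"host": "DC01", "user": r"CORP\svc_admin", "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000001)"},
]

# Detection rules: (regex on TargetObject, substring required in Details or None,
# category, finding name). WDigest caching sits under SecurityProviders; Defender
# exclusions and Disable* switches sit under the Windows Defender keys.
RULES = [
    (r"\\SecurityProviders\\WDigest\\UseLogonCredential$", "0x00000001",
     "credential_theft", "WDigest plaintext credential caching enabled"),
    (r"\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\", None,
     "defense_evasion", "Defender exclusion added"),
    (r"\\Windows Defender\\(?:.*\\)?Disable(RealtimeMonitoring|AntiSpyware|BehaviorMonitoring)$",
     "0x00000001", "defense_evasion", "Defender protection feature disabled"),
]

def match_rule(event):
    """Return (category, name) for the first rule the event triggers, else None."""
    for pattern, required, category, name in RULES:
        if re.search(pattern, event["target"], re.IGNORECASE) and (
                required is None or required in event["details"]):
            return category, name
    return None

def triage(events):
    """Turn raw events into findings, credential-theft findings first (the report's priority)."""
    priority = {"credential_theft": 0, "defense_evasion": 1}
    findings = [dict(zip(("category", "name"), hit), host=e["host"], user=e["user"], image=e["image"])
                for e in events if (hit := match_rule(e))]
    return sorted(findings, key=lambda f: priority[f["category"]])  # stable: event order kept per category

def escalate(findings):
    """Accounts seen both harvesting credentials and tampering with Defender: by the
    report's reasoning, a privileged account already in an attacker's hands."""
    by_cat = {}
    for f in findings:
        by_cat.setdefault(f["category"], set()).add(f["user"])
    return by_cat.get("credential_theft", set()) & by_cat.get("defense_evasion", set())
```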

Finally, it deploys Medusa ransomware across the network using tools like PDQ Deployer or Group Policy, completing the attack.

Microsoft provided Indicators of compromise (IoCs) for these attacks along with mitigation and protection guidance.


Pierluigi Paganini

(SecurityAffairs – hacking, Storm-1175)

Bell Ambulance data breach impacted over 238,000 people

Bell Ambulance confirms a February 2025 breach affecting 238,000 people, exposing personal, financial, and health information.

Nearly 238,000 individuals are impacted by a February 2025 Bell Ambulance data breach. Bell Ambulance is a U.S.-based emergency medical services provider offering ambulance transport, paramedic care, and patient support. It serves communities with urgent medical response, interfacility transfers, and non-emergency transport, focusing on patient safety and timely care.

On February 13, 2025, Bell Ambulance detected unauthorized access to its network and started investigating the incident with the help of forensic specialists. Investigation confirmed data exposure, and the company started reviewing affected systems.

The medical services provider disclosed the security breach on April 14, after the Medusa ransomware group claimed responsibility for the attack and the theft of over 219 GB of data. The ransomware group has leaked the allegedly stolen data.

The organization completed the review on February 20, 2026. This week, Bell Ambulance reported the incident to the Maine Attorney General, revealing that attackers accessed its network between February 7 and 14, 2025.

“On February 13, 2025, we became aware of unauthorized activity on our computer network and immediately engaged third-party forensic specialists to determine the full nature and scope of the incident. This investigation confirmed an unauthorized individual accessed data within the Bell network. We then began a thorough review of the impacted portions of our network to determine the type of information contained therein and to whom the information related.” reads the data breach notification letter shared with the Maine Attorney General Office. “While that review continued, Bell notified those individuals it was able to identify and for whom Bell had reliable address information on April 18, 2025. Additional individuals were identified and notified on January 15, 2026. On February 20, 2026, the review was completed and Bell confirmed information related to you was impacted.”

The data breach impacted 237,830 individuals, exposing names, Social Security numbers, birth dates, driver’s licenses, financial, medical, and health insurance information. Bell completed its investigation on February 20, 2026, and issued notifications to those impacted.

In response to the incident, Bell Ambulance reset all passwords, secured accounts, and completed a full investigation. The organization offers the impacted individuals 12 months of free credit monitoring and identity protection. Bell advises monitoring credit reports and account statements, reporting suspicious activity, and following enclosed guidance to protect personal information.


Lazarus APT group deployed Medusa Ransomware against Middle East target

North Korea’s Lazarus Group used Medusa ransomware in an attack on an unnamed Middle East organization, researchers report.

The North Korea-linked Lazarus APT Group, also known as Diamond Sleet and Pompilus, has been spotted deploying Medusa ransomware against an unnamed organization in the Middle East, according to a new report from the Symantec and Carbon Black Threat Hunter Team.

“North Korea has long been involved in ransomware attacks and has been previously associated with the Maui and Play ransomware families. However, the Symantec and Carbon Black Threat Hunter Team has uncovered evidence of North Korean actors using Medusa in an attack on a target in the Middle East.” reads the report published by the Symantec and Carbon Black Threat Hunter Team. “The same attackers also mounted an unsuccessful attack against a healthcare organization in the U.S.”

Medusa, a ransomware-as-a-service launched in 2023 and operated by the Spearwing group, allows affiliates to deploy the malware in exchange for a share of ransom payments. It has been linked to over 366 claimed attacks. Since early November 2025, its leak site has listed four U.S. healthcare and non-profit victims, including a mental health nonprofit and a school for autistic children. Average ransom demands reached $260,000.

North Korea’s Lazarus subgroup Stonefly (aka Andariel) has shifted from traditional espionage to ransomware-driven extortion in recent years. Its role became public in July 2025, when U.S. authorities indicted alleged member Rim Jong Hyok over attacks on American hospitals. Prosecutors said ransomware proceeds funded espionage targeting defense, tech, and government sectors in the U.S., Taiwan, and South Korea. Despite charges and a $10 million reward, activity continued, including financially motivated intrusions in 2024 and reported collaboration with the Play ransomware group.

In current campaigns, Lazarus deploys tools such as Comebacker, Blindingcan, ChromeStealer, Mimikatz, and other custom malware. While the Medusa attacks are attributed to Lazarus, it remains unclear which subgroup is responsible, as the toolset overlaps with groups like Pompilus.

“The switch to Medusa demonstrates that North Korea’s rapacious involvement in cybercrime continues unabated.” concludes the report, which provides Indicators of Compromise (IoCs). “North Korean actors appear to have few scruples about targeting organizations in the U.S. While some cybercrime outfits claim to steer clear of targeting healthcare organizations due to the reputational damage it may attract, Lazarus doesn’t seem to be in any way constrained.”
