Storm-1175: Zero-Day Ransomware Operations Target Critical Infrastructure
Microsoft Threat Intelligence published detailed findings on April 6, 2026, confirming that Storm-1175, a financially motivated threat actor, has been exploiting zero-day vulnerabilities to deploy Medusa ransomware against healthcare, education, finance, and professional services organizations in the US, UK, and Australia [1]. The group operates at a high tempo: initial access to full ransomware deployment often occurs within 24 hours [1]. Its capabilities go well beyond those of typical ransomware operators; since 2023 it has weaponized over 16 vulnerabilities across 10 software products, including two zero-days exploited before public disclosure [1][2].
As of February 2025, Medusa ransomware developers and their affiliates had already impacted over 300 victims across critical infrastructure sectors [5]. Storm-1175's addition of zero-day capabilities to this already prolific ransomware-as-a-service operation represents a significant escalation in threat severity.
Background: Medusa and the Storm-1175 Nexus
Medusa ransomware first appeared in June 2021 as a closed variant before transitioning to an affiliate model [5]. Despite the shift to RaaS, core operations like ransom negotiation remain centrally controlled by the developers [5]. CISA, the FBI, and MS-ISAC issued a joint advisory on March 12, 2025, warning that Medusa had impacted over 300 critical infrastructure organizations across medical, education, legal, insurance, technology, and manufacturing sectors [4][5].
Storm-1175 operates as one of Medusa's most capable affiliates. Microsoft describes the group as financially motivated, with some security researchers assessing potential links to China based on infrastructure and targeting patterns [1][2]. What separates Storm-1175 from the rest of the Medusa affiliate ecosystem is their access to zero-day exploits and their ability to weaponize newly disclosed vulnerabilities in as little as one day [1][3]. The group rotates exploits rapidly during the gap between vulnerability disclosure and widespread patch adoption, catching organizations in that vulnerable window [3].
The Vulnerability Arsenal
Storm-1175's exploit library spans a wide range of enterprise-facing products. Microsoft documented exploitation of the following CVEs [2]:
- Microsoft Exchange: CVE-2023-21529
- PaperCut: CVE-2023-27350, CVE-2023-27351
- Ivanti Connect Secure / Policy Secure: CVE-2023-46805, CVE-2024-21887
- ConnectWise ScreenConnect: CVE-2024-1709, CVE-2024-1708
- JetBrains TeamCity: CVE-2024-27198, CVE-2024-27199
- SimpleHelp: CVE-2024-57726, CVE-2024-57727, CVE-2024-57728
- CrushFTP: CVE-2025-31161
- SmarterMail: CVE-2025-23760
Two of these were true zero-days. CVE-2025-10035, a critical deserialization vulnerability in Fortra GoAnywhere MFT (CVSS 10.0), was exploited by Storm-1175 on September 11, 2025, a full week before Fortra published its security advisory on September 18, 2025 [6]. CVE-2025-23760, targeting SmarterMail, was similarly exploited before public disclosure [1][3].
The group also exhibited a focus on Linux systems in late 2024, including attacks against vulnerable Oracle WebLogic instances [3].
Initial Access
Storm-1175 targets internet-facing web applications almost exclusively [1]. Their preferred method is exploiting unpatched or zero-day vulnerabilities in perimeter assets (T1190) [1]. In the GoAnywhere campaign, the threat actor exploited the deserialization flaw in GoAnywhere MFT's License Servlet to gain initial code execution [6].
Persistence and Tooling
Once inside, Storm-1175 drops remote monitoring and management (RMM) tools for persistence (T1219). Microsoft observed them deploying SimpleHelp and MeshAgent RMM binaries directly under GoAnywhere MFT process directories [6]. The group also wrote .jsp web shell files within GoAnywhere directories to maintain access [6]. In some cases, Cloudflare tunnel binaries were renamed to conhost.exe to blend with legitimate system processes [1].
Discovery and Lateral Movement
Storm-1175 executes user and system discovery commands immediately after gaining access, deploying netscan for network reconnaissance [6]. Lateral movement relies on a mix of living-off-the-land binaries and legitimate tools: PowerShell (T1059.001), PsExec, and Impacket for SMB-based movement (T1021.002) [3]. The group also uses PDQ Deployer, a legitimate software deployment tool, to push payloads across the network (T1570) [1][3].
A particularly effective technique: modifying Windows Firewall policies to enable RDP access across the environment (T1562.001) [3].
Credential Access
Storm-1175 conducts credential dumping (T1003) using Impacket and Mimikatz during intrusions [1][3]. These stolen credentials fuel further lateral movement and privilege escalation.
Defense Evasion
The group configures Microsoft Defender Antivirus exclusions to prevent detection and blocking of ransomware payloads (T1562.001) [3]. Combined with the use of renamed legitimate binaries and encoded PowerShell execution (-enc -noni -nop -w hidden -ep bypass), this approach minimizes the chance of triggering endpoint alerts.
Data Exfiltration and Ransomware Deployment
Before encryption, Storm-1175 uses Bandizip for compression and Rclone for synchronization to cloud resources for data staging and exfiltration (T1041) [1].
Ransomware deployment is handled through PDQ Deployer, which executes a script named RunFileCopy.cmd to distribute and launch Medusa payloads across compromised hosts [1].
Indicators of Compromise
| Type | Value | Context | Source |
|---|---|---|---|
| Filename | RunFileCopy.cmd | PDQ Deployer script for Medusa delivery | [1] |
| Filename | conhost.exe | Renamed Cloudflare tunnel binary | [1] |
| Filename | netscan | Network discovery tool | [6] |
| Filename | .jsp (web shells) | Written to GoAnywhere MFT directories | [6] |
| Tool | SimpleHelp | RMM tool abused for persistence | [1][6] |
| Tool | MeshAgent | RMM tool abused for persistence | [1][6] |
| Tool | Rclone | Used for cloud-based data exfiltration | [1] |
| Tool | Bandizip | File compression for staging | [1] |
| Tool | PDQ Deployer | Lateral movement and payload delivery | [1][3] |
| Tool | Mimikatz | Credential dumping | [1][3] |
| Tool | Impacket | Lateral movement and credential operations | [1][3] |
MITRE ATT&CK Mapping
| Technique ID | Name | Context |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Zero-day and N-day exploitation of web-facing apps [1][6] |
| T1219 | Remote Access Software | SimpleHelp, MeshAgent for persistence [1][6] |
| T1059.001 | PowerShell | Encoded PowerShell for execution [3] |
| T1021.002 | SMB/Windows Admin Shares | Lateral movement via SMB with PsExec/Impacket [3] |
| T1570 | Lateral Tool Transfer | PDQ Deployer for payload distribution [1][3] |
| T1003 | OS Credential Dumping | Mimikatz and Impacket [1][3] |
| T1562.001 | Impair Defenses | Defender exclusions, firewall modification [3] |
| T1041 | Exfiltration Over C2 Channel | Rclone to cloud resources [1] |
| T1112 | Modify Registry | System configuration changes for persistence [1] |
| T1078 | Valid Accounts | Leveraged dumped credentials for access [1][3] |
Detection and Hunting Guidance
Perimeter exploit detection: Monitor for anomalous child processes spawning from GoAnywhere MFT, SmarterMail, ConnectWise ScreenConnect, and other products in Storm-1175's target list. Alert on .jsp file creation within application directories where web shells shouldn't exist [6].
RMM tool abuse: Hunt for unauthorized SimpleHelp and MeshAgent installations. Query endpoint telemetry for SimpleHelp binaries spawned by web application processes. Example Defender for Endpoint query: DeviceProcessEvents | where InitiatingProcessFileName in ("java.exe", "w3wp.exe") | where FileName contains "SimpleHelp" [1][6].
PDQ Deployer anomalies: PDQ Deployer is legitimate, but its use in environments where it isn't approved is a red flag. Hunt for RunFileCopy.cmd execution and PDQ Deployer processes initiating connections to endpoints en masse [1].
Credential dumping indicators: Monitor for Mimikatz signatures, LSASS memory access events (Sysmon Event ID 10), and Impacket's secretsdump.py network patterns [1][3].
Data exfiltration: Watch for Rclone execution, particularly with cloud storage provider arguments. Monitor for large outbound HTTPS transfers to unfamiliar domains [1].
Defender exclusion tampering: Alert on registry modifications to Microsoft Defender exclusion paths. Query: DeviceRegistryEvents | where RegistryKey has "Exclusions" [3].
Firewall policy changes: Detect bulk Windows Firewall rule modifications enabling RDP across the environment (T1562.001) [3].
Analysis
Storm-1175 represents a distinct threat class: a financially motivated actor operating in the ransomware space with capabilities that far exceed typical criminal affiliates. The group's access to zero-day exploits, their ability to weaponize disclosed vulnerabilities in as little as one day, and their sub-24-hour attack cycle collectively create an adversary that most organizations are not equipped to outpace [1][3].
The targeting pattern is notable. Healthcare, education, and professional services in the US, UK, and Australia are high-value targets that generate reliable ransom payments while also containing data with potential intelligence value [1]. The CISA advisory confirming 300+ Medusa victims across critical infrastructure sectors reflects the scale of this problem [4][5].
Storm-1175's zero-day usage also signals access to exploit development resources or broker relationships that most RaaS affiliates typically lack. The willingness to use high-value zero-days on ransomware operations suggests either that the financial returns justify the cost, or that the operation serves multiple objectives.
Red Sheep Assessment
Confidence: Moderate
While Microsoft describes Storm-1175 as financially motivated, several indicators suggest the group may operate with resources and capabilities uncommon among typical ransomware affiliates. Some security researchers have noted infrastructure patterns and targeting that could indicate links to China-based threat actors, though definitive attribution remains elusive.
The group's access to zero-day exploits and their systematic targeting of sectors with both financial and strategic value raises questions about their ultimate objectives. A financially motivated criminal group that uses zero-days on ransomware and shows particular interest in data exfiltration before encryption presents a complex threat profile.
It is worth considering that Storm-1175 could represent a well-resourced criminal operation purchasing zero-days from brokers and reinvesting ransomware profits into exploit acquisition. However, the combination of zero-day access, strategic sector targeting, and operational discipline suggests capabilities beyond typical criminal groups.
Defenders should treat Storm-1175 as a Tier 1 threat regardless of attribution uncertainties. The operational capability is what matters for defensive planning, and that capability is exceptional.
Defender's Checklist
- [ ] Audit internet-facing applications immediately against Storm-1175's known target list: GoAnywhere MFT, SmarterMail, ConnectWise ScreenConnect, Ivanti Connect Secure, JetBrains TeamCity, SimpleHelp, CrushFTP, PaperCut, Microsoft Exchange. Patch all related CVEs listed in this report [2].
- [ ] Hunt for unauthorized RMM tools (SimpleHelp, MeshAgent) in your environment using EDR queries. Legitimate RMM tools spawned by web application processes are strong indicators of compromise [1][6].
- [ ] Monitor for Defender exclusion tampering and Windows Firewall bulk rule changes. Set alerts on registry key modifications under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions [3].
- [ ] Implement emergency patching SLAs for internet-facing assets: 24 hours or less for critical CVEs. Storm-1175 can weaponize disclosed vulns within one day, so standard 30-day patching cycles are insufficient [1][3].
References
[1] https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/
[2] https://www.bleepingcomputer.com/news/security/microsoft-links-medusa-ransomware-affiliate-to-zero-day-attacks/
[3] https://thehackernews.com/2026/04/china-linked-storm-1175-exploits-zero.html
[4] https://www.cisa.gov/news-events/alerts/2025/03/12/cisa-and-partners-release-cybersecurity-advisory-medusa-ransomware
[5] https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
[6] https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/
---
Hunt Report: Storm-1175 / Medusa Ransomware Zero-Day Campaign
Hypothesis: If Storm-1175 is active in our environment, we expect to observe exploitation of internet-facing applications, deployment of SimpleHelp/MeshAgent RMMs, PDQ Deployer usage for lateral movement, and Medusa ransomware precursors in Windows Security logs, Sysmon, and web application logs.
Intelligence Summary: Storm-1175, a financially motivated threat actor with potential China nexus, exploits zero-day vulnerabilities to deploy Medusa ransomware against critical infrastructure within 24 hours of initial access. The group has weaponized 16+ vulnerabilities across 10 products since 2023, including two true zero-days (CVE-2025-10035, CVE-2025-23760), and has contributed to Medusa's 300+ victim count across healthcare, education, and finance sectors.
Confidence: High | Priority: Critical
Scope
- Networks: All internet-facing web applications, particularly GoAnywhere MFT, SmarterMail, ConnectWise ScreenConnect, Ivanti Connect Secure, JetBrains TeamCity, SimpleHelp, CrushFTP, PaperCut, and Microsoft Exchange servers. Include DMZ and internal networks where these applications are deployed.
- Timeframe: Initial sweep: Last 30 days to catch potential compromise. Ongoing: Real-time monitoring with 24-hour aggregation windows for behavioral detections.
- Priority Systems: 1) Internet-facing web applications listed in CVE list 2) Domain controllers and credential stores 3) Backup servers and data repositories 4) Healthcare-specific: EHR systems, PACS servers, medical device management systems 5) Critical data shares containing PHI/PII
MITRE ATT&CK Techniques
T1190 — Exploit Public-Facing Application (Initial Access) [P1]
Storm-1175 exploits zero-day and N-day vulnerabilities in internet-facing web applications including GoAnywhere MFT, SmarterMail, ConnectWise ScreenConnect, and others to gain initial access
Splunk SPL:
index=* (sourcetype=iis OR sourcetype=apache OR sourcetype=nginx) ("GoAnywhere" OR "SmarterMail" OR "ScreenConnect" OR "TeamCity" OR "SimpleHelp" OR "CrushFTP" OR "PaperCut") (status>=400 OR cs_uri_query="*../.." OR cs_uri_query="*%2e%2e" OR cs_uri_query="*union+select*" OR cs_uri_query="*<script*") | stats count by src_ip, dest, cs_uri_stem, status | where count > 10
Elastic KQL:
(event.dataset:"iis.access" OR event.dataset:"apache.access" OR event.dataset:"nginx.access") AND (url.path:*GoAnywhere* OR url.path:*SmarterMail* OR url.path:*ScreenConnect* OR url.path:*TeamCity* OR url.path:*SimpleHelp* OR url.path:*CrushFTP* OR url.path:*PaperCut*) AND (http.response.status_code:>=400 OR url.query:*..\/* OR url.query:*%2e%2e* OR url.query:*union+select* OR url.query:*<script*)
Sigma Rule:
title: Storm-1175 Web Application Exploitation Attempts
id: 8f7e3a21-9c4d-4b8a-a123-456789abcdef
status: production
description: Detects exploitation attempts against vulnerable web applications targeted by Storm-1175
references:
  - https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets
logsource:
  category: webserver
  product: windows
detection:
  selection:
    cs-uri-stem|contains:
      - 'GoAnywhere'
      - 'SmarterMail'
      - 'ScreenConnect'
      - 'TeamCity'
      - 'SimpleHelp'
      - 'CrushFTP'
      - 'PaperCut'
    cs-status|gte: 400
  suspicious_patterns:
    cs-uri-query|contains:
      - '../..'
      - '%2e%2e'
      - 'union select'
      - '<script'
      - 'cmd.exe'
      - 'powershell'
  condition: selection and suspicious_patterns
falsepositives:
  - Legitimate security scans
  - Penetration testing
level: high
Focus on POST requests to application endpoints with unusual payloads. Check for child processes spawning from web server processes (w3wp.exe, java.exe)
T1219 — Remote Access Software (Command and Control) [P1]
Storm-1175 deploys SimpleHelp and MeshAgent RMM tools for persistence, often dropped directly under exploited application directories
Splunk SPL:
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" ((EventCode=1 (Image="*\\SimpleHelp*" OR Image="*\\MeshAgent*" OR CommandLine="*SimpleHelp*" OR CommandLine="*MeshAgent*") (ParentImage="*\\java.exe" OR ParentImage="*\\w3wp.exe" OR ParentImage="*\\httpd.exe")) OR (EventCode=11 (TargetFilename="*\\SimpleHelp*" OR TargetFilename="*\\MeshAgent*") (Image="*\\java.exe" OR Image="*\\w3wp.exe" OR Image="*\\httpd.exe"))) | table _time ComputerName EventCode Image ParentImage CommandLine TargetFilename
Elastic KQL:
(event.code:"1" AND (process.executable:*\\SimpleHelp* OR process.executable:*\\MeshAgent* OR process.command_line:*SimpleHelp* OR process.command_line:*MeshAgent*) AND (process.parent.executable:*\\java.exe OR process.parent.executable:*\\w3wp.exe OR process.parent.executable:*\\httpd.exe)) OR (event.code:"11" AND (file.path:*\\SimpleHelp* OR file.path:*\\MeshAgent*) AND (process.executable:*\\java.exe OR process.executable:*\\w3wp.exe OR process.executable:*\\httpd.exe))
Sigma Rule:
title: Storm-1175 RMM Tool Deployment
id: 9a8b4c32-1d5e-4f9b-b234-567890abcdef
status: production
description: Detects SimpleHelp and MeshAgent RMM tools deployed by Storm-1175, either launched by a web application process or written to disk by one
references:
  - https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets
logsource:
  product: windows
  service: sysmon
detection:
  selection_process:
    EventID: 1
    Image|contains:
      - '\SimpleHelp'
      - '\MeshAgent'
    ParentImage|endswith:
      - '\java.exe'
      - '\w3wp.exe'
      - '\httpd.exe'
  selection_file:
    EventID: 11
    TargetFilename|contains:
      - '\SimpleHelp'
      - '\MeshAgent'
    Image|endswith:
      - '\java.exe'
      - '\w3wp.exe'
      - '\httpd.exe'
  condition: selection_process or selection_file
falsepositives:
  - Legitimate RMM deployments
level: high
Alert on any RMM tool spawned by web application processes. Check for RMM binaries in non-standard locations like web directories
T1059.001 — PowerShell (Execution) [P2]
Storm-1175 uses encoded PowerShell with bypass flags for execution and lateral movement
Splunk SPL:
index=* sourcetype="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104 (ScriptBlockText="*-enc*" AND ScriptBlockText="*-noni*" AND ScriptBlockText="*-nop*" AND ScriptBlockText="*-w hidden*" AND ScriptBlockText="*-ep bypass*") | rex field=ScriptBlockText "(?<encoded_command>[A-Za-z0-9+/=]{20,})" | table _time ComputerName ScriptBlockText encoded_command | eval decoded=base64_decode(encoded_command)
Elastic KQL:
event.code:"4104" AND powershell.file.script_block_text:(*-enc* AND *-noni* AND *-nop* AND *-w\ hidden* AND *-ep\ bypass*)
Look for the specific combination of encoding flags used by Storm-1175. Decode Base64 payloads to identify malicious commands
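The decoding step above can be done offline and combined with a check for the flag combination the report attributes to Storm-1175 (-enc -noni -nop -w hidden -ep bypass). The Python below is an added example, not code from this report or from Microsoft. The command line it analyses is constructed around a harmless Write-Output payload; the flag spellings it accepts are PowerShell's own abbreviated parameter names, and the set of five flags treated as "the pattern" is taken from the description above.

```python
"""Decode a PowerShell -EncodedCommand payload and check a command line for
the flag combination described above. Sample command lines are constructed
for this example and are not captured Storm-1175 activity."""
import base64
import binascii

# PowerShell accepts unambiguous prefixes of its parameter names, so each
# flag is matched against several spellings. A value of None means the flag
# takes no argument; otherwise the next token must equal the value.
FLAG_SPECS = {
    "noninteractive": ({"-noni", "-nonint", "-noninteractive"}, None),
    "noprofile": ({"-nop", "-nopr", "-noprofile"}, None),
    "hidden_window": ({"-w", "-win", "-window", "-windowstyle"}, "hidden"),
    "bypass_policy": ({"-ep", "-ex", "-exec", "-executionpolicy"}, "bypass"),
    "encoded": ({"-e", "-ec", "-en", "-enc", "-encodedcommand"}, None),
}
STORM1175_PATTERN = set(FLAG_SPECS)  # all five flags present together


def decode_encoded_command(token):
    """Return the UTF-16LE text behind a -EncodedCommand argument, or None."""
    try:
        raw = base64.b64decode(token, validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze(cmdline):
    """Report which flags are present, the decoded payload (if any), and
    whether the full Storm-1175 flag combination is present."""
    tokens = cmdline.split()
    found, decoded = set(), None
    for i, tok in enumerate(tokens):
        low = tok.lower()
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        for name, (aliases, value) in FLAG_SPECS.items():
            if low in aliases and (value is None or nxt.lower() == value):
                found.add(name)
                if name == "encoded" and nxt:
                    decoded = decode_encoded_command(nxt)
    return {
        "flags": found,
        "decoded": decoded,
        "storm1175_pattern": STORM1175_PATTERN <= found,
    }


def build_sample(command):
    """Constructed sample: encode a benign command the way powershell.exe
    expects it (UTF-16LE, then Base64)."""
    payload = base64.b64encode(command.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -noni -nop -w hidden -ep bypass -enc {payload}"


SAMPLE_CMDLINE = build_sample("Write-Output 'hello from example'")
BENIGN_CMDLINE = "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\inventory.ps1"

if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        result = analyze(line)
        print(sorted(result["flags"]), result["storm1175_pattern"], result["decoded"])
```

Run it over the ScriptBlockText or CommandLine field of your 4104/4688/Sysmon 1 events; the decoded text is what to review, since the Base64 blob itself carries no signal beyond the flags around it.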
T1570 — Lateral Tool Transfer (Lateral Movement) [P1]
Storm-1175 uses PDQ Deployer to distribute ransomware payloads across the network, executing RunFileCopy.cmd scripts
Splunk SPL:
index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 OR sourcetype=WinEventLog:Security EventCode=4688) (Image="*\\PDQDeploy*" OR CommandLine="*PDQDeploy*" OR CommandLine="*RunFileCopy.cmd*" OR Image="*\\RunFileCopy.cmd*") | stats count by ComputerName, Image, CommandLine, ParentImage | where count > 5
Elastic KQL:
(event.code:"1" OR event.code:"4688") AND (process.executable:*\\PDQDeploy* OR process.command_line:*PDQDeploy* OR process.command_line:*RunFileCopy.cmd* OR process.executable:*\\RunFileCopy.cmd*)
PDQ Deployer is legitimate but uncommon. Alert on RunFileCopy.cmd execution or mass PDQ deployments to multiple hosts
T1003 — OS Credential Dumping (Credential Access) [P1]
Storm-1175 uses Mimikatz and Impacket for credential dumping operations
Splunk SPL:
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=10 TargetImage="*\\lsass.exe" GrantedAccess IN ("0x1010", "0x1038", "0x40", "0x1438", "0x143a", "0x1418", "0x1f0fff", "0x1f1fff", "0x1f2fff", "0x1f3fff") NOT SourceImage IN ("*\\wmiprvse.exe", "*\\taskmgr.exe", "*\\procexp64.exe", "*\\procexp.exe", "*\\lsm.exe", "*\\csrss.exe", "*\\wininit.exe", "*\\vmtoolsd.exe") | table _time ComputerName SourceImage TargetImage GrantedAccess
Elastic KQL:
event.code:"10" AND winlog.event_data.TargetImage:*\\lsass.exe AND winlog.event_data.GrantedAccess:("0x1010" OR "0x1038" OR "0x40" OR "0x1438" OR "0x143a" OR "0x1418" OR "0x1f0fff" OR "0x1f1fff" OR "0x1f2fff" OR "0x1f3fff") AND NOT winlog.event_data.SourceImage:(*\\wmiprvse.exe OR *\\taskmgr.exe OR *\\procexp64.exe OR *\\procexp.exe OR *\\lsm.exe OR *\\csrss.exe OR *\\wininit.exe OR *\\vmtoolsd.exe)
Monitor for LSASS access from unusual processes. Look for Mimikatz command line patterns and Impacket's secretsdump.py network traffic
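The GrantedAccess values listed in the query above are specific masks that include memory-read or handle-duplication rights. The Python below is an added example, not code from this report or from Microsoft: it decodes the mask bit by bit, which generalises the fixed list (any request carrying PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE or PROCESS_ALL_ACCESS is flagged), and applies the same source-image allowlist as the query. The rights constants are the documented Windows process access rights; the events are constructed.

```python
"""Triage Sysmon Event 10 (ProcessAccess) records targeting lsass.exe by
decoding the GrantedAccess mask. Events below are constructed for this
example and are not real telemetry."""
from pathlib import PureWindowsPath

# Process access rights as defined in winnt.h.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_ALL_ACCESS = {0x1F0FFF, 0x1FFFFF}   # pre-Vista and current values
DUMP_CAPABLE_MASK = 0x0010 | 0x0020 | 0x0040  # VM_READ | VM_WRITE | DUP_HANDLE

# Source images excluded in the query above (tune per environment).
ALLOWLISTED_SOURCES = {
    "wmiprvse.exe", "taskmgr.exe", "procexp64.exe", "procexp.exe",
    "lsm.exe", "csrss.exe", "wininit.exe", "vmtoolsd.exe",
}

SAMPLE_EVENTS = [
    # Unknown binary in ProgramData reading LSASS memory: flag
    {"EventID": 10, "Computer": "mft01", "SourceImage": r"C:\ProgramData\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # WMI provider host: allowlisted
    {"EventID": 10, "Computer": "ws12", "SourceImage": r"C:\Windows\System32\wbem\wmiprvse.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    # Query-limited only (no memory read): ignore
    {"EventID": 10, "Computer": "ws12", "SourceImage": r"C:\Program Files\EDR\sensor.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    # Temp-directory binary asking for full access: flag
    {"EventID": 10, "Computer": "dc01", "SourceImage": r"C:\Windows\Temp\x.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    # Process creation event, not a ProcessAccess record: skip
    {"EventID": 1, "Computer": "dc01", "Image": r"C:\Windows\System32\cmd.exe"},
]


def _as_int(mask):
    return int(mask, 16) if isinstance(mask, str) else int(mask)


def decode_access_mask(mask):
    """Set of right names granted by a GrantedAccess value."""
    value = _as_int(mask)
    if value in PROCESS_ALL_ACCESS:
        return {"PROCESS_ALL_ACCESS"}
    return {name for bit, name in PROCESS_RIGHTS.items() if value & bit}


def is_dump_capable(mask):
    """True if the mask lets the caller read or copy LSASS memory."""
    value = _as_int(mask)
    return value in PROCESS_ALL_ACCESS or bool(value & DUMP_CAPABLE_MASK)


def triage_lsass_access(events):
    """(computer, source image, mask, sorted rights) for each suspicious open."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        if PureWindowsPath(ev["TargetImage"]).name.lower() != "lsass.exe":
            continue
        if PureWindowsPath(ev["SourceImage"]).name.lower() in ALLOWLISTED_SOURCES:
            continue
        if not is_dump_capable(ev["GrantedAccess"]):
            continue
        hits.append((ev["Computer"], ev["SourceImage"], ev["GrantedAccess"],
                     sorted(decode_access_mask(ev["GrantedAccess"]))))
    return hits


if __name__ == "__main__":
    for hit in triage_lsass_access(SAMPLE_EVENTS):
        print(hit)
```

Security products and some management agents legitimately open LSASS with PROCESS_VM_READ, so the allowlist should be built from a baseline of your own hosts rather than copied as-is; the bit decode is what lets you explain why a given mask was flagged.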
T1562.001 — Impair Defenses: Disable or Modify Tools (Defense Evasion) [P1]
Storm-1175 modifies Windows Defender exclusions and Windows Firewall rules to enable RDP and prevent ransomware detection
Splunk SPL:
index=* (sourcetype=WinEventLog:Security EventCode=4657 ObjectName="*\\Windows Defender\\Exclusions*") OR (sourcetype="WinEventLog:Microsoft-Windows-Windows Defender/Operational" EventCode=5007) OR (sourcetype=WinEventLog:Security EventCode IN (4946, 4947, 4948)) | table _time ComputerName EventCode ObjectName NewValue SubjectUserName
Elastic KQL:
(event.code:"4657" AND registry.path:*\\Windows\ Defender\\Exclusions*) OR (event.code:"5007" AND event.provider:"Microsoft-Windows-Windows Defender") OR (event.code:("4946" OR "4947" OR "4948") AND event.provider:"Microsoft-Windows-Security-Auditing")
Sigma Rule:
title: Storm-1175 Defender Exclusion Tampering
id: 7b9c5d42-2e6f-5g0c-c345-678901bcdefg
status: production
description: Detects modifications to Windows Defender exclusions by Storm-1175
references:
  - https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4657
    ObjectName|contains: '\Windows Defender\Exclusions'
  condition: selection
falsepositives:
  - Legitimate administrative actions
level: high
Alert on any Defender exclusion changes and bulk firewall rule modifications, especially those enabling RDP (port 3389)
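The two signals in this section, an exclusion write under the Defender registry path and a burst of firewall rule changes, are easy to correlate once the events are out of the SIEM. The Python below is an added example, not code from this report or from Microsoft. The events are constructed; the field names (ObjectName, ObjectValueName, SubjectUserName, RuleName) follow the Windows Security event schema, and the five-minute window, the threshold of five rule changes and the RDP name hints are assumptions to tune per environment.

```python
"""Triage Windows Security events for the two T1562.001 behaviours above:
Defender exclusion changes (Event 4657 on the Exclusions registry path) and
bulk Windows Firewall rule changes (Events 4946/4947), including rules
whose name suggests RDP. Events are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

EXCLUSION_PATH = r"\windows defender\exclusions"
RDP_HINTS = ("remote desktop", "rdp", "3389")   # assumption
BULK_WINDOW = timedelta(minutes=5)              # assumption
BULK_THRESHOLD = 5                              # assumption


def fw_event(time, computer, rule_name, event_id=4946):
    """Build a constructed firewall rule-change event (4946 add, 4947 modify)."""
    return {"time": time, "EventID": event_id, "Computer": computer, "RuleName": rule_name}


SAMPLE_EVENTS = [
    # Exclusion path added on the MFT server by the application service account
    {"time": "2026-04-06T02:14:05", "EventID": 4657, "Computer": "mft01",
     "SubjectUserName": "svc_goanywhere",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     "ObjectValueName": r"C:\ProgramData\stage", "NewValue": "0"},
    # Unrelated registry audit event: ignored
    {"time": "2026-04-06T02:15:30", "EventID": 4657, "Computer": "ws12",
     "SubjectUserName": "alice",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate",
     "ObjectValueName": "AUOptions", "NewValue": "4"},
    # Five rule additions on dc01 within 40 seconds, one of them for RDP: burst
    fw_event("2026-04-06T02:20:00", "dc01", "Core Networking - DNS (UDP-Out)"),
    fw_event("2026-04-06T02:20:10", "dc01", "Allow RDP inbound"),
    fw_event("2026-04-06T02:20:20", "dc01", "File and Printer Sharing (SMB-In)"),
    fw_event("2026-04-06T02:20:30", "dc01", "Custom rule 1"),
    fw_event("2026-04-06T02:20:40", "dc01", "Custom rule 2"),
    # Single rule change on a workstation: ordinary
    fw_event("2026-04-06T03:00:00", "ws12", "Allow Teams", event_id=4947),
]


def exclusion_changes(events):
    return [ev for ev in events
            if ev["EventID"] == 4657 and EXCLUSION_PATH in ev["ObjectName"].lower()]


def rdp_rule_changes(events):
    return [ev for ev in events
            if ev["EventID"] in (4946, 4947)
            and any(h in ev.get("RuleName", "").lower() for h in RDP_HINTS)]


def firewall_bursts(events):
    """(computer, count, window start) for the first burst seen on each host."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["EventID"] in (4946, 4947):
            per_host[ev["Computer"]].append(datetime.fromisoformat(ev["time"]))
    bursts = []
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > BULK_WINDOW:
                start += 1
            if end - start + 1 >= BULK_THRESHOLD:
                bursts.append((host, end - start + 1, times[start].isoformat()))
                break
    return bursts


def triage(events):
    return {
        "defender_exclusions": [(e["Computer"], e["SubjectUserName"], e["ObjectValueName"])
                                for e in exclusion_changes(events)],
        "rdp_rules": [(e["Computer"], e["RuleName"]) for e in rdp_rule_changes(events)],
        "firewall_bursts": firewall_bursts(events),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(key, value)
```

Event 4946/4947 does not carry the port a rule opens, only its name and id, so the RDP hint is a name heuristic; the burst count is the more robust signal, and Event 4657 on the exclusion path only exists if SACL auditing is enabled on that key, which the Data Source Requirements table below assumes.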
T1041 — Exfiltration Over C2 Channel (Exfiltration) [P2]
Storm-1175 uses Rclone for cloud-based data exfiltration and Bandizip for compression before exfiltration
Splunk SPL:
index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 (Image="*\\rclone.exe" OR CommandLine="*rclone*" OR Image="*\\bandizip.exe" OR CommandLine="*bandizip*")) OR (sourcetype=proxy (url="*amazonaws.com*" OR url="*blob.core.windows.net*" OR url="*googleapis.com*") bytes_out > 104857600) | table _time ComputerName Image CommandLine DestinationIp DestinationPort bytes_out url
Elastic KQL:
(event.code:"1" AND (process.executable:*\\rclone.exe OR process.command_line:*rclone* OR process.executable:*\\bandizip.exe OR process.command_line:*bandizip*)) OR (url.domain:(*amazonaws.com OR *blob.core.windows.net OR *googleapis.com) AND network.bytes > 104857600)
Monitor for Rclone execution with cloud provider arguments. Alert on large outbound transfers to cloud storage providers
T1505.003 — Server Software Component: Web Shell (Persistence) [P1]
Storm-1175 writes JSP web shells to compromised GoAnywhere MFT and other web application directories
Splunk SPL:
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 (TargetFilename="*.jsp" AND (TargetFilename="*\\GoAnywhere*" OR TargetFilename="*\\Tomcat*" OR TargetFilename="*\\webapps*" OR TargetFilename="*\\wwwroot*")) NOT (Image="*\\java.exe" OR Image="*\\javac.exe") | table _time ComputerName TargetFilename Image ProcessId
Elastic KQL:
event.code:"11" AND file.extension:"jsp" AND file.path:(*\\GoAnywhere* OR *\\Tomcat* OR *\\webapps* OR *\\wwwroot*) AND NOT process.executable:(*\\java.exe OR *\\javac.exe)
Alert on any JSP file creation in web directories by non-Java processes. Review file contents for web shell indicators
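The RMM-from-web-process check in the T1219 section and the JSP-creation check here (both also called out under Detection and Hunting Guidance in the report) share the same endpoint telemetry, so one pass over Sysmon-style events can cover both. The Python below is an added example, not code from this report or from Microsoft; the events are constructed, and the directory markers, web parent processes and RMM name fragments are the ones used by the queries above.

```python
"""Hunt over Sysmon-style process-creation (EventID 1) and file-creation
(EventID 11) events for two Storm-1175 behaviours: RMM binaries (SimpleHelp,
MeshAgent) spawned by web application processes, and .jsp files written
into web application directories by something other than the Java runtime.
The events are constructed for this example and are not real telemetry."""
from pathlib import PureWindowsPath

WEB_PARENTS = {"java.exe", "w3wp.exe", "httpd.exe"}
RMM_MARKERS = ("simplehelp", "meshagent")
WEB_DIR_MARKERS = ("goanywhere", "tomcat", "webapps", "wwwroot")
EXPECTED_JSP_WRITERS = {"java.exe", "javac.exe"}

SAMPLE_EVENTS = [
    # RMM dropped under the MFT install tree and launched by java.exe: suspicious
    {"EventID": 1, "Computer": "mft01",
     "Image": r"C:\Program Files\GoAnywhere\tmp\SimpleHelp\Remote Access.exe",
     "ParentImage": r"C:\Program Files\GoAnywhere\jre\bin\java.exe",
     "CommandLine": '"Remote Access.exe" /install'},
    # Same RMM started by the service control manager: ordinary IT deployment
    {"EventID": 1, "Computer": "ws12",
     "Image": r"C:\Program Files\SimpleHelp\SimpleService.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "SimpleService.exe"},
    # MeshAgent named on the command line of a child of the IIS worker: suspicious
    {"EventID": 1, "Computer": "mail02",
     "Image": r"C:\inetpub\temp\agent.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "agent.exe -fullinstall --meshagent"},
    # .jsp written by the Java runtime itself: expected for a JSP application
    {"EventID": 11, "Computer": "mft01",
     "Image": r"C:\Program Files\GoAnywhere\jre\bin\java.exe",
     "TargetFilename": r"C:\Program Files\GoAnywhere\tomcat\webapps\ROOT\index.jsp"},
    # .jsp written into the web root by cmd.exe: suspicious
    {"EventID": 11, "Computer": "mft01",
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Program Files\GoAnywhere\tomcat\webapps\ROOT\help.jsp"},
    # .jsp saved by a developer outside any web directory: ignored
    {"EventID": 11, "Computer": "dev03",
     "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "TargetFilename": r"C:\Users\dev\Desktop\test.jsp"},
]


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def in_web_dir(path):
    lowered = path.lower()
    return any(f"\\{marker}\\" in lowered for marker in WEB_DIR_MARKERS)


def rmm_from_web_process(ev):
    """T1219: RMM binary whose parent is a web application process."""
    if ev.get("EventID") != 1 or basename(ev["ParentImage"]) not in WEB_PARENTS:
        return None
    haystack = (ev.get("Image", "") + " " + ev.get("CommandLine", "")).lower()
    if any(marker in haystack for marker in RMM_MARKERS):
        return ("T1219", ev["Computer"], ev["Image"])
    return None


def jsp_written_by_non_java(ev):
    """T1505.003: .jsp created in a web directory by a non-Java process."""
    if ev.get("EventID") != 11:
        return None
    target = ev.get("TargetFilename", "")
    if not target.lower().endswith(".jsp") or not in_web_dir(target):
        return None
    if basename(ev.get("Image", "")) in EXPECTED_JSP_WRITERS:
        return None
    return ("T1505.003", ev["Computer"], target)


def hunt(events):
    """Return (technique, computer, detail) for every event that trips a check."""
    findings = []
    for ev in events:
        for check in (rmm_from_web_process, jsp_written_by_non_java):
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for technique, computer, detail in hunt(SAMPLE_EVENTS):
        print(f"{technique:10} {computer:8} {detail}")
```

One design caveat that follows from excluding java.exe as a writer, as the queries above do: a deserialization exploit runs inside the Java process, so a web shell it writes directly is attributed to java.exe and slips past this check. Pair it with file integrity monitoring on the web directories (listed under Data Source Requirements) so that unexpected .jsp creation is caught regardless of which process wrote it.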
T1021.002 — Remote Services: SMB/Windows Admin Shares (Lateral Movement) [P2]
Storm-1175 uses PsExec and Impacket for SMB-based lateral movement across compromised networks
Splunk SPL:
index=* (sourcetype=WinEventLog:Security EventCode=4624 Logon_Type=3 Authentication_Package=NTLM) OR (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3 (DestinationPort=445 OR DestinationPort=139) (Image="*\\psexec.exe" OR Image="*\\psexesvc.exe" OR CommandLine="*impacket*")) | stats count by src_ip, dest_ip, Account_Name, Image | where count > 10
Elastic KQL:
(event.code:"4624" AND winlog.event_data.LogonType:"3" AND winlog.event_data.AuthenticationPackageName:"NTLM") OR (event.code:"3" AND (destination.port:445 OR destination.port:139) AND (process.executable:*\\psexec.exe OR process.executable:*\\psexesvc.exe OR process.command_line:*impacket*))
Look for SMB authentication from unusual source IPs or service accounts. Monitor for PsExec service installation events
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| filename | RunFileCopy.cmd | PDQ Deployer script used by Storm-1175 to distribute Medusa ransomware payloads |
| filename | conhost.exe | Renamed Cloudflare tunnel binary used by Storm-1175 for C2 communications |
| filename | netscan | Network discovery tool deployed by Storm-1175 for reconnaissance |
| filename | SimpleHelp | RMM tool abused by Storm-1175 for persistence, often dropped in web application directories |
| filename | MeshAgent | RMM tool abused by Storm-1175 for persistence and remote access |
| filename | Rclone | Cloud synchronization tool used by Storm-1175 for data exfiltration to cloud resources |
| filename | Bandizip | File compression tool used by Storm-1175 for staging data before exfiltration |
| filename | PDQ Deployer | Legitimate software deployment tool abused by Storm-1175 for lateral movement and ransomware distribution |
| filename | Mimikatz | Credential dumping tool used by Storm-1175 for privilege escalation |
| filename | .jsp | JSP web shell files written by Storm-1175 to GoAnywhere MFT directories for persistence |
IOC Sweep Queries (Splunk):
index=* (CommandLine="*RunFileCopy.cmd*" OR TargetFilename="*RunFileCopy.cmd*" OR Image="*\\RunFileCopy.cmd*") | table _time ComputerName CommandLine Image ParentImage
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=11) (Image="*\\conhost.exe" OR TargetFilename="*\\conhost.exe") NOT ParentImage="*\\csrss.exe" | table _time ComputerName Image ParentImage CommandLine MD5
index=* (CommandLine="*netscan*" OR Image="*\\netscan*" OR TargetFilename="*netscan*") | table _time ComputerName CommandLine Image ParentImage
index=* (Image="*SimpleHelp*" OR TargetFilename="*SimpleHelp*" OR CommandLine="*SimpleHelp*") | table _time ComputerName Image CommandLine ParentImage TargetFilename
index=* (Image="*MeshAgent*" OR TargetFilename="*MeshAgent*" OR CommandLine="*MeshAgent*") | table _time ComputerName Image CommandLine ParentImage TargetFilename
index=* (Image="*rclone*" OR CommandLine="*rclone*" OR TargetFilename="*rclone*") | table _time ComputerName CommandLine Image ParentImage
index=* (Image="*bandizip*" OR CommandLine="*bandizip*" OR TargetFilename="*bandizip*") | table _time ComputerName CommandLine Image ParentImage
index=* (Image="*PDQDeploy*" OR CommandLine="*PDQDeploy*" OR ServiceName="PDQDeploy*") | table _time ComputerName Image CommandLine ParentImage
index=* (CommandLine="*mimikatz*" OR CommandLine="*sekurlsa*" OR CommandLine="*lsadump*" OR Image="*mimikatz*" OR TargetFilename="*mimikatz*") | table _time ComputerName CommandLine Image ParentImage
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 TargetFilename="*.jsp" (TargetFilename="*GoAnywhere*" OR TargetFilename="*webapps*" OR TargetFilename="*wwwroot*") | table _time ComputerName TargetFilename Image
YARA Rules
Storm1175_RMM_Tools — Detects SimpleHelp and MeshAgent RMM tools commonly deployed by Storm-1175
rule Storm1175_RMM_Tools {
    meta:
        description = "Detects RMM tools used by Storm-1175 for persistence"
        author = "Threat Hunt Team"
        date = "2024-01-15"
        reference = "https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets"
    strings:
        $s1 = "SimpleHelp" ascii wide
        $s2 = "simple-help" ascii wide
        $s3 = "MeshAgent" ascii wide
        $s4 = "mesh.exe" ascii wide nocase
        $s5 = "Remote Support Solution" ascii wide
        $s6 = "meshagent" ascii wide nocase
        $pdb1 = "SimpleHelp.pdb" ascii
        $pdb2 = "MeshAgent.pdb" ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 50MB and (2 of ($s*) or any of ($pdb*))
}
Storm1175_Renamed_Cloudflare — Detects Cloudflare tunnel binaries renamed to conhost.exe by Storm-1175
rule Storm1175_Renamed_Cloudflare {
    meta:
        description = "Detects renamed Cloudflare tunnel binaries used by Storm-1175"
        author = "Threat Hunt Team"
        date = "2024-01-15"
    strings:
        $cf1 = "cloudflared" ascii wide
        $cf2 = "Cloudflare" ascii wide
        $cf3 = "tunnel" ascii wide
        $cf4 = "cf-tunnel" ascii wide
        $name = "conhost.exe" ascii wide
        $hex1 = { 43 6C 6F 75 64 66 6C 61 72 65 }
    condition:
        uint16(0) == 0x5A4D and ($name and (2 of ($cf*) or $hex1)) and filesize < 100MB
}
Storm1175_JSP_WebShell — Detects potential JSP web shells dropped by Storm-1175 in GoAnywhere directories
rule Storm1175_JSP_WebShell {
    meta:
        description = "Detects JSP web shells used by Storm-1175"
        author = "Threat Hunt Team"
        date = "2024-01-15"
    strings:
        $jsp1 = "<%@page import=" ascii
        $jsp2 = "request.getParameter" ascii
        $jsp3 = "java.lang.Runtime" ascii
        $jsp4 = "exec(" ascii
        $jsp5 = "getRuntime()" ascii
        $jsp6 = "ProcessBuilder" ascii
        $sus1 = "cmd.exe" ascii
        $sus2 = "/bin/bash" ascii
        $sus3 = "whoami" ascii
    condition:
        filesize < 50KB and $jsp1 and any of ($jsp2, $jsp3, $jsp4, $jsp5, $jsp6) and any of ($sus*)
}
Suricata Rules
SID 1000001 — Detects potential Storm-1175 GoAnywhere MFT exploitation attempts
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Storm-1175 GoAnywhere MFT Exploitation Attempt"; flow:to_server,established; content:"POST"; http_method; content:"/goanywhere/"; http_uri; content:"License"; http_uri; pcre:"/\/goanywhere\/.*License.*Servlet/i"; content:"java"; http_header_names; classtype:web-application-attack; sid:1000001; rev:1;)
SID 1000002 — Detects SimpleHelp RMM tool C2 communication
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Storm-1175 SimpleHelp RMM C2 Communication"; flow:to_server,established; content:"SimpleHelp"; content:"remote-access"; distance:0; within:50; threshold:type limit, track by_src, count 1, seconds 3600; classtype:trojan-activity; sid:1000002; rev:1;)
SID 1000003 — Detects Rclone cloud exfiltration activity
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET EXFIL Storm-1175 Rclone Cloud Storage Upload"; flow:to_server,established; tls.sni; pcre:"/(?:amazonaws\.com|blob\.core\.windows\.net|googleapis\.com)$/i"; threshold:type limit, track by_src, count 1, seconds 3600; classtype:data-loss; sid:1000003; rev:2;)
SID 1000004 — Detects PDQ Deployer communication patterns
alert tcp $HOME_NET any -> $HOME_NET any (msg:"ET LATERAL Storm-1175 PDQ Deployer Lateral Movement"; flow:to_server,established; content:"PDQDeploy"; content:"RunFileCopy.cmd"; distance:0; within:100; threshold:type threshold, track by_src, count 5, seconds 60; classtype:lateral-movement; sid:1000004; rev:1;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Sysmon | T1190, T1219, T1059.001, T1570, T1003, T1041, T1505.003, T1021.002 | Essential for process creation (EventID 1), file creation (EventID 11), network connections (EventID 3), and LSASS access (EventID 10) |
| Windows Security | T1190, T1059.001, T1570, T1003, T1562.001, T1021.002 | Required for process creation (4688), registry auditing (4657), logon events (4624), and special privileges (4672) |
| PowerShell ScriptBlock Logging | T1059.001 | Critical for detecting encoded PowerShell execution. Enable via Group Policy |
| Web Application Logs | T1190, T1505.003 | IIS, Apache, or application-specific logs for GoAnywhere, SmarterMail, ScreenConnect, etc. |
| Windows Defender Operational Log | T1562.001 | Monitor for exclusion changes and disabled real-time protection |
| Windows Firewall Log | T1562.001 | Detect bulk firewall rule changes enabling RDP |
| Proxy Logs | T1041 | Monitor for large data transfers to cloud storage providers |
| File Integrity Monitoring | T1505.003 | Alert on JSP file creation in web directories |
Sources
- Microsoft Security Blog - Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations
- BleepingComputer - Microsoft links Medusa ransomware affiliate to zero-day attacks
- The Hacker News - China-linked Storm-1175 exploits zero-days
- CISA Alert - CISA and partners release cybersecurity advisory on Medusa ransomware
- CISA Advisory AA25-071A - Medusa Ransomware
- Microsoft Security Blog - Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability