HOMETHREATSStorm-1175
APT / THREAT GROUP💰 FINANCIALHIGH

Storm-1175

🇨🇳China-attributed
1
campaigns
1
aliases
Last seen:Mar 17, 2026

Intelligence Profile

Storm-1175 is a cybercriminal group known for deploying Medusa ransomware and exploiting public-facing applications for initial access. They have been observed exploiting a critical deserialization vulnerability in GoAnywhere MFT, tracked as CVE-2025-10035, which could lead to command injection and potential RCE. Microsoft Defender researchers identified exploitation activity aligned with TTPs attributed to Storm-1175, including the use of post-compromise techniques that involve creating a group named “ESX Admins” in the domain.

Threat Analysis

Storm-1175 is a high-sophistication threat actor attributed to China, engaged in cyber operations with a primary motivation of financial.

Financially motivated threat actors like Storm-1175 prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

With high sophistication, Storm-1175 is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.

Known Campaigns

Storm-1175 — Active Operations March 2026

Storm-1175 is a financial threat actor attributed to China. Storm-1175 is a cybercriminal group known for deploying Medusa ransomware and exploiting public-facing applications for initial access. They have been observed exploiting a critical deserialization vulnerability in GoAnywhere MFT, tracked as CVE-2025-10035, which could lead to co...

ACTIVEMEDIUM2026

Intelligence Reports Mentioning Storm-1175

External References

Quick Facts

TypeAPT / Threat Group
Motivation💰 financial
Sophisticationhigh
Origin🇨🇳 China
Aliases1
SourceMalpedia

Also Known As

Storm-1175

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
Storm-1175 — APT / Threat Group | Threat Intelligence | CTIWATCH.COM