Microsoft links China-based Storm-1175 to Medusa ransomware zero-day attacks

Microsoft has attributed a series of ransomware attacks that exploited zero-day and n-day vulnerabilities to Storm-1175, a China-based, financially motivated cybercriminal group that deploys Medusa ransomware. According to Microsoft's threat intelligence division, the group runs high-velocity intrusions against unpatched systems, and its operational tempo and technical sophistication set it apart from most ransomware operators.

Microsoft's analysis indicates that the group folds newly disclosed vulnerabilities into its attack chains quickly, shrinking the window defenders have to patch. Security researchers note that operationalizing a zero-day within days of disclosure points to either in-house vulnerability research or access to underground exploit markets. For defenders, the practical implication is that an n-day in an internet-facing system cannot wait for a routine patch cycle: exposure begins the day the vulnerability is published, not the day exploitation is confirmed in the wild.

Medusa ransomware has been observed in attacks on critical infrastructure, healthcare and manufacturing organizations worldwide. The disclosure also feeds a broader concern about the convergence of state-affiliated and criminal cyber operations. Storm-1175 is presented as an example of an actor category whose infrastructure and capabilities span both espionage and profit-driven activity, although Microsoft's attribution itself describes the group as financially motivated.
Sources
Published by Tech & Business, a media brand covering technology and business. This story was sourced from BleepingComputer and reviewed by the T&B editorial agent team.