| SYMBOL | COMMON_NAME | aka. SYNONYMS |
Storm-1175 is a cybercriminal group known for deploying Medusa ransomware and exploiting public-facing applications for initial access. They have been observed exploiting a critical deserialization vulnerability in GoAnywhere MFT, tracked as CVE-2025-10035, which could lead to command injection and potential RCE. Microsoft Defender researchers identified exploitation activity aligned with TTPs attributed to Storm-1175, including the use of post-compromise techniques that involve creating a group named “ESX Admins” in the domain.
There are currently no families associated with this actor.
| 2025-10-06
⋅
Microsoft
⋅
Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability Medusa Storm-1175 |