{
  "Event": {
    "analysis": "1",
    "date": "2026-04-06",
    "extends_uuid": "",
    "info": "[Threat Intel] Storm-1175 focuses gaze on vulnerable web-facing assets in high ...",
    "protected": false,
    "publish_timestamp": "1775975061",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1775975061",
    "uuid": "b3d1f8c7-7238-48c9-ae2f-4e2650932591",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#96f4f6",
        "local": false,
        "name": "misp-galaxy:producer=\"Microsoft\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"Storm-1175\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:ransomware=\"medusa\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"Cybercrime\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"Ransomware\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775530807",
        "to_ids": false,
        "type": "link",
        "uuid": "ddd97a7a-0f9d-4b8e-8c28-b4c5bd761554",
        "value": "https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775530807",
        "to_ids": false,
        "type": "text",
        "uuid": "db70b320-cab1-4f7f-8dad-9805ea400e30",
        "value": "The financially motivated cybercriminal actor tracked by Microsoft Threat Intelligence as Storm-1175 operates high-velocity ransomware campaigns that weaponize N-days, targeting vulnerable, web-facing systems during the window between vulnerability disclosure and widespread patch adoption. Following successful exploitation, Storm-1175 rapidly moves from initial access to data exfiltration and deployment of Medusa ransomware, often within a few days and, in some cases, within 24 hours. The threat actor\u2019s high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775530807",
        "to_ids": false,
        "type": "text",
        "uuid": "5e40226a-f240-4b8e-9134-7f82221e783f",
        "value": "Name: Storm-1175 focuses gaze on vulnerable web-facing assets in high ...\nAuthor: AlienVault\nAdversary: Storm-1175\nTags: [\"psexec\", \"medusa\", \"remote access\", \"ransomware\", \"storm-1175\", \"exploit\"]\nTgtd countries: []\nMlwr families: [\"Medusa\"]\nAttack_ids: [\"\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775971503",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "f1c3cd65-1a52-4373-9bd5-e60e696273f8",
        "value": "Storm-1175",
        "Tag": [
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:threat-actor=\"Storm-1175\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775530808",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "68a8f43c-170b-44cd-8ec4-76cc5d4e119c",
        "value": "CVE-2023-21529"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775530808",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "85aaf7dd-16c4-43f6-8f57-5dc36c80280f",
        "value": "CVE-2023-27350"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775530808",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "cbcd90e4-f103-4654-b5a7-d5683d7bd2d4",
        "value": "CVE-2023-27351"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775530808",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "22a8f530-49d5-4298-af50-7a41a3283c38",
        "value": "CVE-2023-46805"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775530808",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "39461b23-74d9-48fb-891e-fc7908d7711f",
        "value": "CVE-2024-1708"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775530808",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "1dd8ae7e-a6b7-4eba-b837-fcd522680fa1",
        "value": "CVE-2024-1709"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775530808",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "dd373c35-4d3c-42ca-9ca6-99d7a6356586",
        "value": "CVE-2024-21887"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775530808",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "a8e5783a-5905-4441-9991-8da6fcab60fb",
        "value": "CVE-2024-27198"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775530808",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "c64722a7-2a81-46f8-a24c-2da910758439",
        "value": "CVE-2024-27199"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775530808",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "6926cb30-7617-4b58-8201-9a906f2fbfcb",
        "value": "CVE-2024-57726"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775530808",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "3c9479c1-9cd3-43f6-852b-7e4cb320292a",
        "value": "CVE-2024-57727"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775530808",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "8992918a-04fa-4e59-b9dc-da5a38e55be0",
        "value": "CVE-2024-57728"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775530808",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "241941f9-22b4-4654-9ab3-4bead5cd1bf4",
        "value": "CVE-2025-10035"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775530808",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "ab9fd79a-c2f5-49bc-9ae6-552a87e47789",
        "value": "CVE-2025-31324"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775530808",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "58740c87-4c33-4560-8aa4-b01d50268667",
        "value": "CVE-2025-52691"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775530808",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "2b355723-513b-4470-8bcb-b88a9dec2850",
        "value": "CVE-2026-1731"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775530808",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "4e6b4aeb-de06-4a70-8470-2737a102c70f",
        "value": "CVE-2026-23760"
      },
      {
        "category": "Payload delivery",
        "comment": "Gaze.exe (Medusa Ransomware) No sample in VT\nLast check: 12/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775973335",
        "to_ids": true,
        "type": "sha256",
        "uuid": "846a3a01-0b96-4d11-b7fe-3e44635b8993",
        "value": "0cefeb6210b7103fd32b996beff518c9b6e1691a97bb1cda7f5fb57905c4be96",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "moon.exe (SimpleHelp) No sample in VT\nLast check: 12/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775973336",
        "to_ids": true,
        "type": "sha256",
        "uuid": "73d5c680-b09e-401a-bfdb-8ac60f882600",
        "value": "5ba7de7d5115789b952d9b1c6cff440c9128f438de933ff9044a68fff8496d19",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "main.exe (SimpleHelp) No sample in VT\nLast check: 12/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775973338",
        "to_ids": true,
        "type": "sha256",
        "uuid": "a7e46db4-625c-4a78-b574-93ce0bd9a196",
        "value": "e57ba1a4e323094ca9d747bfb3304bd12f3ea3be5e2ee785a3e656c3ab1e8086",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "SimpleHelp C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775974289",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "abcf9ac6-c5d7-40a3-8ed8-b16780877cba",
        "value": "185.135.86.149",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "SimpleHelp C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775974310",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "110306bd-74a2-4522-b025-cfacce6f29e9",
        "value": "134.195.91.224",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "SimpleHelp C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775974331",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "89dfbdd5-6c33-493e-a444-951447dae0b0",
        "value": "85.155.186.121",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775974353",
        "uuid": "d5a336be-fced-4aee-9e85-50cd9b5d518d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Rclone - note that we have seen this hash in ransomware intrusions by other threat actors since 2024 as well",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775974353",
            "to_ids": true,
            "type": "md5",
            "uuid": "2e94acb7-b08c-4c85-992a-894b5690f811",
            "value": "9f829f7343d5d5da7c397fa6efda4a4e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Rclone - note that we have seen this hash in ransomware intrusions by other threat actors since 2024 as well",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775973335",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ed39cdd0-14b7-422d-a645-8e2a941f3810",
            "value": "211500fa181ee200bf9bdd42a1ab0288a7f0cf69",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Rclone - note that we have seen this hash in ransomware intrusions by other threat actors since 2024 as well",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775973335",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4a37c2ac-7ea2-4a06-9542-8332b492ea4e",
            "value": "9632d7e4a87ec12fdd05ed3532f7564526016b78972b2cd49a610354d672523c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775973099",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d4e72dd9-b7d2-4385-9103-6fb3d311a19e",
            "value": "393216:u3v91xBH8/XZABzM6LtKK0YrCkznbx07Op:uffxBH8/uZM6xKrYW606"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775973099",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "dcef8f37-4255-4131-9841-714f25a08359",
            "value": "57424896"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775973099",
            "to_ids": true,
            "type": "vhash",
            "uuid": "81165d31-08d5-4d6b-90ad-9a52adb0cbb9",
            "value": "057086655d55551d14155az2f!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775973099",
            "to_ids": true,
            "type": "filename",
            "uuid": "f82680ce-6ef2-4be5-a346-69de405f1bd6",
            "value": "rclone.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan: 11/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775973099",
            "to_ids": false,
            "type": "text",
            "uuid": "35acb571-3f6a-4015-ad45-0c4e1cdf5b3d",
            "value": "Rclone - note that we have seen this hash in ransomware intrusions by other threat actors since 2024 as well\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection: 1/70\nFirst Submission: 2024-01-24T16:57:12.000000+00:00\nLast Submission: 2026-04-08T19:06:04.000000+00:00"
          }
        ]
      }
    ]
  }
}