High

Since 2023, the group has exploited more than 16 vulnerabilities across widely used platforms, including Microsoft Exchange, Ivanti appliances, ConnectWise ScreenConnect, JetBrains TeamCity, CrushFTP, Fortra GoAnywhere MFT, and SmarterMail. Notably, CVE-2025-10035 and CVE-2026-23760 were exploited as zero-days before disclosure. The group has also recently expanded its focus to Linux systems, including Oracle WebLogic servers.

Post-compromise, Storm-1175 establishes persistence by creating new user accounts, deploying web shells, or using legitimate remote monitoring and management (RMM) tools. It conducts credential theft, disables or evades security controls, and moves laterally using tools like PowerShell, PsExec, Impacket, and PDQ Deployer. Techniques such as credential dumping (via Mimikatz), modifying firewall rules to enable RDP, and adding antivirus exclusions are commonly observed.

For data exfiltration, the group uses tools like Rclone, while utilities such as Bandizip assist in data collection. A key trend is the abuse of legitimate RMM tools (e.g., AnyDesk, Atera, MeshAgent), allowing attackers to blend malicious activity with normal network traffic and evade detection.

Overall, Storm-1175’s success stems from its speed, adaptability, and strategic use of trusted tools, highlighting the critical need for timely patching, strong monitoring, and improved detection of dual-use software in enterprise environments.

Impact

• Data Exfiltration
• Credential Theft
• Lateral Movement
• System Compromise

Indicators of Compromise

IP

• 185.135.86.149
• 134.195.91.224
• 85.155.186.121

MD5

• 9f829f7343d5d5da7c397fa6efda4a4e

SHA-256

• 9632d7e4a87ec12fdd05ed3532f7564526016b78972b2cd49a610354d672523c

SHA1

• 211500fa181ee200bf9bdd42a1ab0288a7f0cf69

Remediation

• Apply security patches immediately, especially for internet-facing systems, to reduce exposure to both zero-day and recently disclosed vulnerabilities
• Continuously scan and inventory external assets to identify and remediate exposed services before attackers can exploit them
• Implement multi-factor authentication (MFA) across all critical systems, particularly for remote access and administrative accounts
• Restrict and monitor the use of RMM tools to prevent abuse, allowing only approved tools and enforcing strict access controls
• Use network segmentation to limit lateral movement and contain potential breaches within smaller zones
• Monitor for suspicious use of legitimate tools like PowerShell, PsExec, and Impacket to detect living-off-the-land activity
• Enable advanced endpoint detection and response (EDR) solutions to identify abnormal behavior and ransomware activity early
• Regularly audit user accounts and remove unauthorized or newly created accounts to prevent persistence
• Enforce least privilege access to minimize the impact of compromised credentials
• Monitor and block unusual outbound traffic to detect and prevent data exfiltration attempts
• Protect backups by keeping them offline or immutable to ensure recovery in case of ransomware deployment
• Regularly review and harden firewall rules, especially to restrict unnecessary RDP access
• Validate and monitor antivirus configurations to prevent unauthorized exclusions being added
• Conduct security awareness and incident response drills to improve readiness against fast-moving attacks