A Medusa affiliate is behind an ongoing hacking campaign active since at least 11 September, and Fortra has yet to provide answers, an expert says.
Like many companies in the cyber security sphere, Microsoft has been looking closely at reports of active exploitation of a recently disclosed vulnerability in Fortra’s GoAnywhere MFT file transfer platform. What it has found is that exploitation is indeed happening, and that a ransomware actor is behind the malicious activity.
“Microsoft Defender researchers identified exploitation activity in multiple organisations aligned to tactics, techniques, and procedures (TTPs) attributed to Storm-1175,” Microsoft said in a 6 October blog post.
“Related activity was observed on September 11, 2025.”
Storm-1175 is a known affiliate of the Medusa ransomware-as-a-service operation, a hacking group that hires its ransomware platform to anyone willing to pay a cut of any criminal profits.
Storm-1175’s current activity operates in multiple stages, first exploiting what was – initially, at least – the zero-day deserialisation vulnerability in GoAnywhere MFT that would eventually be disclosed as CVE-2025-10035 about a week after the initial compromise.
The actor then deployed a pair of remote monitoring and management (RMM) tools, SimpleHelp and MeshAgent, to maintain persistence, before executing user and system recovery commands alongside tools such as netscan to perform network discovery. Lateral movement followed, and the actor continued to use RMM tools, in this case to build their command and control infrastructure.
“During the exfiltration stage, the deployment and execution of Rclone was observed in at least one victim environment,” Microsoft said.
“Ultimately, in one compromised environment, the successful deployment of Medusa ransomware was observed.”
Benjamin Harris, watchTowr CEO and founder, said this was exactly what many had been fearing for weeks.
“Just weeks after we confirmed evidence of in-the-wild exploitation of CVE-2025-10035, Microsoft has now linked the attacks to a known Medusa ransomware affiliate, confirming what we feared,” Harris told Cyber Daily.
“Organisations running GoAnywhere MFT have effectively been under silent assault since at least September 11, with little clarity from Fortra. Microsoft’s confirmation now paints a pretty unpleasant picture – exploitation, attribution, and a month-long head start for the attackers. What’s still missing are the answers only Fortra can provide. How did threat actors get the private keys needed to exploit this? Why were organisations left in the dark for so long?
“Customers deserve transparency, not silence. We hope they will share in the very near future so affected or potentially affected organisations can understand their exposure to a vulnerability that is being actively exploited in the wild.”
Fortra has not updated its advisory since it was initially published on 18 September. You can read Microsoft’s full vulnerability analysis here.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.