
A cybercrime group tracked as Storm-1175 has been exploiting a maximum-severity GoAnywhere MFT vulnerability in Medusa ransomware attacks for approximately a month.
Tracked as CVE-2025-10035, the security flaw affects Fortra’s web-based GoAnywhere MFT secure file transfer tool and is caused by a deserialization of untrusted data weakness in the License Servlet. It can be exploited remotely in low-complexity attacks that do not require user interaction.
Security analysts at the Shadowserver Foundation are currently monitoring more than 500 GoAnywhere MFT instances exposed online, although it is not clear how many of them have already been patched.
While Fortra patched the vulnerability on September 18 without mentioning active exploitation, security researchers at watchTowr Labs tagged it as exploited in the wild after receiving “reliable evidence” that CVE-2025-10035 had been abused as a zero-day since September 10.
Exploited in Medusa ransomware attacks
Today, Microsoft confirmed watchTowr Labs’ report, stating that a known Medusa ransomware affiliate it tracks as Storm-1175 has been exploiting this vulnerability in attacks since at least September 11, 2025.
“Microsoft Defender researchers identified exploitation activity in multiple organizations that is associated with tactics, techniques, and procedures (TTPs) attributed to Storm-1175,” Microsoft said.
“For initial access, the threat actor exploited the then-zero-day deserialization vulnerability in GoAnywhere MFT. To maintain persistence, they abused Remote Monitoring and Management (RMM) tools, specifically SimpleHelp and MeshAgent.”
In the next stage of the attack, the ransomware affiliate launched the RMM binaries, used netscan for network reconnaissance, executed commands for user and system discovery, and later moved laterally across several compromised systems using the Microsoft Remote Desktop client (mstsc.exe).
During the attack, the attackers deployed Rclone in at least one victim’s environment to exfiltrate stolen files and then deployed the Medusa ransomware payload to encrypt the victims’ files.
In March, CISA issued a joint advisory with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), warning that the Medusa ransomware operation had affected over 300 critical infrastructure organizations across the United States.
Storm-1175 was also one of four cybercrime gangs that Microsoft linked in July 2024 to the exploitation of a VMware ESXi authentication bypass vulnerability, which led to the deployment of Akira and Black Basta ransomware.
To defend against the Medusa ransomware attacks targeting GoAnywhere MFT servers, Microsoft and Fortra advised admins to upgrade to the latest versions. Fortra also asked customers to determine whether their installations have been affected by inspecting their log files for stack trace errors containing the SignedObject.getObject string.
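The log check Fortra recommends above is easy to automate. The script below is an added example written for this article, not Fortra’s or Microsoft’s own tooling: it groups a Java-style application log into entries (a timestamped line plus any continuation and stack-trace lines that follow it) and reports every entry whose stack trace contains the SignedObject.getObject string. The log format, the sample log lines and the com.example.placeholder frame are constructed for the demonstration; only java.security.SignedObject.getObject is a real JDK method name, and its presence in a stack trace is the indicator Fortra named.

```python
"""Scan application logs for stack traces that mention SignedObject.getObject.

Added example for this article; assumes a log where each entry starts with an
ISO-like timestamp and stack-trace frames follow on their own lines.
"""
import re
import sys
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# The string Fortra asked customers to look for in stack trace errors.
INDICATOR = "SignedObject.getObject"

# Lines that begin a new log entry start with "YYYY-MM-DD HH:MM:SS" (assumed format).
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2})")


@dataclass
class Finding:
    line_no: int    # 1-based line number where the log entry starts
    timestamp: str  # timestamp of that entry ("" if the file did not start with one)
    excerpt: str    # first stack-trace line that contained the indicator


def split_entries(lines: Iterable[str]) -> List[Tuple[int, str, List[str]]]:
    """Group raw lines into (start_line_no, timestamp, body_lines) entries.

    A line with a leading timestamp opens a new entry; every other line
    (exception message, "\tat ..." frames, "Caused by:" lines) is appended
    to the entry that precedes it.
    """
    entries: List[Tuple[int, str, List[str]]] = []
    for line_no, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        match = TS_RE.match(line)
        if match or not entries:
            entries.append((line_no, match.group(1) if match else "", [line]))
        else:
            entries[-1][2].append(line)
    return entries


def find_signedobject_traces(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per log entry whose body mentions the indicator."""
    findings: List[Finding] = []
    for start, timestamp, body in split_entries(lines):
        hits = [l for l in body if INDICATOR in l]
        if hits:
            findings.append(Finding(start, timestamp, hits[0].strip()))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Scan a log file on disk; tolerate odd bytes so a scan never aborts mid-file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_signedobject_traces(fh)


# Constructed sample log: one benign entry, one entry with a stack trace that
# passes through SignedObject.getObject, and one more benign entry.
SAMPLE_LOG = """\
2025-09-18 10:02:11 INFO  [http-nio-8000-exec-3] Login succeeded for user admin
2025-09-18 10:04:37 ERROR [http-nio-8000-exec-5] Unhandled exception in license servlet
java.lang.RuntimeException: constructed-example-stack-trace
\tat java.security.SignedObject.getObject(SignedObject.java:179)
\tat com.example.placeholder.LicenseHandler.handle(LicenseHandler.java:42)
2025-09-18 10:05:00 INFO  [http-nio-8000-exec-1] Scheduled job completed
"""


if __name__ == "__main__":
    # Usage: python scan_log.py [logfile ...]; with no arguments the sample log is scanned.
    results = []
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            results.extend(scan_file(path))
    else:
        results = find_signedobject_traces(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"line {f.line_no} [{f.timestamp}]: {f.excerpt}")
    print(f"{len(results)} suspicious stack trace(s) found")
```

A hit only tells you that the server threw an error while deserializing a signed object in the license path; it is the trigger for a deeper investigation (patch status, RMM binaries such as SimpleHelp or MeshAgent that the organization did not install, unexpected mstsc.exe or Rclone activity), not proof of compromise on its own.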