A cybercriminal group known as Storm-1175 has been linked by Microsoft Threat Intelligence to the exploitation of a critical vulnerability in GoAnywhere MFT, a managed file transfer service. This exploitation has led to multi-stage attacks, including ransomware deployment, marking a significant escalation in the threat landscape.

Microsoft Links GoAnywhere Zero-Day to Storm Ransomware

Microsoft’s findings, detailed in a blog post on Monday, September 25, add to the growing body of evidence suggesting that the vulnerability in Fortra’s file-transfer service, identified as CVE-2025-10035, was actively exploited as a zero-day before it was officially disclosed and patched on September 18.

Despite the increasing evidence, Fortra has yet to publicly acknowledge active exploitation of the vulnerability. The company’s last update to its security advisory on September 18 included indicators of compromise, but further inquiries have gone unanswered.

Storm-1175’s Tactics and Techniques

According to Microsoft, Storm-1175, a financially motivated cybercrime group with a history of exploiting public vulnerabilities to deploy Medusa ransomware, leveraged CVE-2025-10035 to achieve remote code execution.

Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, explained that the attackers installed remote monitoring tools such as SimpleHelp and MeshAgent, dropped web shells, and moved laterally across networks using built-in Windows utilities. In one documented case, the intrusion resulted in data theft via Rclone and the deployment of Medusa ransomware.

Corroborating Evidence and Industry Concerns

Microsoft’s research reinforces earlier findings from firms like watchTowr, which reported credible evidence of active exploitation of the GoAnywhere vulnerability as far back as September 10, predating Fortra’s reported discovery date.

Ben Harris, founder and CEO at watchTowr, emphasized the severity of the situation: “Microsoft has now linked the attacks to a known Medusa ransomware affiliate, confirming what we feared. Organizations running GoAnywhere MFT have effectively been under silent assault since at least Sept. 11, with little clarity from Fortra.”

Harris further criticized Fortra’s lack of transparency, particularly regarding how attackers accessed private keys, a detail researchers flagged as concerning. He stated, “Customers deserve transparency, not silence.”

Government Acknowledgment and Impacted Sectors

Federal cyber authorities have also confirmed the active exploitation of the GoAnywhere vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-10035 to its known exploited vulnerabilities catalog on September 29, citing its use in ransomware campaigns.

DeGrippo noted that Storm-1175’s attacks are opportunistic, impacting organizations across various sectors, including transportation, education, retail, insurance, and manufacturing. She added, “Their tactics reflect the broader pattern we’re seeing, which is blending legitimate tools with stealthy techniques to stay under the radar and monetize access through extortion and data theft.”

Past Incidents and the Need for Vigilance

While the exact number of impacted organizations remains undisclosed, Fortra customers have experienced similar situations before. A zero-day vulnerability in the same file-transfer service was widely exploited two years ago, leading to attacks on over 100 organizations. This history underscores the critical need for vigilance and proactive security measures among GoAnywhere MFT users.
