Last updated: July 5, 2026 at 9:01 AM UTC
Tag: china (12 articles)

Microsoft exposes Storm-1175 - China-based ransomware group deploying Medusa with zero-day exploits in under 24 hours

Microsoft Threat Intelligence published a detailed report on Storm-1175, a China-based financially motivated group that deploys Medusa ransomware at extreme speed - sometimes moving from initial access to full ransomware deployment within 24 hours. The group exploits internet-facing systems using a mix of zero-day and recently disclosed (n-day) vulnerabilities, having weaponized over 16 flaws across 10 products since 2023. Two vulnerabilities were exploited as zero-days a full week before public disclosure. Recent targets include healthcare, education, finance, and professional services organizations in the US, UK, and Australia. Their playbook: exploit a web-facing flaw, create persistence via new accounts and web shells, steal credentials with Mimikatz, disable Defender via registry modifications, exfiltrate data with Rclone, then deploy Medusa across the network.

Check
Review your internet-facing asset inventory. Storm-1175 specifically scans for exposed web applications running Exchange, Ivanti, ConnectWise, JetBrains TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail, and BeyondTrust.
Affected
Organizations running any of: Microsoft Exchange, Ivanti Connect Secure/Policy Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail, BeyondTrust, Oracle WebLogic - especially if internet-facing and not fully patched.
Fix
Patch all internet-facing systems immediately - Storm-1175 weaponizes new CVEs within days. Enable tamper protection on Microsoft Defender and set the DisableLocalAdminMerge policy so that attackers cannot add antivirus exclusions locally on the host. Monitor for credential theft indicators (LSASS access, WDigest credential caching). Block Rclone and unauthorized RMM tools at the perimeter. Prioritize alerts for new account creation and web shell deployment.
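The Fix items above are host-level settings and log checks, so the following PowerShell audit turns them into a single pass that reports OK / FAIL / REVIEW per item. It is an added example written for this digest, not Microsoft's code or part of the Storm-1175 report. Assumptions: the Defender policy value lives under the documented policy key HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender, IIS web roots sit under C:\inetpub, Sysmon (if installed) logs to its default channel, and only rclone.exe is looked for by name (extend the process list with whatever RMM tools are unauthorized in your environment).

```powershell
# Added example (not from the Microsoft report): audit a Windows host for the Storm-1175
# hardening and detection items. Run from an elevated PowerShell session.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Check, $Status, $Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
}
$since = (Get-Date).AddDays(-7)   # look-back window for log checks (assumption: 7 days)

# 1. Defender tamper protection: managed via Intune/Security Center, only readable here.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    Add-Finding 'Tamper protection' $(if ($mp.IsTamperProtected) { 'OK' } else { 'FAIL' }) "IsTamperProtected=$($mp.IsTamperProtected)"
} else {
    Add-Finding 'Tamper protection' 'UNKNOWN' 'Defender cmdlets unavailable on this host'
}

# 2. DisableLocalAdminMerge: value 1 makes Defender ignore exclusions added locally,
#    so an attacker with admin rights cannot whitelist their tooling.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'   # assumption: documented policy key
$merge = (Get-ItemProperty -Path $polKey -Name DisableLocalAdminMerge -ErrorAction SilentlyContinue).DisableLocalAdminMerge
Add-Finding 'DisableLocalAdminMerge' $(if ($merge -eq 1) { 'OK' } else { 'FAIL' }) "value=$merge (want 1)"

# 3. Current Defender exclusions: anything you did not deploy yourself deserves a look.
if ($mp) {
    $pref = Get-MpPreference
    $excl = @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension) | Where-Object { $_ }
    Add-Finding 'Defender exclusions' $(if (@($excl).Count -eq 0) { 'OK' } else { 'REVIEW' }) ($excl -join '; ')
}

# 4. WDigest plaintext credential caching: UseLogonCredential must be 0 (or absent).
$wdKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$wd = (Get-ItemProperty -Path $wdKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
Add-Finding 'WDigest UseLogonCredential' $(if ($wd -eq 1) { 'FAIL' } else { 'OK' }) "value=$wd"

# 5. Exfiltration tooling currently running (assumption: rclone is the only name checked).
$rclone = Get-Process -Name rclone -ErrorAction SilentlyContinue
Add-Finding 'Rclone process' $(if ($rclone) { 'REVIEW' } else { 'OK' }) "count=$(@($rclone).Count)"

# 6. Accounts created in the window (Security event 4720 = user account created).
$newAccts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction SilentlyContinue
Add-Finding 'Accounts created (7d)' $(if ($newAccts) { 'REVIEW' } else { 'OK' }) "count=$(@($newAccts).Count)"

# 7. Web shell candidates: server-side script files recently written under the web root.
$webRoot = 'C:\inetpub'   # assumption: default IIS location; add Exchange or other app roots as needed
$shells = Get-ChildItem -Path $webRoot -Recurse -File -Include *.aspx, *.ashx, *.asmx, *.php -ErrorAction SilentlyContinue |
          Where-Object { $_.LastWriteTime -gt $since }
Add-Finding 'Recently written web files' $(if ($shells) { 'REVIEW' } else { 'OK' }) (($shells.FullName | Select-Object -First 5) -join '; ')

# 8. LSASS access by other processes (Sysmon event 10), if Sysmon is present.
$lsass = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = $since } -ErrorAction SilentlyContinue |
         Where-Object { $_.Message -match 'TargetImage:.*\\lsass\.exe' }
Add-Finding 'LSASS access (Sysmon 10)' $(if ($lsass) { 'REVIEW' } else { 'OK' }) "count=$(@($lsass).Count)"

$findings | Format-Table -AutoSize -Wrap
```

Run it on a handful of internet-facing hosts first, then compare the FAIL rows against what group policy is supposed to enforce; a FAIL on DisableLocalAdminMerge or WDigest on a patched host usually means the policy never reached it. The REVIEW rows (exclusions, new accounts, fresh web files, LSASS access) are not verdicts, only the places the playbook in the report says to look first.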

Chinese hackers exploited TrueConf video conferencing zero-day to backdoor Southeast Asian governments (CVE-2026-3502)

Check Point uncovered Operation TrueChaos - a Chinese-nexus espionage campaign that turned a video conferencing platform's update mechanism into a malware delivery system. The attackers compromised a central on-premises TrueConf server used by a government IT department, then swapped the legitimate client update with a weaponized package that deployed the Havoc post-exploitation framework. Every connected government agency pulled the poisoned update automatically; no individual endpoint compromise was needed.

Check
Check if your organization uses TrueConf for video conferencing, especially in on-premises deployments.
Affected
TrueConf Windows client versions 8.1.0 through 8.5.2. On-premises deployments are at highest risk since the attack requires control of the TrueConf server.
Fix
Update TrueConf Windows client to version 8.5.3 or later. Audit TrueConf servers for unauthorized modifications. Check endpoints for IOCs: unsigned trueconf_windows_update.exe, files named poweriso.exe or 7z-x64.dll, and connections to 43.134.90.60, 43.134.52.221, or 47.237.15.197.
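The version range and IOCs above translate directly into an endpoint triage script; the following PowerShell is an added example written for this digest, not Check Point's or TrueConf's code. It assumes the client registers itself under the standard Uninstall registry keys with a parsable DisplayVersion, that the search roots listed cover where an update package or dropped payload would be staged, and that the host can run Get-NetTCPConnection (NetTCPIP module, Windows 8 / Server 2012 and later). Note that poweriso.exe is also the name of a legitimate product, so file hits are graded by Authenticode status rather than name alone.

```powershell
# Added example (not from the Check Point report): triage a Windows endpoint for the
# Operation TrueChaos indicators. Run from an elevated PowerShell session.
$iocIps   = @('43.134.90.60', '43.134.52.221', '47.237.15.197')   # from the report
$iocNames = @('trueconf_windows_update.exe', 'poweriso.exe', '7z-x64.dll')
$vulnLow  = [version]'8.1.0'
$vulnHigh = [version]'8.5.2'
$fixed    = [version]'8.5.3'
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Check, $Status, $Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
}

# 1. Installed TrueConf client version (assumption: standard Uninstall keys, 64- and 32-bit).
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$tc = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
      Where-Object { $_.DisplayName -like 'TrueConf*' }
if (-not $tc) { Add-Finding 'TrueConf client' 'N/A' 'not installed' }
foreach ($app in $tc) {
    $ver = $null
    $parsed = [version]::TryParse($app.DisplayVersion, [ref]$ver)
    $status = if (-not $parsed) { 'REVIEW' }
              elseif ($ver -ge $vulnLow -and $ver -le $vulnHigh) { 'VULNERABLE' }
              elseif ($ver -ge $fixed) { 'OK' }
              else { 'REVIEW' }
    Add-Finding 'TrueConf client' $status "$($app.DisplayName) $($app.DisplayVersion)"
}

# 2. IOC file names under likely staging locations, graded by Authenticode status.
#    Assumption: these roots are where an updater package or dropped payload would land.
$roots = @($env:ProgramData, $env:ProgramFiles, ${env:ProgramFiles(x86)},
           "$env:SystemDrive\Users", "$env:SystemRoot\Temp") | Where-Object { $_ }
$hits = Get-ChildItem -Path $roots -Recurse -File -Include $iocNames -ErrorAction SilentlyContinue
if (-not $hits) { Add-Finding 'IOC file names' 'OK' 'no matches under search roots' }
foreach ($f in $hits) {
    $sig    = Get-AuthenticodeSignature -FilePath $f.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $hash   = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    # A validly signed hit may be a legitimate install; anything else matches the report's IOC.
    $status = if ($sig.Status -eq 'Valid') { 'REVIEW' } else { 'ALERT' }
    Add-Finding "IOC file: $($f.Name)" $status "$($f.FullName) sig=$($sig.Status) signer=$signer sha256=$hash"
}

# 3. Live TCP connections to the reported infrastructure, with the owning process.
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object { $iocIps -contains $_.RemoteAddress }
if (-not $conns) { Add-Finding 'IOC connections' 'OK' 'none active at time of check' }
foreach ($c in $conns) {
    $proc = (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    Add-Finding 'IOC connection' 'ALERT' "$($c.RemoteAddress):$($c.RemotePort) state=$($c.State) pid=$($c.OwningProcess) ($proc)"
}

$findings | Format-Table -AutoSize -Wrap
```

The connection check is point-in-time only, so pair it with a search of firewall or proxy logs for the three addresses over the period the compromised server was serving updates. An ALERT on trueconf_windows_update.exe with an unsigned or invalid signature is the strongest single indicator here, since the report's whole delivery path depends on the client accepting a tampered update package; the server-side audit recommended above is what tells you how many endpoints pulled it.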