Acronis
April 14, 2026

MSP cybersecurity news digest, April 13, 2026

Medusa-linked Storm-1175 conducts fast-moving attacks that escalate quickly to ransomware, Iran-linked actors launch widespread password spraying attacks against Microsoft 365 accounts, and more. Here are the latest threats to MSP security.

Author: Acronis Threat Research Unit


Medusa-linked Storm-1175 conducts fast-moving attacks that escalate quickly to ransomware

Microsoft said Storm-1175 has been deploying n-day and zero-day exploits in high-velocity campaigns and can move from initial access to data exfiltration and Medusa ransomware deployment within days, and in some cases within 24 hours. The activity heavily impacted organizations in health care, education, professional services and finance across Australia, the United Kingdom and the United States.

Microsoft observed the group exploiting more than 16 vulnerabilities across products including Exchange, ScreenConnect, TeamCity, SimpleHelp, CrushFTP, SmarterMail, GoAnywhere and BeyondTrust, showing that the actor routinely rotates quickly among newly disclosed vulnerabilities in internet-exposed services rather than relying on a single access path.

After exploitation, the group has been seen creating new accounts, deploying remote monitoring and management tools, stealing credentials, and tampering with security controls before encrypting systems. That combination makes the campaign operationally important because the ransomware stage is only the final part of a broader intrusion chain. 

Iran-linked actors launch widespread password spraying attacks against Microsoft 365 accounts

Security researchers reported an Iran-linked password spraying campaign targeting Microsoft 365 tenants, impacting hundreds of organizations across multiple sectors. Instead of focusing on one user, the attackers systematically tried commonly used passwords across many accounts to increase the chance of success while avoiding traditional lockout thresholds.

In the observed activity, the attackers targeted Microsoft 365 login endpoints, used infrastructure such as VPNs and Tor to disguise their origin, and focused on organizations in government, technology, energy and private-sector environments. Successful authentication could provide access to email, internal data and other cloud resources inside compromised tenants.

This is a cloud-native identity attack because it does not rely on malware or software vulnerabilities but instead exploits weak authentication practices and inconsistent identity controls. The broader risk is that attackers can gain access with valid credentials and then move to mailbox access, data exfiltration or further compromise without triggering traditional endpoint-focused alerts. 

Device code phishing campaign abuses Microsoft 365 authentication without harvesting passwords

Microsoft documented a widespread phishing campaign that abused the legitimate device code authentication flow to compromise organizational accounts at scale. The campaign used automation and dynamic code generation so the code was created only when the victim clicked, which avoided the normal 15-minute expiration problem that limits older device-code phishing attempts.

The attack chain used phishing lures, redirect infrastructure on trusted cloud platforms and legitimate microsoft.com/devicelogin prompts. When the victim completed the sign-in and MFA flow, the attacker received valid access and refresh tokens and then used them for email access, inbox-rule persistence and Microsoft Graph reconnaissance.

This is operationally important because it is a cloud-native compromise path: it does not require malware, a local exploit or stolen credentials. Password resets alone do not automatically remove the attacker’s token-based access, so defenders may need to revoke active sessions and harden the flow itself. 
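Both identity attacks described above leave traces in Microsoft Entra sign-in logs. The Python below is an added example written for this digest, not code from Acronis or Microsoft. It runs two defender checks over a handful of constructed sign-in records that borrow a few field names from the Entra sign-in log schema (userPrincipalName, ipAddress, status.errorCode, authenticationProtocol, createdDateTime). The first flags a source IP that fails against many distinct accounts while staying below a per-account lockout count, the spray pattern from the Iran-linked campaign; the second lists accounts whose successful sign-in completed through the device code flow, the population whose sessions the device code section says may need revoking. The thresholds, the example.com accounts and the IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _rec(hhmm, upn, ip, error_code, proto="oAuth2"):
    """Build one constructed sign-in record in a cut-down Entra sign-in shape."""
    return {"createdDateTime": f"2026-04-10T{hhmm}:00Z", "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": error_code},
            "authenticationProtocol": proto}


SPRAY_IP = "203.0.113.10"  # constructed; TEST-NET-3 documentation range

# Constructed log: one source tries eight accounts once or twice each inside
# 25 minutes (errorCode 50126 = bad username or password), a real user mistypes
# twice then succeeds, and one success arrives via the device code flow.
SIGNIN_LOG = (
    [_rec(f"09:{m:02d}", f"user{i}@example.com", SPRAY_IP, 50126)
     for i, m in enumerate(range(0, 24, 3))]
    + [_rec("09:10", "user1@example.com", SPRAY_IP, 50126)]
    + [_rec("08:30", "alice@example.com", "198.51.100.7", 50126),
       _rec("08:31", "alice@example.com", "198.51.100.7", 50126),
       _rec("08:32", "alice@example.com", "198.51.100.7", 0),
       _rec("11:05", "bob@example.com", "203.0.113.55", 0, proto="deviceCode"),
       _rec("11:20", "carol@example.com", "198.51.100.9", 0)]
)


def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(records, window=timedelta(hours=1), min_users=5, max_per_user=3):
    """Per source IP, find a window with failures against >= min_users distinct
    accounts where no single account exceeds max_per_user attempts: many
    accounts, few tries each, which is what keeps a spray under lockout."""
    failures = defaultdict(list)
    for rec in records:
        if rec["status"]["errorCode"] != 0:
            failures[rec["ipAddress"]].append(rec)

    findings = []
    for ip, events in failures.items():
        events.sort(key=_ts)
        best = None
        for start in range(len(events)):  # O(n^2) sliding window, fine for a demo
            win = [e for e in events[start:] if _ts(e) - _ts(events[start]) <= window]
            per_user = defaultdict(int)
            for e in win:
                per_user[e["userPrincipalName"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best["distinctUsers"]:
                    best = {"ipAddress": ip, "distinctUsers": len(per_user),
                            "failures": len(win),
                            "windowStart": events[start]["createdDateTime"]}
        if best:
            findings.append(best)
    return findings


def detect_device_code_signins(records):
    """Accounts with a successful sign-in that used the device code protocol.
    After confirming with the user, a responder would revoke these sessions
    (Microsoft Graph: POST /users/{id}/revokeSignInSessions) rather than only
    resetting the password, since the attacker holds refresh tokens."""
    return sorted({rec["userPrincipalName"] for rec in records
                   if rec["authenticationProtocol"] == "deviceCode"
                   and rec["status"]["errorCode"] == 0})


if __name__ == "__main__":
    for hit in detect_password_spray(SIGNIN_LOG):
        print("possible password spray:", hit)
    print("device code sign-ins to review:", detect_device_code_signins(SIGNIN_LOG))
```

Two caveats on the design. Grouping by source IP is the simplest cut, but the text notes the actors used VPNs and Tor, so a distributed spray spreads the same pattern across many addresses; a tenant-wide variant drops the IP key and looks only at distinct failing accounts per window. For the device code finding, the longer-term fix the text alludes to ("harden the flow itself") is a Conditional Access policy that restricts the device code authentication flow to the users and devices that genuinely need it, so a successful device code sign-in from an ordinary user becomes an anomaly rather than background noise.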

LucidRook malware deployed in spear-phishing attacks against NGOs and academic targets in Taiwan

LucidRook is a newly identified Lua-based malware family used in spear-phishing campaigns against nongovernmental organizations and suspected universities in Taiwan. Cisco Talos attributed the activity to a threat cluster it tracks as UAT-10362 and described the actor as operationally mature.

Talos observed two infection chains, including one based on LNK shortcut files and another using a fake Trend Micro Worry-Free Business Security Services executable. In one chain, a dropper named LucidPawn deployed a legitimate executable renamed to resemble Microsoft Edge together with a malicious DismCore.dll used to sideload LucidRook.

LucidRook stands out because it embeds a Lua interpreter and Rust-compiled components inside a DLL, allowing the operators to pull and execute second-stage Lua bytecode without changing the core loader. That design supports stealth, modular updates and tailored functionality across different targets. 

Compromise of CPUID download infrastructure delivered trojanized CPUZ and HWMonitor installers

Attackers gained access to a CPUID API and changed official download links so users requesting CPU-Z, HWMonitor, HWMonitor Pro and PerfMonitor received malicious files instead of clean installers. CPUID later said the compromise affected a side API for roughly six hours between April 9 and April 10 and that its signed original files were not altered.

The trojanized downloads included a legitimate signed executable and a malicious CRYPTBASE.dll used for DLL sideloading. The final payload was STX RAT, and its telemetry showed more than 150 victims, including some organizations in retail, manufacturing, consulting, telecommunications and agriculture.

This matters because users can do the right thing and still get compromised when the official distribution channel is poisoned. The incident also fits a broader supply chain pattern in which attackers target popular utilities and developer or admin workflows instead of breaking into each victim directly.
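The LucidRook and CPUID cases share one on-disk shape: a legitimate, signed executable placed next to a DLL that carries the name of a Windows system DLL (DismCore.dll and CRYPTBASE.dll in the two stories above), so the program loads the planted copy first. The Python below is an added example, not code from Acronis, Talos or CPUID. It walks a directory tree, reports system-named DLLs that sit outside the Windows system directories beside an executable, and, where a copy of the same name exists under Windows\System32, compares SHA-256 hashes so a planted file stands out. The list of system DLL names is illustrative and the directory tree it scans is constructed in a temporary folder; point `find_sideload_candidates` at a real downloads or install directory to use it.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed (illustrative) set of DLL names that Windows ships in its system
# directories. A copy of one of these sitting beside an .exe elsewhere is the
# classic sideloading layout seen in the CPUID and LucidRook cases above.
SYSTEM_DLL_NAMES = {"cryptbase.dll", "dismcore.dll", "version.dll", "userenv.dll"}
SYSTEM_DIRS = ("windows/system32", "windows/syswow64")


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def _is_system_dir(rel_dir):
    return any(sd in rel_dir for sd in SYSTEM_DIRS)


def find_sideload_candidates(root, system_dll_names=SYSTEM_DLL_NAMES):
    """Walk `root`; report system-named DLLs outside the system directories
    that share a folder with an executable. If a copy of the same name exists
    under Windows/System32, compare hashes so a planted DLL stands out."""
    root = os.path.abspath(root)
    system32 = os.path.join(root, "Windows", "System32")
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/").lower()
        if _is_system_dir(rel_dir):
            continue
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        if not exes:
            continue  # a lone DLL is not a sideload layout; it needs a loader next to it
        for fname in files:
            if fname.lower() not in system_dll_names:
                continue
            dll_path = os.path.join(dirpath, fname)
            sys_copy = os.path.join(system32, fname)
            matches = (_sha256(dll_path) == _sha256(sys_copy)
                       if os.path.isfile(sys_copy) else None)
            findings.append({"name": fname, "dll": dll_path, "beside": exes,
                             "matchesSystemCopy": matches})
    return findings


def build_constructed_tree():
    """Create a throwaway directory tree that mimics the layouts in the digest.
    Every file holds placeholder bytes; nothing here is a real binary."""
    root = tempfile.mkdtemp(prefix="sideload-demo-")
    layout = {
        "Windows/System32": [("CRYPTBASE.dll", b"constructed: genuine system dll")],
        "Users/demo/Downloads/cpu-z": [("cpuz.exe", b"constructed: signed vendor exe"),
                                       ("CRYPTBASE.dll", b"constructed: planted dll")],
        "Users/demo/AppData/Local/edge": [("msedge.exe", b"constructed: renamed exe"),
                                          ("DismCore.dll", b"constructed: planted dll")],
        "Users/demo/Desktop/clean": [("tool.exe", b"constructed: exe"),
                                     ("notes.txt", b"constructed: text")],
    }
    for rel, entries in layout.items():
        folder = os.path.join(root, *rel.split("/"))
        os.makedirs(folder)
        for name, content in entries:
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_constructed_tree()
    try:
        for finding in find_sideload_candidates(demo_root):
            print(finding)
    finally:
        shutil.rmtree(demo_root)
```

A name match is a lead, not a verdict: some legitimate installers do ship private copies of redistributable DLLs. The hash comparison against the System32 copy and a check of the DLL's Authenticode signature (which this example does not perform) are the natural next steps before treating a hit as a trojanized bundle like the one CPUID's poisoned download links served.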