Microsoft pins GoAnywhere zero-day attacks to ransomware affiliate Storm-1175 | CyberScoop<\/title> <meta name=\"description\" content=\"Multiple researchers and CISA have confirmed active exploitation of the maximum-severity defect. Fortra, the company behind the file-transfer service, remains silent.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/microsoft-goanywhere-ransomware-storm-1175\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Microsoft pins GoAnywhere zero-day attacks to ransomware affiliate Storm-1175\"> <meta property=\"og:description\" content=\"Multiple researchers and CISA have confirmed active exploitation of the maximum-severity defect. Fortra, the company behind the file-transfer service, remains silent.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/microsoft-goanywhere-ransomware-storm-1175\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-10-07T20:44:54+00:00\"> <meta property=\"article:modified_time\" content=\"2025-10-07T20:44:57+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/microsoft-pins-goanywhere-zero-day-attacks-to-ransomware-affiliate-storm-1175-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1024\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1759256725g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1758741382g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1753281318g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/86283\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=86283\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fmicrosoft-goanywhere-ransomware-storm-1175%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fmicrosoft-goanywhere-ransomware-storm-1175%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-86283 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/microsoft-goanywhere-ransomware-storm-1175\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.288546255507\">\n<div class=\"single-article__header-content\" readability=\"36.268792710706\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/microsoft-goanywhere-ransomware-storm-1175\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> Multiple researchers and CISA have confirmed active exploitation of the maximum-severity defect. Fortra, the company behind the file-transfer service, remains silent. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/86283\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"341\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/microsoft-pins-goanywhere-zero-day-attacks-to-ransomware-affiliate-storm-1175.jpg?resize=640%2C341&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"users, files, cloud, administrator\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/microsoft-pins-goanywhere-zero-day-attacks-to-ransomware-affiliate-storm-1175-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/microsoft-pins-goanywhere-zero-day-attacks-to-ransomware-affiliate-storm-1175-2.jpg?resize=300,160 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/microsoft-pins-goanywhere-zero-day-attacks-to-ransomware-affiliate-storm-1175-2.jpg?resize=768,410 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/microsoft-pins-goanywhere-zero-day-attacks-to-ransomware-affiliate-storm-1175-2.jpg?resize=1024,546 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/microsoft-pins-goanywhere-zero-day-attacks-to-ransomware-affiliate-storm-1175-2.jpg?resize=1536,819 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/microsoft-pins-goanywhere-zero-day-attacks-to-ransomware-affiliate-storm-1175-2.jpg?resize=600,320 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/microsoft-pins-goanywhere-zero-day-attacks-to-ransomware-affiliate-storm-1175-2.jpg?resize=1200,640 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/microsoft-pins-goanywhere-zero-day-attacks-to-ransomware-affiliate-storm-1175-2.jpg?resize=1500,800 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"38.203148425787\"><body readability=\"78.965596993351\"><\/p>\n<p>Microsoft Threat Intelligence said a cybercriminal group it tracks as Storm-1175 has exploited a maximum-severity vulnerability in GoAnywhere MFT to initiate multi-stage attacks including ransomware. Researchers observed the malicious activity Sept. 11, Microsoft said in a <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/10\/06\/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability\/\">blog post<\/a> Monday.<\/p>\n<p>Microsoft\u2019s research adds another substantive chunk of evidence to a growing collection of intelligence confirming the defect in Fortra\u2019s file-transfer service was exploited as a zero-day before the company <a href=\"https:\/\/cyberscoop.com\/goanywhere-file-transfer-service-vulnerability-september-2025\/\">disclosed<\/a> and patched <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-10035\">CVE-2025-10035<\/a> on Sept. 18.<\/p>\n<p>Despite this mounting pile of evidence, Fortra has yet to confirm the vulnerability is under active exploitation. The company has not answered questions or provided additional information since it updated its <a href=\"https:\/\/www.fortra.com\/security\/advisories\/product-security\/fi-2025-012\">security advisory<\/a> Sept. 18 to include indicators of compromise. <\/p>\n<p>Storm-1175, a financially motivated cybercrime group known for exploiting public vulnerabilities to gain access and deploy Medusa ransomware, exploited CVE-2025-10035 to achieve remote code execution, according to Microsoft. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cThey used this access to install remote monitoring tools such as SimpleHelp and MeshAgent, drop web shells, to move laterally across networks using built-in Windows utilities,\u201d Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, told CyberScoop in an email. \u201cIn at least one instance, the intrusion led to data theft via Rclone and a Medusa ransomware deployment.\u201d<\/p>\n<p>Microsoft\u2019s findings bolster research from other firms including watchTowr, which said it obtained <a href=\"https:\/\/cyberscoop.com\/goanywhere-vulnerability-active-exploitation-september-2025\/\">credible evidence of active exploitation<\/a> of the GoAnywhere vulnerability dating back to Sept. 10, a day before Fortra maintains the vulnerability was discovered. <\/p>\n<p>\u201cMicrosoft has now linked the attacks to a known Medusa ransomware affiliate, confirming what we feared. Organizations running GoAnywhere MFT have effectively been under silent assault since at least Sept. 11, with little clarity from Fortra,\u201d said Ben Harris, founder and CEO at watchTowr.<\/p>\n<p>\u201cMicrosoft\u2019s confirmation now paints a pretty unpleasant picture \u2014 exploitation, attribution, and a month-long head start for the attackers. What\u2019s still missing are the answers only Fortra can provide,\u201d Harris added.<\/p>\n<p>This includes details about how the attackers accessed private keys required to achieve exploitation, as researchers from multiple firms flagged as a worrying signal last month. \u201cCustomers deserve transparency, not silence,\u201d Harris said. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Federal cyber authorities have confirmed active exploitation of GoAnywhere\u2019s defect as well. The Cybersecurity and Infrastructure Security Agency added CVE-2025-10035 to its <a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\">known exploited vulnerabilities catalog<\/a> Sept. 29, noting the defect has been used in ransomware campaigns. <\/p>\n<p>DeGrippo said Storm-1175\u2019s attacks are opportunistic, and have affected organizations in the transportation, education, retail, insurance and manufacturing sectors. \u201cTheir tactics reflect the broader pattern we\u2019re seeing, which is blending legitimate tools with stealthy techniques to stay under the radar and monetize access through extortion and data theft,\u201d she added.<\/p>\n<p>Researchers haven\u2019t said how many organizations are impacted by GoAnywhere attacks, but Fortra customers went through this before when a zero-day vulnerability in the same file-transfer service was widely exploited two years ago, resulting in attacks on more than 100 organizations.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.2961254612546\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/microsoft-pins-goanywhere-zero-day-attacks-to-ransomware-affiliate-storm-1175-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/microsoft-goanywhere-ransomware-storm-1175\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft pins GoAnywhere zero-day attacks to ransomware affiliate Storm-1175 |<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[282,78,452,5045,5047,5177,46,256,5178],"tags":[286,86,454,5048,5050,5179,54,262,5180],"class_list":["post-8058","post","type-post","status-publish","format-standard","hentry","category-cybercrime","category-cybersecurity","category-cybersecurity-and-infrastructure-security-agency-cisa","category-file-transfer-service","category-goanywhere","category-microsoft-threat-intelligence","category-ransomware","category-research","category-storm-1175","tag-cybercrime","tag-cybersecurity","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-file-transfer-service","tag-goanywhere","tag-microsoft-threat-intelligence","tag-ransomware","tag-research","tag-storm-1175"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/file-transfer-service\/\" rel=\"category tag\">file transfer service<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/goanywhere\/\" rel=\"category tag\">GoAnywhere<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/microsoft-threat-intelligence\/\" rel=\"category tag\">Microsoft Threat Intelligence<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware\/\" rel=\"category tag\">ransomware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/storm-1175\/\" rel=\"category tag\">Storm-1175<\/a>","tag_info":"Storm-1175","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8058","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8058"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8058\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8058"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8058"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8058"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8058,"date":"2025-10-07T15:44:54","date_gmt":"2025-10-07T20:44:54","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=86283"},"modified":"2025-10-07T15:44:54","modified_gmt":"2025-10-07T20:44:54","slug":"microsoft-pins-goanywhere-zero-day-attacks-to-ransomware-affiliate-storm-1175","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/10\/07\/microsoft-pins-goanywhere-zero-day-attacks-to-ransomware-affiliate-storm-1175\/","title":{"rendered":"Microsoft pins GoAnywhere zero-day attacks to ransomware affiliate Storm-1175"},"content":{"rendered":"