Cyware Daily Threat Intelligence, April 08, 2026

The high-velocity ransomware group Storm-1175 is slashing the time between vulnerability disclosure and network-wide encryption, often deploying Medusa ransomware within just 24 hours of a patch becoming available. By weaponizing a relentless rotation of zero-days and N-days, the group maintains an aggressive operational tempo across the U.S., the U.K., and Australia.
Endpoint security is being bypassed by a stealthy new subscription-based malware called Storm, which trades local decryption for a more evasive server-side approach. Unlike traditional stealers that trigger alerts by accessing browser databases on the victim's machine, Storm ships encrypted files directly to its own infrastructure for processing.
A high-severity vulnerability in the Ninja Forms File Uploads extension has exposed over 50,000 websites to immediate takeover. Tracked as CVE-2026-0740 with a 9.8 CVSS score, the flaw allows unauthenticated attackers to bypass file-type restrictions and upload malicious PHP web shells directly to a server's root directory.
Top Malware Reported in the Last 24 Hours
China-linked Storm-1175 deploys Medusa ransomware
A China-based threat actor known as Storm-1175 has been linked to the rapid deployment of Medusa ransomware by exploiting a mix of zero-day and N-day vulnerabilities. These attacks primarily target the healthcare, education, finance, and professional services sectors in Australia, the UK, and the US. Storm-1175's tactics include chaining multiple exploits, creating persistence through new user accounts, and deploying legitimate remote monitoring software for lateral movement. Since 2023, the group has exploited over 16 vulnerabilities, including critical ones in Microsoft Exchange Server and PaperCut. They have shown a particular interest in targeting Linux systems and exploiting Oracle WebLogic vulnerabilities. The threat actor rotates exploits quickly, taking advantage of the time between vulnerability disclosure and patch availability, while using various tools to evade detection and facilitate data exfiltration.
New Storm infostealer targets and decrypts credentials
A new information stealer known as Storm has emerged, targeting browser credentials, session cookies, and cryptocurrency wallets. Discovered by Varonis, Storm operates by sending encrypted data to the attacker's server for decryption, rather than decrypting it locally on the victim's machine. This shift in approach circumvents traditional security measures, making detection more challenging. Storm collects a wide range of sensitive information, including saved passwords, Google account tokens, and credit card details, while also capturing data from messaging apps like Telegram and Discord. Uniquely, it automates the replay of stolen credentials by using Google Refresh Tokens and SOCKS5 proxies to restore authenticated sessions without triggering alerts. Available for under $1,000 per month, Storm has been linked to numerous entries from various countries, indicating ongoing malicious campaigns targeting high-value platforms such as Google, Facebook, and cryptocurrency exchanges.
Top Vulnerabilities Reported in the Last 24 Hours
Critical flaw in Ninja Forms plugin
A critical vulnerability identified as CVE-2026-0740 in the Ninja Forms File Uploads premium add-on for WordPress allows unauthenticated attackers to upload arbitrary files, posing a severe risk of remote code execution. This flaw, rated 9.8 out of 10 in severity, arises from a lack of validation on file types and filename sanitization, enabling attackers to upload malicious PHP scripts and execute them on the server. The vulnerability affects versions up to 3.3.26 and has already been exploited in numerous attacks, with over 3,600 attempts blocked within a 24-hour period. The issue has significant implications, including potential site takeovers and the deployment of web shells, making it a pressing concern for users of the plugin.
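The root cause described above, missing file-type validation and filename sanitization, is exactly what a hardened upload handler has to check before anything is written under the web root. The following is an added example, not code from Ninja Forms or from the advisory; it is written in Python rather than PHP for portability, and the extension allowlist, magic-byte table and sample inputs are constructed for the illustration.

```python
import os
import re
import unicodedata

# Constructed allowlist: the only extensions a form upload is ever stored with.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
# Extensions a PHP stack may execute or interpret; rejected in ANY dotted segment,
# so "shell.php.jpg" style double extensions fail as well as plain "shell.php".
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml",
                         "phar", "phps", "inc", "htaccess"}
# Leading bytes expected for the allowed binary types (constructed table).
MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8", "pdf": b"%PDF-",
}

def sanitize_filename(name: str) -> str:
    """Strip directory components and characters that could alter the stored path."""
    name = os.path.basename(name.replace("\\", "/"))   # drops ../ and absolute prefixes
    name = unicodedata.normalize("NFKC", name)
    name = name.split("\x00")[0]                        # defeat null-byte truncation
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).strip("._")
    return name or "upload"

def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason_or_safe_name) for a candidate upload."""
    safe = sanitize_filename(filename)
    parts = safe.lower().split(".")
    if len(parts) < 2:
        return False, "missing extension"
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        return False, "executable extension"
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed"
    # Content must agree with the claimed type; a PHP script renamed to .jpg fails here.
    if ext in MAGIC and not content.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    # Defence in depth: no PHP open tag anywhere (polyglot images, misconfigured handlers).
    if b"<?php" in content or b"<?=" in content:
        return False, "embedded PHP open tag"
    return True, safe
```

Storing accepted files outside the document root, or in a directory where script execution is disabled, remains the second half of the mitigation; the validator alone does not make a misconfigured server safe.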
Flowise vulnerability exploited in attacks
Hackers are exploiting a critical vulnerability, CVE-2025-59528, in the Flowise platform, which facilitates the creation of custom AI applications. This flaw allows attackers to inject arbitrary JavaScript code, enabling command execution and unauthorized access to the file system. The issue arises from the Flowise CustomMCP node, which inadequately evaluates user input when connecting to external Model Context Protocol servers. Although the vulnerability was disclosed last September and patched in version 3.0.6, active exploitation has been detected by VulnCheck's Canary network. Currently, between 12,000 and 15,000 Flowise instances are exposed online, raising concerns about the potential impact of this vulnerability.