China-backed Storm-2603 deployed ransomware via SharePoint zero-days


The China-backed threat group Storm-2603 deployed the Warlock ransomware on on-premises SharePoint servers, Microsoft reported July 23. It was also reported July 23 that several government agencies had their SharePoint servers exploited by two other China-backed actors, along with Storm-2603. More than 400 organizations were compromised in at least four confirmed attack waves from July 17 to July 21, according to Eye Security. Agencies hit included the U.S. National Nuclear Security Administration, the U.S. Education Department, Florida's Department of Revenue, and the Rhode Island General Assembly.

The Warlock group, also known as the Warlock Dark Army (cue Mr. Robot), runs as a ransomware-as-a-service (RaaS) operation that gained prominence in early 2024. Warlock has attacked multiple vertical sectors, including government agencies, financial institutions, manufacturing, and education. Early observations from a number of security researchers show at least 11 victims attributed to Warlock, with more expected soon.

As of Thursday afternoon, it was still unclear which organizations were victimized by Storm-2603's most recent ransomware operations, whether any one entity is being held for ransom, and for how much money. Up to now, the Warlock RaaS group has claimed responsibility for the following incidents:

For readers trying to follow all these developments, here's a thumbnail from Frankie Sclafani, director of cybersecurity enablement at Deepwatch:

  • CVE-2025-53770 and CVE-2025-53771 are the evolved versions of the vulnerabilities that were part of the original "ToolShell" attack, and they are currently the most pressing concern because of their active exploitation by groups like Storm-2603.
  • CVE-2025-49704 and CVE-2025-49706 are the “original” ToolShell vulnerabilities. These were the initial vulnerabilities that Microsoft disclosed and patched in the July 2025 security updates. They formed the basis of what was known as the “ToolShell” attack chain.
  • CVE-2025-53770 and CVE-2025-53771 are the newer variants. These are the newer zero-day vulnerabilities that were detected in active exploitation after Microsoft had released patches for CVE-2025-49704 and CVE-2025-49706.
  • On July 19, Microsoft Security Response Center (MSRC) published a blog addressing newly disclosed security vulnerabilities in CVE-2025-53770 that are related to the previously disclosed vulnerability CVE-2025-49704. The updates also address the security bypass vulnerability CVE-2025-53771 for the previously disclosed CVE-2025-49706. Sclafani underscored that security teams should install both updates.
  • CVE-2025-53770 is a critical remote code execution (RCE) vulnerability (CVSS 9.8) that is a variant of CVE-2025-49706. It bypasses the original patch for CVE-2025-49706. This vulnerability allows unauthenticated remote code execution by exploiting how SharePoint deserializes untrusted data.
  • CVE-2025-53771 is a medium-severity server spoofing vulnerability (CVSS 6.3) that is a variant of CVE-2025-49704. It bypasses the original patch for CVE-2025-49704.
  • Sclafani said here's how they are all connected: "The attack chain, still referred to as 'ToolShell,' initially leveraged CVE-2025-49704 and CVE-2025-49706. However, threat actors quickly developed new variants (CVE-2025-53770 and CVE-2025-53771) that effectively bypassed Microsoft's initial patches for the original 'ToolShell' vulnerabilities." These newer variants (CVE-2025-53770 and CVE-2025-53771) are now being actively exploited. When chained together, they let attackers gain full access to SharePoint content, including file systems and configurations, and execute arbitrary code over the network.
