Ransomware Actors Pile on ‘ToolShell’ SharePoint Bugs


China-based threat actor Storm-2603 has been observed attacking on-premises SharePoint customers with Warlock ransomware.

That comes from Microsoft, which on June 23 updated a blog post published the day before, detailing how three state-backed actors — Linen Typhoon, Violet Typhoon, and Storm-2603 — are targeting on-premises SharePoint customers using two vulnerabilities, spoofing flaw CVE-2025-49706 and remote code execution bug CVE-2025-49704, as well as related flaws CVE-2025-53770 and CVE-2025-53771. The vulnerabilities were discovered by a Viettel Cyber Security researcher, who leveraged an attack chain dubbed “ToolShell” to show how the flaws could be exploited.

Microsoft disclosed earlier this month that the vulnerabilities were under active exploitation, and in the days that followed, certain customers, such as the US Nuclear Weapons Agency, reported being attacked.

The vulnerabilities affect SharePoint Server Subscription, 2019, and 2016, and Microsoft has issued patches to address these issues. The vulnerabilities do not affect SharePoint Online in Microsoft 365. “Customers should apply these updates immediately to ensure they are protected,” Microsoft said.

The June 23 update to its June 22 blog post detailed how Storm-2603 is deploying Warlock ransomware.


Warlock Attacks

According to Microsoft, Storm-2603 was observed deploying ransomware in recent days. Although that’s not unusual for a Chinese threat actor, it is notable during a campaign where threat actors are attempting to conduct espionage (Violet Typhoon) and steal state-owned intellectual property (Linen Typhoon).

By contrast, although Storm-2603 has been observed deploying LockBit and Warlock ransomware, Microsoft said in its blog that the company is “currently unable to confidently assess the threat actor’s objectives.”

Ransomware, when not deployed for destructive reasons (as seen during Russia’s invasion of Ukraine), is typically a tool for financially motivated attackers.

What Microsoft said in its blog post is that Storm-2603 was spotted deploying Warlock ransomware on July 18, and that, separately, “Microsoft tracks this threat actor in association with attempts to steal MachineKeys using the on-premises SharePoint vulnerabilities.”

The actor has been seen gaining initial access through the aforementioned vulnerabilities; using discovery commands to enumerate user context and validate privilege levels; creating scheduled tasks and manipulating Internet Information Services (IIS) components to gain persistence; gaining credentials via Mimikatz; and moving laterally through additional commands. Finally, “Storm-2603 is then observed modifying Group Policy Objects (GPO) to distribute Warlock ransomware in compromised environments,” Microsoft said in the blog post.
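The three persistence and distribution points named above (scheduled tasks, IIS components, and Group Policy Objects) are all things a defender can enumerate quickly. The following PowerShell triage script is an added example written for this page; it is not taken from Microsoft's post or the article. It assumes it is run elevated on a SharePoint server for the task and IIS checks, that the RSAT GroupPolicy module is available for the GPO check, and that the look-back window ($LookbackDays) is a value you choose.

```powershell
# Added example: triage pass over the persistence/distribution points the article
# attributes to Storm-2603: scheduled tasks, IIS global modules, and recently
# modified GPOs. Assumptions: elevated session on a SharePoint server; the
# WebAdministration module is present; GroupPolicy (RSAT) may or may not be.
param([int]$LookbackDays = 14)   # chosen window, not a value from the page
$since = (Get-Date).AddDays(-$LookbackDays)

Write-Host "== Scheduled tasks registered since $since =="
Get-ScheduledTask | Where-Object {
    # Date is the registration timestamp (a string); skip tasks without one
    $_.Date -and ([datetime]$_.Date) -gt $since
} | ForEach-Object {
    [pscustomobject]@{
        Task    = "$($_.TaskPath)$($_.TaskName)"
        Author  = $_.Author
        Created = $_.Date
        Runs    = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    }
} | Format-Table -AutoSize

Write-Host "== IIS global modules (review any image path not shipped by Microsoft) =="
Import-Module WebAdministration
Get-WebGlobalModule | Select-Object Name, Image | Format-Table -AutoSize

Write-Host "== GPOs modified since $since =="
if (Get-Module -ListAvailable -Name GroupPolicy) {
    Import-Module GroupPolicy
    Get-GPO -All | Where-Object { $_.ModificationTime -gt $since } |
        Select-Object DisplayName, ModificationTime, Owner | Format-Table -AutoSize
} else {
    Write-Warning "GroupPolicy module not present; run the GPO check from a host with RSAT."
}
```

Run it on each SharePoint server in the farm and compare the output against a known-good baseline; a new task with an unfamiliar author, a native module loaded from an unexpected image path, or a GPO edited outside a change window are the findings worth escalating to incident response.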


The company added, “Additional actors will continue to use these exploits to target unpatched on-premises SharePoint systems, further emphasizing the need for organizations to implement mitigations and security updates immediately.”

Dark Reading contacted Microsoft for more information, but a spokesperson for the company declined to provide further comment.

What Defenders Can Do

Microsoft’s blog post includes indicators of compromise as well as substantial mitigation guidance.

In addition to applying relevant security updates, Microsoft recommends customers deploy capable endpoint protection, rotate SharePoint Server ASP.NET machine keys, restart IIS on all SharePoint servers using iisreset.exe, and implement an incident response plan. The blog post also includes recommendations specifically for Microsoft Defender users.
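The machine-key rotation and IIS restart steps above can be scripted from the SharePoint Management Shell. The block below is an added example for this page, not a script from Microsoft's post. It assumes that the security update is already installed, that the session runs as a farm administrator on a SharePoint server, and that Update-SPMachineKey is the farm cmdlet that rotates a web application's ASP.NET machine keys (the cmdlet name is an assumption from SharePoint Server documentation, not something quoted in the article).

```powershell
# Added example: rotate ASP.NET machine keys for every web application in the
# farm, then restart IIS on this server. Run from the SharePoint Management
# Shell after patching. Update-SPMachineKey is assumed to be the rotation cmdlet.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

foreach ($webApp in Get-SPWebApplication) {
    Write-Host "Rotating machine keys for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# The article notes Microsoft's advice to restart IIS on all SharePoint servers;
# repeat this on every server in the farm, not only the one running the script.
iisreset.exe
```

Rotating the keys invalidates anything signed or encrypted with the old values, which is the point: keys that may already have been stolen through the vulnerabilities stop being useful once every server in the farm has the new ones and has restarted IIS.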

If there’s one takeaway here, it’s that this exploitation seems to be just ramping up.

“Investigations into other actors also using these exploits are still ongoing,” Microsoft’s post read. “With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems.”


National Cyber Security