Hackers backed by the Chinese government are behind a new wave of attacks exploiting a chain of zero-day vulnerabilities in Microsoft SharePoint, Microsoft has confirmed.
The attacks rely on an exploit chain dubbed ToolShell, which gives an unauthenticated attacker code execution on on-premises SharePoint servers; dozens of organizations worldwide have already been compromised. SharePoint Online in Microsoft 365 is not affected.
In a recent report, Microsoft identified two Chinese state-sponsored hacking groups (Linen Typhoon and Violet Typhoon) as responsible for exploiting these flaws in internet-facing SharePoint servers. A third group, Storm-2603, also based in China, has been observed using the same exploit chain.
Microsoft also noted that it is still investigating additional actors, so more groups may be exploiting the same flaws in targeted attacks.
Over 50 Organizations Compromised by Critical SharePoint Vulnerabilities
The first group seen exploiting these vulnerabilities has known ties to Chinese state-backed threat actors, and, according to security researchers, it is no longer alone: several actors are now exploiting the same flaws.
Initial signs of this campaign emerged last Friday, when a Netherlands-based cybersecurity firm identified attacks chaining two SharePoint vulnerabilities: CVE-2025-49706 (an authentication bypass) and CVE-2025-49704 (remote code execution). The chain worked against servers that had already applied July's Patch Tuesday updates, which is what made it a zero-day. These flaws were first demonstrated at the Pwn2Own Berlin hacking contest by researchers from Viettel Cyber Security.
Since then, at least 54 organizations (including major multinational corporations and government entities) have been compromised, and the number continues to rise.
Another cybersecurity firm reported detecting signs of exploitation as early as July 7. Their analysis indicates that the attacks primarily target organizations in the government, telecommunications, and software sectors across North America and Western Europe.
In response to this threat, Microsoft has released emergency out-of-band patches for SharePoint Subscription Edition, SharePoint 2019, and SharePoint 2016. The flaws they address are tracked as CVE-2025-53770 and CVE-2025-53771: variants of CVE-2025-49704 and CVE-2025-49706 that bypass the fixes shipped in July's Patch Tuesday, which is why servers that were current on the regular update cycle were still exploitable.
PoC Exploit Now Available as SharePoint Threat Escalates
Just days after Microsoft released the out-of-band patches, a proof-of-concept (PoC) exploit for CVE-2025-53770 was published on GitHub, lowering the bar for additional groups to join the ongoing attacks.
The release of the PoC not only accelerates the spread of the threat but also significantly increases the risk for organizations that have not yet updated their systems.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) quickly added CVE-2025-53770, the remote code execution half of the chain, to its Known Exploited Vulnerabilities catalog and directed federal agencies to apply the patches within 24 hours of their release.
According to CISA, the ToolShell exploit gives an unauthenticated attacker access to SharePoint servers, and with it control over files, configuration, and other internal functions. From that foothold attackers can execute code and pivot across the network, turning a single exposed server into a gateway for full infrastructure compromise.
“Microsoft is moving quickly, and we’re working closely with them to notify affected entities and recommend urgent mitigation steps,” CISA stated. “We strongly urge all organizations with on-premises SharePoint servers to take immediate action.”
Indicators of Compromise (IoCs) You Need to Know
To help cybersecurity teams detect potential intrusions, Microsoft has shared a list of Indicators of Compromise (IoCs) linked to this campaign. These data points are critical for identifying malicious activity within internal networks:
- IP addresses used to exploit SharePoint:
  - 134.199.202[.]205
  - 104.238.159[.]149
  - 188.130.206[.]168
- IP address for post-exploitation command-and-control (C2) communication:
  - 131.226.2[.]6
- Suspicious file names:
  - spinstall0.aspx (and variants spinstall.aspx, spinstall1.aspx, spinstall2.aspx)
- URL used to deliver malicious payloads via PowerShell:
  - c34718cbb4c6.ngrok-free[.]app/file.ps1
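To make the IoC check concrete, here is an added example (not Microsoft's or CISA's tooling) that sweeps an exported IIS log and an egress log for the indicators above. It assumes IIS W3C logging with its default field set and a proxy or firewall export reduced to (source host, destination IP, destination hostname) tuples; every log line and address in the sample data is constructed, except the indicators themselves, which are copied de-fanged from the list and re-fanged in code. Two practitioner caveats are built in: file names are matched case-insensitively, because NTFS is case-insensitive and the variants differ only by a digit, and a 404 for spinstall*.aspx is still reported, because a failed probe tells you who was knocking.

```python
"""Offline IoC sweep for the ToolShell campaign (added example, constructed data)."""
import re
from typing import Iterable


def refang(ioc: str) -> str:
    """Turn a de-fanged indicator such as '1.2.3[.]4' back into a matchable string."""
    return ioc.replace("[.]", ".")


# Indicators copied as published, then re-fanged for matching.
EXPLOIT_IPS = {refang(ip) for ip in ("134.199.202[.]205", "104.238.159[.]149", "188.130.206[.]168")}
C2_IPS = {refang("131.226.2[.]6")}
PAYLOAD_HOST = refang("c34718cbb4c6.ngrok-free[.]app")
# spinstall0.aspx and its numbered variants; case-insensitive because NTFS is.
SUSPICIOUS_FILE = re.compile(r"(?:^|/)spinstall\d*\.aspx$", re.IGNORECASE)


def parse_w3c(lines: Iterable[str]):
    """Yield one dict per data row, keyed by the column names in the #Fields directive."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header may repeat when IIS rolls the log
            continue
        if line.startswith("#") or fields is None:
            continue                           # other directives, or data before any header
        values = line.split(" ")
        if len(values) != len(fields):
            continue                           # malformed row: skip rather than misalign columns
        yield dict(zip(fields, values))


def scan_iis_log(lines: Iterable[str]) -> list[dict]:
    """Return one finding per request from a listed exploit IP or for a spinstall*.aspx path."""
    findings = []
    for row in parse_w3c(lines):
        client_ip = row.get("c-ip", "-")
        uri_stem = row.get("cs-uri-stem", "-")
        reasons = []
        if client_ip in EXPLOIT_IPS:
            reasons.append("exploit-ip")
        if SUSPICIOUS_FILE.search(uri_stem):
            reasons.append("suspicious-file")  # reported even on 404: a probe is still a lead
        if reasons:
            findings.append({"time": f"{row.get('date')} {row.get('time')}", "c-ip": client_ip,
                             "method": row.get("cs-method"), "uri": uri_stem,
                             "status": row.get("sc-status"), "reasons": reasons})
    return findings


def scan_outbound(records: Iterable[tuple[str, str, str]]) -> list[dict]:
    """records: (source host, destination IP, destination hostname) from a proxy/firewall export."""
    hits = []
    for src, dst_ip, dst_host in records:
        reasons = []
        if dst_ip in C2_IPS:
            reasons.append("c2-ip")
        if dst_host.lower() == PAYLOAD_HOST:
            reasons.append("payload-host")
        if reasons:
            hits.append({"src": src, "dst": dst_ip, "host": dst_host, "reasons": reasons})
    return hits


# Constructed sample IIS W3C log; internal and probe addresses are documentation ranges.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-18 09:12:01 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\jdoe 10.0.3.44 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-18 09:12:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 134.199.202.205 Mozilla/5.0 200
2025-07-18 09:14:30 10.0.0.5 GET /_layouts/16/SPINSTALL1.aspx - 443 - 198.51.100.9 curl/8.0 404
2025-07-18 09:15:00 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 104.238.159.149 python-requests/2.32 200
2025-07-18 09:16:12 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\asmith 10.0.3.45 Mozilla/5.0 200
""".splitlines()

# Constructed egress records; the IPs beside the hostnames are placeholders, not resolutions.
SAMPLE_OUTBOUND = [
    ("SP-WFE-01", "198.51.100.20", "login.microsoftonline.com"),
    ("SP-WFE-01", "131.226.2.6", "-"),
    ("SP-WFE-02", "203.0.113.10", "c34718cbb4c6.ngrok-free.app"),
]

if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_IIS_LOG):
        print("IIS   ", finding)
    for hit in scan_outbound(SAMPLE_OUTBOUND):
        print("EGRESS", hit)
```

On the constructed input the IIS scan returns three findings (the spinstall0.aspx fetch from a listed IP, the probe for SPINSTALL1.aspx that the server answered 404, and an ordinary page request from a second listed IP) and the egress scan returns two (the C2 address and the ngrok host). Run it against real exports with the log directory of each web front end, not only the load balancer, since the web shell is written to and requested from the individual server.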
What Should You Do Now?
If you're managing on-premises Microsoft SharePoint servers, now is the time to act. The combination of a public exploit, state-sponsored actors, and a high exploitation rate makes this vulnerability especially critical.
Make sure to:
- Apply Microsoft's latest security patches to every on-premises SharePoint server. Patching alone does not evict an attacker who has already run spinstall0.aspx, which reads the server's ASP.NET machine keys, so follow Microsoft's guidance to rotate those keys and restart IIS after updating.
- Check IIS logs, the SharePoint LAYOUTS directories, and egress logs for the listed IoCs.
- Monitor for suspicious connections and processes, in particular PowerShell or cmd.exe spawned by the IIS worker process (w3wp.exe).
- Strengthen access policies and network segmentation so that an on-premises SharePoint server is not directly reachable from the internet.
This is not just about protecting your systems—it’s about preventing a breach with potentially severe operational and legal consequences.