
Microsoft SharePoint Under Attack: Warlock Ransomware Exploits Flaws

Written by Muriel de Juan Lara | Jul 25, 2025 11:38:34 PM

A China-based hacker group is exploiting vulnerable Microsoft SharePoint servers to deploy Warlock ransomware, targeting a recently patched chain of vulnerabilities known as ToolShell, which has been used in zero-day attacks.

According to Shadowserver, a nonprofit cybersecurity organization, over 420 SharePoint servers remain publicly exposed and are at risk of being compromised by this active campaign.

While this group has previously been observed using both Warlock and Lockbit in past attacks, Microsoft admits it cannot yet determine the group’s specific targets with certainty.


How Storm-2603 Infiltrates and Spreads Warlock Ransomware Across Corporate Networks


Since July 18, 2025, Microsoft has detected that the threat group Storm-2603 has been actively exploiting these vulnerabilities to distribute ransomware.

Once inside a victim’s network, Storm-2603 attackers use the well-known hacking tool Mimikatz to steal plaintext credentials directly from LSASS process memory—a common technique for privilege escalation within the system.

They then move laterally across the network using PsExec and the Impacket toolkit, executing commands via Windows Management Instrumentation (WMI) and modifying Group Policy Objects (GPOs) to deploy the Warlock ransomware on other compromised machines.
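The post-exploitation chain just described (LSASS credential theft, PsExec and WMI lateral movement, GPO modification) maps onto a few well-known Windows and Sysmon event IDs. The following is an added defender-side example, not code from the article or from Microsoft: a small detector that labels each stage over constructed JSON-lines event records. The host names, sample records and the process allowlist are assumptions; the event IDs themselves are standard Windows/Sysmon ones.

```python
import json

# Constructed sample telemetry (JSON lines), NOT real logs: one record per
# stage of the attack flow plus benign records that must not alert.
SAMPLE_LOG = r"""
{"host": "SP01", "source": "Sysmon", "event_id": 10, "SourceImage": "C:\\Temp\\mk.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010"}
{"host": "SP01", "source": "Sysmon", "event_id": 10, "SourceImage": "C:\\Windows\\system32\\csrss.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010"}
{"host": "FS02", "source": "System", "event_id": 7045, "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}
{"host": "FS02", "source": "Sysmon", "event_id": 1, "Image": "C:\\Windows\\system32\\cmd.exe", "ParentImage": "C:\\Windows\\system32\\wbem\\WmiPrvSE.exe"}
{"host": "DC01", "source": "Security", "event_id": 5136, "ObjectClass": "groupPolicyContainer", "AttributeLDAPDisplayName": "gPCFileSysPath", "SubjectUserName": "svc_backup"}
{"host": "WS07", "source": "Sysmon", "event_id": 1, "Image": "C:\\Windows\\system32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory
# Assumed site allowlist of Windows components that legitimately open LSASS.
LSASS_READERS_ALLOWED = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

def basename(path):
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return a stage label for one event, or None if it looks benign."""
    src, eid = ev.get("source"), ev.get("event_id")
    # Sysmon 10 (ProcessAccess): unexpected process reading lsass.exe memory.
    if src == "Sysmon" and eid == 10 and basename(ev.get("TargetImage", "")) == "lsass.exe":
        if (int(ev.get("GrantedAccess", "0"), 16) & PROCESS_VM_READ
                and basename(ev.get("SourceImage", "")) not in LSASS_READERS_ALLOWED):
            return "credential-theft: LSASS memory read"
    # System 7045 (service installed): PsExec drops the PSEXESVC service.
    if src == "System" and eid == 7045 and ev.get("ServiceName", "").upper() == "PSEXESVC":
        return "lateral-movement: PsExec service installed"
    # Sysmon 1 (ProcessCreate): shell spawned by the WMI provider host.
    if (src == "Sysmon" and eid == 1 and basename(ev.get("ParentImage", "")) == "wmiprvse.exe"
            and basename(ev.get("Image", "")) in {"cmd.exe", "powershell.exe"}):
        return "lateral-movement: shell spawned by WMI"
    # Security 5136 (directory object modified) on a Group Policy container.
    if src == "Security" and eid == 5136 and ev.get("ObjectClass") == "groupPolicyContainer":
        return "deployment: GPO modified"
    return None

def detect(log_text):
    """Parse JSON-lines text and return [(host, stage), ...] for suspicious events."""
    alerts = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        stage = classify(ev)
        if stage:
            alerts.append((ev["host"], stage))
    return alerts

if __name__ == "__main__":
    for host, stage in detect(SAMPLE_LOG):
        print(f"{host}: {stage}")
```

Impacket's own PsExec-style tools install services under other names, so in production the 7045 rule should also flag any new service whose image path points at a randomly named binary in a writable share.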

Microsoft warns: “We strongly recommend that all customers immediately apply SharePoint Server security updates in on-premises environments and follow the mitigation steps outlined in our official blog.”


Storm-2603 Ransomware Attack Flow (Microsoft)


Warlock Ransomware Cyberattacks Expand Globally, Targeting Government Entities


Microsoft Threat Intelligence researchers have recently linked Chinese state-sponsored hacker groups Linen Typhoon and Violet Typhoon to the campaign exploiting critical vulnerabilities in Microsoft SharePoint.

This discovery follows the initial zero-day attacks uncovered by Dutch cybersecurity firm Eye Security, which revealed exploitation of vulnerabilities CVE-2025-49706 and CVE-2025-49704. According to Eye Security CTO Piet Kerkhofs, the situation is more serious than it appears: “Many organizations had already been compromised for some time.”

Data collected by Eye Security shows that at least 400 servers have been infected with malware and attackers have breached at least 148 organizations worldwide.

The severity of the situation has drawn attention from authorities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added another critical vulnerability to its Known Exploited Vulnerabilities catalog: the remote code execution flaw CVE-2025-53770, also tied to the ToolShell exploit chain. The agency mandated that all federal entities patch and secure their systems within 24 hours.

The impact has already reached highly sensitive institutions. This week, the U.S. Department of Energy confirmed that its National Nuclear Security Administration (the agency responsible for managing the nation’s nuclear arsenal) was targeted in the SharePoint attacks. However, there is currently no evidence that classified data was compromised.

Additionally, Bloomberg reported that other U.S. government agencies have been affected, including the Department of Education, the Rhode Island General Assembly, and the Florida Department of Revenue. The campaign has also impacted government networks in Europe and the Middle East.

The Washington Post further reported that the National Institutes of Health (NIH), under the U.S. Department of Health and Human Services, was also compromised.