A China-based hacking group is deploying Warlock ransomware on Microsoft SharePoint servers vulnerable to widespread attacks targeting the recently patched ToolShell zero-day exploit chain.
"Although Microsoft has observed this threat actor deploying Warlock and Lockbit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor’s objectives," the company said in a Wednesday report.
"Starting on July 18, 2025, Microsoft has observed Storm-2603 deploying ransomware using these vulnerabilities.
After breaching the victims' networks, Storm-2603 operators use the Mimikatz hacking tool to extract plaintext credentials from LSASS memory.
They then move laterally with PsExec and the Impacket toolkit, executing commands via Windows Management Instrumentation (WMI), and modifying Group Policy Objects (GPOs) to deliver Warlock ransomware across compromised systems.
"Customers should apply the on-premises SharePoint Server security updates immediately and follow the detailed mitigation guidance in our blog," Microsoft also warned.
Microsoft Threat Intelligence researchers have also linked the Linen Typhoon and Violet Typhoon Chinese state-backed hacking groups with these attacks on Tuesday, days after Dutch cybersecurity firm Eye Security first detected zero-day attacks exploiting the CVE-2025-49706 and CVE-2025-49704 vulnerabilities.
Since then, Eye Security CTO Piet Kerkhofs told BleepingComputer that the number of breached entities is much larger, with "most of them already compromised for some time already." According to the cybersecurity company's statistics, the attackers have so far infected at least 400 servers with malware and breached 148 organizations worldwide.
CISA also added the CVE-2025-53770 remote code execution flaw, part of the same ToolShell exploit chain, to its catalog of vulnerabilities exploited in the wild, ordering US federal agencies to secure their systems within a day.
However, earlier this week, the Department of Energy confirmed that the National Nuclear Security Administration’s networks were breached in the ongoing Microsoft SharePoint attacks, although the agency has yet to find evidence that sensitive or classified information was compromised in the incident.
According to a Bloomberg report, the attackers have also hacked into systems at the US Department of Education, the Rhode Island General Assembly, and Florida’s Department of Revenue, as well as networks of national governments in Europe and the Middle East.
Update July 24, 06:15 EDT: Revised story to make it clearer that Storm-2603 is a China-based threat actor.
Cloud Detection & Response for Dummies
Contain emerging threats in real time – before they impact your business.
Learn how cloud detection and response (CDR) gives security teams the edge they need in this practical, no-nonsense guide.
Related Articles:
Microsoft links Sharepoint ToolShell attacks to Chinese hackers
US nuclear weapons agency hacked in Microsoft SharePoint attacks
Microsoft SharePoint zero-day exploited in RCE attacks, no patch available
Microsoft releases emergency patches for SharePoint RCE flaws exploited in attacks
Windows 11 gets new Black Screen of Death, auto recovery tool
Original Article Published at Bleeping Computer
________________________________________________________________________________________________________________________________
