
Microsoft says the Chinese nation-state threat actors behind last Friday's zero-day attack on SharePoint servers have now been observed deploying Warlock ransomware against victims.
- Microsoft Threat Intelligence warns it has observed Chinese nation-state attackers deploying ransomware against organizations running on-premises SharePoint servers.
- The China-linked threat actor tracked as Storm-2603 has deployed Warlock ransomware in the past.
- Urging organizations to apply security patches immediately, Microsoft has released an updated blog with expanded details on IOCs, detection, mitigation techniques, and more.
In a new blog post published late Wednesday, Microsoft identified the China-based threat actor Storm-2603 – a group known for deploying Warlock and LockBit ransomware variants in past attacks – as the group behind the ransomware deployments.
This comes as Linen Typhoon and Violet Typhoon, the two other Chinese nation-state actors Microsoft believes exploited the critical zero-day, continue to target SharePoint servers, the company said.
Linen Typhoon and Violet Typhoon are established Beijing-backed espionage groups with a long record of targeting a range of industries; Storm-2603's objectives are less clear (see below).
Besides the new ransomware warning, the blog updates include additional TTPs of the new activity, additional IOCs, and expanded mitigation, protection, and hunting guidance, Microsoft said in a post on X.
We updated our blog with expanded analysis and threat intelligence from newly observed activity by Storm-2603 leading to the deployment of Warlock ransomware. https://t.co/wKjzmPjy6E
Microsoft Threat Intelligence (@MsftSecIntel), July 24, 2025
10,000 servers could still be exposed
The July 18th SharePoint zero-day attack initially hit about 100 organizations over that weekend, but Microsoft estimates another 10,000 on-premises SharePoint servers remain exposed, many of them in the government sector.
“With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems,” the blog said.
Microsoft released an initial security patch for SharePoint Server earlier this month, but it failed to fully fix the critical flaw, which was first demonstrated at a hacking competition in May.
Kevin Robertson, CTO of Acumen Cyber, warns the flaw, CVE-2025-53770, "could be the ghost that continues to haunt us for some time."
"While we now have data saying 400 victims have been compromised, this could be a drop in the ocean in comparison with the reality," Robertson explains.
Microsoft has since released further patches that fix the issue, a spokesperson for the tech giant said on Tuesday, but Robertson points out that "not all organisations will have been able to apply the patch yet, meaning their environments are still wide open."
Robertson believes the massive zero-day attack only further reinforces how critical this vulnerability is. He also says it is because of "Microsoft's negligence" in deploying the initial failed patch that so many organizations are now completely exposed.
Storm-2603's long-term objective a mystery
Microsoft says that although it has been unable to link Storm-2603 with other China-backed threat groups and is “unsure of the threat actor’s objectives,” it is “moderately confident” the group is of Chinese origin.
And it's not just Chinese nation-state actors; "other money-motivated attackers are also jumping on the bandwagon," Robertson noted.
Robertson says that the threat actor targeting victims may now gain further access to other environments, conduct reconnaissance, encrypt sensitive information, and then, when ready, "deploy ransomware in hopes of getting a hefty payout at the end."
Microsoft threat intelligence researchers say they first tracked Storm-2603 "with attempts to steal MachineKeys using the on-premises SharePoint vulnerabilities," and that the group began deploying ransomware using these vulnerabilities on July 18th. Those MachineKeys are the ASP.NET machine keys a SharePoint server uses to sign and encrypt ViewState, so a server whose keys were taken before patching stays exposed to the same attackers until the keys are rotated and IIS is restarted; this is why Microsoft's guidance pairs the security update with a machine key rotation rather than treating the patch alone as sufficient.
“The threat actor performs credential access using Mimikatz, specifically targeting the Local Security Authority Subsystem Service (LSASS) memory to extract plaintext credentials,” the updated blog states. "Storm-2603 is then observed modifying Group Policy Objects (GPO) to distribute Warlock ransomware in compromised environments," it said.
The attack chain begins with “the exploitation of an internet-facing on-premises SharePoint server to gain initial access to the environment. Storm-2603 then initiates a series of discovery commands, moves to broader execution phases, eventually disabling Microsoft Defender protections through direct registry modifications."
Additionally, Microsoft found that the group establishes persistence through multiple mechanisms to ensure continued access even if the initial vector is remediated, which makes it harder to evict once it has a foothold.
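To make the two behaviours in those quotes concrete, here is an added example of detection logic run over constructed Windows event records; it is not code from Microsoft's blog or from this article. It covers Sysmon Event ID 13 (registry value set) for Defender being switched off through direct registry writes, and Security Event ID 5136 (directory service object modified) for a Group Policy Object being edited, the step that precedes using GPO to push a payload. The w3wp.exe host list, the GPO admin allowlist and the sample events are assumptions made for illustration.

```python
"""Hunt for two Storm-2603 behaviours over constructed Windows event records.

rule 1: Microsoft Defender disabled via direct registry writes (Sysmon EID 13)
rule 2: a Group Policy Object edited in Active Directory (Security EID 5136)
"""
from dataclasses import dataclass

DEFENDER_POLICY_ROOT = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
# A DWORD 1 in any of these policy values turns the named protection off.
DEFENDER_KILL_SWITCHES = {
    "DisableAntiSpyware", "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring", "DisableIOAVProtection",
}
# Assumption for this example: w3wp.exe is the IIS worker hosting SharePoint,
# so a Defender policy write from it means the change was driven by code
# running inside the exploited web server (e.g. a web shell).
WEB_SHELL_HOSTS = {"w3wp.exe"}
# GPO attributes that change when client-side extensions (scripts, scheduled
# tasks, software installation) are added to a policy.
GPO_PAYLOAD_ATTRS = {"gPCMachineExtensionNames", "gPCUserExtensionNames", "versionNumber"}
# Assumption: the accounts that legitimately edit GPOs in this environment.
GPO_ADMINS = {"gpo-admin"}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    host: str
    actor: str
    detail: str


def _leaf(path: str) -> str:
    """Last component of a backslash-separated registry or file path."""
    return path.rsplit("\\", 1)[-1]


def check_defender_tamper(ev: dict):
    """Rule 1: Defender kill switch set to 1 under the policy hive."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    if not target.upper().startswith(DEFENDER_POLICY_ROOT.upper()):
        return None
    if _leaf(target) not in DEFENDER_KILL_SWITCHES:
        return None
    # Sysmon renders DWORD data as "DWORD (0x00000001)"; only a 1 disables.
    if not ev.get("Details", "").endswith("(0x00000001)"):
        return None
    image = _leaf(ev.get("Image", "")).lower()
    severity = "critical" if image in WEB_SHELL_HOSTS else "high"
    return Finding("defender-registry-tamper", severity, ev["Computer"], image,
                   f"{_leaf(target)} set to 1 by {ev['Image']}")


def check_gpo_modified(ev: dict):
    """Rule 2: payload-bearing attribute of a GPO changed; worse if by a non-admin."""
    if ev.get("EventID") != 5136 or ev.get("ObjectClass") != "groupPolicyContainer":
        return None
    attr = ev.get("AttributeLDAPDisplayName")
    if attr not in GPO_PAYLOAD_ATTRS:
        return None
    actor = ev.get("SubjectUserName", "")
    severity = "medium" if actor in GPO_ADMINS else "high"
    return Finding("gpo-modified", severity, ev["Computer"], actor,
                   f"{attr} changed on {ev['ObjectDN']}")


RULES = (check_defender_tamper, check_gpo_modified)
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def hunt(events):
    """Apply every rule to every event; return findings, most severe first."""
    findings = []
    for ev in events:
        for rule in RULES:
            f = rule(ev)
            if f is not None:
                findings.append(f)
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


# Constructed sample telemetry (not real logs). The GPO GUIDs are the
# well-known Default Domain Policy and Default Domain Controllers Policy.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "SP01", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetObject": DEFENDER_POLICY_ROOT + r"\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Computer": "SP01", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": DEFENDER_POLICY_ROOT + r"\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    # Group Policy re-enabling real-time protection: value 0, not a finding.
    {"EventID": 13, "Computer": "SP01", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": DEFENDER_POLICY_ROOT + r"\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 5136, "Computer": "DC01", "SubjectUserName": "svc_sharepoint",
     "ObjectClass": "groupPolicyContainer", "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example"},
    {"EventID": 5136, "Computer": "DC01", "SubjectUserName": "gpo-admin",
     "ObjectClass": "groupPolicyContainer", "AttributeLDAPDisplayName": "versionNumber",
     "ObjectDN": "CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example"},
    # Unrelated directory change on a user object: ignored.
    {"EventID": 5136, "Computer": "DC01", "SubjectUserName": "helpdesk",
     "ObjectClass": "user", "AttributeLDAPDisplayName": "description",
     "ObjectDN": "CN=jdoe,OU=Staff,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity:8}] {f.rule:24} host={f.host} actor={f.actor} {f.detail}")
```

The provenance check in rule 1 is the part worth carrying into a real query: a Defender policy write is bad from any process, but one originating in the SharePoint worker process ties the tamper directly back to the exploited server, which is the signal an analyst wants surfaced first.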
"This latest update highlights that when threat actors have a foothold into an organization's network, they will work hard to take advantage of it whichever way they can,” Robertson explained.
“Let's hope Microsoft does a better job next time and upholds its responsibility to protect its expansive customer base," he said.
Microsoft urges organizations to immediately implement mitigations and security updates, stating that it expects additional threat actors to “continue to use these exploits to target unpatched on-premises SharePoint systems.”