SparTech Software CyberPulse – Your quick strike cyber update for July 29, 2025 4:05 PM

Storm-2603 and Allied Groups Exploit Microsoft SharePoint Vulnerabilities for Global Ransomware and Espionage Campaigns

A coordinated wave of attacks exploiting fresh zero-day vulnerabilities in Microsoft SharePoint has impacted hundreds of organizations worldwide in July 2025. Prominent threat actor Storm-2603, linked to China, along with allied groups Linen Typhoon and Violet Typhoon, leveraged these flaws for remote code execution, backdoor deployment, espionage, and the propagation of Warlock ransomware. Emergency guidance has been issued by major security agencies and Microsoft due to the unusually high severity and rapid exploitation of the vulnerabilities. The attacks have caused significant damage, including confirmed compromises across banking, healthcare, education, and critical infrastructure sectors, and in some cases have led to full operational shutdowns.

Architectural Vulnerabilities in SharePoint Platform

The primary exploits center on two SharePoint vulnerabilities, one scoring 9.8 and the other 7.1 on the CVSS scale. The more critical vulnerability (CVE-2025-53770) permits unauthenticated remote code execution, allowing attackers to gain administrative access on unpatched SharePoint Servers. This enables them to bypass standard security controls and interact programmatically with data and applications across Microsoft 365 environments. The flaws were originally revealed at the Pwn2Own contest in May 2025 and began to see broad exploitation by July. Attackers have also managed to circumvent initial fixes, forcing Microsoft to release urgent secondary patches and to recommend more aggressive mitigation steps.

Scale and Impact of the Compromise

As of late July, over 400 organizations have confirmed breaches attributed to this attack chain. Notable victims include major banks, healthcare providers, universities, and government agencies such as the US National Nuclear Security Administration. The exploit chain has enabled threat actors to establish persistent backdoors within target environments, facilitate lateral movement (often using tools like Impacket’s Atexec and WmiExec for Windows environment traversal), and exfiltrate sensitive data. In some cases the attacks have culminated in ransomware deployment, specifically Warlock ransomware, crippling organizations that failed to implement timely patching or key rotation.

Advanced Techniques and Attribution

Microsoft and security partners have attributed the attacks to three related Chinese-linked APT groups: Storm-2603, Linen Typhoon, and Violet Typhoon. These actors have demonstrated the ability to tailor payloads to evade SharePoint security controls and even subvert attempts at remediation, such as post-patch exploitation using newly crafted payload variants. Furthermore, CISA and Microsoft’s emergency advisories stress that tens of thousands of internet-exposed on-premises SharePoint servers remain unpatched and thus highly vulnerable. The attackers have also exploited organizations’ failure to rotate machine keys and to disconnect end-of-life SharePoint systems, amplifying the ongoing risk landscape.

Recommended Response and Mitigation

Security agencies recommend several urgent actions:

  • Immediate deployment of the latest security patches to all SharePoint systems.
  • Rotation of all security and machine keys in compromised SharePoint environments.
  • Full audit of administrative accounts and privileged actions performed via SharePoint.
  • Removal of internet exposure for end-of-life or non-hardened SharePoint servers.
  • Continuous monitoring for indicators of compromise and backdoor persistence.

These incidents emphasize the criticality of timely patch management, zero-day exploit awareness, and adopting defense-in-depth strategies for enterprise collaboration platforms.

Ransomware Attack Destroys 158-Year-Old Logistics Firm Due to Credential Weakness

A devastating ransomware attack led to the collapse of KNP Logistics, a historic UK-based company operating for 158 years. The breach, triggered by a single weak password, rendered all company operations unrecoverable and resulted in 730 job losses. This incident exemplifies the catastrophic impact that poor credential hygiene and a lack of multifactor authentication can have on critical infrastructure providers and their supply chains.

Attack Vector and Technical Exploitation

The attackers gained initial access through the successful compromise of a weak account password, likely using automated credential stuffing or password spraying methods. Once inside the corporate environment, they rapidly escalated privileges and deployed ransomware, encrypting operational, financial, and logistical data. The attack overwhelmed existing security controls and backups, preventing recovery and forcing the company into liquidation proceedings.

Broader Implications for Critical Infrastructure

KNP Logistics’ destruction demonstrates the disproportionate vulnerability facing organizations that do not enforce strong password policies or implement modern identity protections such as multifactor authentication (MFA). The attack’s rapid impact, resulting in permanent data and operational loss, has triggered renewed calls across the logistics and supply chain sectors for adoption of robust cyber hygiene practices, including privileged access management and zero-trust network architectures.

APT41 Escalates Cyber Espionage in Africa Using Impacket Abuse and SharePoint Exploitation

Threat group APT41, associated with China, significantly expanded its espionage activity in July 2025, targeting African government IT environments. The campaign involved weaponizing legitimate open-source post-exploitation tools (specifically Impacket’s Atexec and WmiExec modules) for stealthy lateral movement, in conjunction with the exploitation of a vulnerable SharePoint server for command-and-control communication.

Technical Anatomy of the Attack

The campaign started with a spear-phishing vector or the exploitation of public-facing application vulnerabilities, giving APT41 initial access. By deploying Impacket toolkits, the attackers moved laterally within the target’s Windows infrastructure, leveraging Windows Management Instrumentation (WMI) and remote execution techniques to deploy fileless payloads. The compromised SharePoint server was repurposed as an internal C2 node, embedding sensitive internal network details within its malicious payloads to facilitate extended persistence and control.
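Detection logic for the Impacket lateral-movement tooling named above (and in the SharePoint story earlier in this digest), as an added example that is not part of the original article. It assumes Windows 4688-style process-creation events with ParentProcessName, NewProcessName and CommandLine fields, and the output-redirect command shapes are assumptions taken from the tools' publicly documented defaults; the sample events are constructed.

```python
"""Flag process-creation events whose shape matches the default command
templates of Impacket's wmiexec.py and atexec.py (constructed samples, not real logs)."""
import re

# Assumed default output-redirect patterns of the two tools; operators can
# customise these, so treat a miss as "not detected", not "clean".
WMIEXEC_REDIRECT = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I)
ATEXEC_REDIRECT = re.compile(r">\s*%windir%\\Temp\\[A-Za-z]{8}\.tmp\s+2>&1", re.I)


def classify(event):
    """Return a finding name for one 4688-style event dict, or None."""
    parent = event.get("ParentProcessName", "").lower()
    image = event.get("NewProcessName", "").lower()
    cmdline = event.get("CommandLine", "")
    if not image.endswith("\\cmd.exe"):
        return None
    if parent.endswith("\\wmiprvse.exe"):
        if WMIEXEC_REDIRECT.search(cmdline):
            return "wmiexec-default-template"
        return "wmi-spawned-shell"  # weaker signal: WMI provider host launching a shell
    # Scheduled tasks are launched by the Task Scheduler service inside svchost.exe
    if parent.endswith("\\svchost.exe") and ATEXEC_REDIRECT.search(cmdline):
        return "atexec-default-template"
    return None


def scan(events):
    """Return (host, finding) pairs for every event that matches a rule."""
    return [(e["Computer"], f) for e in events if (f := classify(e))]


# Constructed sample events (hostnames, timestamps and commands are made up)
SAMPLE_EVENTS = [
    {"Computer": "fs01", "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1753800000.12 2>&1"},
    {"Computer": "dc01", "ParentProcessName": r"C:\Windows\System32\svchost.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /C hostname > %windir%\Temp\kQzpLmRx.tmp 2>&1"},
    {"Computer": "ws07", "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c ipconfig /all"},
]

if __name__ == "__main__":
    for host, finding in scan(SAMPLE_EVENTS):
        print(host, finding)
```

The benign explorer.exe-launched shell is deliberately included so the rules can be checked for false positives before being pointed at a real event feed.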

Regional and Geopolitical Context

This campaign marks a notable escalation in APT41’s focus on African public sector targets, consistent with their known objectives of cyberespionage, supply-chain infiltration, and intelligence gathering. The use of dual-purpose open-source tooling like Impacket complicates detection by blending malicious activity with legitimate administrative traffic. Security analysts have noted a significant increase in regional activity from late 2022 through July 2025, aligning with broader trends of state-backed cyber operations expanding into developing regions.
