Storm-2603 Launches Ransomware Wave via SharePoint Zero-Day Exploitation
A cyber-espionage campaign targeting on-premises Microsoft SharePoint Server installations has been under way since early July 2025 and has since turned to ransomware deployment. Attributed to the China-affiliated Storm-2603 threat group, the campaign chains two SharePoint vulnerabilities that were exploited as zero-days, CVE-2025-49704 and CVE-2025-49706 (detailed below), and has led to widespread compromise in government, telecom, and critical enterprise sectors. SharePoint Online in Microsoft 365 is not affected; the exposure is confined to self-hosted servers. The incident underscores the ongoing risk posed by unpatched collaboration platforms and the increasing speed and skill with which nation-state actors exploit security gaps.
Nature of the Zero-Day Vulnerability
The exploited SharePoint vulnerabilities, tracked as CVE-2025-49704 (remote code execution) and CVE-2025-49706 (spoofing, used as an authentication bypass), enable adversaries to reach code execution either without credentials or with a spoofed authenticated context. Attackers then deliver malicious payloads including webshells, dynamic link library (.dll) files, and custom backdoors. These tools grant persistent and extensive access to SharePoint-hosted file repositories, server configuration (including cryptographic material such as the ASP.NET machine keys), and in some cases the underlying server infrastructure.
Technical Attack Chain and Payloads
The campaign unfolds as follows:
- Attackers send crafted requests that exploit the spoofing flaw (CVE-2025-49706) so the server treats an unauthenticated request as if it came from a legitimate user, bypassing authentication controls.
- They chain this with the RCE flaw (CVE-2025-49704) to execute arbitrary code inside the SharePoint worker process, with the privileges of the application pool identity.
- Malicious payloads, primarily ASP.NET webshells or DLLs loaded into the process, are dropped on the compromised servers. Because they run inside the application, they can read server secrets such as the ASP.NET machine keys, which lets the attacker forge valid authentication tokens that keep working after the patch is applied unless the keys are rotated.
- Command-and-control infrastructure is established, enabling lateral movement, data exfiltration, and ultimately ransomware deployment.
Recent reports confirm the appearance of the Warlock ransomware on compromised networks, marking a shift from the initial espionage activity to financially motivated extortion. Warlock encrypts SharePoint-hosted and adjacent files and demands payment for decryption keys, in some cases also threatening to leak the stolen data publicly.
Scope of Victimization and Attribution
The wave of attacks has impacted entities in North America and Western Europe, particularly organizations managing sensitive geopolitical, defense, and intelligence information. Exploitation attempts have been detected from infrastructure previously seen in attacks involving other enterprise platforms. Attribution to the Storm-2603 group is based on malware code reuse, known TTPs, and observed targeting patterns aligning with past China-affiliated campaigns.
Mitigation and Guidance
Microsoft and CISA have published urgent mitigation advisories, emphasizing rapid patch rollout to all vulnerable on-premises SharePoint servers. Patching alone is not sufficient on a server that may already have been reached: Microsoft's guidance is to rotate the ASP.NET machine keys after patching (the Update-SPMachineKey cmdlet or Central Administration, followed by an IIS restart) so that tokens forged with stolen keys stop validating, and to enable AMSI integration with an antimalware engine such as Microsoft Defender Antivirus on the farm. Additional recommendations include:
- Reviewing IIS request logs, not only authentication logs, for unauthenticated POST requests to SharePoint layout pages carrying implausible Referer headers, which is how the spoofing step appears on the server
- Hunting for unfamiliar or recently modified ASPX, DLL, or EXE files in SharePoint directories and IIS web roots, compared against the last known-good deployment
- Enhanced network monitoring for outbound communications to known threat operator infrastructure
- Backup validation and isolation (offline or immutable copies) to protect against ransomware-induced data loss
Notably, defenders are cautioned to expect evolving TTPs as threat actors respond to detection and remediation efforts.
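The two hunting steps above, checking request logs for the spoofed-authentication request and checking SharePoint directories for freshly written web files, as a small Python triage script. This is an added example, not code from the original article, Microsoft or CISA. Its assumptions are labelled in the code: the flagged request shape (a POST to ToolPane.aspx whose Referer is SignOut.aspx) follows publicly documented hunting guidance for this chain, and the IIS log lines and file names are constructed for the example rather than captured from a real server.

```python
"""Log and file triage for the SharePoint chain described above.

Added example; not code from the original article, Microsoft or CISA.
Assumptions: the flagged request shape follows published hunting guidance
for this chain; the log lines and file names are constructed.
"""
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumed indicators of the spoofing step (CVE-2025-49706) that precedes the
# RCE step (CVE-2025-49704). Compared case-insensitively.
SUSPECT_URI = "/_layouts/15/toolpane.aspx"
SUSPECT_REFERER_SUFFIX = "/_layouts/signout.aspx"
# File types the advisories tell defenders to hunt for in SharePoint directories.
WEB_FILE_EXTS = {".aspx", ".dll", ".exe"}


@dataclass
class Hit:
    time: str
    client_ip: str
    uri: str
    referer: str
    status: str


def parse_iis_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if not fields or len(parts) != len(fields):
            continue  # malformed or pre-header line; a real pipeline would count these
        records.append(dict(zip(fields, parts)))
    return records


def find_toolpane_abuse(lines: Iterable[str]) -> List[Hit]:
    """Flag POSTs to ToolPane.aspx whose Referer claims to come from SignOut.aspx.

    Editing a web-part page is never reached from the sign-out page, so the
    combination is the spoofed-authentication request of the chain. On the hit
    note the unauthenticated ("-") cs-username together with a 200 response.
    """
    hits: List[Hit] = []
    for r in parse_iis_w3c(lines):
        if r.get("cs-method", "").upper() != "POST":
            continue
        if r.get("cs-uri-stem", "").lower() != SUSPECT_URI:
            continue
        if r.get("cs(Referer)", "-").lower().endswith(SUSPECT_REFERER_SUFFIX):
            hits.append(Hit(r["time"], r["c-ip"], r["cs-uri-stem"],
                            r["cs(Referer)"], r["sc-status"]))
    return hits


def find_recent_web_files(root: str, since_epoch: float) -> List[str]:
    """Return .aspx/.dll/.exe files under root modified at or after since_epoch.

    Point root at the SharePoint LAYOUTS/TEMPLATE directories and IIS web roots
    and pass the timestamp of the last known-good deployment.
    """
    found: List[str] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in WEB_FILE_EXTS:
                path = os.path.join(dirpath, name)
                if os.path.getmtime(path) >= since_epoch:
                    found.append(path)
    return sorted(found)


# Constructed sample log: a benign page view, a ToolPane POST from a logged-in
# user with a plausible Referer, and one request matching the spoofed pattern.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 09:14:02 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\alice 10.0.0.77 Mozilla/5.0 https://sp.example.test/sites/hr 200 0 0 120
2025-07-18 09:15:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.0.78 Mozilla/5.0 https://sp.example.test/sites/hr/default.aspx 200 0 0 310
2025-07-18 09:21:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.9 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 455
"""


def demo_recent_files() -> List[str]:
    """Self-contained demo of the file hunt: one week-old page, one fresh drop."""
    layouts = os.path.join(tempfile.mkdtemp(), "LAYOUTS")
    os.makedirs(layouts)
    old = os.path.join(layouts, "default.aspx")
    new = os.path.join(layouts, "unknown0.aspx")  # assumed name for a dropped webshell
    for path in (old, new):
        with open(path, "w") as f:
            f.write('<%@ Page Language="C#" %>')
    week_ago = time.time() - 7 * 86400
    os.utime(old, (week_ago, week_ago))
    return [os.path.basename(p) for p in find_recent_web_files(layouts, time.time() - 3600)]


if __name__ == "__main__":
    for h in find_toolpane_abuse(SAMPLE_LOG.splitlines()):
        print(f"suspect {h.time} {h.client_ip} -> {h.uri} (Referer {h.referer}, {h.status})")
    print("recently modified:", demo_recent_files())
```

Run it against the real IIS log directory (by default %SystemDrive%\inetpub\logs\LogFiles) and the SharePoint hive; a hit from an unauthenticated client with a 200 status is the point at which the machine-key rotation described above becomes mandatory, not optional, because the webshell has likely already read the keys.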
Supply Chain Threat: Toptal GitHub Breach and Malicious npm Packages
In July 2025, the software supply chain community faced a serious intrusion when Toptal, a major freelancing platform, suffered a compromise of its GitHub organization. Threat actors leveraged the breach to publish several malicious npm packages, directly targeting the open-source software supply ecosystem. The incident highlights the ongoing risk of third-party dependencies and the necessity of robust source control and publishing hygiene.
Breach Vector and Immediate Impact
Attackers obtained unauthorized access to Toptal's GitHub organization, which let them modify legitimate code repositories. From there they used Toptal's trusted publisher identity to push poisoned releases of its packages to npm, the world's largest JavaScript package registry.
Malware Functionality and Objectives
Because the poisoned releases were published under Toptal's own npm scope and otherwise behaved like the libraries they replaced, developers pulling a routine update had no visible reason to suspect them. Technical analysis revealed the following capabilities:
- Exfiltration of developer credentials from infected development environments
- Execution of attacker-chosen commands on every machine that installed the package, via npm lifecycle scripts (preinstall/postinstall) that run automatically during installation
- Installation of persistent backdoors to maintain access
- Mechanisms for spreading to other linked projects through dependency chains
These modules performed silent credential theft, data harvesting, and could potentially have enabled broader supply chain attacks if left unchecked.
Remediation and Industry Response
Upon identification of the compromise, Toptal reverted the tampered code, removed the malicious releases, and began an audit of its internal security procedures focused on credential management and repository monitoring. The npm security team was promptly notified, resulting in the takedown of the malicious packages and a coordinated warning to the open-source community.
The breach emphasizes the need for:
- Phishing-resistant two-factor authentication on code hosting platforms and registry publishing accounts, with short-lived, narrowly scoped publish tokens instead of long-lived credentials that can be replayed after a breach
- Automated scrutiny of new and updated packages before they reach build and production environments, in particular review of any dependency that runs install-time lifecycle scripts
- Continuous monitoring and anomaly detection across CI/CD pipelines, including unexpected releases under an organization's own scope
- Community-wide vigilance for impersonation and typosquat attacks in popular code repositories
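The "automated scrutiny" and "typosquat vigilance" points above, as a lockfile audit a CI job can run before `npm ci`. This is an added example and is not code from Toptal, npm or the original article. It reads a v2/v3 package-lock.json, lists every dependency that will run lifecycle scripts during install (lockfiles mark these with `"hasInstallScript": true`, the same hook the poisoned releases used), and flags installed names within a small edit distance of the packages the project actually expects. The lockfile, package names and versions in the block are constructed for the example and do not correspond to real releases.

```python
"""Pre-install audit of an npm lockfile (added example, not Toptal's or npm's code).

Checks run before `npm ci`:
  1. packages that execute lifecycle scripts on install ("hasInstallScript");
  2. names within a small edit distance of the expected dependency list.
The lockfile, names and versions below are constructed, not real releases.
"""
import json
from typing import Dict, List, Tuple


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def packages_from_lock(lock: dict) -> Dict[str, dict]:
    """Map package name -> lock metadata.

    v2/v3 lockfiles key entries by install path, e.g.
    "node_modules/a/node_modules/@scope/b"; the name is the part after the
    last "node_modules/". The "" entry is the root project and is skipped.
    """
    out: Dict[str, dict] = {}
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue
        out[path.rsplit("node_modules/", 1)[-1]] = meta
    return out


def find_install_scripts(lock: dict) -> List[Tuple[str, str]]:
    """(name, version) of every package that runs preinstall/install/postinstall."""
    return sorted((name, meta.get("version", "?"))
                  for name, meta in packages_from_lock(lock).items()
                  if meta.get("hasInstallScript"))


def find_lookalikes(lock: dict, expected: List[str],
                    max_distance: int = 2) -> List[Tuple[str, str]]:
    """(installed name, expected name) pairs differing by 1..max_distance edits."""
    hits: List[Tuple[str, str]] = []
    for name in packages_from_lock(lock):
        if name in expected:
            continue
        for good in expected:
            d = levenshtein(name, good)
            if 0 < d <= max_distance:
                hits.append((name, good))
    return sorted(hits)


def audit(lock: dict, expected: List[str]) -> Dict[str, list]:
    """Both checks together; a CI gate fails the build if either list is non-empty."""
    return {"install_scripts": find_install_scripts(lock),
            "lookalikes": find_lookalikes(lock, expected)}


# Constructed lockfile. "@acme/ui-kit" stands in for a trusted scoped package
# whose new version has gained an install script (the pattern in this breach);
# "dat-tools", pulled in transitively, is a lookalike of the expected "date-tools".
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app",
         "dependencies": {"@acme/ui-kit": "^2.1.0", "date-tools": "^3.0.0"}},
    "node_modules/date-tools": {"version": "3.0.1"},
    "node_modules/@acme/ui-kit": {"version": "2.1.7", "hasInstallScript": true},
    "node_modules/@acme/ui-kit/node_modules/dat-tools": {"version": "1.0.0",
                                                         "hasInstallScript": true}
  }
}
""")
EXPECTED = ["@acme/ui-kit", "date-tools"]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_LOCK, EXPECTED), indent=2))
```

A package gaining an install script between two versions is the signal worth alerting on: diff the `install_scripts` list against the one from the previous commit's lockfile rather than only against zero. As a blunt backstop, `npm ci --ignore-scripts` prevents lifecycle scripts from running at all, at the cost of breaking the few packages that legitimately need them.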
Swift detection and response limited the impact, but the breach illustrates the persistent threat that supply chain compromises pose across the global developer ecosystem.