Storm-2603 Exploits SharePoint Zero-Day to Deploy Warlock Ransomware
July 2025 has witnessed a critical escalation in attacks targeting Microsoft SharePoint, with sophisticated threat actors exploiting zero-day vulnerabilities to deploy advanced ransomware and establish persistent unauthorized access across a wide swath of sectors. Organizations using SharePoint on-premises, especially those managing sensitive or regulated data, face a rapidly evolving threat landscape requiring immediate mitigation and forensic vigilance.
Technical Background of the SharePoint Exploits
Security researchers and government agencies confirmed active exploitation of two SharePoint Server vulnerabilities, CVE-2025-49704 (code injection leading to remote code execution, CVSS 8.8) and CVE-2025-49706 (spoofing caused by improper authentication, CVSS 6.5). Chained together, and publicly referred to as the “ToolShell” exploit chain, they let an unauthenticated attacker run code on the server and escalate to full control of the SharePoint farm. The in-the-wild variant that bypassed Microsoft's initial July fixes is tracked separately as CVE-2025-53770 (unauthenticated deserialization, CVSS 9.8), with CVE-2025-53771 as the matching spoofing bypass; the 9.8 score widely quoted for the chain belongs to that variant. Only on-premises SharePoint Server is affected; SharePoint Online in Microsoft 365 is not.
Tactics, Techniques, and Procedures (TTPs) Observed
The threat actor Microsoft tracks as Storm-2603, assessed by Microsoft as a China-based group, has been linked to exploitation of these vulnerabilities. The chain runs in two stages: a crafted POST to /_layouts/15/ToolPane.aspx carrying a Referer header of /_layouts/SignOut.aspx abuses the spoofing flaw to bypass authentication, and the body of that same request exploits the code-injection flaw to execute attacker-controlled code, typically writing a webshell into the server's LAYOUTS directory. Payloads have included the usual .aspx and .exe webshells (the spinstall0.aspx webshell and its numbered variants are the best known), but researchers have also identified .dll files used as payloads, indicating a deliberate effort to evade endpoint detection and response tooling.
Once in, attackers have executed code on the vulnerable servers, harvested the server's ASP.NET machine keys, exfiltrated sensitive SharePoint content and, in a recent escalation, deployed Warlock ransomware. Affected organizations have seen files encrypted and key business operations disrupted. Microsoft reports Storm-2603 using the SharePoint foothold for lateral movement across the connected Active Directory environment: dumping credentials with Mimikatz, moving with PsExec and Impacket, and modifying Group Policy Objects to push the ransomware to domain-joined hosts.
Scope and Impact of the Campaign
Over 75 organizations have been confirmed compromised as of late July 2025, including financial institutions, public sector agencies, major corporations, and several hospitals and universities worldwide. Attackers have targeted entities with geopolitical significance, amplifying national security concerns. Activity was first detected on July 7, peaking around July 18-19 as coordinated exploitation targeted government, telecommunications, technology, and healthcare sectors.
The campaign demonstrated unusual speed and coordination: threat groups used multiple IP addresses and reused infrastructure from earlier exploitation campaigns, including prior attacks on Ivanti EPMM vulnerabilities. Beyond ransomware, attackers harvested the ASP.NET MachineKey values (ValidationKey and DecryptionKey) from compromised servers. With those keys an attacker can sign forged __VIEWSTATE payloads that the server deserializes and executes, so a server that is patched but whose keys were never rotated stays exploitable, giving long-term access and a base for further downstream attacks.
Mitigation Measures and Defensive Recommendations
Microsoft fixed CVE-2025-49704 and CVE-2025-49706 in the July 2025 Patch Tuesday release, but the in-the-wild chain bypassed those fixes, and Microsoft followed with emergency out-of-band updates for CVE-2025-53770 and CVE-2025-53771 covering SharePoint Subscription Edition, SharePoint 2019 and SharePoint 2016. CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, and both CISA and security researchers have urged immediate patching as the primary risk-reduction step. Microsoft's guidance adds steps that patching alone does not cover: enable AMSI integration in SharePoint with Microsoft Defender Antivirus running on the servers (or disconnect an unpatched server from the internet until it can be updated), rotate the SharePoint ASP.NET machine keys, and restart IIS on every server in the farm. Detection guidance has also been published, including hunting for unusual outbound network activity, unexpected DLL implantation, new or modified webshells in SharePoint directories, and anomalous administrative actions.
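The detection guidance above, as an added example written for this article (not code from Microsoft or from any of the cited researchers): a PowerShell hunt for the ToolShell request pattern in IIS logs and for files dropped into the LAYOUTS directory. The IIS log lines embedded in it are constructed for illustration; the IIS log path, the SharePoint hive paths and the presence of the cs(Referer) field in the logs are assumptions about a default installation.

```powershell
# Added example for this article (not code from the original page or from Microsoft):
# hunts for the two artefacts the detection guidance names on an on-premises
# SharePoint server. Assumptions: default IIS log location, default SharePoint
# hive paths, and IIS logging with the cs(Referer) field enabled.
$Since  = Get-Date '2025-07-07'                 # first observed exploitation
$LogDir = 'C:\inetpub\logs\LogFiles'            # assumption: default IIS log root

# Constructed sample of IIS W3C log lines (not a real capture) showing the chain:
# an unauthenticated POST to ToolPane.aspx with a SignOut.aspx Referer (the
# spoofing/auth-bypass stage), followed by a request to the dropped webshell.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 14:02:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\alice 10.0.0.40 Mozilla/5.0 - 200 0 0 120
2025-07-18 14:03:27 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.10 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 843
2025-07-18 14:03:31 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 15
'@

function Find-ToolShellRequests {
    # Parses W3C lines using the #Fields header, so the field order in the log does not matter.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if (-not $fields -or $line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        $rec = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) { $rec[$fields[$i]] = $values[$i] }

        # Stage 1 of the chain: unauthenticated POST to ToolPane.aspx with the SignOut.aspx Referer.
        $toolPane = ($rec['cs-method'] -eq 'POST') -and
                    ($rec['cs-uri-stem'] -like '*/_layouts/*/ToolPane.aspx') -and
                    ($rec['cs(Referer)'] -like '*/_layouts/SignOut.aspx*')
        # Follow-on: any hit on the spinstall webshell names reported for ToolShell.
        $webshell = $rec['cs-uri-stem'] -match '/_layouts/\d+/spinstall\d*\.aspx$'
        if ($toolPane -or $webshell) {
            $reason = if ($toolPane) { 'ToolPane POST with SignOut.aspx Referer' } else { 'known webshell path' }
            [pscustomobject]@{
                Time   = "$($rec['date']) $($rec['time'])"
                Client = $rec['c-ip']
                Method = $rec['cs-method']
                Uri    = $rec['cs-uri-stem']
                Status = $rec['sc-status']
                Reason = $reason
            }
        }
    }
}

# Run against the constructed sample, then against the real logs if they exist.
Find-ToolShellRequests -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
if (Test-Path $LogDir) {
    Get-ChildItem $LogDir -Recurse -Filter '*.log' | Where-Object { $_.LastWriteTime -ge $Since } |
        ForEach-Object { Find-ToolShellRequests -Lines (Get-Content $_.FullName) } | Format-Table -AutoSize
}

# Files written into the LAYOUTS directory since the campaign began, plus the
# spinstall*.aspx names reported for ToolShell. Hash them for comparison with
# published indicators before removing anything.
$LayoutsDirs = @(
    'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
    'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS'
)
foreach ($dir in ($LayoutsDirs | Where-Object { Test-Path $_ })) {
    Get-ChildItem $dir -Recurse -Include '*.aspx', '*.dll' |
        Where-Object { $_.LastWriteTime -ge $Since -or $_.Name -like 'spinstall*.aspx' } |
        Select-Object FullName, LastWriteTime, Length,
            @{ n = 'SHA256'; e = { (Get-FileHash $_.FullName -Algorithm SHA256).Hash } }
}
```

A ToolPane.aspx POST with that Referer from an external address is the strongest single signal, because legitimate editing of ToolPane happens from an authenticated session and is not preceded by a sign-out page. A hit on the file scan is evidence the server was already compromised, which means the machine keys must be treated as stolen regardless of whether a patch has since been applied.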
Organizations are also advised to:
- Review all SharePoint and Microsoft 365 logs for evidence of unauthorized or anomalous activity since early July 2025.
- Implement network segmentation to isolate SharePoint servers from sensitive internal systems and restrict egress traffic where feasible.
- Ensure backups are current, secure, and tested—especially for key SharePoint and cloud data repositories.
- Educate incident response teams on newly observed attack patterns and ensure readiness for rapid containment and eradication.
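One way to carry out the post-patch key rotation and IIS restart that Microsoft recommends for this campaign, written as an added example for this article rather than Microsoft's own script. It assumes the SharePoint Management Shell snap-in and the Update-SPMachineKey cmdlet available on SharePoint 2016, 2019 and Subscription Edition; confirm the cmdlet and its parameters against your version's documentation before running it.

```powershell
# Added example (not Microsoft's own script): post-patch machine key rotation on an
# on-premises SharePoint farm. Run as a farm administrator from the SharePoint
# Management Shell on one server; iisreset must then be run on every server.
# Assumption: SharePoint 2016/2019/Subscription Edition with the July 2025
# out-of-band updates already installed, and the cmdlet names as documented
# in Microsoft's SharePoint PowerShell reference.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Record the patch level first: rotating keys on an unpatched server is
# pointless, since the next exploitation simply harvests the new ones.
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"

# Rotate the ASP.NET machine keys of every web application, including Central
# Administration. A stolen ValidationKey/DecryptionKey lets an attacker sign
# forged __VIEWSTATE payloads that the server executes without needing the
# original bug, so patching alone is not enough once spinstall0.aspx has run.
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine keys for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
}

# Apply the new keys by restarting IIS on this server; repeat on every
# SharePoint server in the farm so no server keeps serving with old keys.
iisreset.exe
```

Rotation should happen after the webshell hunt, not before: if a webshell is still present when the keys change, the attacker can read the new values just as easily as the old ones.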
Evolving Threat Landscape and Future Risks
The campaign’s rapid evolution highlights the increasing complexity of targeting enterprise collaboration platforms as entry points for both espionage and financial extortion. The move from mere data theft to full deployment of disruptive ransomware within a matter of weeks underscores a shift in the motivations and capabilities of well-resourced threat actors. Security leaders should anticipate ongoing discovery of related vulnerabilities and expect attack methods to diversify, as webshell-to-ransomware pivoting becomes a preferred approach for gaining maximum leverage from enterprise software exploits.