Microsoft has revealed that one of the threat actors behind the active exploitation of SharePoint flaws is deploying Warlock ransomware on targeted systems.
The tech giant, in an update shared Wednesday, said the findings are based on an "expanded analysis and threat intelligence from our continued monitoring of exploitation activity by Storm-2603."
The threat actor attributed to the financially motivated activity is a suspected China-based threat actor that's known to drop Warlock and LockBit ransomware in the past.
The attack chains entail the exploitation of CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability, targeting unpatched on-premises SharePoint servers to deploy the spinstall0.aspx web shell payload.
"This initial access is used to conduct command execution using the w3wp.exe process that supports SharePoint," Microsoft said. "Storm-2603 then initiates a series of discovery commands, including whoami, to enumerate user context and validate privilege levels."
The attacks are characterized by the use of cmd.exe and batch scripts as the threat actor burrows deeper into the target network, while services.exe is abused to turn off Microsoft Defender protections by modifying the Windows Registry.
In addition to leveraging spinstall0.aspx for persistence, Storm-2603 has been observed creating scheduled tasks and modifying Internet Information Services (IIS) components to launch what Microsoft described as suspicious .NET assemblies. These actions are designed to ensure ongoing access even if the victims take steps to plug the initial access vectors.
Some of the other noteworthy aspects of the attacks include the deployment of Mimikatz to harvest credentials by targeting the Local Security Authority Subsystem Service (LSASS) memory, and then proceeding to conduct lateral movement using PsExec and the Impacket toolkit.
"Storm-2603 is then observed modifying Group Policy Objects (GPO) to distribute Warlock ransomware in compromised environments," Microsoft said.
As mitigations, users are urged to follow the steps below -
- Upgrade to supported versions of on-premises Microsoft SharePoint Server
- Apply the latest security updates
- Ensure the Antimalware Scan Interface is turned on and configured correctly
- Deploy Microsoft Defender for Endpoint, or equivalent solutions
- Rotate SharePoint Server ASP.NET machine keys
- Restart IIS on all SharePoint servers using iisreset.exe (If AMSI cannot be enabled, it's advised to rotate the keys and restart IIS after installing the new security update)
- Implement incident response plan
The development comes as the SharePoint Server flaws have come under large-scale exploitation, already claiming at least 400 victims. Linen Typhoon (aka APT27) and Violet Typhoon (aka APT31) are two other Chinese hacking groups that have been linked to the malicious activity. China has denied the allegations.
"Cybersecurity is a common challenge faced by all countries and should be addressed jointly through dialogue and cooperation," China's Foreign Ministry Spokesperson Guo Jiakun said. "China opposes and fights hacking activities in accordance with the law. At the same time, we oppose smears and attacks against China under the excuse of cybersecurity issues."
Update
Cybersecurity firm ESET said it has observed the ToolShell exploitation activity globally, with the United States accounting for 13.3% of all attacks, according to its telemetry data. Other prominent targets include the United Kingdom, Italy, Portugal, France, and Germany.
"The victims of the ToolShell attacks include several high-value government organizations that have been long-standing targets of these groups," the Slovak company said. "Since the cat is out of the bag now, we expect many more opportunistic attackers to take advantage of unpatched systems."
Data from Check Point Research has revealed large-scale exploitation efforts underway. As of July 24, 2025, more than 4600 compromise attempts have been detected on over 300 organizations worldwide, including government, software, telecommunications, financial services, business services, and consumer goods sectors.
"Alarmingly, we see that the attackers also leverage known Ivanti EPMM vulnerabilities throughout the campaign," Check Point Research said.
WithSecure's analysis of ToolShell attacks has also uncovered the deployment of the Godzilla web shell, suggesting that the activity may be linked to a prior campaign by an unattributed threat actor in December 2024 that weaponized publicly disclosed ASP.NET machine keys.
"One of the primary goals of the current campaign is to steal ASP.NET machine keys to maintain access to the SharePoint server even after patching," the Finnish security vendor said.
Furthermore, the attacks have led paved the way for other payloads such as follows -
- Information, to collect system data and a list of running processes
- RemoteExec, to execute commands via cmd.exe and return the responses of the execution back to the threat actor
- AsmLoader, to launch a shellcode either within the running process (IIS worker) or remote process
- A custom ASP.NET MachineKey stealer similar to spinstall0.aspx that harvests MachineKey components, along with machine name and username
- BadPotato, to escalate privileges
"The usage and implementation of these suggests a Chinese-speaking threat actor is likely to be involved in this activity, however definitive attribution cannot be made at this point based solely on these indicators," WithSecure said.
(The story was updated after publication to include new insights from ESET, Check Point Research, and WithSecure.)
