
Microsoft has revealed that one of the threat actors behind the aggressive exploitation of SharePoint flaws is deploying Warlock ransomware on target systems.
The tech giant said in an update shared on Wednesday that the findings are based on “analysis and increased threat intelligence from continuous surveillance of Storm-2603’s exploitation activities.”
The financially motivated threat actor is suspected of being China-based and has been known to drop Warlock and LockBit ransomware in the past.
The attack chain involves exploitation of CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability, targeting on-premises SharePoint servers to deploy the spinstall0.aspx web shell payload.

“This initial access is used to run command execution using the W3WP.EXE process that supports SharePoint,” Microsoft said. “Storm-2603 starts a set of discovery commands, including whoami, to enumerate the user’s context and verify the privilege level.”
The attacks are characterized by the use of cmd.exe and batch scripts as the threat actors dig deeper into the target network, while services.exe is abused to modify the Windows registry and turn off Microsoft Defender protections.
Besides leveraging spinstall0.aspx for continued access, Storm-2603 has been observed creating scheduled tasks and modifying Internet Information Services (IIS) components to launch what Microsoft described as a suspicious .NET assembly. These actions are designed to ensure persistent access even when victims take steps to close the initial access vector.
Other notable aspects of the attack include the deployment of Mimikatz to target Local Security Authority Subsystem Service (LSASS) memory to harvest credentials, followed by lateral movement using PsExec and the Impacket toolkit.
“We’re observing Storm-2603 modifying Group Policy Objects (GPOs) to distribute Warlock ransomware in compromised environments,” Microsoft said.
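The behaviours described above (the SharePoint worker process w3wp.exe spawning command shells and discovery tools, and registry changes that turn off Defender) translate directly into detection logic. The Python below is an added example, not Microsoft's or the article's code: it runs two rules over process-creation and registry events constructed inline. The event schema is my own, and the specific Defender policy values it checks (DisableAntiSpyware, DisableRealtimeMonitoring) are an assumption, since the article does not name which registry values Storm-2603 changed.

```python
"""Detect the Storm-2603 post-exploitation pattern in endpoint telemetry.

Added example (not Microsoft's or the article's code). Two rules:
  1. a command shell, discovery tool or task scheduler whose process ancestry
     leads back to the SharePoint worker w3wp.exe (web shell command execution)
  2. a registry write to a Microsoft Defender policy value that disables
     protection (tampering, attributed in the article to services.exe)
The Event schema and the sample events are constructed; the Defender value
names are an assumption about which policy values an attacker would change.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    kind: str          # "process" (creation) or "registry" (value write)
    host: str
    pid: int           # pid of the created / writing process
    ppid: int          # parent pid (only meaningful for "process" events)
    image: str         # image file name of the process
    cmdline: str = ""  # command line for "process" events
    target: str = ""   # full key\value path for "registry" events


SHAREPOINT_WORKER = "w3wp.exe"
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "whoami.exe", "schtasks.exe"}
DEFENDER_POLICY_KEY = r"hklm\software\policies\microsoft\windows defender"
DEFENDER_TAMPER_VALUES = {"disableantispyware", "disablerealtimemonitoring"}

ProcKey = Tuple[str, int]
Finding = Tuple[str, str, str]   # (host, rule name, detail)


def _descends_from_worker(parent: ProcKey, procs: Dict[ProcKey, Tuple[str, ProcKey]]) -> bool:
    """Walk the parent chain recorded so far; True if w3wp.exe is an ancestor."""
    seen = set()
    while parent in procs and parent not in seen:
        seen.add(parent)              # guard against pid reuse producing a cycle
        image, parent = procs[parent]
        if image == SHAREPOINT_WORKER:
            return True
    return False


def detect(events: List[Event]) -> List[Finding]:
    """Apply both rules to events in chronological order and return the findings."""
    procs: Dict[ProcKey, Tuple[str, ProcKey]] = {}   # (host, pid) -> (image, parent key)
    findings: List[Finding] = []
    for ev in events:
        image = ev.image.lower()
        if ev.kind == "process":
            procs[(ev.host, ev.pid)] = (image, (ev.host, ev.ppid))
            if image in SUSPECT_CHILDREN and _descends_from_worker((ev.host, ev.ppid), procs):
                findings.append((ev.host, "sharepoint-worker-spawned-command", ev.cmdline))
        elif ev.kind == "registry":
            key, _, value = ev.target.lower().rpartition("\\")
            if key.startswith(DEFENDER_POLICY_KEY) and value in DEFENDER_TAMPER_VALUES:
                findings.append((ev.host, "defender-tamper-via-registry", f"{image} wrote {ev.target}"))
    return findings


# Constructed telemetry: one SharePoint host showing the pattern from the article,
# plus benign noise (an administrator's cmd.exe and an unrelated registry write).
SAMPLE_EVENTS = [
    Event("process", "SP01", 4100, 900, "w3wp.exe", 'w3wp.exe -ap "SharePoint - 80"'),
    Event("process", "SP01", 5222, 4100, "cmd.exe", "cmd.exe /c whoami"),
    Event("process", "SP01", 5230, 5222, "whoami.exe", "whoami"),
    Event("process", "SP01", 5240, 5222, "schtasks.exe", "schtasks.exe /create"),
    Event("registry", "SP01", 6000, 900, "services.exe",
          target=r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"),
    Event("process", "SP01", 7000, 1200, "cmd.exe", "cmd.exe /c dir"),
    Event("registry", "SP01", 7100, 1200, "regedit.exe",
          target=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"),
]


if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{host}  {rule}: {detail}")
```

The ancestry walk matters more than a simple parent check: whoami.exe in the sample is a grandchild of w3wp.exe (spawned via cmd.exe), which a parent-only rule would miss. The administrator's cmd.exe, whose parent was never seen as a SharePoint worker, is left alone.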

As a mitigation, users are advised to follow the steps below:
- Upgrade to a supported version of on-premises Microsoft SharePoint Server
- Apply the latest security updates
- Ensure that the Antimalware Scan Interface (AMSI) is turned on and that Microsoft Defender is correctly deployed on the endpoint
- Implement an incident response plan (after installing the new security updates)

The campaign has already claimed at least 400 victims, with the SharePoint Server flaws under mass exploitation. Linen Typhoon (aka APT27) and Violet Typhoon (aka APT31) are two other Chinese hacking groups linked to the malicious activity. China has denied the allegations.
“Cybersecurity is a common challenge facing all countries and needs to be addressed jointly through dialogue and cooperation,” said Guo Jiakun, spokesman for China’s Ministry of Foreign Affairs. “China will oppose and fight against hacking activities according to the law, and at the same time oppose smears and attacks against China under the excuses of cybersecurity issues.”