Microsoft has formally tied the exploitation of security flaws in internet-facing SharePoint Server instances to two Chinese hacking groups called Linen Typhoon and Violet Typhoon as early as July 7, 2025, corroborating earlier reports.
The tech giant said it also observed a third China-based threat actor, which it tracks as Storm-2603, weaponizing the flaws as well to obtain initial access to target organizations.
“With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems,” the tech giant said in a report published today.
A brief description of the threat activity clusters is below –
- Linen Typhoon (aka APT27, Bronze Union, Emissary Panda, Iodine, Lucky Mouse, Red Phoenix, and UNC215), which is active since 2012 and has been previously attributed to malware families like SysUpdate, HyperBro, and PlugX
- Violet Typhoon (aka APT31, Bronze Vinewood, Judgement Panda, Red Keres, and Zirconium), which is active since 2015 and has been previously attributed attacks targeting the United States, Finland, and Czechia
- Storm-2603, a suspected China-based threat actor that has deployed Warlock and LockBit ransomware in the past
The vulnerabilities, which affect on-premises SharePoint servers, have been found to leverage incomplete fixes for CVE-2025-49706, a spoofing flaw, and CVE-2025-49704, a remote code execution bug. The bypasses have been assigned the CVE identifiers CVE-2025-53771 and CVE-2025-53770, respectively.
In the attacks observed by Microsoft, the threat actors have been found exploiting on-premises SharePoint servers through a POST request to the ToolPane endpoint, resulting in an authentication bypass and remote code execution.
As disclosed by other cybersecurity vendors, the infection chains pave the way for the deployment of a web shell named “spinstall0.aspx” (aka spinstall.aspx, spinstall1.aspx, or spinstall2.aspx) that allows the adversaries to retrieve and steal MachineKey data.
Cybersecurity researcher Rakesh Krishnan said “three distinct Microsoft Edge invocations were identified” during forensic analysis of a SharePoint exploit. This includes Network Utility Process, Crashpad Handler, and GPU Process.
“Each serves a unique function within Chromium’s architecture, yet collectively reveals a strategy of behavioral mimicry and sandbox evasion,” Krishnan noted, while also calling attention to the web shell’s use of Google’s Client Update Protocol (CUP) to “blend malicious traffic with benign update checks.”
To mitigate the risk posed by the threat, it’s essential that users apply the latest update for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016, rotate SharePoint server ASP.NET machine keys, restart Internet Information Services (IIS), and deploy Microsoft Defender for Endpoint or equivalent solutions.
It’s also recommended to integrate and enable Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus (or similar solutions) for all on-premises SharePoint deployments and configure AMSI to enable Full Mode.
“Additional actors may use these exploits to target unpatched on-premises SharePoint systems, further emphasizing the need for organizations to implement mitigations and security updates immediately,” Microsoft said.
While the confirmation from Microsoft is the latest hacking campaign linked to China, it is also the second time Beijing-aligned threat actors have targeted the Windows maker. In March 2021, the adversarial collective tracked as Silk Typhoon (aka Hafnium) was tied to a mass-exploitation activity that leveraged multiple then-zero-days in Exchange Server.
Earlier this month, a 33-year-old Chinese national, Xu Zewei, was arrested in Italy and charged with carrying out cyber attacks against American organizations and government agencies by weaponizing the Microsoft Exchange Server flaws, which came to be known as ProxyLogon.
