Microsoft has revealed that one of the threat actors behind the active exploitation of SharePoint flaws is deploying Warlock ransomware on targeted systems.
The tech giant, in an update shared Wednesday, said the findings are based on an “expanded analysis and threat intelligence from our continued monitoring of exploitation activity by Storm-2603.”
The threat actor attributed to the financially motivated activity is a suspected China-based threat actor that’s known to drop Warlock and LockBit ransomware in the past.
The attack chains entail the exploitation of CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability, targeting unpatched on-premises SharePoint servers to deploy the spinstall0.aspx web shell payload.
“This initial access is used to conduct command execution using the w3wp.exe process that supports SharePoint,” Microsoft said. “Storm-2603 then initiates a series of discovery commands, including whoami, to enumerate user context and validate privilege levels.”
The attacks are characterized by the use of cmd.exe and batch scripts as the threat actor burrows deeper into the target network, while services.exe is abused to turn off Microsoft Defender protections by modifying the Windows Registry.
In addition to leveraging spinstall0.aspx for persistence, Storm-2603 has been observed creating scheduled tasks and modifying Internet Information Services (IIS) components to launch what Microsoft described as suspicious .NET assemblies. These actions are designed to ensure ongoing access even if the victims take steps to plug the initial access vectors.
Some of the other noteworthy aspects of the attacks include the deployment of Mimikatz to harvest credentials by targeting the Local Security Authority Subsystem Service (LSASS) memory, and then proceeding to conduct lateral movement using PsExec and the Impacket toolkit.
“Storm-2603 is then observed modifying Group Policy Objects (GPO) to distribute Warlock ransomware in compromised environments,” Microsoft said.
As mitigations, users are urged to follow the steps below –
- Upgrade to supported versions of on-premises Microsoft SharePoint Server
- Apply the latest security updates
- Ensure the Antimalware Scan Interface is turned on and configured correctly
- Deploy Microsoft Defender for Endpoint, or equivalent solutions
- Rotate SharePoint Server ASP.NET machine keys
- Restart IIS on all SharePoint servers using iisreset.exe (If AMSI cannot be enabled, it’s advised to rotate the keys and restart IIS after installing the new security update)
- Implement incident response plan
The development comes as the SharePoint Server flaws have come under large-scale exploitation, already claiming at least 400 victims. Linen Typhoon (aka APT27) and Violet Typhoon (aka APT31) are two other Chinese hacking groups that have been linked to the malicious activity. China has denied the allegations.
“Cybersecurity is a common challenge faced by all countries and should be addressed jointly through dialogue and cooperation,” China’s Foreign Ministry Spokesperson Guo Jiakun said. “China opposes and fights hacking activities in accordance with the law. At the same time, we oppose smears and attacks against China under the excuse of cybersecurity issues.”
