On July 7, 2025, Microsoft officially linked the exploitation of security flaws in Internet-facing SharePoint Server instances to two Chinese hacking groups called Linen Typhoon and Violet Typhoon, corroborating earlier reporting.
The tech giant also observed a third China-based threat actor, tracked as Storm-2603, weaponizing the flaws to gain initial access to target organizations.
“With the rapid adoption of these exploits, Microsoft is confident that threat actors will continue to integrate them into attacks against unpatched on-premises SharePoint systems,” the tech giant said in a report released today.
A brief description of the threat activity clusters can be found below –
- Linen Typhoon (aka APT27, Bronze Union, Emissary Panda, Iodine, Lucky Mouse, Red Phoenix, UNC215)
- Violet Typhoon (aka APT31, Bronze Vinewood, Judgment Panda, Red Keres, Zirconium)
- Storm-2603 (suspected China-based threat actor that has previously deployed Warlock and LockBit ransomware)
The attacks against on-premises SharePoint servers have been found to take advantage of bypasses for the incomplete fixes of the spoofing flaw CVE-2025-49706 and the remote code execution bug CVE-2025-49704. The bypasses have been assigned CVE-2025-53771 and CVE-2025-53770, respectively.

In the attacks observed by Microsoft, threat actors sent POST requests to the ToolPane endpoint of on-premises SharePoint servers, resulting in authentication bypass and remote code execution.
As documented by other cybersecurity vendors, the infection chain paves the way for the deployment of a web shell named “spinstall0.aspx” (also observed as spinstall.aspx, spinstall1.aspx, or spinstall2.aspx), which the adversaries use to retrieve and steal machine key data.
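Detection logic for the activity described above, as an added example that is not part of the original article: it parses a constructed IIS W3C log excerpt (the log lines, IP addresses and usernames are made up) and flags POST requests to the ToolPane endpoint and any request for one of the spinstall web shell paths.

```python
import re

# Constructed IIS W3C log excerpt (sample data, not from a real incident).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2025-07-18 10:01:12 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CORP\\alice 10.0.1.20 200
2025-07-18 10:02:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.9 200
2025-07-18 10:02:51 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 200
2025-07-18 10:05:03 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\bob 10.0.1.21 200
2025-07-18 10:06:10 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 CORP\\bob 10.0.1.21 200
"""

# ToolPane endpoint (any _layouts version folder) and the spinstall*.aspx web shell names.
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.IGNORECASE)
SPINSTALL_RE = re.compile(r"/spinstall\d?\.aspx$", re.IGNORECASE)


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def detect_toolshell(records):
    """Return (record, reason) pairs for requests matching the activity above."""
    findings = []
    for rec in records:
        method, stem, user = rec["cs-method"], rec["cs-uri-stem"], rec["cs-username"]
        if method.upper() == "POST" and TOOLPANE_RE.search(stem):
            # Authentication bypass means the POST arrives without a SharePoint user;
            # an authenticated POST can be legitimate editing and is lower confidence.
            who = "unauthenticated" if user == "-" else f"user {user}"
            findings.append((rec, f"POST to ToolPane endpoint ({who})"))
        elif SPINSTALL_RE.search(stem):
            findings.append((rec, "request for spinstall web shell path"))
    return findings


if __name__ == "__main__":
    for rec, reason in detect_toolshell(parse_iis_log(SAMPLE_IIS_LOG)):
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"], "->", reason)
```

Legitimate GET requests to ToolPane by authenticated users are deliberately not flagged, so the output above lists only the unauthenticated POST and the web shell request.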
Cybersecurity researcher Rakesh Krishnan said that during a forensic analysis of the SharePoint exploit, “three distinct Microsoft Edge calls were identified,” namely the network utility process, the Crashpad handler, and the GPU process.
“Each of these serves a unique function within Chromium’s architecture and collectively reveals strategies for behavior mimicry and sandbox evasion,” Krishnan said, calling attention to the web shell’s use of the Client Update Protocol (CUP) for “blending malicious traffic with benign update checks.”
To mitigate the risk posed by these threats, users are advised to apply the latest updates for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016, rotate the SharePoint Server ASP.NET machine keys, restart Internet Information Services (IIS), and deploy Microsoft Defender for Endpoint or an equivalent solution.
It is also recommended to integrate and enable the Antimalware Scan Interface (AMSI) and Microsoft Defender (or a similar solution) for all on-premises SharePoint deployments, and to configure AMSI to enable Full Mode.
“Additional actors can use these exploits to target unpatched SharePoint systems, further highlighting the need for organizations to implement mitigations and security updates immediately,” Microsoft said.
Microsoft’s confirmation is the latest hacking campaign to be linked to China, but this is the second time a Beijing-aligned threat actor has targeted the Windows maker. In March 2021, the adversarial collective tracked as Silk Typhoon (aka Hafnium) was linked to a mass exploitation activity that weaponized multiple then-zero-days in Exchange Server.
Earlier this month, Xu Zewei, a 33-year-old Chinese national, was arrested in Italy and charged with carrying out cyberattacks against American organizations and government agencies by weaponizing a flaw in Microsoft Exchange Server that came to be known as ProxyLogon.