Storm-2603 exploits SharePoint flaws to deploy Warlock ransomware on unpatched systems


Microsoft has revealed that one of the threat actors behind the active exploitation of SharePoint flaws is deploying Warlock ransomware on targeted systems.

The tech giant said in an update shared on Wednesday that the findings are based on "an expanded analysis and threat intelligence from continued monitoring of exploitation activity by Storm-2603."

The threat actor, which is assessed to be financially motivated, is suspected to be a China-based group that has been known to drop Warlock and LockBit ransomware in the past.

The attack chain involves the exploitation of CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability, against unpatched on-premises SharePoint servers to deploy the spinstall0.aspx web shell payload.

"This initial access is used to run command execution using the w3wp.exe process that supports SharePoint," Microsoft said. "Storm-2603 starts a set of discovery commands, including whoami, to enumerate the user context and verify the privilege level."

The attacks are characterized by the use of cmd.exe and batch scripts as the threat actors burrow deeper into the target network, while services.exe is abused to modify the Windows Registry and turn off Microsoft Defender protections.

In addition to using spinstall0.aspx for persistence, Storm-2603 has been observed creating scheduled tasks and modifying Internet Information Services (IIS) components to launch what Microsoft described as suspicious .NET assemblies. These actions are designed to ensure persistent access even if the victim takes steps to close the initial access vector.

Other notable aspects of the attacks include the deployment of Mimikatz to target Local Security Authority Subsystem Service (LSASS) memory and harvest credentials, followed by lateral movement using PsExec and the Impacket toolkit.


“We’re observing Storm-2603 modifying Group Policy Objects (GPOs) to distribute Warlock ransomware in compromised environments,” Microsoft said.
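The tradecraft Microsoft describes above (spinstall0.aspx dropped into the SharePoint LAYOUTS directory, w3wp.exe spawning cmd.exe and whoami, Defender switched off through registry policy keys, new scheduled tasks for persistence) maps directly onto host-level checks. The following PowerShell triage script is an added example written for this page, not code from Microsoft or from any of the vendors quoted here. The LAYOUTS paths, the 30-day and 7-day lookback windows, and the specific Defender policy values it inspects are assumptions about a typical on-premises SharePoint server; the Security event 4688 query only returns results where process-creation auditing with command-line logging is enabled (ParentProcessName is populated on Windows Server 2016 and later).

```powershell
# Added example, not Microsoft's code: triage a SharePoint host for the Storm-2603
# indicators described in the report. Run elevated on each SharePoint server.
#Requires -RunAsAdministrator

$findings = [System.Collections.Generic.List[string]]::new()
$nowUtc   = (Get-Date).ToUniversalTime()

# 1. Web shell: spinstall0.aspx (and renamed variants) in the LAYOUTS directories.
#    Assumed locations: the 15 and 16 hives under the default install root.
$layoutsDirs = @(
    "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS",
    "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
) | Where-Object { Test-Path $_ }

foreach ($dir in $layoutsDirs) {
    Get-ChildItem -Path $dir -Filter 'spinstall*.aspx' -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Web shell candidate: $($_.FullName) (written $($_.LastWriteTimeUtc)Z)") }
    # Any .aspx written into LAYOUTS in the last 30 days deserves a look, even if renamed.
    Get-ChildItem -Path $dir -Filter '*.aspx' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTimeUtc -gt $nowUtc.AddDays(-30) } |
        ForEach-Object { $findings.Add("Recently written LAYOUTS page: $($_.FullName)") }
}

# 2. Defender tampering via registry policy (assumed keys; the report names services.exe
#    as the process abused to write them).
$defenderPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
foreach ($name in 'DisableAntiSpyware', 'DisableAntiVirus') {
    $v = Get-ItemProperty -Path $defenderPolicy -Name $name -ErrorAction SilentlyContinue
    if ($v -and $v.$name -eq 1) { $findings.Add("Defender policy tamper: $defenderPolicy\$name = 1") }
}
$rtp = Get-ItemProperty -Path "$defenderPolicy\Real-Time Protection" -Name DisableRealtimeMonitoring -ErrorAction SilentlyContinue
if ($rtp -and $rtp.DisableRealtimeMonitoring -eq 1) { $findings.Add('Defender real-time protection disabled by policy') }

# 3. Scheduled tasks registered recently (persistence). The task XML carries the registration date.
Get-ScheduledTask | ForEach-Object {
    $xml  = [xml](Export-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath)
    $date = $xml.Task.RegistrationInfo.Date
    if ($date -and ([datetime]$date) -gt (Get-Date).AddDays(-30)) {
        $findings.Add("Recent scheduled task: $($_.TaskPath)$($_.TaskName) registered $date")
    }
}

# 4. Discovery from the IIS worker: cmd.exe / whoami / powershell.exe with w3wp.exe as parent.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $e = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $e.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ParentProcessName -like '*\w3wp.exe' -and $d.NewProcessName -match '\\(cmd|whoami|powershell)\.exe$') {
            $findings.Add("w3wp.exe spawned $($d.NewProcessName) at $($_.TimeCreated): $($d.CommandLine)")
        }
    }

if ($findings.Count -eq 0) { 'No Storm-2603 indicators found on this host.' }
else { $findings | Sort-Object -Unique }
```

A hit on check 1 or 4 means the host should be treated as compromised and the machine keys assumed stolen, regardless of whether the security update has since been applied; checks 2 and 3 are corroborating signals that the intrusion progressed past initial access.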


As mitigations, users are advised to follow the steps below:

  • Upgrade to a supported version of on-premises Microsoft SharePoint Server
  • Apply the latest security updates
  • Ensure the Antimalware Scan Interface (AMSI) is turned on and configured correctly
  • Deploy Microsoft Defender for Endpoint or an equivalent solution
  • Rotate the SharePoint Server ASP.NET machine keys
  • Restart IIS on all SharePoint servers using iisreset.exe (if you cannot enable AMSI, rotate the keys and restart IIS after installing the new security update)
  • Implement incident response plans
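The patch check, AMSI check, key rotation and IIS restart from the list above, carried out as one PowerShell run on a farm server. This is an added example for this page, not Microsoft's own script. It assumes the SharePoint Management Shell and farm-administrator rights, a placeholder fixed build number that must be replaced with the value from the advisory for your SharePoint version, and that the presence of amsi.dll in the IIS worker processes is an acceptable heuristic for AMSI integration being active (the authoritative setting is the web application's AMSI feature). The rotation step is the one that matters most given the machine-key theft WithSecure and Fortinet describe later on this page: keys stolen before patching keep working until they are replaced.

```powershell
# Added example, not Microsoft's code: post-incident hardening of one SharePoint server.
# Run in the SharePoint Management Shell as a farm administrator, on every server in the farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Patch level. $fixedBuild is a placeholder; take the real fixed build for your
#    SharePoint version from the Microsoft advisory before relying on this check.
$fixedBuild = [version]'16.0.0.0'
$farmBuild  = (Get-SPFarm).BuildVersion
if ($farmBuild -lt $fixedBuild) {
    Write-Warning "Farm build $farmBuild is below $fixedBuild; install the security update, then rotate keys."
} else {
    Write-Host "Farm build $farmBuild meets or exceeds $fixedBuild."
}

# 2. AMSI. When SharePoint's AMSI integration is active, each w3wp.exe loads amsi.dll.
#    Heuristic only: confirm the web application's AMSI feature state in Central Administration.
$workers    = Get-Process -Name w3wp -ErrorAction SilentlyContinue
$amsiLoaded = @($workers | Where-Object { $_.Modules.ModuleName -contains 'amsi.dll' })
if ($workers -and $amsiLoaded.Count -eq 0) {
    Write-Warning 'No w3wp.exe process has amsi.dll loaded; AMSI integration looks disabled.'
}

# 3. Rotate the ASP.NET machine keys for every web application, including Central Administration.
#    Update-SPMachineKey regenerates the validation/decryption keys and deploys them farm-wide.
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
}

# 4. Restart IIS so the new keys take effect and any ViewState signed with the old keys stops validating.
& "$env:SystemRoot\System32\iisreset.exe" /noforce
```

Run steps 3 and 4 only after the update is installed: rotating keys on an unpatched server just hands the attacker a fresh set the next time the exploit fires.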

The development comes as the SharePoint Server flaws remain under mass exploitation, with at least 400 victims claimed so far. Linen Typhoon (aka APT27) and Violet Typhoon (aka APT31) are two other China-linked hacking groups tied to the malicious activity. China has denied the allegations.

“Cybersecurity is a common challenge facing all countries and needs to be addressed jointly through dialogue and cooperation,” said Guo Jiakun, spokesman for China’s Ministry of Foreign Affairs. “China will oppose and fight against hacking activities according to the law, and at the same time oppose smears and attacks against China under the excuses of cybersecurity issues.”

Update

Cybersecurity firm ESET said it has observed ToolShell exploitation activity globally, with the U.S. accounting for 13.3% of all attacks, according to its telemetry. Other prominent targets include the U.K., Italy, Portugal, France and Germany.

"The victims of the ToolShell attacks include several high-value government organizations that have been targets for these groups for many years," the Slovak company said. "The cat is out of the bag now, so we expect more opportunistic attackers to take advantage of unpatched systems."


Data from Check Point Research also shows that a large-scale exploitation effort is ongoing. As of July 24, 2025, over 4,600 compromise attempts have been detected against more than 300 organizations worldwide, spanning the government, software, telecommunications, financial services, business services and consumer goods sectors.

"To our surprise, we see that attackers are leveraging known Ivanti EPMM vulnerabilities throughout the campaign," Check Point said.

WithSecure's analysis of the ToolShell attacks has also revealed the deployment of the Godzilla web shell, suggesting the activity may be linked to a previous campaign by an unattributed threat actor in December 2024 that leveraged publicly disclosed ASP.NET machine keys.

"One of the main goals of the current campaign is to steal the ASP.NET machine key and maintain access to SharePoint servers even after patching," the Finnish security vendor said.

The attacks have also paved the way for other payloads, including:

  • Collect, which gathers system data and a list of running processes
  • RemoteExec, which runs commands via cmd.exe and returns the output to the threat actors
  • AsmLoader, which launches shellcode within the running process (the IIS worker) or a remote process
  • A custom ASP.NET MachineKey stealer similar to spinstall0.aspx that harvests the MachineKey components along with the machine name and username
  • BadPotato, for privilege escalation

"Their use and implementation suggest that Chinese-speaking threat actors are likely to be involved in this activity, but at this point we cannot make definitive attributions based solely on these indicators," WithSecure said.

Fortinet FortiGuard Labs, which is also tracking the campaign, said the ToolShell exploit is being used to upload an ASP.NET web shell called GhostWebShell, designed to execute arbitrary commands via cmd.exe and maintain persistent access.


"The GhostWebShell web shell is a lightweight, memory-resident command shell that cleverly abuses SharePoint and ASP.NET internals for persistence, execution, and advanced evasion, making it a formidable post-exploitation tool," the company said.

The attacks also involve a tool called KeySiphon that works similarly to the spinstall0.aspx web shell payload, in that it captures the application's validation and decryption keys along with the selected encryption mode and system information.

"By owning these secrets, attackers can forge authentication tokens, tamper with ViewState MACs for deserialization or data manipulation, and decrypt protected data within the same application domain," Fortinet said.

(The story was updated after publication to include new insights from ESET, Check Point Research, WithSecure and Fortinet.)
