Microsoft SharePoint Hackers Switch Gears to Spread Ransomware


This article was originally published on TechRepublic.

Recent attacks targeting Microsoft SharePoint have escalated, with threat actors now deploying ransomware on vulnerable systems, according to Microsoft. This surge in malicious activity follows the release of multiple SharePoint security patches in July.  

An update published to Microsoft’s blog reads, in part: “Expanded analysis and threat intelligence from our continued monitoring of exploitation activity by Storm-2603 leading to the deployment of Warlock ransomware.”

Detailing the attack

At least three threat groups believed to be affiliated with China have been exploiting publicly known vulnerabilities in Microsoft SharePoint, according to Microsoft. These include Linen Typhoon, Violet Typhoon, and Storm-2603.

The attackers exploited multiple weaknesses in on-premises SharePoint servers — including remote code execution (RCE), credential spoofing, and improper authentication — to gain unauthorized access. Once inside, they were able to infiltrate internal file systems and extract sensitive data that could be used for surveillance, impersonation, or extortion.

Microsoft issued patches to address the affected vulnerabilities — CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771 — in two separate rounds of security patches in early and mid-July. Despite these efforts, the company warned that ransomware is now being deployed on unpatched systems, including by Storm-2603.   

Who is Storm-2603?

While Linen Typhoon and Violet Typhoon are already known to be China-based, Microsoft said it has “medium confidence” that Storm-2603 originates from China.

Regardless of where it is located, Storm-2603 is known for its ransomware attacks. It has used LockBit and Warlock ransomware in the past, with the latter also being used in its most recent attacks against SharePoint.

What is Warlock ransomware?

According to Watchguard’s ransomware tracker, Warlock is classified as crypto-ransomware and was first detected in June 2025. As of this writing, there are nearly 20 known victims across the US, Canada, Germany, China, and several other countries.  

Microsoft Threat Intelligence identified several indicators of compromise (IOCs) that SharePoint administrators should monitor. These include a known IP address of 65.38.121.198, a file named IIS_Server_dll.dll that serves as a backdoor, and a series of web shells that are used by Storm-2603 to execute remote commands on the server.

How to protect your system from Storm-2603 and Warlock

Given the stealthy nature of Storm-2603 and its ransomware attacks, Microsoft recommends installing the latest security patches, using strong passwords, testing security configurations on a regular basis, and continuously monitoring your SharePoint server for any of the known IOCs.
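As an added example, not code from the article or from Microsoft, the script below turns the two indicators quoted above into a routine check: it parses IIS W3C logs for requests from the published IP address and walks given directories for the named backdoor file. The sample log lines and the SharePoint directory path are constructed for illustration; extend the IOC sets from Microsoft's full published list.

```python
"""Check IIS logs and web directories for the Storm-2603 indicators named in the article."""
import os
from typing import Dict, Iterable, List

# Indicators quoted in the article; add further published IOCs here.
IOC_IPS = {"65.38.121.198"}
IOC_FILENAMES = {"iis_server_dll.dll"}  # compared case-insensitively

# Constructed sample IIS W3C log: two benign requests, one from the IOC address,
# and one malformed line that the parser must skip rather than misalign.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-20 03:12:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.21 Mozilla/5.0 200
2025-07-20 03:12:07 10.0.0.5 POST /_layouts/15/viewlsts.aspx - 443 - 65.38.121.198 Mozilla/5.0 200
truncated line without enough columns
2025-07-20 03:13:44 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\bob 10.0.0.22 Mozilla/5.0 200
"""


def parse_iis_log(text: str) -> Iterable[Dict[str, str]]:
    """Yield one dict per entry, keyed by the column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header defines the column order for what follows
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skipping is safer than assigning wrong columns
        yield dict(zip(fields, values))


def find_ioc_hits(text: str) -> List[Dict[str, str]]:
    """Return log entries whose client IP (c-ip) is a known indicator."""
    return [e for e in parse_iis_log(text) if e.get("c-ip") in IOC_IPS]


def find_ioc_files(roots: Iterable[str]) -> List[str]:
    """Walk each directory and return paths whose file name matches an IOC name."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            hits.extend(os.path.join(dirpath, n) for n in files if n.lower() in IOC_FILENAMES)
    return hits


if __name__ == "__main__":
    for e in find_ioc_hits(SAMPLE_LOG):
        print("IOC IP hit:", e["date"], e["time"], e["cs-method"], e["cs-uri-stem"])
    # Assumed SharePoint web root; adjust to the server's actual layout.
    for path in find_ioc_files([r"C:\inetpub\wwwroot\wss\VirtualDirectories"]):
        print("IOC file found:", path)
```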

The company also recommends the use of tools within Microsoft Defender, such as Vulnerability Management and External Attack Surface Management (EASM), along with an active Microsoft Defender XDR subscription.

SharePoint continues its battle against hackers

With multiple vulnerabilities disclosed, rapid patch rollouts, and now active ransomware deployments, July has been a critical month for SharePoint users and defenders. While Microsoft continues to issue security fixes, the emergence of new attack vectors suggests that determined adversaries will likely keep probing for weaknesses.  
