A China-based hacking group is deploying Warlock ransomware on Microsoft SharePoint servers vulnerable to widespread attacks targeting the recently patched ToolShell zero-day exploit chain.
Non-profit security organization Shadowserver is currently tracking over 420 SharePoint servers that are exposed online and remain vulnerable to these ongoing attacks.
"Although Microsoft has observed this threat actor deploying Warlock and Lockbit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor’s objectives," the company said in a Wednesday report.
"Starting on July 18, 2025, Microsoft has observed Storm-2603 deploying ransomware using these vulnerabilities.
After breaching the victims' networks, Storm-2603 operators use the Mimikatz hacking tool to extract plaintext credentials from LSASS memory.
They then move laterally with PsExec and the Impacket toolkit, executing commands via Windows Management Instrumentation (WMI), and modifying Group Policy Objects (GPOs) to deliver Warlock ransomware across compromised systems.
"Customers should apply the on-premises SharePoint Server security updates immediately and follow the detailed mitigation guidance in our blog," Microsoft also warned.
Storm-2603 ransomware attack flow (Microsoft)
Microsoft Threat Intelligence researchers have also linked the Linen Typhoon and Violet Typhoon Chinese state-backed hacking groups with these attacks on Tuesday, days after Dutch cybersecurity firm Eye Security first detected zero-day attacks exploiting the CVE-2025-49706 and CVE-2025-49704 vulnerabilities.
Since then, Eye Security CTO Piet Kerkhofs told BleepingComputer that the number of breached entities is much larger, with "most of them already compromised for some time already." According to the cybersecurity company's statistics, the attackers have so far infected at least 400 servers with malware and breached 148 organizations worldwide.
... continue reading