In mid‑2025, Microsoft and several cybersecurity firms disclosed that a previously little‑known threat actor, designated Storm‑2603, had been leveraging zero-day and patch‑bypass vulnerabilities in on‑premises SharePoint servers to deploy ransomware and steal cryptographic keys.
Unlike more established threat groups, Storm‑2603’s motives, structure, and long‑term goals remain somewhat opaque. It is being watched closely because of its use of advanced techniques and its apparent pivot into ransomware deployment within a broader exploitation campaign affecting organizations worldwide.
This article collects what is known so far: attribution, tactics, campaign details, and mitigation guidance.
Attribution & Profile
Chinese Nexus, but Unclear Links
Microsoft tracks Storm‑2603 with moderate confidence as a China‑based threat actor. However, it explicitly states that no definitive link has been established between Storm‑2603 and other known Chinese Advanced Persistent Threat (APT) groups.
The “Storm” prefix indicates that Microsoft treats this actor as an emerging or still‑developing activity cluster rather than a long‑standing, high-confidence, state‑sponsored group.
On Malpedia, Storm‑2603 is tracked with few associated malware families, and its objectives remain uncertain.
Past Ransomware Usage
Microsoft has observed Storm‑2603 deploying both Warlock and LockBit ransomware in prior incidents.
In the most recent campaigns, the focus has been on Warlock ransomware, particularly in the context of exploiting SharePoint vulnerabilities.
This dual behavior (espionage-style infrastructure access combined with ransomware) raises the possibility that Storm‑2603 is a hybrid actor, or one that alternates between state‑oriented goals and financially motivated operations.
The ToolShell / SharePoint Exploit Campaign
Storm‑2603’s recent activity is embedded in a wider campaign leveraging bugs in on‑premises SharePoint servers, often referred to in the security community as the “ToolShell” exploit chain.
Core Vulnerabilities & Exploit Chain
The campaign primarily exploits CVE-2025-49706 (a spoofing vulnerability) and CVE-2025-49704 (remote code execution).
Attackers also use bypass variants of those vulnerabilities, CVE-2025-53770 and CVE-2025-53771, to circumvent the patches Microsoft initially released.
Initial exploitation typically occurs via POST requests to SharePoint’s ToolPane endpoint, which allows authentication bypass followed by remote code execution.
Once exploited, attackers install a web shell, commonly named spinstall0.aspx, which may be renamed (spinstall.aspx, spinstall1.aspx, and so on) to evade detection.
The web shell is used to extract the server’s MachineKey material (the ASP.NET cryptographic keys SharePoint relies on), which lets the attackers retain access even after the server is patched.
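The two web-facing indicators above (POST requests to the ToolPane endpoint and any request for a spinstall-style web shell) can be hunted for directly in IIS W3C logs. The following Python script is an added example for defenders, not code from the original article or from any vendor advisory; the log lines it scans are constructed for the example, the field layout is the standard IIS W3C header, and the assumption that an unauthenticated ToolPane POST (cs-username of “-”) is the higher-signal variant follows from the authentication-bypass behaviour described above.

```python
import re
from typing import Dict, Iterator, List, Set

# Constructed IIS W3C log excerpt (not real traffic). The #Fields header drives the parser,
# so the same code works on production logs with a different column order.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-18 10:01:02 10.0.0.5 GET /sites/finance/default.aspx - 443 DOMAIN\\alice 10.0.1.20 Mozilla/5.0 200
2025-07-18 10:02:15 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-07-18 10:02:16 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-07-18 10:05:40 10.0.0.5 GET /_layouts/15/spinstall1.aspx - 443 - 203.0.113.7 curl/8.0 200
2025-07-18 10:06:00 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\\bob 10.0.1.21 Mozilla/5.0 200
"""

# ToolPane.aspx is the endpoint named in the exploit chain; the web shell is spinstall0.aspx
# or a renamed variant such as spinstall.aspx / spinstall1.aspx, hence the optional digits.
TOOLPANE_RE = re.compile(r"/toolpane\.aspx$", re.IGNORECASE)
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)


def parse_iis_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, using the most recent #Fields header for column names."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def hunt_toolshell(text: str) -> List[Dict[str, object]]:
    """Flag ToolPane POSTs and web-shell hits; each finding records client IP and whether it was anonymous."""
    findings: List[Dict[str, object]] = []
    for rec in parse_iis_log(text):
        method = rec.get("cs-method", "").upper()
        uri = rec.get("cs-uri-stem", "")
        anonymous = rec.get("cs-username", "-") in ("-", "")
        kind = None
        if method == "POST" and TOOLPANE_RE.search(uri):
            kind = "toolpane_post"
        elif WEBSHELL_RE.search(uri):
            kind = "webshell_hit"
        if kind:
            findings.append({
                "kind": kind,
                "time": f"{rec.get('date', '')} {rec.get('time', '')}",
                "client": rec.get("c-ip", ""),
                "uri": uri,
                "status": rec.get("sc-status", ""),
                "anonymous": anonymous,
            })
    return findings


def suspicious_clients(text: str) -> Set[str]:
    """Client addresses that touched either indicator; a good pivot for wider log searches."""
    return {str(f["client"]) for f in hunt_toolshell(text)}


if __name__ == "__main__":
    for finding in hunt_toolshell(SAMPLE_IIS_LOG):
        print(finding)
    print("clients to investigate:", sorted(suspicious_clients(SAMPLE_IIS_LOG)))
```

Legitimate administrators do POST to ToolPane.aspx when editing web part pages, so the `anonymous` flag and the follow-on web-shell request are what separate an exploit attempt from normal editing; a 200 response to any spinstall*.aspx path is a strong indicator on its own.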
Attack Life Cycle & Tactics
Once initial access is obtained, Storm‑2603 applies a multi-stage attack progression. Microsoft and other security researchers have documented the following steps:
Reconnaissance and Enumeration
Running commands such as whoami to confirm the execution context and privileges.
Using cmd.exe and batch scripts to explore the environment.
Disabling Protection / Defensive Evasion
Abusing services.exe to modify registry settings that disable Microsoft Defender or related protections.
Manipulating IIS and .NET assemblies to load malicious code under the guise of normal components.
Persistence Mechanisms
Maintaining the web shell itself (spinstall0.aspx and its renamed variants).
Creating scheduled tasks to re-execute payloads.
Manipulating Internet Information Services (IIS) to load malicious .NET assemblies or modules.
Credential Access and Lateral Movement
Using Mimikatz to dump credentials from LSASS memory.
Using tools such as PsExec, Impacket, and WMI to move laterally and execute commands on other systems.
Ransomware Deployment / Objective Execution
Modifying Group Policy Objects (GPOs) to roll out the ransomware payload en masse across compromised environments.
Deploying Warlock ransomware (and, in earlier incidents, LockBit) as the final payload.
Because of the MachineKey extraction, even environments that install the patches may remain exposed if the keys are not rotated afterwards.
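The stages above leave a recognisable trail in process-creation telemetry, and correlating them per host is what turns individual alerts into the multi-stage progression documented for Storm‑2603. The following Python script is an added example written for this article, not code from Microsoft or any of the cited researchers. The events are constructed, in the shape of Sysmon Event ID 1 or Windows 4688 records; it assumes that SharePoint runs inside the IIS worker process w3wp.exe (so a shell spawned by it is out of place), that Defender tampering shows up as reg.exe writing to a Windows Defender policy key, and that PsExec leaves its PSEXESVC.exe service binary on the target.

```python
from collections import defaultdict
from typing import Callable, Dict, List

# Constructed process-creation events (not real telemetry). WS10 is a benign control case:
# an interactive user running whoami from Explorer should not trip the web-server rule.
SAMPLE_EVENTS = [
    {"ts": "2025-07-18T10:02:20", "host": "SP01", "user": "IIS APPPOOL\\SharePoint",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"ts": "2025-07-18T10:03:05", "host": "SP01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"ts": "2025-07-18T10:04:10", "host": "SP01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /tn Updater /tr C:\ProgramData\u.bat /sc minute /mo 5"},
    {"ts": "2025-07-18T10:20:00", "host": "FS02", "user": "NT AUTHORITY\\SYSTEM",
     "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": "PSEXESVC.exe"},
    {"ts": "2025-07-18T09:00:00", "host": "WS10", "user": "DOMAIN\\carol",
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so rules do not depend on install location."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Each rule maps one stage of the documented life cycle to a predicate over a single event.
RULES: List[tuple] = [
    # Reconnaissance: a shell or whoami spawned directly by the IIS worker process (assumed w3wp.exe).
    ("recon_from_iis", lambda e: basename(e["parent"]) == "w3wp.exe"
        and basename(e["image"]) in {"cmd.exe", "whoami.exe", "powershell.exe"}),
    # Defensive evasion: registry edits against Windows Defender policy (assumed reg.exe form).
    ("defender_tamper", lambda e: basename(e["image"]) == "reg.exe"
        and "windows defender" in e["cmdline"].lower()),
    # Persistence: creation of a scheduled task.
    ("scheduled_task_persistence", lambda e: basename(e["image"]) == "schtasks.exe"
        and "/create" in e["cmdline"].lower()),
    # Lateral movement: the PsExec service binary starting on a host.
    ("psexec_lateral_movement", lambda e: basename(e["image"]) == "psexesvc.exe"),
]


def classify(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every rule over every event, oldest first, and return the stage hits."""
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        for stage, predicate in RULES:
            if predicate(e):
                findings.append({"stage": stage, "host": e["host"], "ts": e["ts"],
                                 "image": basename(e["image"]), "parent": basename(e["parent"])})
    return findings


def stages_by_host(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Ordered list of stage names observed on each host."""
    out: Dict[str, List[str]] = defaultdict(list)
    for f in classify(events):
        out[f["host"]].append(f["stage"])
    return dict(out)


def chained_hosts(events: List[Dict[str, str]], min_stages: int = 2) -> List[str]:
    """Hosts where at least min_stages distinct stages fired: the multi-stage progression, not a lone alert."""
    return sorted(h for h, s in stages_by_host(events).items() if len(set(s)) >= min_stages)


if __name__ == "__main__":
    for host, stages in stages_by_host(SAMPLE_EVENTS).items():
        print(host, "->", " > ".join(stages))
    print("hosts showing a chained progression:", chained_hosts(SAMPLE_EVENTS))
```

A single rule firing (a scheduled task, say) is routine on most estates; the value is in `chained_hosts`, which surfaces a SharePoint server that went from web-server-spawned reconnaissance to Defender tampering to persistence within minutes, and in the PsExec hit on a second host that marks the move off the initial foothold.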
Scale & Impact
At least 400 organizations are believed to have been affected in confirmed attack waves between July 17 and July 21, 2025.
High-profile victims include the U.S. National Nuclear Security Administration, the U.S. Department of Education, U.S. state revenue departments, and state legislatures.
Many of the targeted SharePoint servers were internet-facing and remained unpatched or improperly configured, making them ideal for external exploitation.
Because the campaign is ongoing and evolving, the full scope of data exfiltration, financial losses, or long-term impact is not yet known.
Challenges & Unknowns
While the campaign has been extensively documented, several uncertainties remain:
Motivation & Strategy: It is unclear whether Storm‑2603 is primarily financially motivated, state-directed, or hybrid in nature. Microsoft states it is “currently unable to confidently assess the threat actor’s objectives.”
Organizational Structure & Affiliations: No definitive affiliations to other known Chinese APTs have been established.
Persistence Post-Patching: The theft of MachineKey data means attackers may retain access even after patches are applied, unless the keys are rotated and the relevant services restarted properly.
Long-Term Campaign Evolution: It is not yet known how Storm‑2603 will evolve its tactics, or whether additional zero-days and bypass techniques will emerge.