As cybersecurity experts continue analyzing the fallout from a devastating series of attacks that began in mid-July 2025, Chinese state-linked threat actors have successfully compromised more than 400 organizations worldwide through sophisticated exploitation of SharePoint vulnerabilities, deploying Warlock ransomware and other malicious payloads across critical infrastructure sectors.
Storm-2603, identified as the primary China-based group orchestrating these attacks, has exploited multiple SharePoint vulnerabilities including CVE-2025-53770, CVE-2025-53771, CVE-2025-49706, and CVE-2025-49704 to gain unauthorized access to sensitive systems. Microsoft tracks these “Storm” groups as factions actively developing capabilities, linking them directly to Chinese government interests focused on espionage and intellectual property theft.
Chinese state-linked Storm-2603 exploited four critical SharePoint vulnerabilities to compromise sensitive systems across hundreds of global organizations.
The attack methodology, dubbed “ToolShell” by security researchers, involves chaining vulnerabilities to bypass identity controls and establish privileged access through custom web shell payloads such as spinstall0.aspx. Once inside target networks, attackers execute commands, validate privileges, disable Microsoft Defender protections, and maintain persistence using batch scripts and malicious .NET assemblies.
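The web shell described above leaves a straightforward trail: a request for a page that should not exist under `/_layouts/`, typically unauthenticated and answered with a 200, plus a new `.aspx` file on disk. The following hunting script is an added example and not code from the article or from Microsoft; the file name `spinstall0.aspx` comes from the article, while the IIS log lines, the client addresses and the baseline of legitimate LAYOUTS pages are constructed placeholders (a real baseline is taken from a known-good server of the same build). The parser reads column names from the IIS `#Fields:` header, so it works with the default IIS field layout assumed here and with custom layouts.

```python
"""Hunt IIS W3C logs and a LAYOUTS directory listing for ToolShell-style web shell activity."""
import re
from typing import Iterable, Iterator, Dict, List, Tuple

# Web shell file name reported for this campaign (taken from the article above).
KNOWN_WEBSHELL_NAMES = {"spinstall0.aspx"}

# Constructed placeholder baseline of legitimate /_layouts/15/ pages. A real baseline is
# built from the LAYOUTS directory of a known-good SharePoint server of the same build.
LAYOUTS_BASELINE = {"start.aspx", "viewlsts.aspx", "settings.aspx", "signout.aspx"}

# Constructed sample IIS log (not real traffic). The #Fields header uses the default
# IIS layout; the parser derives column names from it rather than hard-coding positions.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 02:11:04 10.0.0.5 GET /_layouts/15/start.aspx - 443 jdoe 10.0.0.77 Mozilla/5.0 - 200 0 0 120
2025-07-19 02:12:31 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 31
2025-07-19 02:12:33 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 45
2025-07-19 02:15:00 10.0.0.5 GET /_layouts/15/viewlsts.aspx - 443 jdoe 10.0.0.77 Mozilla/5.0 - 200 0 0 88
2025-07-19 02:16:12 10.0.0.5 GET /_layouts/15/settings.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 401 2 5 4
2025-07-19 02:17:40 10.0.0.5 POST /_layouts/15/ghostpage.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 52
"""

Finding = Tuple[str, str, str, str]  # (client ip, method, uri stem, reason)
LAYOUTS_PATH = re.compile(r"/_layouts/\d+/", re.IGNORECASE)


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the most recent #Fields header."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the "#Fields:" token
            continue
        if line.startswith("#") or not fields:
            continue  # other directives, or data before any header
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip instead of misaligning columns
        yield dict(zip(fields, values))


def hunt_iis_log(text: str, baseline: Iterable[str] = LAYOUTS_BASELINE) -> List[Finding]:
    """Flag requests for the known web shell name and unauthenticated 200s to non-baseline LAYOUTS pages."""
    known_good = {name.lower() for name in baseline}
    findings: List[Finding] = []
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"]
        page = stem.rsplit("/", 1)[-1].lower()
        if page in KNOWN_WEBSHELL_NAMES:
            findings.append((rec["c-ip"], rec["cs-method"], stem, "known web shell name"))
            continue
        unauthenticated = rec["cs-username"] == "-"
        served_ok = rec["sc-status"] == "200"
        if (LAYOUTS_PATH.match(stem) and page.endswith(".aspx")
                and page not in known_good and unauthenticated and served_ok):
            findings.append((rec["c-ip"], rec["cs-method"], stem,
                             "unauthenticated 200 to non-baseline LAYOUTS page"))
    return findings


def unexpected_layouts_files(listing: Iterable[str], baseline: Iterable[str] = LAYOUTS_BASELINE) -> List[str]:
    """Return .aspx file names from a LAYOUTS directory listing that are not in the baseline.

    Pass the output of a directory listing of the server's LAYOUTS folder; names are
    compared case-insensitively because NTFS is case-insensitive.
    """
    known_good = {name.lower() for name in baseline}
    return sorted(name.lower() for name in listing
                  if name.lower().endswith(".aspx") and name.lower() not in known_good)


if __name__ == "__main__":
    for ip, method, stem, reason in hunt_iis_log(SAMPLE_IIS_LOG):
        print(f"{ip:>15} {method:<5} {stem:<35} {reason}")
    print("unexpected files:", unexpected_layouts_files(["start.aspx", "SPInstall0.aspx", "logo.png"]))
```

Run against the constructed log, the script reports the two requests to `spinstall0.aspx` and the unauthenticated POST to the unknown `ghostpage.aspx`, while the 401 to `settings.aspx` is ignored because an unauthenticated request that was refused is normal. A hit from either function is a triage lead, not proof of compromise: confirm by examining the file itself and the process tree of the IIS worker process around the request time.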
Multiple US government agencies have fallen victim to these coordinated attacks, including the Departments of Energy, Homeland Security, Health and Human Services, Education, and the National Nuclear Security Administration.
The California Independent System Operator also confirmed compromise, highlighting the broad scope targeting energy, health, education, government, defense, technology, and human rights organizations.
Warlock ransomware represents the culmination of these intrusion campaigns, deployed after attackers modify group policy settings on compromised SharePoint servers. Storm-2603 has previously used both Warlock and LockBit ransomware variants, indicating an evolving toolkit designed to maximize financial impact while disrupting critical operations.
Additional China-linked groups, Linen Typhoon and Violet Typhoon, have concurrently exploited similar SharePoint vulnerabilities, suggesting coordinated efforts across multiple threat actor teams. These groups maintain long-term access through scheduled tasks, registry tampering that disables security protections, and theft of the servers' ASP.NET machine keys, which remain usable even after security patches are applied.
Microsoft has released security updates addressing these SharePoint vulnerabilities for SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.
However, the rapid global expansion of attacks demonstrates the critical urgency organizations face in implementing extensive defensive measures against sophisticated state-sponsored cyber operations.