A China-based hacking group is deploying Warlock ransomware on Microsoft SharePoint servers vulnerable to widespread attacks targeting the recently patched ToolShell zero-day exploit chain.
Non-profit security organization Shadowserver is currently tracking over 420 SharePoint servers that are exposed online and remain vulnerable to these ongoing attacks.
“Although Microsoft has observed this threat actor deploying Warlock and Lockbit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor’s objectives,” the company said in a Wednesday report.
“Starting on July 18, 2025, Microsoft has observed Storm-2603 deploying ransomware using these vulnerabilities.”
After breaching the victims’ networks, Storm-2603 operators use the Mimikatz hacking tool to extract plaintext credentials from LSASS memory.
They then move laterally with PsExec and the Impacket toolkit, executing commands via Windows Management Instrumentation (WMI), and modifying Group Policy Objects (GPOs) to deliver Warlock ransomware across compromised systems.
“Customers should apply the on-premises SharePoint Server security updates immediately and follow the detailed mitigation guidance in our blog,” Microsoft also warned.
Microsoft Threat Intelligence researchers have also linked the Linen Typhoon and Violet Typhoon Chinese state-backed hacking groups with these attacks on Tuesday, days after Dutch cybersecurity firm Eye Security first detected zero-day attacks exploiting the CVE-2025-49706 and CVE-2025-49704 vulnerabilities.
Since then, Eye Security CTO Piet Kerkhofs told BleepingComputer that the number of breached entities is much larger, with “most of them already compromised for some time already.” According to the cybersecurity company’s statistics, the attackers have so far infected at least 400 servers with malware and breached 148 organizations worldwide.
CISA also added the CVE-2025-53770 remote code execution flaw, part of the same ToolShell exploit chain, to its catalog of vulnerabilities exploited in the wild, ordering US federal agencies to secure their systems within a day.
However, earlier this week, the Department of Energy confirmed that the National Nuclear Security Administration (the U.S. nuclear weapons agency) was breached in the ongoing Microsoft SharePoint attacks, although the agency has yet to find evidence that sensitive or classified information was compromised in the incident.
Bloomberg reported that the attackers have also hacked into systems at the US Department of Education, the Rhode Island General Assembly, and Florida’s Department of Revenue, as well as networks of European and Middle Eastern governments.
The Washington Post also reported that the Department of Health and Human Services’ National Institutes of Health (the U.S. medical research agency) was also breached.
Update July 24, 06:15 EDT: Revised story to make it clearer that Storm-2603 is a China-based threat actor.
CISOs know that getting board buy-in starts with a clear, strategic view of how cloud security drives business value.
This free, editable board report deck helps security leaders present risk, impact, and priorities in clear business terms. Turn security updates into meaningful conversations and faster decision-making in the boardroom.
