A new wave of cyberattacks is exploiting critical flaws in on‑premises Microsoft SharePoint servers, enabling a sophisticated threat actor known as Storm 2603 to deploy dual ransomware campaigns.
The Emerging Threat
Since mid‑July 2025, Microsoft and industry researchers have confirmed that several vulnerabilities – specifically CVE‑2025‑49704 and CVE‑2025‑49706 (known collectively with bypass flaws as “ToolShell”) – are being weaponized against SharePoint 2016, 2019, and Subscription Edition. Cloud‑based SharePoint Online is unaffected.
The Chinese‑linked group Storm 2603 is leveraging these flaws to deploy Warlock and LockBit ransomware, using a custom command‑and‑control infrastructure dubbed AK47 C2. This framework includes HTTP‑based (AK47HTTP) and DNS‑based (AK47DNS) components, enabling remote execution and persistence via a spinstall0.aspx web shell.
Check Point Research notes that Storm 2603 has employed DNS‑tunneling backdoors, DLL hijacking via legitimate utilities such as 7z.exe, and the bring‑your‑own‑vulnerable‑driver (BYOVD) method to disable endpoint protections. These techniques mark a complex hybrid of espionage and ransomware tradecraft.
Scope & Impact
Security firms estimate that over 400 organizations across APAC, Latin America, Europe, and the U.S. have been breached. Victims include government agencies, higher‑education institutions, healthcare providers, telecom operators, and critical infrastructure entities.
The attack chain typically entails:
- Reconnaissance and vulnerability scanning targeting ToolPane.aspx endpoints;
- Auth‑bypass remote code execution to drop web shells;
- Credential harvesting (e.g., Mimikatz against LSASS memory);
- Lateral movement using PsExec, WMI, and GPO manipulation to distribute ransomware across networks.
Urgent Mitigation Measures
Microsoft has issued security updates in two waves: an initial patch in early July and a broader update after bypass techniques emerged (covering CVE‑2025‑53770 and CVE‑2025‑53771).
Organizations with on‑premises SharePoint installations must take immediate action:
- Apply all available patches for SharePoint Server Subscription, 2019, and 2016.
- Enable Antimalware Scan Interface (AMSI) in full mode and deploy Microsoft Defender Antivirus or equivalent.
- Rotate ASP.NET machine keys, restart IIS services, monitor requests to the ToolPane.aspx and spinstall0.aspx endpoints, and integrate Endpoint Detection and Response (EDR) tooling.
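As an added example (not part of the original article or any vendor tooling), the following Python script scans an IIS W3C log for the two endpoints named above: POST requests to ToolPane.aspx and any request for spinstall0.aspx. The log lines are constructed samples, and the field list your servers emit may differ, which is why the parser reads the #Fields header instead of assuming column positions.

```python
# Added example: flag ToolPane.aspx / spinstall0.aspx requests in IIS W3C logs.
# SAMPLE_LOG is a constructed sample, not real telemetry.
from dataclasses import dataclass

# Constructed IIS W3C log; column order is defined by the #Fields line.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-07-19 02:14:03 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.0.77 Mozilla/5.0 200
2025-07-19 02:14:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.10 python-requests/2.31 200
2025-07-19 02:14:12 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 203.0.113.10 python-requests/2.31 200
2025-07-19 02:15:40 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 10.0.0.78 Mozilla/5.0 200
"""

@dataclass
class Hit:
    time: str
    client_ip: str
    method: str
    uri: str
    reason: str

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than mis-index the columns
        yield dict(zip(fields, parts))

def scan_iis_log(text):
    """Return Hit records for requests on the article's watch-list; treat them as leads to triage."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        method = rec.get("cs-method", "").upper()
        reason = None
        if stem.endswith("/spinstall0.aspx"):
            reason = "request for spinstall0.aspx web shell"
        elif stem.endswith("/toolpane.aspx") and method == "POST":
            reason = "POST to ToolPane.aspx; compare against known admin activity"
        if reason:
            hits.append(Hit(rec.get("time", "-"), rec.get("c-ip", "-"), method, rec.get("cs-uri-stem", "-"), reason))
    return hits
```

A plain GET of ToolPane.aspx is left unflagged because it is a normal SharePoint editing page; the POST and the spinstall0.aspx hit from the same client are what warrant a closer look.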
Experts warn these attacks are intensifying and unlikely to subside until fully mitigated.
Conclusion
Storm 2603’s rapid transition from espionage-focused intrusion to ransomware deployment illustrates a dangerous evolution of threat actor capabilities. The complexities of the attack chain – combining zero‑day exploitation, hybrid malware frameworks, and persistence techniques – underline the need for an urgent, layered defence approach.
Enterprises must treat this as a watershed moment: every on‑premises SharePoint system represents a potential entry vector for devastating cyberattacks unless properly secured.
About COE Security
At COE Security, we provide comprehensive cybersecurity solutions across key industries including finance, healthcare, telecom, higher education, critical infrastructure, and manufacturing. Our service offerings span:
- Vulnerability assessments and patch management
- Endpoint protection and EDR integration
- Threat hunting, SIEM rule development, and incident response
- Compliance advisory for NIS 2, GDPR, HIPAA, and other mandates
In light of the Storm 2603 campaign, COE Security is helping clients by:
- Conducting accelerated vulnerability audits for SharePoint infrastructures
- Deploying detection and response tooling focused on ToolShell and AK47 C2 indicators
- Designing playbooks for lateral movement detection, machine‑key changes, and web shell removal
- Ensuring regulatory compliance while restoring operational resilience