China-linked hackers hit SharePoint servers with ransomware as Microsoft confirms zero-day exploit attacks
Microsoft has named a new front in ongoing ransomware attacks: on-premises SharePoint servers. Security teams face a surge of breaches after Storm-2603, a hacking group Microsoft assesses to be China-based, began exploiting SharePoint vulnerabilities last week that were zero-days at the time and have since been patched.
Warlock and LockBit ransomware are now turning up on compromised systems at organizations around the world. Microsoft tracked over 420 SharePoint servers left exposed online, and Shadowserver says most remain vulnerable even after patches were released for the ToolShell exploit chain.
Once Storm-2603 operators get inside, they run Mimikatz to pull plaintext credentials from LSASS memory, move laterally with PsExec and Impacket, and modify Group Policy Objects so that Warlock ransomware is pushed out to domain-joined machines. Microsoft’s report lays out the attack pattern and urges anyone running on-premises SharePoint to update immediately.
Eye Security reports that the campaign has already infected at least 400 servers and breached 148 organizations. Victims include federal agencies, the US National Nuclear Security Administration among them, along with the Department of Education, the Rhode Island General Assembly, Florida’s revenue department, and national governments in Europe and the Middle East.
CISA flagged the related CVE-2025-53770 flaw for immediate patching and warned government agencies to secure systems within a day.
Researchers say some servers have been compromised for weeks. While Microsoft hasn’t put a number on sensitive data loss, the scale and timing show attackers moved fast once exploits surfaced.
Storm-2603’s playbook: scan for unpatched SharePoint servers, exploit them to get in, harvest credentials, stage tooling on further hosts, and spread ransomware with a handful of PowerShell commands. Microsoft’s guidance is blunt: install the updates quickly and follow the hardening and mitigation steps in its blog.
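The attack pattern described above (a shell spawned on the SharePoint server, Mimikatz against LSASS, PsExec and Impacket for lateral movement, a Group Policy change to push the ransomware) maps onto a small set of host-telemetry rules. The script below is an added example written for this article, not code from MSPoweruser or from Microsoft. It runs those rules over constructed, simplified Sysmon/Windows-event style records (not real victim logs); the field names, host names, the LSASS allowlist and the first rule's assumption that the foothold executes inside SharePoint's IIS worker process (w3wp.exe, which the article does not name) are all assumptions for illustration.

```python
"""Added example: detection rules for the post-exploitation chain described in the article."""
import re
from dataclasses import dataclass

# Constructed sample telemetry in a simplified Sysmon/Windows-event style (not real logs
# from any victim). Field names are assumptions; map your SIEM's schema onto them.
SAMPLE_EVENTS = [
    # 1. SharePoint's IIS worker process spawning a shell -> web shell / RCE on the server
    {"host": "SP01", "event": "process_create",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -EncodedCommand SQBFAFgA..."},
    # 2. Mimikatz-style credential theft: an unknown binary opens LSASS for reading
    {"host": "SP01", "event": "process_access",
     "source_image": r"C:\Users\svc_sp\AppData\Local\Temp\m.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    # 3. PsExec lateral movement: its helper service appears on a second host
    {"host": "FS02", "event": "service_install", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    # 4. Impacket wmiexec.py style execution: output redirected to a file on ADMIN$
    {"host": "DC01", "event": "process_create",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1721552433.12 2>&1"},
    # 5. A Group Policy object is modified on the DC: staging for domain-wide deployment
    {"host": "DC01", "event": "ds_object_modified", "object_class": "groupPolicyContainer",
     "object_dn": "CN={A1B2C3D4-0000-1111-2222-333344445555},CN=Policies,CN=System,DC=corp,DC=local",
     "attribute": "gPCFileSysPath"},
    # 6. Benign noise: the AV engine reads LSASS from its signed path (allowlisted below)
    {"host": "FS02", "event": "process_access",
     "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1fffff"},
    {"host": "FS02", "event": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Assumed allowlist of legitimate LSASS readers; tune to your estate.
LSASS_ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}
IIS_WORKER_SUFFIX = r"\inetsrv\w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# wmiexec.py runs "cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1"
IMPACKET_WMIEXEC = re.compile(r"cmd\.exe /Q /c .*1> \\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I)


@dataclass(frozen=True)
class Alert:
    host: str
    stage: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events) -> list[Alert]:
    """Apply one rule per stage of the chain and return alerts in event order."""
    alerts = []
    for e in events:
        kind = e.get("event")
        host = e.get("host", "?")
        if kind == "process_create":
            parent = e.get("parent_image", "").lower()
            child = _basename(e.get("image", ""))
            cmd = e.get("cmdline", "")
            if parent.endswith(IIS_WORKER_SUFFIX) and child in SHELLS:
                alerts.append(Alert(host, "initial_access", f"IIS worker spawned {child}: {cmd[:60]}"))
            if IMPACKET_WMIEXEC.search(cmd):
                alerts.append(Alert(host, "lateral_movement", "wmiexec-style command with ADMIN$ output file"))
        elif kind == "process_access":
            if _basename(e.get("target_image", "")) == "lsass.exe":
                src = e.get("source_image", "").lower()
                if src not in LSASS_ALLOWLIST:
                    alerts.append(Alert(host, "credential_access",
                                        f"LSASS opened by {src} (access {e.get('granted_access')})"))
        elif kind == "service_install":
            if "PSEXESVC" in (e.get("service_name", "") + e.get("image_path", "")).upper():
                alerts.append(Alert(host, "lateral_movement", "PsExec service PSEXESVC installed"))
        elif kind == "ds_object_modified":
            if e.get("object_class") == "groupPolicyContainer":
                alerts.append(Alert(host, "impact_staging",
                                    f"GPO modified: {e.get('object_dn')} [{e.get('attribute')}]"))
    return alerts


def chain_score(alerts) -> int:
    """Distinct stages observed. Single hits are often admin noise; three or more distinct
    stages across the estate in a short window is the full Storm-2603-style sequence."""
    return len({a.stage for a in alerts})


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.stage:18}] {a.host}: {a.detail}")
    print("distinct stages:", chain_score(found))
```

The point of `chain_score` is that none of these rules is conclusive on its own (PsExec and GPO edits are everyday admin activity), but the combination of an IIS worker spawning a shell, LSASS access from an unsigned path and a GPO change within the same window is exactly the sequence Microsoft attributes to Storm-2603 and should page someone immediately.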