Microsoft Threat Intelligence in an updated warning said that China-based hackers, which it tracks as Storm-2603, has quickly pivoted and now exploiting unpatched on-premise SharePoint systems to deploy Warlock ransomware variant.
Researchers at Microsoft had initially observed this threat actor making attempts to steal MachineKeys leveraging the on-premises SharePoint vulnerabilities, CVE-2025-53770 and CVE-2025-53771. The threat actor used a malicious script “spinstall0.aspx,” which first retrieved the MachineKey data and then sent the results through a GET request, thereby enabling the theft of the key material.
In SharePoint Online, machine keys are used to secure and validate various features like view state, forms authentication and session state status. They ensure that data exchanged between the server and the client is trusted and hasn’t been tampered with. These keys are crucial for maintaining the integrity of web applications, especially in a web farm environment where multiple servers handle user requests.
Microsoft has earlier observed Storm-2603 deploying Warlock and Lockbit ransomware variants but the current objectives remain unclear.
The Attack Cycle
The pivot towards ransomware deployment first began on July 18, according to Microsoft. The hackers exploited internet-facing on-premises SharePoint server for initial access to the victim’s environment. They used the spinstall0.aspx payload for initial access. This initial access was used to execute the w3wp.exe process, which is responsible for handling web requests and executing web applications.
The attackers then executed a series of commands to understand the victim’s environment: whoami, for user context and validating privilege levels; cmd.exe and batch scripts for broader execution phases; and services.exe to disable Microsoft Defender protections through direct registry modifications.
For persistence, the attackers leveraged multiple mechanisms including the initial malicious web shell, scheduled tasks and manipulated the Internet Information Services (IIS) components to deliver suspicious .NET assemblies. These mechanism in tandem ensured persistence in victim’s environment without detection, even if initial vectors were remediated.
In the next stage of execution, the attackers used Mimikatz, an open source tool, to extract plaintext credentials. They specifically targeted the Local Security Authority Subsystem Service (LSASS) memory, for this.
The attacker further moved laterally using PsExec and the Impacket toolkit, whose commands were executed using Windows Management Instrumentation (WMI), the researchers noted.
In the final stage, Storm-2603 modified the Group Policy Objects (GPO) to distribute Warlock ransomware in compromised environments.
Microsoft warned that, “additional actors will continue to use these exploits to target unpatched on-premises SharePoint systems,” thus making its patching more urgent.
Also read: Zero-Day Vulnerability Hits Microsoft SharePoint, Urgent Patch Issued
There are nearly 424 internet-facing on-premises SharePoint servers that still remain unpatched, according to the internet scanning tool from Shadowserver Foundation. “We have shared SharePoint IPs confirmed vulnerable to CVE-2025-53770, CVE-2025-53771,” it said on X.
Unsurprisingly, most of the vulnerable IPs are from the U.S. with some from Russia, Iran, Germany and India.
