Storm-2603: SharePoint Zero-Day Exploitation and Warlock Ransomware—A Hybrid Financial and Espionage Threat
Storm-2603 is a China-based, financially motivated threat actor first identified in early 2025, responsible for a global campaign exploiting critical Microsoft SharePoint zero-day vulnerabilities (CVE-2025-53770, CVE-2025-49706, CVE-2025-49704).

This baseline report was thoughtfully researched and took 10 minutes. It is meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst; we just did the initial grunt work.


TL;DR
Key Points
- Storm-2603, a China-based financially motivated threat actor, is exploiting Microsoft SharePoint zero-day vulnerabilities (CVE-2025-53770, CVE-2025-49706, CVE-2025-49704) to gain initial access, deploy web shells, and distribute Warlock ransomware across global critical sectors.
- Immediate patching, hardening, and advanced EDR/SIEM monitoring are essential to mitigate risk and detect post-exploitation activity.
- Warlock ransomware, built on the Chaos framework, is deployed via Group Policy Object (GPO) modifications, leveraging AES-256/RSA encryption and network-wide propagation.
- Organizations must implement air-gapped, immutable backups and validate recovery processes to ensure resilience against ransomware impact.
- Storm-2603’s operations blend ransomware extortion with espionage-like tactics (credential dumping, lateral movement), indicating probable overlap with Chinese APTs (APT27/APT31) and raising significant geopolitical and national security concerns.
- Cross-sector threat intelligence sharing and zero-trust architectures are recommended to counter evolving hybrid threats.
Executive Summary
Storm-2603 is a China-based, financially motivated threat actor first identified in early 2025, responsible for a global campaign exploiting critical Microsoft SharePoint zero-day vulnerabilities (CVE-2025-53770, CVE-2025-49706, CVE-2025-49704). The group leverages web shells (e.g., spinstall0.aspx) for persistence and command execution, followed by credential dumping (Mimikatz), lateral movement (PsExec, Impacket), and disabling endpoint protections via registry modifications.
Since July 2025, Storm-2603 has deployed Warlock ransomware—built on the Chaos framework—across compromised networks using GPO modifications, resulting in rapid, network-wide data encryption and ransom demands. Over 400 organizations have been impacted, including U.S. federal agencies, education, energy, telecommunications, and emerging healthcare targets.
Storm-2603’s hybrid operational model combines ransomware monetization with espionage-like tradecraft, suggesting probable but unconfirmed links to Chinese state-backed APTs (APT27/Linen Typhoon, APT31/Violet Typhoon). This dual-use approach complicates attribution and response, amplifying geopolitical risk and challenging traditional cyber defense paradigms.
Recommended mitigations include immediate SharePoint patching and hardening, deployment of advanced EDR/SIEM solutions for early detection of web shells, credential dumping, and GPO changes, and implementation of validated, air-gapped, and immutable backup strategies. Organizations should prioritize threat hunting for MITRE ATT&CK techniques T1190, T1505.003, T1003, T1484.001, and T1486, and monitor for indicators such as spinstall0.aspx artifacts and anomalous GPO activity.
The evolving threat landscape underscores the need for rapid patch management, cross-sector intelligence sharing, and adoption of zero-trust architectures to defend against state-tolerated ransomware campaigns and hybrid financial-espionage actors.
Research & Attribution
Historical Context
Storm-2603 is a China-based, financially motivated threat actor that emerged prominently in 2025. It exploits critical zero-day vulnerabilities in Microsoft SharePoint servers, notably CVE-2025-53770 ("ToolShell"), CVE-2025-49706 (spoofing), and CVE-2025-49704 (remote code execution), to gain initial access to unpatched on-premises SharePoint environments. The group uses web shells (e.g., spinstall0.aspx) for persistence and command execution and deploys ransomware payloads, currently Warlock ransomware and, in earlier activity, LockBit ransomware. The campaign has compromised over 400 victims worldwide, spanning the government, education, energy, and telecommunications sectors.
Warlock ransomware is a newly observed ransomware family linked to Storm-2603 operations. It is deployed post-exploitation of SharePoint vulnerabilities and is characterized by encryption of victim data, ransom note deployment, and network-wide distribution via Group Policy Objects (GPOs). Warlock is built on the Chaos ransomware framework and uses AES-256 and RSA encryption algorithms.
Timeline
- Early 2025: Storm-2603 identified exploiting SharePoint zero-day vulnerabilities.
- July 18, 2025: Storm-2603 begins deploying Warlock ransomware in active campaigns.
- July 20, 2025: CISA issues alerts on SharePoint vulnerabilities and ransomware deployment.
- July 22, 2025: Microsoft publicly discloses active exploitation and ransomware deployment by Storm-2603.
- July 23, 2025: Reports confirm over 400 victims, including U.S. federal agencies, affected by Storm-2603 and Warlock ransomware.
- July 24, 2025: Security advisories and IOC sharing published by multiple vendors.
Origin
Storm-2603 is attributed to a China-based financially motivated threat actor. Microsoft Threat Intelligence classifies it as an emerging "Storm" group distinct from but operating in the same ecosystem as Chinese state-backed groups Linen Typhoon (APT27) and Violet Typhoon (APT31). While Linen Typhoon and Violet Typhoon focus on espionage and intellectual property theft, Storm-2603 combines ransomware deployment with exploitation of enterprise software vulnerabilities for financial gain.
Countries Targeted
- United States – Targeting government agencies and critical infrastructure sectors, including federal entities.
- China – Origin country; limited public data on internal targeting.
- European countries – Targeting education, energy, and telecommunications sectors.
- Southeast Asia – Inferred targeting of regional infrastructure.
- Middle East – Limited targeting noted in telecommunications.
Sectors Targeted
- Government – High-value targets including U.S. federal agencies.
- Education – Universities and research institutions.
- Energy – Critical infrastructure operators.
- Telecommunications – Providers and infrastructure.
- Healthcare – Emerging targeting observed.
Motivation
Storm-2603 is primarily financially motivated, leveraging ransomware deployment to monetize access gained through exploitation of SharePoint vulnerabilities. The group also exhibits espionage-like tactics such as credential harvesting and lateral movement, suggesting dual objectives of intelligence gathering and financial extortion.
Attack Types
- Exploitation of Microsoft SharePoint zero-day vulnerabilities (CVE-2025-53770, CVE-2025-49706, CVE-2025-49704) for initial access. [MITRE T1190]
- Deployment of IIS backdoors and web shells (spinstall0.aspx) for persistence and command execution. [MITRE T1505.003]
- Credential dumping using Mimikatz to extract credentials from LSASS memory. [MITRE T1003]
- Lateral movement using PsExec and Impacket toolkit. [MITRE T1021]
- Disabling endpoint protections by modifying Windows Registry via services.exe. [MITRE T1112]
- Deployment of Warlock ransomware via Group Policy Object (GPO) modifications. [MITRE T1484.001]
- Use of batch scripts and .NET assemblies for persistence and execution.
- Data encryption for impact using Warlock ransomware. [MITRE T1486]
Technical Characteristics of Warlock Ransomware
- Built on the Chaos ransomware framework.
- Uses AES-256 and RSA encryption algorithms to encrypt victim files.
- Encrypts files with randomized extensions.
- Drops ransom notes demanding payment for decryption keys.
- Uses web protocols for command and control communications. [MITRE T1071.001]
- Distributed across networks via GPO modifications to maximize impact.
- Employs service execution for payload deployment. [MITRE T1569.002]
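The Executive Summary recommends hunting for spinstall0.aspx artifacts and anomalous GPO activity, the two post-exploitation behaviours that the Attack Types and Technical Characteristics lists above tie to T1505.003 and T1484.001. The following hunting helper is an added example, not code from the report or from any vendor: it assumes IIS W3C extended logging on the SharePoint front end and Directory Service Changes auditing (Security event IDs 5136/5137) on domain controllers, and the log lines and events it runs over are constructed samples.

```python
import re
from dataclasses import dataclass

WEBSHELL_RE = re.compile(r"spinstall0\.aspx$", re.IGNORECASE)  # web-shell name from the report
GPO_EVENT_IDS = {5136, 5137}  # DS Changes audit: object modified / created (auditing assumed on)

@dataclass
class Finding:
    source: str     # "iis" or "security"
    detail: str
    technique: str  # MITRE ATT&CK id the report cites for this behaviour

def scan_iis(lines):
    """Flag requests for spinstall0.aspx in IIS W3C logs; field order comes from the #Fields header."""
    findings, idx = [], {}
    for line in lines:
        if line.startswith("#Fields:"):
            idx = {name: i for i, name in enumerate(line.split()[1:])}
        elif line.strip() and not line.startswith("#"):
            f = line.split()
            try:
                uri, method, client = f[idx["cs-uri-stem"]], f[idx["cs-method"]], f[idx["c-ip"]]
            except (KeyError, IndexError):
                continue  # header missing or truncated line: skip rather than abort the hunt
            if WEBSHELL_RE.search(uri):
                findings.append(Finding("iis", f"{method} {uri} from {client}", "T1505.003"))
    return findings

def scan_gpo_events(events):
    """Flag changes to groupPolicyContainer objects (GPO edits) in parsed Security events."""
    return [Finding("security", f"{e['SubjectUserName']} changed {e['ObjectDN']}", "T1484.001")
            for e in events
            if e.get("EventID") in GPO_EVENT_IDS and e.get("ObjectClass") == "groupPolicyContainer"]

# Constructed sample data, not from a real incident; 203.0.113.0/24 is a documentation range.
SAMPLE_IIS = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 03:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\jdoe 10.0.0.77 Mozilla/5.0 200
2025-07-19 03:15:22 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 python-requests/2.32 200
2025-07-19 03:15:40 10.0.0.5 GET /_LAYOUTS/15/SpInstall0.aspx - 443 - 203.0.113.9 python-requests/2.32 200
""".splitlines()
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "svc_sp", "ObjectClass": None, "ObjectDN": ""},
    {"EventID": 5136, "SubjectUserName": "svc_sp", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={CONSTRUCTED-GPO-GUID},CN=Policies,CN=System,DC=corp,DC=example"},
]

def hunt():
    """Run both scanners over the constructed samples; returns 3 findings (2 web shell, 1 GPO)."""
    return scan_iis(SAMPLE_IIS) + scan_gpo_events(SAMPLE_EVENTS)
```

Calling `hunt()` returns the findings as objects tagged with the ATT&CK technique, which lets a SIEM rule or ticket map each hit back to the report's hunting priorities; point `scan_iis` at real W3C log lines and `scan_gpo_events` at events exported from the Security log to use it in practice.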
Known Aliases
- Storm-2603 (Microsoft designation)
Links to Other APT Groups
Storm-2603 may be associated with Chinese state-backed groups Linen Typhoon (APT27) and Violet Typhoon (APT31) based on shared exploitation of SharePoint vulnerabilities. However, Storm-2603 is distinct in its ransomware deployment focus. Attribution is based on observed TTP overlaps and infrastructure but remains qualified as probable association rather than confirmed direct linkage.
Similar Threat Actor Groups
- LockBit Ransomware Group: Similar ransomware deployment tactics in enterprise environments.
- Scattered Spider (UNC3944): Financially motivated eCrime actor using social engineering and ransomware.
Breaches Involving This Threat Actor
As of July 2025, there are no detailed public disclosures of specific breaches beyond the reported 400+ victims affected by Storm-2603's SharePoint exploitation and Warlock ransomware deployment.
Geopolitical Implications
Storm-2603’s hybrid profile combining ransomware operations with espionage-like tactics reflects a complex threat landscape where financially motivated cybercrime and state-aligned objectives intersect. The targeting of critical infrastructure and government sectors, including U.S. federal agencies, highlights significant national security risks and potential geopolitical tensions. The use of widely deployed enterprise software vulnerabilities amplifies the global impact and complicates defense efforts.
The suspected Chinese origin and operational overlap with known Chinese APTs suggest possible state tolerance or indirect sponsorship, raising concerns about the use of ransomware as a tool for economic disruption and influence. This dual-use threat actor challenges traditional distinctions between cybercrime and nation-state operations.
Intersection of Storm-2603 and Warlock Ransomware
Storm-2603 is directly linked to the deployment of Warlock ransomware in campaigns exploiting SharePoint vulnerabilities. The group uses web shells and lateral movement tools to establish persistence and spread within compromised networks before deploying Warlock ransomware via Group Policy Objects. This operational intersection indicates a coordinated ransomware campaign leveraging advanced exploitation and post-exploitation tradecraft.
Summary Timeline of Significant Incidents
- Early 2025: Storm-2603 identified exploiting SharePoint zero-day vulnerabilities.
- July 18, 2025: Deployment of Warlock ransomware begins in active campaigns.
- July 20, 2025: CISA issues alerts on SharePoint vulnerabilities and ransomware deployment.
- July 22, 2025: Microsoft publicly discloses active exploitation and ransomware deployment.
- July 23, 2025: Reports confirm over 400 victims, including U.S. federal agencies.
- July 24, 2025: Security advisories and IOC sharing published by multiple vendors.
Recommendations, Actions, Suggested Pivots, Forecasts and Next Steps
(Subscribers Only)