Verticals Targeted: Government, Defense, NGOs, Think Tanks, Education, Media, Financial, Healthcare
Regions Targeted: US, Europe, East Asia, Africa
Related Families: Warlock, LockBit
Executive Summary
Microsoft has disclosed active exploitation of critical vulnerabilities in on-premises SharePoint servers by Chinese threat actors, urging immediate patching and additional mitigations to prevent unauthorized access and data theft.
Key Takeaways
- Chinese nation-state actors Linen Typhoon and Violet Typhoon, along with Storm-2603, are exploiting authentication bypass and remote code execution flaws to deploy web shells on internet-facing SharePoint servers.
- Exploited vulnerabilities include CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771, collectively known as ToolShell.
- Post-exploitation involves stealing ASP.NET MachineKeys via malicious scripts, enabling further persistence and potential ransomware deployment.
The Activity
Microsoft and Palo Alto’s Unit 42 highlighted ongoing attacks against on-premises SharePoint servers leveraging a spoofing vulnerability and a remote code execution flaw. These issues, exclusive to on-premises deployments and not impacting SharePoint Online, have been integrated into the toolkits of multiple China-based threat actors.
Exploitation begins with reconnaissance via POST requests to the ToolPane endpoint, allowing unauthenticated attackers to bypass authentication and execute code remotely. Successful compromises result in the deployment of a web shell, which facilitates the extraction of sensitive MachineKey data. This key material, retrieved through GET requests, supports persistence and evasion tactics.
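The request sequence described above leaves a recognisable trace in IIS W3C logs. The following is an added detection example (not code from the PolySwarm report): it parses constructed log lines and flags an anonymous POST to the ToolPane endpoint followed by a request for the spinstall0.aspx web shell. The full endpoint path under /_layouts/ and the field order are assumptions for the example.

```python
# Added example: flag IIS W3C log entries matching the ToolShell chain.
# Assumptions: ToolPane endpoint path under /_layouts/<n>/ToolPane.aspx and
# the web shell name spinstall0.aspx (the name given in the report above).
import re
from typing import Dict, List

# W3C field order used by the constructed sample lines below.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

TOOLPANE_RE = re.compile(r"/_layouts/\d+/toolpane\.aspx$", re.IGNORECASE)
WEBSHELL_RE = re.compile(r"spinstall0\.aspx$", re.IGNORECASE)

def parse_line(line: str) -> Dict[str, str]:
    """Split one space-separated W3C log line into a field dict."""
    return dict(zip(FIELDS, line.split()))

def classify(entry: Dict[str, str]) -> str:
    """Return a detection name for the entry, or '' if nothing matched."""
    stem = entry.get("cs-uri-stem", "")
    if WEBSHELL_RE.search(stem):
        return "webshell-access"                 # any hit on the dropped web shell
    if entry.get("cs-method") == "POST" and TOOLPANE_RE.search(stem):
        # cs-username '-' means the request carried no authenticated identity
        return "toolpane-post-anon" if entry.get("cs-username") == "-" else "toolpane-post"
    return ""

def scan(log_text: str) -> List[Dict[str, str]]:
    """Return flagged entries, each with its detection name attached."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue                             # skip W3C directive lines
        entry = parse_line(line)
        label = classify(entry)
        if label:
            entry["detection"] = label
            hits.append(entry)
    return hits

# Constructed sample log (not real traffic); external IP is a documentation address.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 03:12:01 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\alice 10.0.0.42 Mozilla/5.0 200
2025-07-19 03:12:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-07-19 03:12:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["detection"], hit["c-ip"], hit["cs-uri-stem"])
```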
Attribution points to the Chinese threat actor groups Linen Typhoon and Violet Typhoon, and to Storm-2603, a China-linked group observed stealing MachineKeys and deploying Warlock and LockBit ransomware. The threat actors’ current objectives remain unclear. Attacks were first noted around July 7, 2025, with rapid adoption expected among additional actors.
CVEs
The vulnerabilities, collectively known as ToolShell, include:
- CVE-2025-49706: A spoofing vulnerability enabling post-authentication remote code execution on affected SharePoint servers.
- CVE-2025-49704: A remote code execution vulnerability allowing attackers to run arbitrary code without authentication.
- CVE-2025-53770: A ToolShell authentication bypass and remote code execution flaw related to CVE-2025-49704, permitting unauthorized command execution.
- CVE-2025-53771: A ToolShell path traversal vulnerability serving as a security bypass for CVE-2025-49706, facilitating directory traversal and file access.
Who is Linen Typhoon?
Linen Typhoon, also known as APT27, Emissary Panda, Bronze Union, LuckyMouse, and Iron Tiger, is a China-nexus threat actor group active since at least 2013. Linen Typhoon employs spear-phishing to gain initial access, often using malicious email attachments or links to deliver custom malware. The group exploits vulnerabilities in public-facing applications, such as SharePoint servers, to infiltrate networks. They use living-off-the-land techniques, leveraging legitimate system tools like PowerShell for execution and persistence. Linen Typhoon conducts credential dumping to escalate privileges and move laterally within networks. They deploy web shells to maintain persistent access and exfiltrate sensitive data. The group also uses custom backdoors like ZxShell for command and control.
Linen Typhoon primarily targets government agencies, military organizations, and defense contractors in the United States, Europe, and Asia. They focus on sectors including aerospace, technology, and telecommunications for espionage purposes. Recent activity includes targeting U.S. government entities, such as the Department of Education and Florida Department of Revenue, as well as critical infrastructure in the Indo-Pacific region. Linen Typhoon is widely believed to be sponsored by the Chinese government, with operations aligned with the interests of the Chinese Communist Party (CCP). The group’s activities support state-level espionage, focusing on intelligence collection to advance China’s geopolitical and economic objectives.
Who is Violet Typhoon?
Violet Typhoon, also known as APT31, ZIRCONIUM, Bronze Vinewood, Judgment Panda, and Red Keres, is a China-nexus threat actor group active since at least 2015. Violet Typhoon employs spear-phishing campaigns with malicious attachments or URLs to gain initial access. They exploit vulnerabilities in public-facing applications, notably Microsoft SharePoint, to deploy web shells for persistence. The group uses living-off-the-land techniques, leveraging tools like PowerShell and Windows Management Instrumentation for execution and discovery. They conduct credential harvesting to escalate privileges and move laterally, often targeting Active Directory databases. Violet Typhoon deploys custom malware and uses stolen credentials to maintain long-term access while exfiltrating sensitive data via cloud services.
Violet Typhoon focuses on espionage, targeting government officials, military personnel, non-governmental organizations, think tanks, and sectors like higher education, media, finance, and healthcare in the United States, Europe, and East Asia. Recent attacks include exploitation of SharePoint vulnerabilities affecting U.S. agencies like the Department of Education and the National Nuclear Security Administration. Violet Typhoon is assessed to be a Chinese state-sponsored group, operating on behalf of the Chinese Communist Party. Their activities align with China’s intelligence-gathering objectives, particularly targeting entities that provide geopolitical or competitive advantages.
Who is Storm-2603?
Storm-2603 is assessed to be a China-based threat actor, with no confirmed ties to specific Chinese government entities such as the CCP or military intelligence. Storm-2603 exploits vulnerabilities in on-premises SharePoint servers, notably CVE-2025-49706 (spoofing) and CVE-2025-49704 (remote code execution), to gain initial access. They deploy web shells like spinstall0.aspx for persistence and execute commands via the w3wp.exe process. The group uses cmd.exe and batch scripts for deeper network penetration, abuses services.exe to disable Microsoft Defender via registry modifications, and employs Mimikatz to harvest credentials from LSASS memory. Storm-2603 creates scheduled tasks and manipulates Internet Information Services (IIS) components to launch suspicious .NET assemblies.
They conduct lateral movement using PsExec and Impacket, deploying Warlock and LockBit ransomware to encrypt systems. Additionally, they steal ASP.NET MachineKeys to maintain access post-patching. Storm-2603 targeted organizations with unpatched on-premises SharePoint systems globally, affecting over 400 victims. Their attacks focus on financial gain through ransomware deployment.
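The Storm-2603 post-exploitation chain above hinges on the SharePoint worker process w3wp.exe spawning shells that it never legitimately needs. The following is an added triage example (not code from the PolySwarm report) that walks constructed process-creation events, rebuilds each process's ancestry, and flags shells or tooling descended from w3wp.exe. The event schema (pid, ppid, image, cmdline) is an assumption standing in for whatever your EDR or Sysmon feed provides.

```python
# Added example: flag shells and tooling whose ancestry includes w3wp.exe,
# the pattern described for Storm-2603 above. Event field names are assumed.
from typing import Dict, List

# Images that should not be descendants of a SharePoint worker process.
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "psexec.exe", "mimikatz.exe"}

def image_name(path: str) -> str:
    """Return the lowercase basename of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ancestry(pid: int, by_pid: Dict[int, dict]) -> List[str]:
    """Follow ppid links to the root and return image names, child first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)                      # guard against cyclic or reused pids
        ev = by_pid[pid]
        chain.append(image_name(ev["image"]))
        pid = ev["ppid"]
    return chain

def flag_events(events: List[dict]) -> List[dict]:
    """Return suspect-image events that have w3wp.exe anywhere above them."""
    by_pid = {ev["pid"]: ev for ev in events}
    hits = []
    for ev in events:
        if image_name(ev["image"]) not in SUSPECT_CHILDREN:
            continue
        chain = ancestry(ev["pid"], by_pid)
        if "w3wp.exe" in chain[1:]:        # parent or any earlier ancestor
            hits.append({**ev, "chain": " <- ".join(chain)})
    return hits

# Constructed sample events (not real telemetry); the last one is benign noise.
SAMPLE_EVENTS = [
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\services.exe", "cmdline": "services.exe"},
    {"pid": 812, "ppid": 600, "image": r"C:\Windows\System32\inetsrv\w3wp.exe", "cmdline": "w3wp.exe -ap SharePoint"},
    {"pid": 2200, "ppid": 812, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ipconfig"},
    {"pid": 2210, "ppid": 2200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe -nop"},
    {"pid": 3001, "ppid": 600, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c schtasks /query"},
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(hit["pid"], hit["chain"], "|", hit["cmdline"])
```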
What is Warlock Ransomware?
The Warlock ransomware operation emerged in June 2025 as a ransomware-as-a-service (RaaS) advertised on a Russian cybercrime forum and quickly evolved into a notable threat. It is tied to the China-based actor tracked as Storm-2603. The threat actors rely on Microsoft SharePoint zero-day vulnerabilities for initial access, deploy web shells for persistence, steal credentials, move laterally, and use double-extortion tactics involving data exfiltration and limited encryption to coerce payments. Warlock bears similarities to Black Basta, and Warlock has claimed responsibility for attacks previously attributed to Black Basta. PolySwarm analysts consider Warlock ransomware to be an emerging threat. In their ransom note, Warlock refers to themselves as “a professional hack organization.”
Figure 1 - Our analysts obtained a sample of Warlock ransomware. The image above shows an excerpt of the Warlock ransomware ransom note, extracted from Triage.
Figure 2 - A screenshot of Warlock ransomware’s leaks site showing some of their alleged victims.
Mitigation
To mitigate this activity, apply the latest SharePoint Server updates: KB5002768 for Subscription Edition, KB5002754 and KB5002753 for 2019, and KB5002760 and KB5002759 for 2016. Enable AMSI in Full Mode on all servers, deploy Defender for Endpoint, and rotate ASP.NET MachineKeys followed by IIS restarts. If AMSI cannot be enabled, isolate servers from the internet or use authenticated proxies. Organizations must prioritize patching and monitoring to counter these persistent threats, as unpatched systems remain prime targets for state-sponsored espionage and data exfiltration.
IOCs
PolySwarm has multiple samples associated with this activity.
You can use the following CLI command to search for all ToolShell related samples in our portal:
$ polyswarm link list -t ToolShell
PolySwarm also has a sample of Warlock ransomware and is tracking this ransomware family.
da8de7257c6897d2220cdf9d4755b15aeb38715807e3665716d2ee761c266fdb
You can use the following CLI command to search for all Warlock samples in our portal:
$ polyswarm link list -f Warlock