Microsoft has issued an urgent alert: a hacking group believed to be linked to China is exploiting unpatched vulnerabilities in SharePoint Server to install Warlock ransomware, which can encrypt entire systems and hold them for ransom.


According to Microsoft's security research group, the attack is part of a campaign by Storm-2603, a financially motivated group that has previously been observed distributing both Warlock and LockBit ransomware.

This campaign began by exploiting two dangerous vulnerabilities in the SharePoint Server:

  • CVE-2025-49706: spoofing vulnerability
  • CVE-2025-49704: Remote Code Execution (RCE) vulnerability

After successful exploitation, the attackers:

  1. Install a malicious web shell (spinstall0.aspx) on the server.
  2. Run commands through w3wp.exe (the SharePoint IIS worker process) to check their privileges (whoami) and expand the intrusion.
  3. Disable Microsoft Defender by editing the Registry via "services.exe".
  4. Create scheduled tasks and modify IIS components to load malicious .NET code, maintaining long-term access.
  5. Use Mimikatz to steal credentials from LSASS (Local Security Authority Subsystem Service) memory.
  6. Move laterally using PsExec and Impacket.
  7. Finally, modify Group Policy to deploy the Warlock ransomware system-wide.
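As an added defensive example (not part of the original report or of Microsoft's tooling), the following Python triage script flags the two earliest visible traces of this chain in constructed sample data: requests to the spinstall0.aspx web shell in IIS W3C log lines, and command shells spawned by the w3wp.exe worker process in process-creation records. The log layout, IP addresses, URL paths and command lines are constructed for illustration.

```python
"""Triage helper for the SharePoint attack chain described above (added example)."""
import ntpath  # parses Windows paths correctly even when run on Linux/macOS

WEBSHELL_NAME = "spinstall0.aspx"          # web shell named in the advisory
IIS_WORKER = "w3wp.exe"                     # IIS worker process named in the advisory
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}  # interpreters a web shell typically spawns

# Constructed IIS W3C log lines: date time c-ip cs-method cs-uri-stem sc-status
IIS_LOG = """\
2025-07-19 10:02:11 203.0.113.5 GET /_layouts/15/start.aspx 200
2025-07-19 10:02:19 203.0.113.5 POST /_layouts/15/spinstall0.aspx 200
2025-07-19 10:03:40 198.51.100.7 GET /sites/hr/default.aspx 200
"""

# Constructed process-creation events: (parent image, child image, command line)
PROCESS_EVENTS = [
    (r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]


def webshell_hits(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, uri) for every request whose path ends in the web shell name."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip blank or truncated lines
        client_ip, uri = fields[2], fields[4]
        if uri.lower().rsplit("/", 1)[-1] == WEBSHELL_NAME:
            hits.append((client_ip, uri))
    return hits


def shells_spawned_by_iis(events: list[tuple[str, str, str]]) -> list[str]:
    """Return command lines of shell interpreters whose parent is the IIS worker process."""
    return [
        cmdline
        for parent, child, cmdline in events
        if ntpath.basename(parent).lower() == IIS_WORKER
        and ntpath.basename(child).lower() in SHELL_CHILDREN
    ]


if __name__ == "__main__":
    print("web shell requests:", webshell_hits(IIS_LOG))
    print("shells spawned by IIS:", shells_spawned_by_iis(PROCESS_EVENTS))
```

Either finding alone warrants pulling the host from the network and starting the IR plan, since steps 3 to 7 of the chain follow quickly once the web shell is in place.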

All organizations running Microsoft SharePoint Server on-premises (self-hosted installations, not the cloud version) are at risk. Once attackers gain a foothold on the SharePoint server, the intrusion can spread to the rest of the internal network.

As long as a SharePoint system remains unpatched, attackers can take full control of it and encrypt its data. At least 400 victims have been confirmed, including government agencies and businesses. Besides Storm-2603, other Chinese hacking groups, such as Linen Typhoon (APT27) and Violet Typhoon, are also suspected of taking part in the same attack.

Microsoft strongly recommends:

  • Immediately update SharePoint Server to the latest patched version.
  • Enable the Antimalware Scan Interface (AMSI) and verify it is configured correctly.
  • Deploy endpoint protection such as Microsoft Defender for Endpoint or an equivalent product.
  • Rotate the ASP.NET machine keys on the SharePoint server.
  • Restart IIS with the "iisreset.exe" command after patching.
  • Activate the internal incident response (IR) plan.

SharePoint vulnerabilities are no longer theoretical. With more than 400 victims and increasingly sophisticated attack chains, organizations, especially medium and large enterprises, need to act immediately to prevent ransomware extortion and data leaks.

The Hacker News