< Back to all clusters
[TECHNOLOGY] · 2 sources

Storm-2603 ransomware campaign targets unpatched SharePoint servers with dual threat actors

Microsoft’s DART team uncovered a complex intrusion of on‑premises SharePoint servers where two unrelated threat actors operated in parallel. The primary group, tracked as Storm‑2603, has been exploiting publicly disclosed vulnerabilities such as CVE‑2025‑49706 and CVE‑2025‑49704 since mid‑2025 to install ransomware and create persistent backdoors. It used legitimate tools (Velociraptor, Cloudflare tunnels, Zoho Assist) and a vulnerable driver (NSecKrnl.sys) to gain kernel‑level access and bypass endpoint protection.

A second, unidentified actor was detected simultaneously, employing DLL sideloading and custom backdoors to exfiltrate the Active Directory database (NTDS.dit) and move laterally via WinRM. Both streams masked each other, delaying detection until Microsoft correlated identity, endpoint, and cloud telemetry. The investigation highlights the danger of unpatched SharePoint installations and recommends rapid patching, protection of high‑privilege accounts, and continuous monitoring to prevent similar multi‑actor compromises.