Microsoft has updated its previous advisory to add more details on a China-linked threat actor it tracks as Storm-2603, which is actively exploiting a chain of critical SharePoint vulnerabilities to deploy Warlock ransomware.
The campaign leverages the spoofing vulnerability (CVE-2025-49706) and the remote code execution bug (CVE-2025-49704) in unpatched on-premises SharePoint servers. The attackers are using the flaws to deploy a malicious web shell named spinstall0.aspx, allowing them to run commands via SharePoint's w3wp.exe process.
Once inside the network, the attackers run a series of reconnaissance commands to identify user privileges and establish persistence. Microsoft says that the group uses batch scripts and cmd.exe for deeper infiltration, disabling Microsoft Defender protections by making Windows Registry modifications using services.exe.
Storm-2603 has also been seen deploying Mimikatz to extract credentials from LSASS memory and using tools like PsExec and the Impacket toolkit for lateral movement. Persistence is maintained by creating scheduled tasks and altering Internet Information Services (IIS) to execute suspicious .NET assemblies.
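The behaviours described above (the web shell dropped by SharePoint's worker process, commands launched from w3wp.exe, and Defender being switched off through registry changes made via services.exe) can be turned into simple host-telemetry detections. The script below is an added example, not code from the article or from Microsoft's advisory: the pipe-delimited event format, the field names, the sample file paths and the sample command lines are all constructed for illustration and do not represent any real product's schema or real logs. The Defender policy key it matches on is the well-known `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender` location, not a value taken from the article.

```python
"""Detection rules for the post-exploitation chain described in the article.

Added example (not from the article or Microsoft). It scans simplified
process-creation, file-creation and registry events for three behaviours:
  1. w3wp.exe writing a file named spinstall0.aspx (web shell drop)
  2. w3wp.exe spawning cmd.exe or powershell.exe (commands run via the
     SharePoint worker process)
  3. services.exe writing under the Windows Defender policy key
The event format and field names are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample telemetry (not real logs). Formats:
#   process|<host>|<parent image>|<image>|<command line>
#   file|<host>|<writer image>|<path>
#   registry|<host>|<writer image>|<key or value path>
SAMPLE_LOG = """\
file|SP01|w3wp.exe|C:\\inetpub\\wwwroot\\layouts\\spinstall0.aspx
process|SP01|w3wp.exe|cmd.exe|cmd.exe /c whoami
process|SP01|w3wp.exe|cmd.exe|cmd.exe /c net user
registry|SP01|services.exe|HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware
process|SP01|explorer.exe|cmd.exe|cmd.exe /c dir
file|SP02|w3wp.exe|C:\\inetpub\\wwwroot\\layouts\\index.aspx
"""


@dataclass
class Event:
    kind: str            # "process", "file" or "registry"
    host: str
    parent: str = ""     # parent image (process events only)
    image: str = ""      # image for process events; writer for file/registry events
    cmdline: str = ""    # command line (process events only)
    path: str = ""       # file path or registry path (file/registry events only)


def parse_line(line: str) -> Optional[Event]:
    """Parse one pipe-delimited event line; return None for malformed lines."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) < 4:
        return None
    kind, host = parts[0], parts[1]
    if kind == "process" and len(parts) == 5:
        return Event(kind, host, parent=parts[2], image=parts[3], cmdline=parts[4])
    if kind in ("file", "registry") and len(parts) == 4:
        return Event(kind, host, image=parts[2], path=parts[3])
    return None


WEB_SHELL_RE = re.compile(r"(^|[\\/])spinstall0\.aspx$", re.IGNORECASE)
DEFENDER_KEY_RE = re.compile(r"\\Policies\\Microsoft\\Windows Defender(\\|$)", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe"}


def rule_webshell_drop(e: Event) -> bool:
    """SharePoint worker process writes the named web shell file."""
    return e.kind == "file" and e.image.lower() == "w3wp.exe" and bool(WEB_SHELL_RE.search(e.path))


def rule_worker_spawns_shell(e: Event) -> bool:
    """A command shell is a direct child of the SharePoint worker process."""
    return e.kind == "process" and e.parent.lower() == "w3wp.exe" and e.image.lower() in SHELLS


def rule_defender_tamper(e: Event) -> bool:
    """services.exe modifies Defender policy keys (used here to disable protections)."""
    return e.kind == "registry" and e.image.lower() == "services.exe" and bool(DEFENDER_KEY_RE.search(e.path))


RULES = {
    "webshell_drop": rule_webshell_drop,
    "worker_spawns_shell": rule_worker_spawns_shell,
    "defender_tamper": rule_defender_tamper,
}


def detect(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (rule name, host, evidence) for every event that matches a rule."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        for name, rule in RULES.items():
            if rule(event):
                hits.append((name, event.host, event.path or event.cmdline))
    return hits


def correlate(hits: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count distinct chain stages observed per host; more stages means higher confidence."""
    stages: Dict[str, set] = {}
    for name, host, _ in hits:
        stages.setdefault(host, set()).add(name)
    return {host: len(names) for host, names in stages.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for rule_name, host, evidence in found:
        print(f"{host}: {rule_name}: {evidence}")
    print("stages per host:", correlate(found))
```

On the constructed sample, only host SP01 fires, and it fires on all three stages; the cmd.exe launched from explorer.exe and the ordinary .aspx file on SP02 are ignored. In practice the first two rules map to process- and file-creation events from an EDR or Sysmon feed, and correlating stages per host is what separates a benign shell child of w3wp.exe from the full chain described in the article.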
The threat actors also modify Group Policy Objects (GPOs) to spread the Warlock ransomware throughout compromised environments. Microsoft noted that Storm-2603 has previously deployed both Warlock and LockBit ransomware in similar financially motivated attacks.
Microsoft urges all SharePoint users to apply the latest security updates, enable the Antimalware Scan Interface (AMSI), rotate ASP.NET machine keys, and restart IIS servers. For organizations where AMSI cannot be enabled, restarting IIS after patching remains critical. Deploying endpoint protection and implementing a solid incident response plan are also strongly advised.