Storm-2603 uses outdated SharePoint servers as the entry point to deploy ransomware

Microsoft's threat intelligence team has detailed a sophisticated intrusion campaign linked to the ransomware group, tracked as Storm-2603, which targeted on-premises SharePoint servers throughout mid-2025.

The attackers exploited known SharePoint vulnerabilities (CVE-2025-49706 and CVE-2025-49704) and conducted reconnaissance for additional access paths. The security team observed requests for sensitive files such as win.ini and web.config, activity commonly associated with testing for local file inclusion vulnerabilities. It appears that the threat actor did not exploit the files.
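The reconnaissance described above leaves a recognisable trace in web server logs. As an added example (not code from the Microsoft report), the Python below scans IIS W3C Extended log lines for requests whose path or query string references win.ini or web.config, or carries a directory-traversal sequence, and totals the hits per client address. The log lines, field layout, host names, IP addresses and URIs are constructed samples, not telemetry from the incident.

```python
"""Flag local-file probing (win.ini, web.config, ../ traversal) in IIS logs.

Added example, not part of the Microsoft report. SAMPLE_LOG is a constructed
IIS W3C Extended log; the #Fields line uses the common default field order.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log (not real telemetry). Two requests from 203.0.113.7
# probe for win.ini and web.config; the others are ordinary SharePoint traffic.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 10:01:02 10.0.0.5 GET /sites/finance/Shared%20Documents/report.docx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 - 200 0 0 120
2025-07-18 10:01:09 10.0.0.5 GET /_layouts/15/page.aspx path=..%2F..%2F..%2Fwindows%2Fwin.ini 443 - 203.0.113.7 python-requests/2.31 - 404 0 2 8
2025-07-18 10:01:11 10.0.0.5 GET /_layouts/15/page.aspx file=../web.config 443 - 203.0.113.7 python-requests/2.31 - 500 0 0 15
2025-07-18 10:02:30 10.0.0.5 POST /_vti_bin/client.svc - 443 CORP\\bob 10.0.1.21 Mozilla/5.0 - 200 0 0 45
"""

# File names whose appearance in a request path or query is suspicious on a
# SharePoint front end, plus a pattern for ../ and ..\ traversal sequences.
SENSITIVE_FILES = ("win.ini", "web.config")
TRAVERSAL = re.compile(r"\.\.[/\\]")


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def is_file_probe(entry):
    """True if the request targets a sensitive file or uses path traversal.

    The URI is percent-decoded first so encoded traversal (..%2F) is caught.
    """
    target = unquote(entry["cs-uri-stem"] + "?" + entry["cs-uri-query"]).lower()
    if any(name in target for name in SENSITIVE_FILES):
        return True
    return TRAVERSAL.search(target) is not None


def find_probes(text):
    """Return the log entries that look like local-file probing."""
    return [entry for entry in parse_w3c(text) if is_file_probe(entry)]


def probes_by_client(text):
    """Count flagged requests per client IP, which is what an analyst pivots on."""
    return dict(Counter(entry["c-ip"] for entry in find_probes(text)))


if __name__ == "__main__":
    # A 404 or 500 means the probe failed, which matches the report's note that
    # the files were not actually exploited; the attempt is still worth alerting on.
    for entry in find_probes(SAMPLE_LOG):
        print(entry["c-ip"], entry["cs-uri-stem"], entry["cs-uri-query"], entry["sc-status"])
    print(probes_by_client(SAMPLE_LOG))
```

The status code is deliberately not used as a filter: a failed probe still shows an unauthenticated client enumerating the server, and in this campaign it preceded exploitation of the SharePoint CVEs. Tune SENSITIVE_FILES to the platform (other configuration files will matter on non-IIS hosts).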

After gaining access, Storm-2603 focused on establishing persistence and maintaining control of compromised environments. The group deployed the Velociraptor digital forensics and incident response tool with SYSTEM-level privileges to collect information and map the network. The attackers used Cloudflare Tunnel, Zoho Assist, and SSH connections configured through Visual Studio Code to maintain remote access.

The attackers also escalated privileges by creating new local and domain administrator accounts. To evade detection, they loaded a vulnerable driver named NSecKrnl.sys, which was used to manipulate memory and disable security protections on affected systems.

Forensic evidence also revealed lateral movement into a second organization. The team contacted the affected company and confirmed it had been compromised by the same Storm-2603 ransomware activity.

During the response effort, researchers discovered evidence of a second, unrelated threat actor operating within the environment. The team identified malicious DLL sideloading activity and custom backdoors that did not match Storm-2603's known tactics, techniques, and procedures (TTPs). Microsoft later confirmed that the activities originated from a separate actor conducting parallel operations.

Researchers noted that the combination of ransomware-related activity, legitimate administrative tools, multiple persistence mechanisms, and hidden backdoors allowed the threat actors to establish deep and long-lasting access.

“What may appear to be a single ransomware incident can quickly expand into something more complex, spanning organizations, blending tactics, and even involving multiple threat actors operating in parallel. For security teams, the implication is clear: isolated signals rarely tell the full story,” Microsoft noted.
