VYPR research · Published Jun 22, 2026 · 1 source

Microsoft DART Uncovers Two Unrelated Threat Actors Operating Simultaneously in Same Network

Microsoft's DART investigation of a single intrusion revealed two unrelated threat actors—Storm-2603 and an unnamed second actor—operating in parallel within the same environment, complicating detection and attribution.

Microsoft's Detection and Response Team (DART) has published a detailed account of a multi-stage intrusion that turned out to be far more complex than a typical ransomware investigation. In what the company describes as its ninth cyberattack series report, DART investigators discovered that two completely unrelated threat actors were operating simultaneously within the same compromised network—each masking the other's activity and making detection significantly more difficult.

The primary actor, tracked as Storm-2603, had been targeting on-premises SharePoint servers since mid-2025. The group exploited known vulnerabilities while also probing for additional entry points through reconnaissance activity, including requests for sensitive configuration files such as win.ini and web.config—indicators of local file inclusion probing. Once inside, Storm-2603 deployed the legitimate forensic tool Velociraptor with SYSTEM-level privileges to map the environment, then established multiple remote access channels using Cloudflare tunneling, Zoho Assist, and SSH connections configured through Visual Studio Code.
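The reconnaissance described above leaves a recognisable trace in web server access logs: requests whose path or query targets win.ini or web.config, often wrapped in directory-traversal sequences. The following detector is an added example, not code from the DART report or from Microsoft; it runs over constructed combined-log-format lines, decodes URL encoding (twice, to catch double-encoded traversal), tags each request with the indicators it carries, and separates one-off noise from sources that probe repeatedly. The `download.aspx?file=` paths and client addresses in the sample log are invented for the example, and the traversal patterns are a common generalisation that the report itself does not enumerate.

```python
import re
from urllib.parse import unquote

# File names the DART write-up lists as LFI reconnaissance indicators.
SENSITIVE_FILES = ("win.ini", "web.config")
# Traversal sequences: an assumed generalisation, not taken from the report.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\)")

# Combined log format: host ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines for the example (addresses from RFC 5737 ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2025:08:01:12 +0000] "GET /sites/hr/Pages/Home.aspx HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jul/2025:08:01:15 +0000] "GET /sites/hr/download.aspx?file=..%2F..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 404 312',
    '203.0.113.7 - - [10/Jul/2025:08:01:19 +0000] "GET /sites/hr/download.aspx?file=..%2F..%2Fweb.config HTTP/1.1" 404 312',
    '198.51.100.23 - - [10/Jul/2025:08:02:01 +0000] "GET /sites/hr/Shared%20Documents/report.docx HTTP/1.1" 200 88211',
    '198.51.100.23 - - [10/Jul/2025:08:02:40 +0000] "GET /sites/hr/download.aspx?file=%252e%252e%252fweb.config HTTP/1.1" 200 1933',
]


def classify_request(path):
    """Return the indicator tags for one request path (empty list if clean)."""
    decoded = unquote(unquote(path))  # second pass catches %252e-style double encoding
    lowered = decoded.lower()
    tags = [f"sensitive-file:{name}" for name in SENSITIVE_FILES if name in lowered]
    if TRAVERSAL.search(decoded):
        tags.append("path-traversal")
    return tags


def parse_line(line):
    """Parse one combined-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_lfi_probes(lines):
    """All requests carrying LFI indicators as (src, time, path, status, tags)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify_request(rec["path"])
        if tags:
            hits.append((rec["src"], rec["time"], rec["path"], int(rec["status"]), tags))
    return hits


def probing_sources(lines, min_hits=2):
    """Sources with at least min_hits indicator requests; repeated probing is the signal."""
    counts = {}
    for src, *_ in find_lfi_probes(lines):
        counts[src] = counts.get(src, 0) + 1
    return {src: n for src, n in counts.items() if n >= min_hits}


def successful_disclosures(lines):
    """Indicator requests that the server answered with a non-error status.

    A 200 on a request for web.config deserves immediate triage: it suggests the
    probe found a working read, not just an attempt."""
    return [h for h in find_lfi_probes(lines) if h[3] < 400]


if __name__ == "__main__":
    for hit in find_lfi_probes(SAMPLE_LOG):
        print(hit)
    print("repeat probers:", probing_sources(SAMPLE_LOG))
    print("possible disclosures:", successful_disclosures(SAMPLE_LOG))
```

On the sample log the detector reports three indicator requests, identifies 203.0.113.7 as a repeat prober, and singles out the one web.config request that returned 200. In practice the `successful_disclosures` list is the one to page on, while `probing_sources` feeds blocking and hunting; both should be run against the SharePoint front-end logs rather than only a perimeter proxy, since the report notes these probes arrived alongside exploitation of the servers themselves.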

Privilege escalation followed, with the creation of new local and domain administrator accounts to maintain persistent access. The threat actor employed defense evasion techniques, including the use of a vulnerable driver to tamper with memory and disable security protections. These measures helped Storm-2603 blend malicious activity with trusted administrative behavior, reducing visibility for defenders.

As DART correlated telemetry across identities, endpoints, and cloud resources, investigators uncovered signs of a second, unrelated threat actor operating in parallel. This second actor employed malicious DLL sideloading and custom backdoors—techniques not associated with Storm-2603. The overlapping activity streams introduced an additional layer of complexity, obscuring attribution and complicating detection. Together, the two actors enabled sustained access while masking the full scope of the intrusion.

Microsoft responded by activating a structured incident response playbook focused on limiting threat actor impact and restoring control. By correlating telemetry across identities, endpoints, and cloud resources, responders established a unified view of the intrusion, enabling them to detect abnormal behavior, uncover credential misuse, and track threat actor activity as it evolved. Continuous coordination with the customer, including daily briefings, ensured containment actions were timely and effective.
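The unified view described above comes from joining events that individually look benign: an account creation in directory telemetry, a forensic or tunnelling tool launched on an endpoint, a cloud sign-in. The script below is an added example, not Microsoft's playbook or DART tooling; it builds one chronological timeline from constructed identity, endpoint and cloud events and flags every newly created account that was placed in a privileged group and then, within a time window, launched a watched tool or signed in to a cloud resource. The event schema, host names, account names and the process image names (`velociraptor.exe`, `cloudflared.exe`, `code.exe`) are assumptions for the example; the report names the tools but not how their telemetry is shaped.

```python
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Process images to watch. Binary names are assumed for the example; the report
# names the tools (Velociraptor, Cloudflare tunnelling, VS Code SSH) but not the files.
WATCHED_IMAGES = {
    "velociraptor.exe": "Velociraptor launched outside an IR engagement",
    "cloudflared.exe": "Cloudflare tunnel client",
    "code.exe": "Visual Studio Code (check for remote/tunnel use)",
}

# Constructed events from three sources, deliberately out of order to show the merge.
EVENTS = [
    {"ts": "2025-07-10T10:02:11Z", "source": "endpoint", "host": "SP-WEB01", "actor": "helpdesk2",
     "action": "process_start", "image": "cloudflared.exe", "cmdline": "cloudflared tunnel run"},
    {"ts": "2025-07-10T09:14:02Z", "source": "identity", "host": "DC01", "actor": "svc_backup",
     "action": "account_created", "target": "helpdesk2"},
    {"ts": "2025-07-10T11:45:00Z", "source": "endpoint", "host": "FS02", "actor": "j.doe",
     "action": "process_start", "image": "code.exe", "cmdline": "code ."},
    {"ts": "2025-07-10T09:14:40Z", "source": "identity", "host": "DC01", "actor": "svc_backup",
     "action": "group_added", "target": "helpdesk2", "group": "Domain Admins"},
    {"ts": "2025-07-10T09:31:05Z", "source": "endpoint", "host": "SP-WEB01", "actor": "helpdesk2",
     "action": "process_start", "image": "Velociraptor.exe", "cmdline": "velociraptor.exe gui"},
    {"ts": "2025-07-11T08:00:00Z", "source": "cloud", "host": "-", "actor": "helpdesk2",
     "action": "signin", "ip": "203.0.113.7"},
]


def parse_ts(value):
    """Timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def build_timeline(events):
    """One chronological view across identity, endpoint and cloud sources."""
    return sorted(events, key=lambda e: parse_ts(e["ts"]))


def new_privileged_accounts(events):
    """Accounts that were created and also added to a privileged group.

    Returns account -> creation time. A creation without promotion, or a promotion
    of a long-standing account, is left for other rules."""
    created = {e["target"]: parse_ts(e["ts"]) for e in events if e["action"] == "account_created"}
    promoted = {e["target"] for e in events
                if e["action"] == "group_added" and e.get("group") in PRIVILEGED_GROUPS}
    return {acct: ts for acct, ts in created.items() if acct in promoted}


def correlate(events, window_hours=24):
    """For each new privileged account, list watched-tool launches and cloud sign-ins
    it performed within window_hours of its creation, as (ts, where, description)."""
    window = timedelta(hours=window_hours)
    findings = {}
    for acct, created_at in new_privileged_accounts(events).items():
        trail = []
        for e in build_timeline(events):
            if e.get("actor") != acct:
                continue
            ts = parse_ts(e["ts"])
            if not created_at <= ts <= created_at + window:
                continue
            if e["action"] == "process_start" and e["image"].lower() in WATCHED_IMAGES:
                trail.append((e["ts"], e["host"], WATCHED_IMAGES[e["image"].lower()]))
            elif e["action"] == "signin":
                trail.append((e["ts"], e.get("ip", "?"), "cloud sign-in by newly created admin"))
        if trail:
            findings[acct] = trail
    return findings


if __name__ == "__main__":
    for acct, trail in correlate(EVENTS).items():
        print(acct)
        for step in trail:
            print("  ", *step)
```

Run on the sample data, the only finding is `helpdesk2`: created and promoted by `svc_backup`, then used to start Velociraptor and a Cloudflare tunnel on the SharePoint host and to sign in to the cloud tenant the next morning. `j.doe` running VS Code is not reported, which is the point of anchoring on the identity event rather than on the tool alone: the same binaries are legitimate in the hands of administrators, so the detection keys on who launched them and how recently that principal came into existence.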

Collaboration with Microsoft Threat Intelligence provided critical context that reshaped the investigation. By connecting incident data with broader intelligence, DART identified the two distinct threat actors operating simultaneously within the same environment. Beyond containment, the team delivered targeted guidance to strengthen the organization's security posture, helping close visibility gaps and improve resilience against future identity compromise and ransomware-driven attacks.

This case underscores the importance of closing common gaps across exposure, identity, and visibility. Organizations should prioritize rigorous patching and vulnerability management—especially for internet-facing systems—to reduce the risk of initial access. At the same time, strengthening identity security is critical to limiting threat actor escalation and persistence. Microsoft recommends establishing broad, continuous visibility through endpoint protection and centralized telemetry, monitoring and restricting trusted tools that threat actors may exploit, and maintaining tested incident response playbooks to reduce dwell time.

Synthesized by Vypr AI