VYPR
breach · Published Jun 24, 2026 · 1 source

Storm-2603 Exploits Unpatched SharePoint Servers in Multi-Actor Ransomware and Backdoor Campaign

Microsoft DART reveals that threat actor Storm-2603 is exploiting unpatched on-premises SharePoint servers to deploy ransomware and custom backdoors, with a second unknown actor simultaneously exfiltrating Active Directory credentials.

Unpatched on-premises SharePoint servers have become a prime target for sophisticated threat actors using known security flaws to break in, plant ransomware, and leave behind hidden backdoors. These are not opportunistic smash-and-grab operations. They are calculated, multi-stage campaigns designed to stay inside a network for as long as possible, often without raising any alarms.

The threat group behind the primary wave of attacks, tracked as Storm-2603, has been actively targeting vulnerable SharePoint servers since at least mid-2025. The group exploited publicly disclosed vulnerabilities, including CVE-2025-49706 and CVE-2025-49704, to gain an initial foothold. Investigators also found evidence of probing activity tied to CVE-2025-11371, an unauthenticated local file inclusion flaw that allowed attackers to access sensitive system files and dig deeper into the victim's environment.

Analysts from Microsoft's Detection and Response Team (DART) identified the full scope of these attacks after a detailed investigation. According to a Microsoft report shared with Cyber Security News, the incident revealed a level of complexity well beyond a standard ransomware deployment, with two distinct threat actors operating inside the same environment at the exact same time. What made this case especially difficult to unravel was that both actors were working in parallel, not sequentially. Each group's activity was effectively masking the other's, making it extremely hard for defenders to see the full picture.

Once inside the network, Storm-2603 wasted no time setting up for a long-term stay. The group deployed Velociraptor, a legitimate forensic tool, running it with the highest system privileges to map the environment and collect data. They then built out multiple remote access channels using Cloudflare tunnels, Zoho Assist for remote management, and Visual Studio Code to create SSH-based command-and-control connections. To ensure they could not be easily removed, the attackers created new local and domain administrator accounts, giving themselves permanent access to the network. They also loaded a vulnerable driver called NSecKrnl.sys to gain deep kernel-level access, allowing them to tamper with system memory and disable endpoint protection tools. This method, known as Bring Your Own Vulnerable Driver (BYOVD), is a favored technique for switching off security software without triggering obvious alerts.

A second, unknown threat actor was also present, identified through malicious DLL sideloading and custom backdoors that did not match Storm-2603's known methods. This actor exfiltrated the NTDS.dit file, which stores all Active Directory credentials, by packaging it into an archive named NTDS.zip on two separate devices. Lateral movement between devices was then carried out over WinRM, a legitimate Windows remote management protocol.
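The behaviours described in the two paragraphs above (a vulnerable driver loaded for BYOVD, freshly created accounts dropped into an administrators group, an NTDS.zip archive appearing on disk, and WinRM fan-out between hosts) are all things a defender can write detection logic for. The following is an added example, not Microsoft's, DART's or Vypr's code: a small stateful detector run over a handful of constructed, Sysmon-style event records. The event field names (`event`, `host`, `image`, `group_sid`, `dst_port`, and so on) are assumptions standing in for whatever a real log pipeline emits; the driver name NSecKrnl.sys and the NTDS.zip archive name come from the report, while the well-known Administrators SID and the Domain Admins RID are standard Windows values.

```python
"""Toy detection pass over constructed Windows/Sysmon-style events.

Added example for illustration; not code from the report or any vendor.
The records in SAMPLE_EVENTS are constructed, and the field names are
assumptions modelled loosely on Sysmon/Security-log fields.
"""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import asdict, dataclass

# Indicator named in the report: the vulnerable driver abused for BYOVD.
VULNERABLE_DRIVERS = {"nseckrnl.sys"}
# Archive name the second actor used when staging NTDS.dit.
SUSPICIOUS_ARCHIVES = {"ntds.zip"}
# Well-known SID of the local Administrators group and the RID of Domain Admins.
LOCAL_ADMINS_SID = "S-1-5-32-544"
DOMAIN_ADMINS_RID = "-512"
WINRM_PORTS = {5985, 5986}
# Heuristic (assumption): one host reaching this many distinct peers over WinRM.
WINRM_FANOUT_THRESHOLD = 2


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


class Detector:
    """Keeps just enough state to correlate events across a stream."""

    def __init__(self) -> None:
        self.created_accounts: set[tuple[str, str]] = set()      # (host, account)
        self.winrm_targets: dict[str, set[str]] = defaultdict(set)  # src -> {dst}
        self.findings: list[Finding] = []

    def _add(self, rule: str, host: str, detail: str) -> None:
        self.findings.append(Finding(rule, host, detail))

    def feed(self, ev: dict) -> None:
        kind = ev.get("event")
        host = ev.get("host", "?")
        if kind == "driver_loaded":
            name = _basename(ev["image"])
            if name in VULNERABLE_DRIVERS:
                self._add("byovd_driver_load", host, f"{name} loaded from {ev['image']}")
        elif kind == "account_created":
            # Remember new accounts so a later group change can be correlated.
            self.created_accounts.add((host, ev["account"].lower()))
        elif kind == "group_member_added":
            sid = ev["group_sid"]
            is_admin_group = sid == LOCAL_ADMINS_SID or sid.endswith(DOMAIN_ADMINS_RID)
            if is_admin_group and (host, ev["member"].lower()) in self.created_accounts:
                self._add("new_account_to_admins", host,
                          f"{ev['member']} created, then added to group {sid}")
        elif kind == "file_created":
            if _basename(ev["path"]) in SUSPICIOUS_ARCHIVES:
                self._add("ntds_archive_staged", host, ev["path"])
        elif kind == "network_connect":
            if ev["dst_port"] in WINRM_PORTS and ev["dst_host"] != host:
                targets = self.winrm_targets[host]
                targets.add(ev["dst_host"])
                if len(targets) == WINRM_FANOUT_THRESHOLD:   # fire once, at the threshold
                    self._add("winrm_fanout", host, f"WinRM to {sorted(targets)}")


# Constructed sample stream: hostnames, paths and account names are made up.
SAMPLE_EVENTS = [
    {"event": "driver_loaded", "host": "SP01", "image": "C:\\Windows\\Temp\\NSecKrnl.sys"},
    {"event": "account_created", "host": "SP01", "account": "svc_backup"},
    {"event": "group_member_added", "host": "SP01", "member": "svc_backup", "group_sid": "S-1-5-32-544"},
    {"event": "file_created", "host": "DC01", "path": "C:\\Windows\\Temp\\NTDS.zip"},
    {"event": "network_connect", "host": "SP01", "dst_host": "DC01", "dst_port": 5985},
    {"event": "network_connect", "host": "SP01", "dst_host": "FS01", "dst_port": 5985},
    {"event": "file_created", "host": "SP01", "path": "C:\\Users\\Public\\report.docx"},      # benign
    {"event": "group_member_added", "host": "FS01", "member": "helpdesk", "group_sid": "S-1-5-32-544"},  # pre-existing account
]


def run(events: list[dict] = SAMPLE_EVENTS) -> list[Finding]:
    """Feed every event through one Detector and return its findings in order."""
    det = Detector()
    for ev in events:
        det.feed(ev)
    return det.findings


if __name__ == "__main__":
    for finding in run():
        print(json.dumps(asdict(finding)))
```

The account rule deliberately needs both the creation and the group change on the same host, so the long-standing `helpdesk` member on FS01 is not flagged; in a real pipeline the same correlation would key on the account SID rather than its name, and the WinRM threshold would be tuned against a baseline of which hosts legitimately manage which.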

DART moved quickly once the investigation began, running daily briefings with the affected customer to share findings, flag new risks, and coordinate containment steps. By combining telemetry from multiple security platforms with dedicated investigative tools, the team tracked attacker behavior across the entire environment and identified both parallel intrusion streams before further damage could spread.

The response also came with clear guidance for organizations looking to strengthen their defenses. Patching internet-facing systems, especially SharePoint servers, should be treated as an immediate priority. Beyond patching, organizations are advised to treat high-privilege accounts as a prime attack surface, enforce tight identity controls, and monitor closely for unusual sign-in activity. Deploying endpoint protection across all devices, retaining telemetry in a central location, and auditing remote access tools regularly are also essential steps. Incident response plans should be developed and fully tested before an attack unfolds, not scrambled together in the middle of one.

Synthesized by Vypr AI