Dual Threat Actors Exploit Hybrid Environments in Complex Cyber Intrusion
Microsoft’s Detection and Response Team (DART) uncovered a sophisticated cyber intrusion involving two unrelated threat actors operating simultaneously within the same environment, blending tactics to evade detection and maintain persistent access.
The investigation began as a routine ransomware case but revealed a multi-stage attack by Storm-2603, which targeted on-premises SharePoint servers starting in mid-2025. The threat actor exploited known vulnerabilities while conducting reconnaissance, probing for local file inclusion weaknesses via requests for sensitive configuration files like win.ini and web.config. Though initial exploitation was unconfirmed, the activity suggested a deliberate effort to identify entry points.
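A detection check of the kind a defender could run over IIS web logs for the probing described above (an added example, not code from Microsoft's report; the W3C log lines below are constructed for illustration and the field layout is an assumption):

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C extended log lines for illustration; not taken from the report.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-18 03:12:41 10.0.0.5 GET /_layouts/15/start.aspx - 203.0.113.7 200
2025-07-18 03:12:43 10.0.0.5 GET /_layouts/15/ToolPane.aspx ..%2f..%2f..%2fwindows%2fwin.ini 203.0.113.7 404
2025-07-18 03:12:44 10.0.0.5 GET /_layouts/15/download.aspx file=..\\..\\web.config 203.0.113.7 500
2025-07-18 03:13:01 10.0.0.5 GET /sites/hr/Shared%20Documents/policy.docx - 198.51.100.9 200
"""

# Files the report names as reconnaissance targets, plus generic traversal markers.
SENSITIVE_FILES = ("win.ini", "web.config")
TRAVERSAL = re.compile(r"(\.\./|\.\.\\)")


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than mis-assign columns
        yield dict(zip(fields, parts))


def flag_lfi_probes(text):
    """Return (client_ip, decoded_request, reason) for requests that reference
    sensitive files or contain traversal sequences. Decodes twice so that
    double-encoded traversal (%252e%252e) is also caught."""
    findings = []
    for rec in parse_w3c(text):
        raw = rec["cs-uri-stem"] + " " + rec["cs-uri-query"]
        decoded = unquote(unquote(raw)).lower()
        reasons = []
        if TRAVERSAL.search(decoded):
            reasons.append("path traversal")
        hits = [f for f in SENSITIVE_FILES if f in decoded]
        if hits:
            reasons.append("sensitive file: " + ", ".join(hits))
        if reasons:
            findings.append((rec["c-ip"], decoded.strip(), "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for ip, request, reason in flag_lfi_probes(SAMPLE_LOG):
        print(ip, request, reason, sep=" | ")
```

Hits on the same client IP within a short window, as in the constructed sample, are the signal to pivot into SharePoint and endpoint telemetry for the follow-on persistence described in the report.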
Once inside, Storm-2603 established persistence using legitimate tools, including Velociraptor (a forensic tool) running with SYSTEM-level privileges, to map the environment. Remote access was secured through Cloudflare tunneling, Zoho Assist, and SSH connections via Visual Studio Code. The actor escalated privileges by creating new local and domain administrator accounts and employed defense evasion techniques such as exploiting a vulnerable driver to disable security protections, reducing defenders' visibility.
As DART analyzed the intrusion, they discovered a second, unrelated threat actor operating in parallel. This actor used DLL sideloading and custom backdoors, techniques not linked to Storm-2603, further complicating detection and attribution. The overlapping activity streams allowed both actors to sustain access while masking the full scope of the breach.
Microsoft’s response involved a structured containment strategy, correlating telemetry across identities, endpoints, and cloud resources to detect abnormal behavior and track evolving threats. Daily coordination with the affected organization ensured timely containment, while collaboration with Microsoft Threat Intelligence confirmed the presence of two distinct actors. The investigation highlighted critical gaps in exposure management, identity security, and visibility, emphasizing the need for robust patching, tool oversight, and rapid incident response capabilities.
The incident underscores the growing complexity of modern cyberattacks, where multiple threat actors may operate undetected in hybrid environments, challenging traditional detection and response frameworks.
Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-security-response-center
{
  "id": "mic1782204242",
  "linkid": "microsoft-security-response-center",
  "type": "Ransomware",
  "date": "6/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [{"type": "organization"}],
  "attack_vector": [
    "exploitation of known vulnerabilities",
    "local file inclusion",
    "DLL sideloading",
    "custom backdoors"
  ],
  "data_breach": {"file_types_exposed": ["win.ini", "web.config"]},
  "description": "Microsoft’s Detection and Response Team (DART) uncovered a sophisticated cyber intrusion involving two unrelated threat actors operating simultaneously within the same environment, blending tactics to evade detection and maintain persistent access. The investigation began as a routine ransomware case but revealed a multi-stage attack by Storm-2603, which targeted on-premises SharePoint servers starting in mid-2025. The threat actor exploited known vulnerabilities while conducting reconnaissance, probing for local file inclusion weaknesses via requests for sensitive configuration files like win.ini and web.config. Once inside, Storm-2603 established persistence using legitimate tools, including Velociraptor (a forensic tool) with SYSTEM-level privileges, to map the environment. Remote access was secured through Cloudflare tunneling, Zoho Assist, and SSH connections via Visual Studio Code. The actor escalated privileges by creating new local and domain administrator accounts and employed defense evasion techniques such as exploiting a vulnerable driver to disable security protections. A second, unrelated threat actor was discovered operating in parallel, using DLL sideloading and custom backdoors. The overlapping activity streams allowed both actors to sustain access while masking the full scope of the breach.",
  "impact": {"systems_affected": ["on-premises SharePoint servers"]},
  "initial_access_broker": {
    "backdoors_established": [
      "Cloudflare tunneling",
      "Zoho Assist",
      "SSH connections via Visual Studio Code"
    ]
  },
  "investigation_status": "completed",
  "lessons_learned": "The incident highlighted critical gaps in exposure management, identity security, and visibility, emphasizing the need for robust patching, tool oversight, and rapid incident response capabilities.",
  "post_incident_analysis": {
    "corrective_actions": [
      "enhanced monitoring",
      "structured containment strategy",
      "collaboration with threat intelligence"
    ],
    "root_causes": [
      "exploitation of known vulnerabilities",
      "lack of robust patching",
      "gaps in exposure management and identity security"
    ]
  },
  "references": [{"source": "Microsoft Detection and Response Team (DART)"}],
  "response": {
    "containment_measures": "structured containment strategy, correlating telemetry across identities, endpoints, and cloud resources",
    "enhanced_monitoring": true,
    "incident_response_plan_activated": true,
    "third_party_assistance": "Microsoft Threat Intelligence"
  },
  "threat_actor": ["Storm-2603", "unidentified second threat actor"],
  "title": "Dual Threat Actors Exploit Hybrid Environments in Complex Cyber Intrusion",
  "type": ["ransomware", "cyber intrusion", "privilege escalation", "defense evasion"],
  "vulnerability_exploited": ["SharePoint server vulnerabilities", "vulnerable driver"]
}