China-Backed Storm-2603 Deploys Warlock Ransomware in Widespread SharePoint Attacks
On July 23, Microsoft reported that the China-linked threat group Storm-2603 exploited on-premises SharePoint servers to deploy Warlock ransomware, a ransomware-as-a-service (RaaS) operation that emerged in early 2024. The attacks, part of at least four confirmed waves between July 17 and July 21, compromised over 400 organizations, including critical U.S. government agencies such as the National Nuclear Security Administration (NNSA), the U.S. Education Department, the Florida Department of Revenue, and the Rhode Island General Assembly.
Warlock, also known as the Warlock Dark Army, has targeted multiple sectors, including government, finance, manufacturing, and education, with at least 11 confirmed victims and more expected. Among the affected entities are Astronika (a Polish space tech firm), Nippon Life India Asset Management (whose app and website were shut down in April 2025), Unilever (though the company has not confirmed the breach), and Carducci, a U.S.-based firm hit in June 2025. As of July 23, it remains unclear whether Storm-2603 has issued ransom demands or what financial impact the attacks may have.
The campaign leverages two newly disclosed zero-day vulnerabilities, CVE-2025-53770 (CVSS 9.8, remote code execution) and CVE-2025-53771 (CVSS 6.3, server spoofing), which are evolved variants of the original "ToolShell" attack chain (CVE-2025-49704 and CVE-2025-49706). These flaws bypass Microsoft's July 2025 patches for the initial vulnerabilities, allowing unauthenticated attackers to execute arbitrary code, access SharePoint content, and compromise file systems.
Microsoft's Security Response Center (MSRC) addressed the new vulnerabilities on July 19, urging organizations to apply both updates. Security researchers, including Frankie Sclafani of Deepwatch, confirmed that the ToolShell attack chain remains active, with threat actors rapidly adapting to exploit the latest variants. When chained together, these vulnerabilities enable remote code execution and full network access, posing a severe risk to unpatched systems.