Introduction
The group Microsoft tracks as Storm-2603 is assessed with medium confidence to be a China-based threat actor. Microsoft has not identified links between Storm-2603 and other known Chinese threat actors. Microsoft tracks this threat actor in association with attempts to steal MachineKeys via the on-premises SharePoint vulnerabilities. Although Microsoft has observed this threat actor deploying Warlock and Lockbit ransomware in the past, Microsoft is currently unable to confidently assess the threat actorβs objectives. Additional actors may use these exploits to target unpatched on-premises SharePoint systems, further emphasizing the need for organizations to implement mitigations and security updates immediately.
Activities and Tactics
Country of Origin: π¨π³ China
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Ransomware Vulnerability Matrix observations
| Category | Vendor | Product | CVEs |
|---|---|---|---|
| Microsoft Products | MS Server Products | SharePoint Server | CVE-2025-49704, CVE-2025-49706 |
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- China Chopper
- Xploit
Attribution and Evidence
Country of Origin: China Additional attribution information pending cataloguing.
References
References pending cataloguing.