Microsoft Reveals Chinese State Hackers Exploiting SharePoint Flaws

Microsoft’s critical new update reveals that specific Chinese nation-state threat groups are actively exploiting vulnerabilities in its on-premises SharePoint servers. Following an earlier report from Hackread.com, which highlighted the compromise of over 100 organisations globally, Microsoft has now identified the key players behind the intrusions and released comprehensive security updates for all affected SharePoint versions.

The ongoing cyberattacks leverage two distinct zero-day flaws, CVE-2025-49706, a spoofing vulnerability that allows attackers to trick systems, and CVE-2025-49704, a remote code execution (RCE) vulnerability enabling them to run malicious code remotely. These flaws are related to the previously highlighted CVE-2025-53770 and CVE-2025-53771.

Microsoft is sharing details from ongoing investigations of threat actors exploiting vulnerabilities targeting on-premises SharePoint servers. Linen Typhoon, Violet Typhoon, and Storm-2603 have been observed exploiting the vulnerabilities: https://t.co/oQ2HDZZbJB

— Microsoft Threat Intelligence (@MsftSecIntel) July 22, 2025

****Named Threat Actors and Attack Tactics****

Microsoft’s Threat Intelligence unit confirms that Chinese nation-state actors Linen Typhoon, Violet Typhoon, and another China-based group tracked as Storm-2603, are exploiting these vulnerabilities. Observed attacks begin with threat actors conducting reconnaissance and sending crafted POST requests to the ToolPane endpoint on SharePoint servers.

These groups are known for espionage, intellectual property theft, and persistently targeting exposed web infrastructure. Attacks are widespread, with CrowdStrike observing hundreds of attempts across over 160 customer environments since July 18, 2025.

Linen Typhoon, active since 2012, focuses on stealing intellectual property from government, defence, and human rights sectors. Violet Typhoon, tracked since 2015, specialises in espionage against former military personnel, NGOs, and financial institutions, often by scanning for and exploiting vulnerabilities.

While Storm-2603 has previously deployed ransomware like Warlock and Lockbit, their current objectives with these SharePoint exploits are still being assessed. Here is a summary of these groups’ activities:

****1. Linen Typhoon****

• Chinese state-sponsored group
• Previously known as Hafnium
• Target focuses on the Government, defence, NGOs, and education
• Known for attacks on US critical infrastructure and academic institutions
• Notable activity includes Exploited Microsoft Exchange vulnerabilities (ProxyLogon)

****2. Violet Typhoon****

• Chinese threat actor
• Previously known as APT41 (also known as Barium or Winnti, depending on activity)
• Known for a mix of state-backed espionage and financially motivated attacks
• Target focuses on healthcare, telecom, software, and gaming industries
• Notable activity: includes supply chain compromises, backdoored software updates

****3. Storm-2603****

• Believed to be China-linked
• “Storm” is a temporary name Microsoft uses for emerging or unattributed groups
• Known for exploiting zero-day vulnerabilities in Microsoft products
• Target focus includes government and corporate systems
• Status is under investigation, but early indicators point toward Chinese origin

According to Microsoft’s investigation, attackers are deploying web shells, such as modified spinstall0.aspx files, to steal critical IIS Machine Keys, which can bypass authentication, and early exploitation attempts date back to July 7, 2025. As previously noted by Shadowserver Foundation, these persistent backdoors allow hackers to maintain access even after systems are updated.

****Urgent Fixes and Mitigation Steps****

On July 19, 2025, Microsoft Security Response Centre (MSRC) published security updates for all supported SharePoint Server versions (Subscription Edition, 2019, and 2016). This is a crucial development, as previously, updates for SharePoint 2016 were still pending. Microsoft urges immediate application of these updates.

Other than patching, Microsoft recommends enabling Anti-malware Scan Interface (AMSI) in Full Mode and deploying Microsoft Defender Antivirus or equivalent solutions on all SharePoint servers.