China-Backed Storm-2603 Deploys Warlock Ransomware in Widespread SharePoint Attacks On July 23, Microsoft reported that the China-linked threat group Storm-2603 exploited on-premises SharePoint servers using Warlock ransomware, a ransomware-as-a-service (RaaS) operation that emerged in early 2024. The attacks, part of at least four confirmed waves between July 17 and July 21, compromised over 400 organizations, including critical U.S. government agencies such as the National Nuclear Security Administration (NNSA), U.S. Education Department, Florida Department of Revenue, and Rhode Island General Assembly. Warlock, also known as the Warlock Dark Army, has targeted multiple sectors, including government, finance, manufacturing, and education, with at least 11 confirmed victims and more expected. Among the affected entities are Astronika (a Polish space tech firm), Nippon Life India Asset Management (whose app and website were shut down in April 2025), Unilever (though the company has not confirmed the breach), and Carducci, a U.S.-based firm hit in June 2025. As of July 23, it remains unclear whether Storm-2603 has issued ransom demands or what financial impact the attacks may have. The campaign leverages two newly disclosed zero-day vulnerabilities CVE-2025-53770 (CVSS 9.8, remote code execution) and CVE-2025-53771 (CVSS 6.3, server spoofing) which are evolved variants of the original "ToolShell" attack chain (CVE-2025-49704 and CVE-2025-49706). These flaws bypass Microsoft’s July 2025 patches for the initial vulnerabilities, allowing unauthenticated attackers to execute arbitrary code, access SharePoint content, and compromise file systems. Microsoft’s Security Response Center (MSRC) addressed the new vulnerabilities on July 19, urging organizations to apply both updates. Security researchers, including Frankie Sclafani of Deepwatch, confirmed that the ToolShell attack chain remains active, with threat actors rapidly adapting to exploit the latest variants. When chained together, these vulnerabilities enable full network access and remote code execution, posing a severe risk to unpatched systems.