On the main stage at the Pwn2Own hacking competition in Berlin this March, researchers demonstrated it was possible to remotely compromise sensitive information via Microsoft’s on-premise SharePoint software — the first glimpse that the world got of two dangerous software vulnerabilities threatening governments and enterprises around the globe. SharePoint is used by large organizations as a repository storing many kinds of confidential documents, from procurement data to internal memos and legal filings. It is also deeply integrated with Microsoft’s authentication services, meaning sufficiently skillful hackers could use a foothold there to burrow deeper into their victims’ networks.

The plan to prevent hackers from ransacking these organizations, as per the rules of Pwn2Own, was for Viettel Cyber Security researchers to privately disclose their findings to Microsoft before discussing them publicly. Microsoft’s engineers would then issue patches for the bugs and deprive malicious actors of a foothold for attacking the company’s customers. But instead, four months after the Pwn2Own demonstration, at least hundreds of Microsoft’s customers found their on-premise SharePoint servers being plundered in what researchers began to call the ToolShell campaign. Notably, it wasn’t just one group behind these cyberattacks but three distinct hacking organizations, all based in China, and all exploiting the same issues contemporaneously.

The incident has raised questions that researchers say need to be understood to defend against a growing threat posed by Beijing’s cyber apparatus. What does it mean that three separate China-linked groups all moved on the same SharePoint vulnerabilities at nearly the same time? Were the three threat clusters truly independent, how did they all obtain workable exploits so quickly, and what were their ultimate objectives? The answers remain unconfirmed — but some experts warn the emerging pattern is concerning.
On July 8, Microsoft issued patches for the flaws, formally acknowledged as CVE-2025-49704 and CVE-2025-49706. But less than two weeks later, the company made a rare and unusually urgent update about those patches. It warned that not only were hackers attempting to exploit on-premise SharePoint servers that hadn’t been patched, but that the company was issuing an additional fix. The hackers had found a way to bypass the first one.

Microsoft’s warning sent ripples of concern throughout the cybersecurity community. The first unusual observation from Microsoft was that the company said its telemetry suggested the SharePoint vulnerabilities were being exploited as early as July 7 — a day before the fixes were issued. And then the company named not one, but three separate hacking groups that it said had been attempting to use CVE-2025-49704 and CVE-2025-49706 since that date. The groups — which Microsoft referred to as Linen Typhoon, Violet Typhoon and Storm-2603 — represented the breadth of the Chinese hacking ecosystem, with ties to the People’s Liberation Army (PLA), Ministry of State Security and ransomware groups.

Additionally, Microsoft acknowledged two new vulnerabilities, CVE-2025-53770 and CVE-2025-53771, both of them developments on the previous flaws it had attempted to fix. It said that the hacking groups had already been using the bypass, suggesting the attackers had a surprisingly deep understanding of the flaw and were well-resourced enough to attempt to exploit it to its full potential.

The government and industry responses confirmed the hacking campaigns were having a large impact. A Dutch cybersecurity firm called Eye Security said hackers had successfully breached at least 400 governments and businesses around the world, while an official from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) told Recorded Future News federal and state agencies had been affected.
As Microsoft and government officials investigate the ToolShell campaign, a major question is how three different Chinese groups obtained working exploits so quickly. One theory involves Microsoft’s own efforts to keep customers safe. Before patching the flaws, the company quietly alerted a select group of partners through its Microsoft Active Protections Program (MAPP) to give defenders a heads-up and prepare their defences. Suspicions have turned towards the participation of Chinese companies in the program.

Under Chinese law, all organizations and individuals in the country have a legal duty to report new software vulnerabilities to the government — even before disclosing them to the vendor. Some of the MAPP participants in China are also partners of the China National Vulnerability Database (CNNVD), an apparatus operated by the MSS, which is considered to increase the risk of knowledge transfer to China’s intelligence services despite Microsoft’s non-disclosure agreements. Sveva Vittoria Scenarelli, a principal threat intelligence analyst at Recorded Future, said the “possibility of leaks from participating partners” was one area of scrutiny. No such transfer between a MAPP partner and the MSS has been publicly confirmed. Microsoft announced in August that, after reviewing the ToolShell campaign, it was going to be restricting access to MAPP for several Chinese organizations.

“China is pretty unique in the way it handles vulnerability disclosure,” said Scenarelli, noting that no other country “by law mandates any individual or company to report zero-days to the state first before reporting it even to the impacted vendor.” Beijing itself denies engaging in any offensive cyber operations. But even if external analysts believe the legal framework exists for vulnerabilities to be processed and distributed via the CNNVD, there are operational challenges around doing so and questions about the involvement of hacking groups linked to the PLA.
Rafe Pilling, the director of threat intelligence at Sophos, explained that normally, hacking groups don’t share tooling because of the risk that one group’s operations would trip up another’s. “Zero-days are valuable commodities, and every time you use one, you risk it becoming burned and its value rapidly dwindling, particularly for the targets that state-sponsored espionage groups are after.”

Feeding into this is the cadence driven by the patching cycle, said Scenarelli. “By the point a vulnerability is publicly disclosed, let alone a patch being released, the knowledge advantage is burned,” she said. “So if before that, there might have been opportunities for a threat group to conduct a low and slow campaign against a few dozen really high value targets. Suddenly that expands to, ‘I’ve got to establish my access to anything I can. I’ve got to take the opportunity, because otherwise I might not be able to capitalize on this capability’.” Only after those threat actors have established their initial access at scale do they then triage and select which targets would be their priorities, and attempt to “move on those before the end of the window of opportunity closes,” Scenarelli said.

But a pattern has emerged among Chinese threat groups as this window closes, she added. The precedent was set at least as far back as 2021, during the ProxyLogon attacks. During that campaign, multiple Chinese groups abruptly began exploiting Microsoft Exchange vulnerabilities around the time the patches were released. The cybersecurity company Mandiant later testified before Congress that this synchronous exploitation suggested a logistics infrastructure and a pipeline for distributing vulnerabilities, possibly through some kind of centralized quartermaster enabling different groups to adopt the same exploit code before disclosure.
The pattern repeated in 2023, when several Chinese clusters pivoted together to exploit an Ivanti Connect Secure VPN flaw in the narrow window between discovery and public disclosure. Scenarelli said the new pattern meant that whenever an initial threat actor may “get wind that a patch is coming, or a vendor will disclose that it is aware of the vulnerability and is coming up with a patch … you’ll suddenly see that the original threat group spikes their exploitation on a mass scale to establish access to as many targets as possible. And suddenly, there are also many other Chinese threat groups that are exploiting that same vulnerability.”

Even this situation raises questions, said Scenarelli: “It is unclear in many cases whether this is quite at the level of direct exploit code sharing, or just at the level of a threat group making others aware that a vulnerability exists, and that they may want to start exploiting it before the window of opportunity closes.”

Julian-Ferdinand Vögele, also a principal threat intelligence researcher at Recorded Future, agreed that the ToolShell campaign wasn’t unprecedented: “There is a pattern there, but I think it’s still pretty rare to see multiple different threat actors exploiting the same zero days at the very same time. So I think there must be some other explanation in the background. But in the past, it was definitely rarer.”

Researchers believe the first tranche of SharePoint victims reflected classic intelligence-gathering priorities, from government ministries and critical infrastructure providers, to industries linked to the defense sector and telecommunications. Recorded Future saw continuity between the IP addresses and targeting in the ToolShell campaign and the targeting in another hacking campaign from earlier in the year, when a hacking group was using a Citrix vulnerability to target a similar profile of victim.
Microsoft’s warning similarly described Linen Typhoon (also known as APT27) and Violet Typhoon (APT31) as pursuing classic intelligence objectives, looking to gain long-term access within victims’ networks and attempting to snag sensitive data. Their choice of targets, as Microsoft set it out, was entirely aligned with traditional state-sponsored spying. Storm-2603 didn’t seem to match.

Vögele said Microsoft’s announcement seemed significant: “The one thing that stood out was that Storm-2603 does deploy ransomware. But at the same time I think Microsoft made it very clear that they’re currently not exactly sure about the final objectives of this specific group. They must have some sort of reason for saying that, but it’s not really clear what the reason is.” On the surface, Storm-2603 was simply a ransomware crew using the same previously unknown vulnerabilities as China’s premier espionage units and doing so at the exact same time.

Sergey Shykevich, the threat intelligence group manager at Check Point, said the company hadn’t seen any overlap between the intelligence-gathering and ransomware activities. The initial attacks looked more like a nation-state’s, focusing on “governmental targets in North America and Europe,” while the later malware samples the company analyzed were “mostly in Spanish, and related to Latin America.”

Pilling said Sophos has responded to about a dozen cases, and based on the intelligence from these engagements the company’s working assumption was that Storm-2603, or what it called GOLD SALEM, and the so-called Warlock ransomware operation were in fact one entity: “We have seen them talk about looking to potentially engage with affiliates, and it’s possible there are multiple people in this group, but at the moment we are considering them one cluster.” But he had questions. Even the ransomware branding itself appeared muddy. “There’s no ransomware that is called Warlock,” Pilling said.
“Normally people name ransomware after the extensions or the branding associated with the ransomware, but there is no .warlock ransomware or, outside of the leak site, ransomware being referred to as Warlock.”

Sophos’ analysis, which Pilling will share at a talk at BlackHat Europe in London this week, suggested the group had been exploiting SharePoint vulnerabilities — both patched and unpatched — since April, although the cyberattacks prior to the July campaign did not use the same vulnerabilities as ToolShell. “We see incidents going back to at least April 2025, with the initial access being SharePoint,” Pilling said. “So potentially, you have an actor who is performing these financially-motivated ransomware attacks, they specialise in using n-day SharePoint vulnerabilities as their initial access … and then they know how to move through SharePoint and into networks and conduct the rest of their ransomware operation.”

Not all of the Storm-2603 compromises progressed to ransomware, said Pilling, something that also provided some intelligence about the threat actor: “They were bottlenecked by the number of human resources they have. They got a lot of initial access, but didn’t have the resources to fully capitalize on that.”

But, of course, there was another possibility: the ransomware could be camouflage. “One question we have gone backwards and forwards on is, is this financially-motivated activity or is this a smokescreen for something else?” Some of the Warlock ransomware group’s public victims, Pilling noted, were unusual: a government department, major telecommunications companies in Britain and France, and even an organization touching the nuclear sector. Unusual choices for low-rent extortionists but entirely consistent with strategic intelligence priorities.
The ambiguities echo observations by Check Point researchers, who said that early exploitation of ToolShell aligned with the tradecraft of state-sponsored hackers — being selective, strategic, and geographically focused — followed later by noisier, financially driven activity. Such obfuscation, rather than a true duality of mission, would be remarkable. The United States had unsealed several indictments alleging that hackers working on behalf of the Chinese government were also moonlighting as cybercriminals for their own benefit.

Based on the targeting Sophos had seen, Pilling said “it could go either way,” but cautioned that “at the moment we’ve not seen any activity, in terms of actions on objective, which would suggest motives beyond ransomware.” Pilling said Sophos tracks another group, BRONZE STARLIGHT, “that certainly seemed to be using ransomware as a kind of cover; like a credible narrative to explain the incident, and as a way of destroying forensic evidence.

“I have not seen anything that has convinced me that this is something other than what it looks like. But there’s no reason why it couldn’t be both. You could have someone somewhat opportunistically attacking organisations, but if they see a way to get paid twice — once for the information from the MSS and once again by the victim for a decryption key, then maybe they do that.”

There is also room for a greater blend of motives, depending on how successful the Storm-2603 actors were in bringing in genuine criminal affiliates, even if the administrators of the scheme had ulterior motives. Sophos had seen the threat actor reach out to cybercriminals on darkweb forums, but that is not necessarily evidence that the ransomware group is anything other than just that.

The questions posed by the ToolShell campaign highlight ongoing concerns for Western defenders. China’s sprawling cyber ecosystem is very busy and there are limited data points differentiating state units, contractors, and cybercriminal actors.
That three distinct entities converged on ToolShell is not unprecedented — from ProxyLogon to Ivanti, a pattern is emerging. As Vögele said, this kind of thing used to be rarer — there must be something in the background to explain it.
Alexander Martin
is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.