Microsoft linked attacks on SharePoint flaws to China-nexus actors

Microsoft linked SharePoint exploits to China-nexus groups Linen Typhoon, Violet Typhoon, and Storm-2603, active since July 7, 2025.

Microsoft confirmed that China-linked groups Linen Typhoon, Violet Typhoon, and Storm-2603 exploited SharePoint flaws for initial access as early as July 7, 2025.

“As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers,” reads a report published by Microsoft. “In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities.”

The tech giant warns that more threat actors are adopting SharePoint exploits and expects continued attacks on unpatched on-premises systems.

Microsoft observed threat actors scanning and attacking on-premises SharePoint servers by sending POST requests to the ToolPane endpoint. If successful, the attackers bypassed authentication and used a malicious script (such as spinstall0.aspx) to steal sensitive cryptographic keys (MachineKey data). In some cases, the attackers renamed the script slightly to evade detection. Microsoft shared indicators of compromise (IOCs) and hunting tools to detect these attacks.
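The two observations above (unauthenticated POSTs to the ToolPane endpoint that succeed, and requests to a lightly renamed spinstall0.aspx) can be hunted for in IIS W3C logs. The following Python is an added example, not Microsoft's hunting tooling; the log lines are constructed, the IP addresses are documentation ranges, and treating a successful (200) POST to ToolPane.aspx with no cs-username as suspicious is a heuristic assumption, not a rule from the report.

```python
import re

# Constructed IIS W3C log excerpt (not from the article). The last line is a
# legitimate, authenticated edit through ToolPane and must not be flagged.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 03:12:07 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 jdoe 10.0.4.22 Mozilla/5.0 - 200 0 0 85
2025-07-18 03:12:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 412
2025-07-18 03:12:44 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 33
2025-07-18 03:13:02 10.0.0.5 GET /_layouts/15/spinstall1.aspx - 443 - 203.0.113.9 curl/8.0 - 200 0 0 30
2025-07-18 03:15:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 admin 10.0.4.9 Mozilla/5.0 - 200 0 0 98
"""

# ToolPane lives under the layouts hive; the hive number varies by version.
TOOLPANE_RE = re.compile(r"/_layouts/\d+/toolpane\.aspx$", re.I)
# Loose match so lightly renamed copies (spinstall1.aspx, spinstall_0.aspx) still hit.
SPINSTALL_RE = re.compile(r"/spinstall\w*\.aspx$", re.I)


def parse_iis_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        parts = raw.split()
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def find_toolshell_indicators(text):
    """Return (reason, client_ip, uri) tuples for records worth triage."""
    hits = []
    for rec in parse_iis_log(text):
        stem, user, status = rec["cs-uri-stem"], rec["cs-username"], rec["sc-status"]
        # Heuristic: ToolPane is an authenticated page, so an anonymous POST
        # that returns 200 is consistent with the auth bypass described above.
        if rec["cs-method"] == "POST" and TOOLPANE_RE.search(stem) and user == "-" and status == "200":
            hits.append(("unauthenticated POST to ToolPane endpoint", rec["c-ip"], stem))
        if SPINSTALL_RE.search(stem):
            hits.append(("request to spinstall-style web shell", rec["c-ip"], stem))
    return hits


if __name__ == "__main__":
    for reason, ip, uri in find_toolshell_indicators(SAMPLE_IIS_LOG):
        print(f"{ip}\t{uri}\t{reason}")
```

Run it over real logs by replacing SAMPLE_IIS_LOG with the file contents; confirmed hits should be followed by the key rotation and IIS restart steps in Microsoft's mitigations.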

Below is a short description of China-nexus groups that exploited the ToolShell flaws:

  • Linen Typhoon (aka APT27, Bronze Union, Emissary Panda, TG-3390, Lucky Mouse, and UNC215) targets intellectual property in the government and defense sectors. Linen Typhoon is a China-based actor that has been active since at least 2012 and targets foreign embassies to collect data on the government, defense, and technology sectors.
  • Violet Typhoon (aka APT31, BRONZE VINEWOOD, JUDGMENT PANDA, Red Keres, TA412, ZIRCONIUM) focuses on espionage against NGOs, media, and academia. Violet Typhoon is a China-linked actor that has been active since at least 2015.
  • Storm-2603 is a distinct China-based actor that also attempts to steal MachineKeys from SharePoint servers and has ties to ransomware. These actors exploit exposed systems to install web shells. With more attackers likely to adopt these methods, Microsoft urges immediate patching and mitigation to protect unpatched on-premises SharePoint environments.

Microsoft provides the following mitigations for CVE-2025-53770/53771:

  • After patching or enabling AMSI, rotate the ASP.NET machine keys and restart IIS on all servers, using PowerShell or Central Administration.
  • Apply the latest security updates for supported SharePoint versions (2016, 2019, Subscription Edition) immediately.
  • Enable AMSI (Antimalware Scan Interface) in Full Mode and install Defender Antivirus on all SharePoint servers.
  • If AMSI can’t be enabled, disconnect servers from the internet or limit access using VPN/proxy/authentication gateway.
  • Deploy Microsoft Defender for Endpoint to detect post-exploit activity.

SentinelOne researchers also identified three attack clusters with different tactics, while the attribution remains ongoing. All clusters targeted high-value SharePoint deployments, with a clear emphasis on persistence and access via cryptographic key theft, rather than immediate system control.

While SentinelOne did not attribute the attacks to a specific threat actor, The Washington Post, citing its sources, reported that the attacks targeting SharePoint servers were likely conducted by unnamed China-linked threat actors.

Pierluigi Paganini

(SecurityAffairs – hacking, China)
