Hackers Exploit Unpatched SharePoint Servers to Deploy Ransomware and Backdoors


Hackers are using unpatched on-premises SharePoint servers as an entry point for ransomware attacks, credential theft, remote access, and custom backdoors, according to a new Microsoft Incident Response report.

The case involved Storm-2603, a threat actor Microsoft has linked to ransomware activity against exposed SharePoint environments. Investigators also found evidence of a second, unrelated attacker operating inside the same environment at the same time.

This made the incident harder to investigate. One actor used known ransomware tactics, while the other used DLL sideloading and custom backdoors. Microsoft said defenders only saw the full picture after correlating identity, endpoint, and cloud telemetry.

Unpatched SharePoint servers remain a high-risk target

Microsoft said Storm-2603 has targeted on-premises SharePoint servers since mid-2025 by exploiting publicly disclosed flaws, including CVE-2025-49706 and CVE-2025-49704. A separate Microsoft Threat Intelligence warning said these vulnerabilities affected on-premises SharePoint servers only, while SharePoint Online in Microsoft 365 was not affected.

The wider SharePoint exploitation wave also involved CVE-2025-53770 and CVE-2025-53771, which Microsoft described as related to earlier SharePoint vulnerabilities. Those flaws became part of the ToolShell exploitation chain used against internet-facing SharePoint systems.

Unit 42’s SharePoint analysis also warned that self-hosted SharePoint deployments in government, education, healthcare, and large enterprise environments faced immediate risk during the exploitation wave.

| Issue | What attackers did | Why it matters |
| --- | --- | --- |
| SharePoint exploitation | Targeted exposed on-premises SharePoint servers | Gave attackers an initial foothold in enterprise networks |
| Remote access | Used tools such as Cloudflare tunnels, Zoho Assist, and VS Code Remote SSH | Created several ways to stay connected |
| Privilege escalation | Created local and domain administrator accounts | Helped attackers keep control after entry |
| Defense evasion | Loaded NSecKrnl.sys for Bring Your Own Vulnerable Driver activity | Allowed tampering with memory and security tools |
| Second attacker | Used DLL sideloading and custom backdoors | Added another intrusion stream inside the same environment |

Microsoft found two attackers working in parallel

The investigation did not follow a simple ransomware pattern. Storm-2603 deployed Velociraptor, a legitimate forensic and monitoring tool, with SYSTEM privileges to map the environment and collect data.

The group then added several command-and-control paths. These included Cloudflare tunnels for external traffic, Zoho Assist for remote management, and Visual Studio Code Remote SSH for another access channel.

At the same time, Microsoft found activity that did not match Storm-2603. The second actor used malicious DLL sideloading, dropped unsigned files such as srvcli.dll, and created an NTDS.zip archive containing the Active Directory database file NTDS.dit.

  • Storm-2603 activity included remote access tooling, rogue admin accounts, BYOVD activity, and ransomware execution.
  • The second actor showed separate tradecraft, including DLL sideloading and custom backdoors.
  • NTDS.dit theft created a major credential risk because it can expose Active Directory password data.
  • WinRM lateral movement helped attackers move between systems using legitimate Windows management features.

CVE-2025-11371 needs careful handling

The Microsoft case also mentions requests for files such as win.ini and web.config, which indicated possible local file inclusion probing. The report’s attack flow references CVE-2025-11371, but defenders should not treat that CVE as a SharePoint patch issue.

The NVD entry for CVE-2025-11371 says the flaw affects Gladinet CentreStack and TrioFox in default installations and configurations. NVD describes it as an unauthenticated local file inclusion flaw that can expose system files.

That distinction matters for security teams. SharePoint administrators still need to patch and harden SharePoint, but organizations that also run CentreStack or TrioFox need to review those systems separately, especially if they are internet-facing.

| Vulnerability or artifact | Confirmed context | Defensive action |
| --- | --- | --- |
| CVE-2025-49704 | SharePoint remote code execution vulnerability | Apply Microsoft SharePoint security updates |
| CVE-2025-49706 | SharePoint spoofing vulnerability used in attacks | Patch supported SharePoint Server versions |
| CVE-2025-53770 | On-premises SharePoint remote code execution issue | Follow Microsoft mitigation and patch guidance |
| CVE-2025-11371 | Gladinet CentreStack and TrioFox local file inclusion flaw | Check affected file-sharing systems separately |
| NSecKrnl.sys | Vulnerable driver used for BYOVD activity | Block vulnerable drivers and monitor kernel-level tampering |
| NTDS.zip | Archive containing stolen Active Directory database data | Assume credential exposure and rotate affected secrets |

Backdoors, remote tools, and ransomware made the attack harder to contain

The attackers did not rely on one access method. Microsoft’s case shows how modern ransomware incidents often combine legitimate admin tools, custom malware, exposed servers, credential theft, and quiet persistence.

Storm-2603 used Velociraptor and remote management channels to keep access. It also created administrator accounts and loaded a vulnerable driver to disable endpoint protection. These actions gave the attackers more time to prepare the environment before ransomware execution.

The second actor added more noise and risk. By stealing NTDS.dit and using custom backdoors, the attacker could have exposed long-term identity infrastructure even if ransomware recovery restored encrypted systems.

What organizations should do now

Organizations that still operate on-premises SharePoint should confirm that every supported SharePoint Server instance has the latest security updates. The Microsoft SharePoint guidance also recommends enabling AMSI, using Microsoft Defender Antivirus or equivalent protection, rotating SharePoint ASP.NET machine keys, restarting IIS, and deploying endpoint detection tools.

Security teams should also check whether any affected file-sharing systems exist in the environment. The CVE-2025-11371 advisory should be reviewed separately from SharePoint patching because it applies to CentreStack and TrioFox.

The broader lesson from the Microsoft DART case is that ransomware may only show one part of an intrusion. Defenders need enough telemetry to find overlapping activity across endpoints, identities, servers, cloud services, and remote access tools.

  • Patch internet-facing SharePoint servers immediately.
  • Rotate SharePoint ASP.NET machine keys after applying updates.
  • Restart IIS after key rotation and patching.
  • Audit local and domain administrator accounts for unexpected changes.
  • Look for Cloudflare tunnels, Zoho Assist, VS Code Remote SSH, and other remote tools that were not approved.
  • Hunt for suspicious DLL sideloading, including unusual ulib.dll and srvcli.dll activity.
  • Investigate any NTDS.dit access or NTDS.zip archive creation.
  • Use the Unit 42 ToolShell coverage to compare older SharePoint exploitation activity against current logs.
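The hunting steps above can be turned into a single pass over endpoint telemetry. The following is an added example, not code from the Microsoft report: it runs over constructed, flattened Windows Security and Sysmon events (the dict shape, the System32 allow-list, and the remote-tool binary list are assumptions) and flags rogue admin accounts, sideloaded srvcli.dll/ulib.dll, the NSecKrnl.sys driver load, NTDS.dit/NTDS.zip creation, and unapproved tunnel binaries.

```python
from pathlib import PureWindowsPath

# Indicators named in the article; lists are assumptions to extend per environment.
SIDELOAD_DLLS = {"srvcli.dll", "ulib.dll"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
BYOVD_DRIVERS = {"nseckrnl.sys"}
CRED_FILES = {"ntds.dit", "ntds.zip"}
ADMIN_GROUPS = {"administrators", "domain admins"}
UNAPPROVED_REMOTE_TOOLS = {"cloudflared.exe"}  # add Zoho Assist / VS Code server binaries as approved-list policy dictates

# Constructed sample events: Security 4720/4732 and Sysmon 1/6/7/11, flattened to dicts.
EVENTS = [
    {"id": 4720, "target": "svc_backup"},                               # account created
    {"id": 4732, "target": "svc_backup", "group": "Administrators"},    # added to local admins
    {"id": 7, "image": "C:\\Windows\\System32\\svchost.exe",
     "loaded": "C:\\Users\\Public\\srvcli.dll", "signed": "false"},     # DLL sideload
    {"id": 7, "image": "C:\\Windows\\System32\\svchost.exe",
     "loaded": "C:\\Windows\\System32\\srvcli.dll", "signed": "true"},  # legitimate copy
    {"id": 6, "loaded": "C:\\Temp\\NSecKrnl.sys"},                      # vulnerable driver load
    {"id": 11, "target": "C:\\Temp\\NTDS.zip"},                         # AD database archive
    {"id": 1, "image": "C:\\ProgramData\\cloudflared.exe"},             # tunnel client started
    {"id": 1, "image": "C:\\Windows\\System32\\notepad.exe"},           # benign
]

def _name(path): return PureWindowsPath(path).name.lower()
def _dir(path): return str(PureWindowsPath(path).parent).lower()

def hunt(events):
    """Return one finding string per suspicious event, in telemetry order."""
    findings, created = [], set()
    for e in events:
        i = e["id"]
        if i == 4720:
            created.add(e["target"].lower())
        elif i in (4728, 4732) and e.get("group", "").lower() in ADMIN_GROUPS:
            tag = "newly created " if e["target"].lower() in created else ""
            findings.append(f"rogue-admin: {tag}account {e['target']} added to {e['group']}")
        elif i == 7 and _name(e["loaded"]) in SIDELOAD_DLLS and (
                _dir(e["loaded"]) not in SYSTEM_DIRS or e.get("signed") != "true"):
            findings.append(f"dll-sideload: {e['image']} loaded {e['loaded']}")
        elif i == 6 and _name(e["loaded"]) in BYOVD_DRIVERS:
            findings.append(f"byovd: driver {e['loaded']} loaded")
        elif i == 11 and _name(e["target"]) in CRED_FILES:
            findings.append(f"ntds-theft: {e['target']} created")
        elif i == 1 and _name(e["image"]) in UNAPPROVED_REMOTE_TOOLS:
            findings.append(f"remote-tool: {e['image']} started")
    return findings

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

In practice the dicts would come from an EDR or SIEM export; the value of the pass is correlating the account-creation and group-membership events so a fresh admin account stands out from routine membership changes.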

Unpatched public-facing servers remain one of the fastest routes into enterprise networks. In this case, the bigger risk came from what happened after access: stolen credentials, hidden backdoors, remote access tooling, and multiple attackers operating at the same time.

FAQ

What happened in the SharePoint ransomware attack?

Microsoft investigated an intrusion where Storm-2603 targeted on-premises SharePoint servers and deployed ransomware-related activity. Investigators also found a second, unrelated attacker using DLL sideloading and custom backdoors in the same environment.

Are SharePoint Online users affected?

Microsoft said the SharePoint vulnerabilities discussed in its 2025 exploitation warning affected on-premises SharePoint servers only. SharePoint Online in Microsoft 365 was not affected by those SharePoint server vulnerabilities.

What is Storm-2603?

Storm-2603 is a threat actor tracked by Microsoft. Microsoft has associated the group with exploitation of on-premises SharePoint vulnerabilities and ransomware deployment, including activity involving Warlock and LockBit ransomware.

Is CVE-2025-11371 a SharePoint vulnerability?

No. CVE-2025-11371 is listed by NVD as a Gladinet CentreStack and TrioFox local file inclusion vulnerability. It should be reviewed separately from SharePoint patching, although Microsoft’s case report references related probing activity in the investigated intrusion.

How can organizations reduce the risk from these attacks?

Organizations should patch on-premises SharePoint servers, enable AMSI and endpoint protection, rotate SharePoint ASP.NET machine keys, restart IIS, audit administrator accounts, monitor remote access tools, and investigate any signs of NTDS.dit access or DLL sideloading.
