Chinese cyberespionage groups have used the same vulnerabilities to breach over 400 critical and government organizations globally

On July 24, 2025, Microsoft disclosed that the Chinese cybercriminal group Storm-2603 exploited the recently discovered ToolShell vulnerabilities in on-premises versions of Microsoft SharePoint to deploy the Warlock ransomware. First detected in June 2025, Warlock operates under a Ransomware-as-a-Service (RaaS) model and is already linked to 11 confirmed victims.

The ToolShell vulnerabilities, made public on July 18, 2025, have also been weaponized by two Chinese state-linked cyberespionage groups—Linen Typhoon and Violet Typhoon—over the past several weeks. These groups are believed to have infiltrated more than 400 critical and government organizations worldwide. The United States was the most targeted country, accounting for 13% of the breaches.

U.S. authorities have confirmed that the National Institutes of Health were among the affected entities. They also acknowledged the compromise of “a very limited number of systems” at the National Nuclear Security Administration (NNSA), the agency responsible for overseeing the U.S. nuclear arsenal.

Storm-2603’s Warlock attacks began on July 18, 2025. While they leverage the same SharePoint vulnerabilities, Microsoft indicated that these ransomware campaigns are not directly connected to the espionage operations conducted by Linen Typhoon and Violet Typhoon.
