Full Report
Linen Typhoon, Violet Typhoon and Storm-2603 are behind the initial attack spree that erupted over the weekend. Other threat groups are now following suit. The post Microsoft SharePoint zero-day attacks pinned on China-linked ‘Typhoon’ threat groups appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Linen Typhoon, Violet Typhoon, and Storm-2603 (China-linked Threat Actors)
## Attribution & Identity
The initial exploit spree involving SharePoint zero-days has been attributed to two China-based nation-state threat groups, **Linen Typhoon** and **Violet Typhoon**, and to a separate China-based attacker tracked as **Storm-2603**. Mandiant noted that at least one of the early actors responsible is a China-nexus threat actor, and broader, opportunistic exploitation by a wider range of actors is anticipated.
## Activity Summary
These groups were behind the initial, widespread exploitation of two zero-day vulnerabilities affecting on-premises SharePoint servers over a weekend in July 2025. The exploitation was used to breach **hundreds of organizations globally**. The attack spree is ongoing, driven by the rapid adoption of these exploits against unpatched servers, even after Microsoft released emergency patches. CISA issued an alert and added the vulnerability to its KEV catalog.
## Tactics, Techniques & Procedures
- Exploitation of zero-day vulnerabilities affecting on-premises SharePoint servers: **CVE-2025-53770** and **CVE-2025-53771**.
- These zero-days are described as variants of previously disclosed vulnerabilities.
## Targeting
- Sectors: **Multiple sectors**, including **government agencies**.
- Geography: **Globally**.
- Victims: **Hundreds of organizations** (specific names not listed).
## Tools & Infrastructure
- Malware families used: Not explicitly detailed in the provided text beyond the initial exploitation method.
- Infrastructure (C2, domains, IPs): Not detailed in the provided text.
## Implications
The immediate implication is widespread compromise across targeted organizations through the exploitation of critical zero-days in on-premises SharePoint systems. Following the initial efforts by the named groups, the attacks are described as broad and opportunistic. The rapid adoption of the exploits points to a sustained threat for any entity running unpatched on-premises SharePoint servers.
## Mitigations
- Immediately apply patches released by Microsoft for the SharePoint vulnerabilities (**CVE-2025-53770** and **CVE-2025-53771**).
- Organizations running on-premises SharePoint systems should prioritize remediation due to the ongoing, active exploitation.