What does it mean that three separate China-linked groups all moved on the same SharePoint vulnerabilities at nearly the same time?
Analysis Summary
# Threat Actor: Linen Typhoon, Violet Typhoon, and Storm-2603
## Attribution & Identity
These are three distinct, China-linked hacking organizations identified by Microsoft.
* **Linen Typhoon:** Has ties to the People’s Liberation Army (PLA).
* **Violet Typhoon:** Has ties to the Ministry of State Security (MSS).
* **Storm-2603:** Is affiliated with ransomware groups.
## Activity Summary
The three groups were observed contemporaneously exploiting two newly disclosed Microsoft SharePoint vulnerabilities (CVE-2025-49704 and CVE-2025-49706). This activity is known as the "ToolShell campaign." Exploitation began as early as July 7, 2025, one day before Microsoft issued official patches. The groups quickly found and exploited bypasses for those initial patches, which Microsoft tracked as two further vulnerabilities (CVE-2025-53770 and CVE-2025-53771). The campaign resulted in hundreds of organizations being breached, including US federal and state agencies, and at least 400 governments and businesses worldwide.
## Tactics, Techniques & Procedures
- **Zero-day Exploitation:** Exploited SharePoint vulnerabilities before patches were widely available (CVE-2025-49704, CVE-2025-49706).
- **Patch Bypass:** Rapidly developed and utilized exploits for bypasses to Microsoft’s initial fixes.
- **Deep Understanding of Flaws:** Demonstrated a surprisingly deep understanding of the SharePoint flaws, suggesting significant resources.
- **Initial Foothold:** Exploited SharePoint, an application integrated with authentication services, to gain a foothold for deeper network access.
- **Observed Campaign:** ToolShell campaign.
## Targeting
- **Sectors:** Governments (federal and state agencies in the US), global enterprises, and organizations using on-premise SharePoint.
- **Geography:** Global, affecting "at least 400 governments and businesses around the world" and US federal/state agencies.
- **Victims:** Hundreds of Microsoft customers, including US federal and state agencies.
## Tools & Infrastructure
- **Malware Families Used:** The article refers only to the tooling associated with the "ToolShell campaign"; no specific malware families are named, apart from the ransomware affiliation of Storm-2603.
- **Infrastructure (C2, domains, IPs):** No specific infrastructure details (C2 servers, domains, IPs) are given in the source article.
## Implications
The simultaneous exploitation of the same high-impact vulnerabilities by three distinct China-linked groups, two state-affiliated and one financially motivated, is concerning. This pattern raises questions about:
1. The independence of the clusters.
2. How all three obtained working exploits so rapidly.
3. The potential coordination or shared information within Beijing’s cyber apparatus.
4. Potential involvement of Chinese entities in vulnerability-sharing programs such as Microsoft's MAPP, combined with Chinese law that makes reporting of vulnerabilities to the government mandatory.
## Mitigations
- Apply critical security patches for Microsoft SharePoint vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771) immediately.
- Where patching was delayed, audit the environment for signs of exploitation targeting SharePoint servers, since exploitation began before patches were available.