Chinese Hackers Target SharePoint Server

The attacks highlight the importance of keeping software up to date and using supported versions of on-premises Microsoft SharePoint Server, as well as the need for robust cybersecurity measures to protect against nation-state actors and other threat actors. Microsoft's security updates and guidance provide a critical layer of protection for customers, and the company's threat intelligence reports offer valuable insights into the tactics, techniques, and procedures (TTPs) employed by these threat actors.

Updated:

Microsoft has been hacked by Chinese groups, including Linen Typhoon, Violet Typhoon, and Storm-2603, who targeted data from businesses using on-premises SharePoint servers, exploiting vulnerabilities in the servers to deploy ransomware and steal intellectual property.

The attacks, which appear to be opportunistic, exploited the vulnerabilities before a patch was available. Microsoft has since released security updates to address the issue and states with "high confidence" that the hackers will continue to target systems that have not been updated. The UK's National Cyber Security Centre confirmed that a "limited number" of SharePoint Server customers in the UK were affected, and the consulting firm Mandiant reported several victims across various sectors globally.

The vulnerabilities, which affect on-premises SharePoint servers only, were observed being exploited by Chinese nation-state actors, including Linen Typhoon and Violet Typhoon, as well as another China-based threat actor, Storm-2603. The attacks involved the use of a web shell, spinstall0.aspx, which was used to upload a malicious script and steal MachineKey data, and the attackers also used PowerShell and batch scripts to launch PsExec for remote execution and disable Microsoft Defender protections.

Microsoft has released security updates that fully protect customers using all supported versions of SharePoint affected by CVE-2025-49706 and CVE-2025-49704, and recommends that customers use supported versions of on-premises Microsoft SharePoint Server, apply the latest security updates, and integrate and enable Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus. The company also provides indicators of compromise (IOCs) to identify and hunt for this web shell, as well as related hunting queries to find this dropped file.
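
As an added illustration of the hunting described above (not code from the original article or from Microsoft), the following Python scans IIS W3C access-log records for requests to the spinstall0.aspx web shell. The log excerpt is constructed; the client addresses and the /_layouts/15/ request paths are assumptions.

```python
from dataclasses import dataclass
from urllib.parse import unquote

# Name of the web shell reported in the SharePoint advisory summarised above.
WEBSHELL_NAME = "spinstall0.aspx"

# Constructed IIS W3C log excerpt for illustration only; the client addresses
# and the /_layouts/15/ request paths are assumptions, not observed data.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2025-07-20 10:01:02 203.0.113.7 GET /_layouts/15/start.aspx 200
2025-07-20 10:01:09 203.0.113.7 GET /_layouts/15/spinstall0.aspx 200
2025-07-20 10:02:15 198.51.100.4 POST /_layouts/15/SPINSTALL0.ASPX 200
2025-07-20 10:02:40 198.51.100.4 GET /_layouts/15/spinstall%30.aspx 200
2025-07-20 10:03:00 192.0.2.9 GET /sites/hr/Shared%20Documents/report.docx 200
"""

@dataclass(frozen=True)
class Hit:
    when: str
    client: str
    method: str
    uri: str
    status: str

def iter_w3c_records(text):
    # Yield the first six fields of each record; skip '#' directives and blanks.
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 6:
            yield parts[:6]

def is_webshell_request(uri_stem):
    # Compare the decoded, lower-cased file name so %-encoding or case
    # changes in the request do not evade the match.
    name = unquote(uri_stem).rsplit("/", 1)[-1]
    return name.lower() == WEBSHELL_NAME

def find_webshell_requests(log_text):
    # Return every request for the web shell as a list of Hit records.
    return [
        Hit(f"{date} {time}", ip, method, uri, status)
        for date, time, ip, method, uri, status in iter_w3c_records(log_text)
        if is_webshell_request(uri)
    ]
```

Any hit is worth treating as a compromise indicator and correlating with the MachineKey theft and PsExec activity described above, since the web shell itself may already have been removed from disk.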

The Chinese government has denied involvement, stating that it opposes all forms of cyber attacks. Microsoft has identified Linen Typhoon as a 13-year-old group focused on stealing intellectual property, and Violet Typhoon as a group dedicated to espionage. Microsoft Security Copilot customers can use the standalone experience to automate incident response or investigation tasks related to this threat, and threat intelligence reports are also available in Microsoft products with the most up-to-date information about the threat actors, malicious activity, and techniques discussed in Microsoft's blog post.
