Microsoft finds two actors inside one SharePoint intrusion
Attribution gets less useful when two intruders share the same blast radius and both hide behind legitimate administrative tooling.
TL;DR
Microsoft DART says a ransomware investigation found two unrelated threat actors operating in the same hybrid environment. Storm-2603 had targeted on-premises SharePoint servers since mid-2025, used legitimate tools including Velociraptor, Cloudflare tunneling, Zoho Assist and SSH through Visual Studio Code, and created local and domain administrator accounts. A second actor used DLL sideloading and custom backdoors. For defenders, the point is not the label; it is separating overlapping activity before containment decisions get contaminated.
Microsoft’s useful finding is also the part that makes incident response uglier: the investigation did not resolve into one clean campaign with one operator, one toolchain and one set of motives. DART says it began as a ransomware investigation and ended with evidence of two unrelated actors working in parallel inside the same environment, with Storm-2603 activity around on-premises SharePoint and a second stream involving malicious DLL sideloading and custom backdoors.
The operational lesson is narrower than the marketing wrapper. Microsoft says Storm-2603 had been targeting on-premises SharePoint servers since mid-2025, exploiting known vulnerabilities and probing for files such as win.ini and web.config; in this particular case, however, initial access through that SharePoint exploitation path was not confirmed. Once inside, the actor allegedly used Velociraptor running with SYSTEM-level privileges, Cloudflare tunneling, Zoho Assist and SSH connections configured through Visual Studio Code, then created local and domain administrator accounts and used a vulnerable driver to interfere with protections.
That is not exotic malware theater. It is the familiar problem of legitimate administration tools doing illegitimate work, with a second actor adding enough unrelated tradecraft to make correlation harder. For teams running on-premises SharePoint, the Monday work is basic but not small: separate actor timelines, validate administrator account creation, hunt for remote access channels that look like support tooling, and avoid treating attribution as containment. The wrong single-campaign story can leave the second foothold intact.
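The triage steps above (separate actor timelines, validate administrator account creation, hunt for remote-access channels that look like support tooling) can be scripted against normalised host telemetry. The following is an added illustration, not code from the Deep Fathom article or from Microsoft DART. It assumes events have already been flattened into dicts with our own field names (`ts`, `host`, `event_id`, `actor`, `image`, `cmdline`, `target`, `group`, `loaded`, `signed`); the sample events are constructed. The Windows Security event IDs 4720 (account created), 4732 (member added to a local security group) and 4728 (member added to a global group) and Sysmon event ID 7 (image loaded) are real; the clustering rule, that an account created by a principal stays in that principal's timeline, is a simplifying assumption chosen to keep the two streams apart rather than an established attribution method.

```python
from collections import defaultdict

# Machine principals are scoped to the host: SYSTEM on two servers is not one actor.
LOCAL_PRINCIPALS = {"NT AUTHORITY\\SYSTEM"}
ADMIN_GROUPS = {"Administrators", "Domain Admins"}

# Legitimate tools the article names as remote-access channels. Every fragment in a
# tuple must appear (case-insensitively) in image path + command line to match.
REMOTE_ACCESS_SIGNATURES = {
    "velociraptor": ("velociraptor",),
    "cloudflare_tunnel": ("cloudflared",),
    "zoho_assist": ("zohoassist",),
    "vscode_remote_tunnel": ("code.exe", "tunnel"),
}

# Constructed sample telemetry (not real logs). Stream 1: SYSTEM on SP01 drops
# Velociraptor, creates an admin account, then opens tunnels. Stream 2: a different
# account on FS02 sideloads an unsigned DLL and creates another account.
SAMPLE_EVENTS = [
    {"ts": "2025-09-01T02:10:00", "host": "SP01", "event_id": 4688, "actor": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Temp\\velociraptor.exe", "cmdline": "velociraptor.exe --config client.yaml service run"},
    {"ts": "2025-09-01T02:14:00", "host": "SP01", "event_id": 4720, "actor": "NT AUTHORITY\\SYSTEM",
     "target": "CORP\\svc_backup"},
    {"ts": "2025-09-01T02:15:00", "host": "SP01", "event_id": 4732, "actor": "NT AUTHORITY\\SYSTEM",
     "target": "CORP\\svc_backup", "group": "Administrators"},
    {"ts": "2025-09-01T02:30:00", "host": "SP01", "event_id": 4688, "actor": "CORP\\svc_backup",
     "image": "C:\\Users\\svc_backup\\cloudflared.exe", "cmdline": "cloudflared.exe tunnel run"},
    {"ts": "2025-09-01T03:05:00", "host": "SP01", "event_id": 4688, "actor": "CORP\\svc_backup",
     "image": "C:\\Program Files\\Microsoft VS Code\\code.exe", "cmdline": "code.exe tunnel"},
    {"ts": "2025-09-01T04:00:00", "host": "FS02", "event_id": 4688, "actor": "CORP\\jdoe",
     "image": "C:\\ProgramData\\updater\\legit_signed.exe", "cmdline": "legit_signed.exe"},
    {"ts": "2025-09-01T04:00:05", "host": "FS02", "event_id": 7, "actor": "CORP\\jdoe",
     "image": "C:\\ProgramData\\updater\\legit_signed.exe",
     "loaded": "C:\\ProgramData\\updater\\version.dll", "signed": False},
    {"ts": "2025-09-01T04:10:00", "host": "FS02", "event_id": 4720, "actor": "CORP\\jdoe",
     "target": "CORP\\helpdesk2"},
]


def identity(host, account):
    """Principal key: domain accounts are global, machine principals are per host."""
    return f"{host}!{account}" if account in LOCAL_PRINCIPALS else account


def classify(ev):
    """Return the set of finding tags for one event (empty when nothing is notable)."""
    tags = set()
    eid = ev["event_id"]
    if eid == 4720:
        tags.add("account_created")
    elif eid in (4728, 4732) and ev.get("group") in ADMIN_GROUPS:
        tags.add("admin_group_add")
    elif eid == 4688:
        text = (ev.get("image", "") + " " + ev.get("cmdline", "")).lower()
        for name, fragments in REMOTE_ACCESS_SIGNATURES.items():
            if all(f in text for f in fragments):
                tags.add(name)
    elif eid == 7:
        # Classic sideload shape: unsigned DLL loaded from the same directory as the EXE.
        same_dir = ev["loaded"].rsplit("\\", 1)[0] == ev["image"].rsplit("\\", 1)[0]
        if same_dir and not ev.get("signed", True):
            tags.add("dll_sideload")
    return tags


def build_timelines(events):
    """Group notable events into per-actor timelines using union-find over principals.
    Assumed link rule: an account created by principal P is placed in P's cluster."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        who = identity(ev["host"], ev["actor"])
        find(who)
        if ev["event_id"] == 4720:
            parent[find(identity(ev["host"], ev["target"]))] = find(who)
        tags = classify(ev)
        if tags:
            findings.append((who, ev, tags))

    clusters = defaultdict(lambda: {"principals": set(), "tags": set(), "timeline": []})
    for who, ev, tags in findings:
        c = clusters[find(who)]
        c["principals"].add(who)
        c["tags"] |= tags
        c["timeline"].append((ev["ts"], ev["host"], ev["actor"], sorted(tags)))
    return list(clusters.values())


if __name__ == "__main__":
    for n, c in enumerate(build_timelines(SAMPLE_EVENTS), 1):
        print(f"cluster {n}: {sorted(c['principals'])} tags={sorted(c['tags'])}")
        for row in c["timeline"]:
            print("   ", *row)
```

On the constructed input this yields two clusters: one tying SYSTEM on SP01 to the `svc_backup` account it created (Velociraptor, Cloudflare tunnel, VS Code tunnel, admin group membership) and a second tying `jdoe` to a DLL sideload and a separate account creation. The point of keeping the clusters apart is exactly the article's: containment of one timeline must not be read as containment of the other.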
Published · Deep Fathom