A multi-stage ransomware intrusion uncovered by Microsoft’s DART revealed two parallel threat actors operating simultaneously. The first actor, Storm-2603, exploited known vulnerabilities in on-premises SharePoint servers since mid-2025 and performed reconnaissance for local file inclusion vulnerabilities. They deployed Velociraptor with SYSTEM privileges to map the environment and established persistence via Cloudflare tunneling, Zoho Assist, and SSH configured through Visual Studio Code. Privilege escalation involved creating new local and domain administrator accounts, and defense evasion included using a vulnerable driver to tamper with memory protections. A second, unrelated threat actor used malicious DLL sideloading and custom backdoors, complicating detection and attribution. Microsoft responded with coordinated containment, telemetry correlation, and targeted guidance to improve security posture. The case highlights the challenge of detecting overlapping cyberattacks and the importance of broad visibility, identity security, and coordinated incident response.

The intrusion enabled sustained unauthorized access to the victim environment by two distinct threat actors, complicating detection and response efforts. The attackers achieved environment mapping with high privileges, established multiple remote access channels, escalated privileges by creating administrator accounts, and evaded defenses by tampering with memory protections. The presence of two simultaneous threat actors increased the complexity and risk of data compromise, persistence, and potential ransomware impact. The overlapping activities obscured the full scope of the intrusion, increasing the likelihood of prolonged dwell time and damage.

Microsoft’s DART team successfully contained the intrusion and stabilized the environment. Organizations are advised to prioritize rigorous patching and vulnerability management, especially for internet-facing systems, to reduce initial access risk. Strengthening identity security is critical to limit escalation and persistence. Customers should establish broad, continuous visibility by deploying endpoint protection and centralizing telemetry. Monitoring and restricting the use of trusted administrative and remote access tools can reduce exploitation opportunities. Maintaining tested incident response playbooks and ensuring rapid isolation of compromised entities will help reduce dwell time. The vendor advisory does not indicate that no action is required; these mitigations are recommended to prevent similar attacks.