In a startling discovery, security researchers investigating a ransomware incident uncovered two distinct threat actors operating within the same compromised network. The case involved a sophisticated intrusion in which multiple tools and techniques were layered to sustain access.
Complex Intrusion with Multiple Tools
The investigation, which began as the response to what looked like a single intrusion, soon revealed a more complex operation. Multiple remote access tools, tunneling software, and legitimate administrative utilities had been used for long-term persistence in the target’s infrastructure. The activity centered on on-premises SharePoint servers, which had been under attack since mid-2025 by a threat group Microsoft tracks as Storm-2603. The group exploited known vulnerabilities in those servers and then worked to establish additional entry points.
Researchers noted requests for sensitive files such as win.ini and web.config, indicative of reconnaissance for local file inclusion and path traversal weaknesses: win.ini exists on every Windows host and is a harmless way to confirm that arbitrary file reads work, while web.config holds the application’s configuration. Full exploitation of this vector was not confirmed during the initial investigation.
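The probing described above leaves a recognizable trace in IIS access logs. The following is an added example for this article, not code from Microsoft or the DART report: it parses IIS’s default W3C Extended log format, percent-decodes each request until the encoding is stable (so double-encoded traversal such as `%252e%252e` is caught), and flags requests that contain `../` sequences or reference win.ini or web.config. The log lines are constructed, and the client address 198.51.100.7 is a documentation-range placeholder.

```python
"""Flag IIS requests that look like path-traversal / local file inclusion
probing (for example reads of win.ini or web.config).

Added example for this article, not code from Microsoft or the DART report.
The log lines below are constructed in IIS's default W3C Extended format.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Files commonly requested to confirm a traversal or LFI primitive. win.ini is
# on every Windows host (a safe canary); web.config holds app configuration.
SENSITIVE_FILES = ("win.ini", "web.config")
TRAVERSAL = re.compile(r"\.\./")

# Constructed sample log (not real telemetry). 198.51.100.7 is a documentation
# range address standing in for the probing client.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-20 03:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 31
2025-07-20 03:14:09 10.0.0.5 GET /_layouts/15/download.aspx file=..%2F..%2F..%2Fwindows%2Fwin.ini 443 - 198.51.100.7 python-requests/2.31 - 404 0 2 5
2025-07-20 03:14:10 10.0.0.5 GET /_layouts/15/download.aspx file=%252e%252e%255cweb.config 443 - 198.51.100.7 python-requests/2.31 - 500 0 0 7
2025-07-20 03:14:12 10.0.0.5 GET /sites/hr/Shared%20Documents/report.docx - 443 jdoe 10.0.0.44 Mozilla/5.0 - 200 0 0 12
"""


def normalize(value: str) -> str:
    """Percent-decode until stable (catches double encoding such as %252e),
    fold backslashes to forward slashes and lower-case the result."""
    prev = None
    while value != prev:
        prev, value = value, unquote(value)
    return value.replace("\\", "/").lower()


def iter_records(lines):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line; W3C fields never contain raw spaces
        yield dict(zip(fields, parts))


def classify(stem: str, query: str):
    """Return the reasons a request looks like traversal/LFI probing."""
    target = normalize(stem) + " " + normalize(query)
    reasons = []
    if TRAVERSAL.search(target):
        reasons.append("traversal")
    for name in SENSITIVE_FILES:
        if name in target:
            reasons.append("sensitive-file:" + name)
    return reasons


def find_lfi_probes(lines):
    """Return the flagged requests with the status code IIS returned, which
    separates probing (404/500) from a confirmed read (200)."""
    hits = []
    for rec in iter_records(lines):
        reasons = classify(rec["cs-uri-stem"], rec["cs-uri-query"])
        if reasons:
            hits.append({
                "time": rec["date"] + " " + rec["time"],
                "client": rec["c-ip"],
                "status": rec["sc-status"],
                "request": rec["cs-uri-stem"] + "?" + rec["cs-uri-query"],
                "reasons": reasons,
            })
    return hits


def probes_per_client(hits):
    """Count flagged requests per source IP; a burst from one client is the
    reconnaissance pattern described in the investigation."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = find_lfi_probes(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["time"], h["client"], h["status"], h["request"], h["reasons"])
    print(probes_per_client(found))
```

The status code is the field to watch: a flagged request answered with 404 or 500 is probing, while a 200 with a non-trivial response size is the evidence of a successful read that the investigators did not find in this case.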
Coordinated Efforts and Overlapping Campaigns
Microsoft’s analysts, through the Detection and Response Team (DART), mapped out the full scope of the campaign. They identified the use of multiple tools to maintain access, escalate privileges, and remain hidden within the network for extended periods. By layering access through familiar, trusted tools, the actor made malicious activity look like routine system administration.
Interestingly, another unrelated group was found to be operating simultaneously in the same environment. This group used different techniques, such as malicious DLL sideloading and custom backdoors, complicating attribution and detection efforts.
Tools Leveraged for Persistence
Storm-2603 deployed Velociraptor, an open-source digital forensics and incident response agent that security teams themselves use, with SYSTEM-level privileges to map the environment. Because the tool is expected on well-run networks, its presence did not stand out. Additionally, Cloudflare tunnels were configured so that remote access rode over an outbound connection to Cloudflare’s edge; since the traffic looks like ordinary outbound HTTPS to a trusted service, it bypassed monitoring focused on inbound connections and unusual destinations.
Other tools such as Zoho Assist and Visual Studio Code’s SSH feature were used to establish multiple access channels, so that access would survive the discovery and removal of any one of them. Privilege escalation followed, with new administrator accounts created to secure long-term control.
Microsoft’s DART team contained the intrusion by activating a structured response, correlating data across impacted systems, and conducting regular briefings with the organization to ensure a coordinated containment strategy.
Enhancing Network Defense Strategies
This case underscores the lengths to which threat actors will go to maintain network access. The simultaneous presence of multiple groups muddies the telemetry and makes attribution harder, challenging traditional detection methods. Microsoft advises organizations to prioritize patching internet-facing systems and strengthen identity security, as credential misuse was pivotal in this case.
Furthermore, deploying endpoint protection widely, centralizing telemetry retention, and maintaining tested incident response playbooks are critical. Monitoring the use of remote access and tunneling tools is essential, as legitimate software like Velociraptor, VS Code, and Zoho Assist can be exploited by attackers to move stealthily within compromised networks.
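The two monitoring recommendations above, watching remote access and tunneling tools and catching the creation of new privileged accounts, can be expressed as simple detections over endpoint telemetry. The following is an added example for this article, not Microsoft or DART code. It runs two rules over a constructed, simplified event stream: Sysmon event 1 (process creation) records are checked for cloudflared, Velociraptor, and VS Code tunnel starts, with Velociraptor only flagged when it runs from somewhere other than an assumed sanctioned install directory; Windows Security events 4720 (user account created) and 4732 (member added to a local group) are correlated to find an account added to the built-in Administrators group (well-known SID S-1-5-32-544) shortly after creation. The indicator list, the sanctioned path, the field names and the events themselves are assumptions and constructed data, to be replaced with your own inventory and log schema.

```python
"""Two detections matching the tradecraft in this article:
  1. remote-access / tunneling tools started outside their sanctioned use
  2. a new local account added to Administrators shortly after creation

Added example, not Microsoft/DART code. Events are constructed and use a
simplified flat schema (Sysmon EID 1; Security 4720 and 4732). The indicator
list and the sanctioned Velociraptor directory are assumptions.
"""
import ntpath
from datetime import datetime, timedelta

# Assumed: where the SOC's own Velociraptor agent is installed. A copy running
# from anywhere else is the attacker's, not ours.
SANCTIONED_VELOCIRAPTOR_DIR = r"c:\program files\velociraptor"

# Assumed indicators: (image name prefix, substring the command line must
# contain, or None). "code tunnel" is the VS Code remote tunnel CLI form.
TOOL_INDICATORS = [
    ("cloudflared", "tunnel"),   # Cloudflare Tunnel client
    ("velociraptor", None),
    ("code", "tunnel"),          # VS Code remote tunnel
    ("zoho", None),              # Zoho Assist components (assumed naming)
]

LOCAL_ADMINS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample telemetry (not real data); host and user names are made up.
SAMPLE_EVENTS = [
    {"time": "2025-08-02T01:02:10", "source": "Sysmon", "event_id": 1, "host": "SP01",
     "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Program Files\Velociraptor\velociraptor.exe",
     "cmdline": "velociraptor.exe --config client.config.yaml client"},
    {"time": "2025-08-02T01:05:33", "source": "Sysmon", "event_id": 1, "host": "SP01",
     "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\ProgramData\Temp\velociraptor.exe",
     "cmdline": "velociraptor.exe --config C:\\ProgramData\\Temp\\c.yaml client"},
    {"time": "2025-08-02T01:06:01", "source": "Sysmon", "event_id": 1, "host": "SP01",
     "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Users\Public\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel run --token <token>"},
    {"time": "2025-08-02T01:08:45", "source": "Sysmon", "event_id": 1, "host": "SP01",
     "user": "CORP\\svc_sp_farm", "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": "Code.exe tunnel --accept-server-license-terms"},
    {"time": "2025-08-02T01:09:02", "source": "Sysmon", "event_id": 1, "host": "WS17",
     "user": "CORP\\jdoe", "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": "Code.exe --new-window"},  # benign editor launch
    {"time": "2025-08-02T01:12:00", "source": "Security", "event_id": 4720, "host": "SP01",
     "user": "CORP\\svc_sp_farm", "target_user": "helpdesk2"},
    {"time": "2025-08-02T01:12:14", "source": "Security", "event_id": 4732, "host": "SP01",
     "user": "CORP\\svc_sp_farm", "member": "helpdesk2", "group_sid": LOCAL_ADMINS_SID},
    {"time": "2025-08-02T09:00:00", "source": "Security", "event_id": 4720, "host": "SP01",
     "user": "CORP\\itadmin", "target_user": "contractor7"},  # created, never elevated
]


def suspicious_tool_starts(events):
    """Rule 1: process creations matching the tool indicators."""
    hits = []
    for ev in events:
        if ev["source"] != "Sysmon" or ev["event_id"] != 1:
            continue
        image = ev["image"].lower()
        stem = ntpath.basename(image)
        if stem.endswith(".exe"):
            stem = stem[:-4]
        cmd = ev["cmdline"].lower()
        for name, cmd_hint in TOOL_INDICATORS:
            if not stem.startswith(name):
                continue
            if cmd_hint and cmd_hint not in cmd:
                continue
            if name == "velociraptor" and ntpath.dirname(image).startswith(SANCTIONED_VELOCIRAPTOR_DIR):
                continue  # the SOC's own deployment
            hits.append({"time": ev["time"], "host": ev["host"], "user": ev["user"],
                         "tool": name, "image": ev["image"]})
            break
    return hits


def new_admin_accounts(events, window=timedelta(minutes=30)):
    """Rule 2: 4720 (account created) followed within `window` by 4732 adding
    that same account to BUILTIN\\Administrators on the same host."""
    created = {}  # (host, account) -> (creation time, creating user)
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["source"] != "Security":
            continue
        t = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4720:
            created[(ev["host"], ev["target_user"].lower())] = (t, ev["user"])
        elif ev["event_id"] == 4732 and ev["group_sid"] == LOCAL_ADMINS_SID:
            key = (ev["host"], ev["member"].lower())
            if key in created and t - created[key][0] <= window:
                hits.append({"host": ev["host"], "account": ev["member"],
                             "created_by": created[key][1],
                             "seconds_to_elevate": int((t - created[key][0]).total_seconds())})
    return hits


if __name__ == "__main__":
    for h in suspicious_tool_starts(SAMPLE_EVENTS):
        print("TOOL ", h)
    for h in new_admin_accounts(SAMPLE_EVENTS):
        print("ADMIN", h)
```

The sanctioned-path check is the part that matters for Velociraptor and similar dual-use tools: the binary alone is not a signal on a network where the security team deploys it, but the same binary under ProgramData or a user profile, or started by an account that is not the SOC’s, is. In production the first rule maps to Sysmon event 1, Security event 4688 with command-line auditing enabled, or an EDR process table; the second to 4720 with 4732 (and 4728 for domain global groups).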
