A routine ransomware investigation turned into something far more alarming when security researchers uncovered two separate threat actors quietly sharing the same compromised environment.
What started as a single intrusion quickly revealed a far more complex operation involving multiple remote access tools, tunneling software, and legitimate administrative utilities weaponized for long-term persistence inside a target network.
The attack centered on on-premises SharePoint servers, which had been under sustained pressure since mid-2025. The threat actor, tracked as Storm-2603, exploited known vulnerabilities while probing for additional entry points.
Requests were made for sensitive files like win.ini and web.config, suggesting reconnaissance for local file inclusion weaknesses, though full exploitation of this specific vector was not confirmed during the investigation.
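The reconnaissance described above (requests referencing win.ini and web.config) is something a defender can hunt for in web server logs. The following is an added example, not part of Microsoft's report or DART's tooling: it parses a constructed, simplified W3C-style IIS log (date, time, client IP, method, URI stem, query, status), percent-decodes twice so that encoded file names are not missed, and reports every request that names one of those files, grouped by source address. The `file=` query parameter and all addresses are constructed sample data.

```python
from urllib.parse import unquote

# File names the report associates with local-file-inclusion reconnaissance.
SENSITIVE_FILES = ("win.ini", "web.config")

# Constructed sample log in a simplified W3C/IIS layout (not real traffic):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-07-20 08:12:01 203.0.113.7 GET /_layouts/15/start.aspx - 200
2025-07-20 08:12:04 203.0.113.7 GET /_layouts/15/page.aspx file=web.config 500
2025-07-20 08:12:09 203.0.113.7 GET /_layouts/15/page.aspx file=win%252Eini 500
2025-07-20 08:12:15 198.51.100.4 GET /sites/hr/default.aspx - 200
2025-07-20 08:12:20 198.51.100.4 GET /sites/hr/Web.Config - 404
"""


def normalize(value: str) -> str:
    """Decode percent-encoding twice (catches double-encoded names) and case-fold."""
    return unquote(unquote(value)).lower()


def parse_line(line: str):
    """Split one log line into a record; return None for comments or malformed lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, ip, method, stem, query, status = parts
    return {
        "timestamp": f"{date} {time}",
        "ip": ip,
        "method": method,
        "stem": stem,
        "query": "" if query == "-" else query,  # "-" means empty in W3C format
        "status": status,
    }


def find_sensitive_file_requests(log_text: str):
    """Return every request whose path or query names a watched file."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        target = normalize(rec["stem"] + " " + rec["query"])
        hits = [name for name in SENSITIVE_FILES if name in target]
        if hits:
            findings.append({**rec, "files": hits})
    return findings


def summarize_by_source(findings):
    """Count flagged requests per client address to surface the probing host."""
    counts = {}
    for finding in findings:
        counts[finding["ip"]] = counts.get(finding["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = find_sensitive_file_requests(SAMPLE_LOG)
    for r in results:
        print(f'{r["timestamp"]} {r["ip"]} {r["stem"]} {r["query"]} -> {r["files"]} ({r["status"]})')
    print(summarize_by_source(results))
```

A non-200 status on these requests does not mean the probe was harmless; the report notes that full exploitation of this vector was not confirmed, so the useful signal is the repeated interest in those files from one source, which is what the per-address summary surfaces.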
Analysts at Microsoft identified the full scope of this campaign after correlating signals across identities, endpoints, and cloud infrastructure.
Their Detection and Response Team, known as DART, uncovered the coordinated use of multiple tools to sustain access, escalate privileges, and remain hidden inside the target network for an extended period without raising alarms.
Once inside, the attackers layered their access using a combination of well-known and trusted tools.
This approach made their activity much harder to distinguish from routine system administration, buying them time to move deeper into the network before the organization's security teams noticed anything amiss.
A second, unrelated threat actor was also found operating within the same environment at the same time. That group relied on malicious DLL sideloading and custom backdoors, techniques entirely distinct from Storm-2603’s methods.
The presence of two overlapping attack campaigns significantly complicated attribution and made the full scope of the intrusion far harder to detect or contain.
Hackers Use Velociraptor, Cloudflare Tunnels, Zoho Assist, and VS Code SSH
Storm-2603 deployed Velociraptor, a legitimate open-source forensic and incident response tool, with SYSTEM-level privileges to map the compromised environment.
Since Velociraptor is widely trusted and commonly used by security teams, its presence blended seamlessly with normal administrative behavior, making it an effective cover for malicious activity running in plain sight.
To ensure continued remote access, the attackers configured Cloudflare tunnels, which allowed them to route traffic through a trusted third-party service and bypass conventional network monitoring.
They also used Zoho Assist and SSH connections established through Visual Studio Code, creating multiple redundant access channels that would persist even if one method was blocked or discovered by defenders inside the organization.
Privilege escalation followed shortly after, with new local and domain administrator accounts created to lock in long-term control.
A vulnerable driver was also exploited to tamper with system memory and disable security protections, making the attackers even less visible to the defensive tools running in the compromised environment at the time.
Microsoft said in a report shared with Cyber Security News (CSN) that DART contained the intrusion by activating a structured response playbook and correlating telemetry across all affected systems. DART also held daily briefings with the organization so that containment actions stayed timely and aligned throughout the investigation.
Strengthening Defenses Against Multi-Actor Intrusions
The findings highlight just how far threat actors are willing to go to maintain their foothold inside a network.
When two separate groups are working within the same environment simultaneously, signals become mixed, attribution becomes harder, and traditional detection methods that assume a single intruder begin to fall short.
Microsoft’s response team emphasized that organizations should prioritize patching internet-facing systems to reduce the risk of initial access.
Strengthening identity security is equally important, as credential misuse played a central role in enabling threat actor escalation and persistence throughout this investigation.
Security teams are also advised to deploy endpoint protection widely, retain telemetry centrally, and keep incident response playbooks tested and ready to activate quickly.
Monitoring the use of remote access and tunneling tools is critical, since legitimate software like Velociraptor, VS Code, and Zoho Assist can all be quietly abused by attackers to move undetected across a compromised network.
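The tool-layering described in the Velociraptor, Cloudflare tunnel, Zoho Assist and VS Code section, and the monitoring recommendation above, can be turned into a simple watchlist over process-creation telemetry. The following is an added example, not code from Microsoft or DART: it reads constructed JSON-lines process events (host, user, image path, command line, parent image), suppresses an assumed approved install path for the organization's own Velociraptor deployment, and raises alerts for the tools named in the report. The Velociraptor, `cloudflared.exe` and `code.exe` binary names and their `tunnel` subcommands are real; the Zoho Assist match on a path containing "zoho", the approved path, and every host, user and path in the sample events are assumptions constructed for the example.

```python
import json
import os

# Assumed: the only place the organization's own Velociraptor agent should run from.
APPROVED_PATHS = {r"c:\program files\velociraptor\velociraptor.exe"}

# Constructed process-creation events (JSON lines); hosts, users and paths are made up.
SAMPLE_EVENTS = r"""
{"host":"SP01","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Program Files\\Velociraptor\\velociraptor.exe","cmdline":"velociraptor.exe service run","parent":"C:\\Windows\\System32\\services.exe"}
{"host":"SP01","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Windows\\Temp\\velociraptor.exe","cmdline":"velociraptor.exe client -c client.config.yaml","parent":"C:\\Windows\\System32\\cmd.exe"}
{"host":"SP01","user":"CORP\\svc_backup","image":"C:\\Users\\Public\\cloudflared.exe","cmdline":"cloudflared.exe tunnel run","parent":"C:\\Windows\\System32\\cmd.exe"}
{"host":"WS42","user":"CORP\\jdoe","image":"C:\\ProgramData\\ZohoAssist\\agent.exe","cmdline":"agent.exe","parent":"C:\\Windows\\explorer.exe"}
{"host":"WS42","user":"CORP\\jdoe","image":"C:\\Users\\jdoe\\AppData\\Local\\Programs\\Microsoft VS Code\\bin\\code.exe","cmdline":"code.exe tunnel","parent":"C:\\Windows\\System32\\cmd.exe"}
{"host":"WS42","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\OpenSSH\\ssh.exe","cmdline":"ssh.exe -T devbox","parent":"C:\\Users\\jdoe\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe"}
{"host":"WS42","user":"CORP\\admin","image":"C:\\Windows\\System32\\OpenSSH\\ssh.exe","cmdline":"ssh.exe admin@jumphost","parent":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"host":"WS42","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe","parent":"C:\\Windows\\explorer.exe"}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, portable across host OSes."""
    return os.path.basename(path.replace("\\", "/")).lower()


def evaluate(event: dict):
    """Return (rule, severity) if the event matches the watchlist, else None."""
    image = event["image"].lower()
    name = basename(image)
    cmd = event.get("cmdline", "").lower()
    parent = basename(event.get("parent", ""))
    if image in APPROVED_PATHS:
        return None  # the organization's own, expected deployment
    if name == "velociraptor.exe":
        return ("velociraptor_outside_approved_path", "high")
    if name == "cloudflared.exe" and "tunnel" in cmd:
        return ("cloudflare_tunnel_client", "high")
    if "zoho" in image:  # assumed match; confirm the vendor's real binary names
        return ("zoho_assist_remote_access", "medium")
    if name == "code.exe" and "tunnel" in cmd:
        return ("vscode_tunnel", "medium")
    if name == "ssh.exe" and parent == "code.exe":
        return ("vscode_remote_ssh", "medium")  # Remote-SSH launches ssh under code.exe
    return None


def scan(events_text: str):
    """Parse JSON-lines events and collect alerts in the order they occur."""
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        hit = evaluate(ev)
        if hit:
            alerts.append({"host": ev["host"], "user": ev["user"], "image": ev["image"],
                           "rule": hit[0], "severity": hit[1]})
    return alerts


def severity_counts(alerts):
    """Tally alerts by severity for a quick triage view."""
    counts = {}
    for a in alerts:
        counts[a["severity"]] = counts.get(a["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f'[{a["severity"]}] {a["host"]} {a["user"]} {a["rule"]}: {a["image"]}')
    print(severity_counts(found))
```

The approved-path check is what keeps this usable in an environment that genuinely runs Velociraptor: the alert fires on the copy launched from a temp directory, not on the managed agent, and the same allowlisting approach applies to any remote-access tool the organization has formally deployed.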