Security researchers from Google and Microsoft say there is evidence that China-backed hackers are taking advantage of zero-day bugs in Microsoft SharePoint as businesses around the world are in a hurry to patch their flaws.
Officially known as CVE-2025-53770, a bug discovered last weekend allows hackers to steal sensitive private keys from self-hosted versions of SharePoint, a software server widely used by businesses and organizations to store and share internal documents. Once exploited, attackers can use bugs to remotely plant malware, access files and data stored inside, and access other systems on the same network.
In a blog post Tuesday, Microsoft said it had observed that at least two previously identified China-supported hacking groups would use SharePoint Zero Days, called “linen typhoons” and “violet typhoons.” Microsoft says that linen typhoons are focused on theft of intellectual property, while violet typhoons are stealing the personal information used for espionage.
Microsoft also attributes the ongoing hacking to a third China-backed hacking group named “Storm-2603”, representing a hacking group with little information about the company. However, the company noted that hackers have been linked to ransomware attacks in the past.
According to Microsoft, three hacking groups have been observed to exploit the zero-day vulnerability to infiltrate vulnerable SharePoint servers until July 7th.
Charles Carmakal, chief technology officer of Google’s incident response unit Mandiant, told TechCrunch in an email that “at least one of the people in charge” is a China-Nexus hacking group, but said “several actors are actively exploiting this vulnerability.”
Dozens of organizations have already been hacked, including the entire government sector. The bug was considered zero day because the vendor (in this case Microsoft) didn’t have time to issue patches before it was actively exploited. Microsoft has since deployed patches for all affected versions of SharePoint, but security researchers warn that customers running a self-hosted version of SharePoint should already assume they have compromised.
TechCrunch Events
San Francisco
|
October 27th-29th, 2025
A spokesman for the Chinese Embassy in Washington, DC did not immediately return a request for comment. The Chinese government has long rejected allegations that it had carried out a cyberattack, but it has not always explicitly denied its involvement.
This is the latest hacking campaign linked to China in recent years. The China-backed hacker was accused of targeting a self-hosted Microsoft Exchange mail server in 2021 as part of a mass hacking campaign. According to a recent Justice Department indictment, Chinese hackers accused two hackers of masterminding the violation, and so-called “hafnium” hacking has breached contact information and private mailboxes from over 60,000 affected servers.
