logo

One intrusion, two cyberattackers: Uncovering parallel threat activity

ID: 753360de-6199-5511-a5fe-e12f35193b64

STIX ID: report--753360de-6199-5511-a5fe-e12f35193b64

Feed Name: Microsoft Security

Threat Score
78/100

Date Published: 2026-06-22

Date Updated: 2026-06-23

Author: Microsoft Incident Response

...
...

In this DART incident report, responders uncovered a complex, multi-stage intrusion initially identified during a ransomware investigation: Storm-2603 was observed targeting on‑premises SharePoint and conducting reconnaissance for local file inclusion, while a second unrelated actor operated in parallel using DLL sideloading and custom backdoors; attackers used Velociraptor with SYSTEM privileges, created local and domain admin accounts, leveraged Cloudflare tunnels, Zoho Assist, SSH, and a vulnerable driver to evade defenses, and Microsoft DART coordinated containment, telemetry correlation, and remediation guidance to evict adversaries and improve defensive posture.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.