One intrusion, two cyberattackers: Uncovering parallel threat activity
ID: 753360de-6199-5511-a5fe-e12f35193b64
STIX ID: report--753360de-6199-5511-a5fe-e12f35193b64
Feed Name: Microsoft Security
In this DART incident report, responders uncovered a complex, multi-stage intrusion initially identified during a ransomware investigation: Storm-2603 was observed targeting on‑premises SharePoint and conducting reconnaissance for local file inclusion, while a second unrelated actor operated in parallel using DLL sideloading and custom backdoors; attackers used Velociraptor with SYSTEM privileges, created local and domain admin accounts, leveraged Cloudflare tunnels, Zoho Assist, SSH, and a vulnerable driver to evade defenses, and Microsoft DART coordinated containment, telemetry correlation, and remediation guidance to evict adversaries and improve defensive posture.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
