China-Backed Hackers Exploit Microsoft SharePoint Zero-Day, Say Google and Microsoft

Microsoft and Google confirm Chinese state-backed hackers are exploiting a critical SharePoint zero-day flaw, compromising sensitive systems worldwide.

Jul 22, 2025 - 11:47

A dangerous zero-day vulnerability in Microsoft SharePoint is actively being exploited by hackers linked to the Chinese government, according to new reports from both Google and Microsoft. The flaw, identified as CVE-2025-53770, is being used to break into corporate servers and steal sensitive data from organizations across multiple sectors.

The vulnerability allows attackers to extract private cryptographic keys from self-hosted SharePoint servers. With those keys in hand, hackers can plant malware, access internal files, and move laterally across networks to reach other connected systems.

According to security analysts, this type of exploit could have devastating consequences for organizations that store proprietary or confidential information in SharePoint—especially companies in defense, technology, healthcare, and government sectors.

Three China-Backed Groups Behind the Exploits

Microsoft says it has directly observed three separate hacking groups tied to China actively exploiting the SharePoint zero-day since at least July 7.

Two of these groups—Linen Typhoon and Violet Typhoon—have been linked to past cyber-espionage campaigns. Microsoft reports that Linen Typhoon primarily focuses on stealing intellectual property, often targeting advanced research and development data. Violet Typhoon, meanwhile, specializes in extracting personal information, likely for espionage purposes.

A third group, identified as Storm-2603, is also involved in exploiting the SharePoint bug. Microsoft has less public intelligence on Storm-2603 but noted that the group has previously been associated with ransomware attacks, suggesting a mix of espionage and financial motives.

These coordinated attacks are part of what experts believe is a state-backed campaign, with the hacking groups operating either directly under Chinese government control or with tacit state support.

Exploits Started Before Patch Was Available

The vulnerability is classified as a zero-day, meaning hackers were already using it before Microsoft had a chance to issue a fix. Zero-days are among the most dangerous types of software vulnerabilities because no patch exists when attackers first strike, leaving defenders with nothing to apply.

Microsoft says patches are now available for all affected versions of SharePoint, but security researchers warn that it may be too late for many organizations. Companies that operate self-hosted SharePoint servers are particularly at risk because those systems are typically updated less frequently than cloud-managed services.

According to Microsoft, dozens of organizations have already been breached, and the list is expected to grow as more forensic investigations unfold.

Google Confirms the Scope of the Attacks

At Google’s Mandiant division, which specializes in incident response, security leaders are also tracking the campaign. Charles Carmakal, Chief Technology Officer at Mandiant, confirmed that at least one of the hacking groups involved has ties to China. However, he noted that multiple threat actors are now exploiting the vulnerability, raising concerns that the exploit code may have circulated beyond its original operators.

The fact that multiple groups are using the same flaw suggests either coordination or rapid copycat activity—both common in high-stakes state-sponsored cyberattacks.

Government and Private Sector Targets Breached

The ongoing attacks have already affected a mix of government agencies, private corporations, and critical infrastructure organizations, according to security researchers tracking the breaches. The specific names of victims have not been publicly disclosed, but the pattern reflects a typical Chinese cyber-espionage playbook: collect proprietary information and intelligence by compromising widely used business software.

Microsoft’s SharePoint is deeply embedded in corporate and institutional environments, making it an appealing target for large-scale exploitation. Many companies rely on SharePoint for storing confidential documents, intellectual property, and sensitive internal communications.

China’s History of Targeting Microsoft Servers

This is not the first time hackers linked to China have been accused of targeting Microsoft’s server software. In 2021, attackers believed to be part of the Chinese hacking group known as Hafnium carried out a massive breach of self-hosted Microsoft Exchange servers. That attack compromised more than 60,000 servers worldwide, exposing email accounts, contact lists, and other private data.

The U.S. Justice Department later indicted two Chinese nationals connected to the Hafnium operation, accusing them of orchestrating the hacks and stealing trade secrets on behalf of China’s government.

This latest SharePoint attack fits a similar pattern, although the vulnerability is different, and the scale of the breach is still unfolding.

No Response From Beijing

A spokesperson for the Chinese Embassy in Washington, D.C., did not respond to requests for comment on the SharePoint breaches. Historically, the Chinese government has denied direct involvement in hacking campaigns, though it rarely offers detailed rebuttals when specific incidents are reported.

Cybersecurity experts say state-backed hacking remains a key part of China’s global strategy, allowing it to collect commercial, military, and diplomatic intelligence without formal diplomatic conflict.

What Organizations Should Do Now

Security teams managing self-hosted SharePoint environments are being urged to assume compromise unless they have airtight evidence to the contrary. Microsoft’s security guidance recommends:

  • Applying all available patches immediately

  • Conducting forensic reviews of server activity dating back to early July

  • Checking for signs of lateral movement across the network

Even organizations that believe they’ve patched in time should review their systems for suspicious behavior. Once hackers gain access to internal networks, they often leave backdoors or other malicious code behind to maintain long-term control.

Hackers Are Turning Enterprise Software Into a Weapon

Chinese-linked hacking groups are now using the SharePoint zero-day to break into organizations not by attacking individual users, but by compromising the systems that manage their most sensitive data. SharePoint is a central tool for companies and government agencies worldwide—it stores internal documents, proprietary research, financial records, and confidential communication between departments. Gaining access to these systems gives attackers a direct route into the core of corporate and institutional operations.

Microsoft and Google have confirmed that at least three China-backed hacking groups are involved. Each is using the same exploit, but for different goals. One group is stealing trade secrets. Another is gathering personal information for espionage. A third has previously been linked to ransomware deployments.

Security analysts say the attackers have shifted from targeting endpoints to breaching the tools organizations use to run their daily operations. By exploiting enterprise collaboration software, these groups are gaining long-term access to networks, often without triggering alarms. The SharePoint zero-day is the latest example, and experts warn it may become one of the most damaging exploits seen this year.
