
When Microsoft's Detection and Response Team (DART) investigated what appeared to be routine ransomware activity, they discovered something far more concerning: Storm-2603 had transformed a single SharePoint server compromise into a platform for running multiple, simultaneous attack operations. This wasn't just another breach—it was an operational multiplier, where one foothold enabled diverse attack paths that traditional incident response might miss. (Source: Microsoft)

The investigation revealed that Storm-2603 began targeting on-premises SharePoint servers in mid-2025, but their approach went beyond simple exploitation. While probing for vulnerabilities through requests for configuration files like win.ini and web.config, they simultaneously deployed Velociraptor—a legitimate forensic tool—with SYSTEM-level privileges to map the environment. This dual-purpose strategy meant your security team would see administrative activity that appeared legitimate while missing the reconnaissance happening in parallel.

What makes this intrusion particularly dangerous is how Storm-2603 established multiple, independent persistence mechanisms from that single entry point. They created remote access channels through Cloudflare tunneling, Zoho Assist, and SSH connections configured through Visual Studio Code. Each channel operated independently, so closing one wouldn't stop the others. Meanwhile, they escalated privileges by creating new local and domain administrator accounts, then used a vulnerable driver to tamper with memory and disable protections.

The complexity deepened when DART discovered a second, unrelated threat actor operating in the same environment. This parallel activity—involving DLL sideloading and custom backdoors not associated with Storm-2603—meant that security teams faced overlapping attack streams that masked each other's presence. Your incident response team could spend days chasing one threat while the other continued operating undetected, each actor's noise providing cover for the other's objectives.

Attack Chain: From Initial Compromise to Velociraptor Deployment

The attack chain begins with reconnaissance that extends beyond simple vulnerability scanning. Storm-2603's approach involves systematic probing of SharePoint server configurations, testing for local file inclusion weaknesses through targeted requests. This reconnaissance phase maps to MITRE ATT&CK technique T1595 (Active Scanning), where attackers identify exploitable services before attempting compromise.

Following initial access, the deployment of Velociraptor represents a calculated escalation in operational capability. Unlike traditional malware that focuses on single objectives, Velociraptor provides comprehensive forensic collection capabilities that attackers repurpose for reconnaissance. The tool operates with SYSTEM-level privileges, enabling unrestricted access to memory dumps, process listings, and file system artifacts across the compromised environment.

The mechanics of Velociraptor deployment reveal sophisticated operational security practices. Attackers configure the tool to blend with legitimate administrative activity, making detection through behavioral analysis challenging. MITRE ATT&CK technique T1055 (Process Injection) allows Velociraptor to operate within trusted processes, while T1078 (Valid Accounts) enables movement using compromised credentials rather than exploits that might trigger alerts.

What makes Velociraptor particularly dangerous in adversarial hands is its built-in capability for distributed collection. The tool can simultaneously gather artifacts from multiple endpoints, compress them for efficient exfiltration, and maintain persistent collection schedules. This transforms a single compromise into a platform for continuous intelligence gathering across your entire network infrastructure.

The establishment of multiple remote access channels demonstrates redundancy planning rarely seen in commodity attacks. Cloudflare tunneling provides encrypted command and control that appears as legitimate HTTPS traffic. Zoho Assist offers a backup channel through legitimate remote support infrastructure. SSH connections via Visual Studio Code create developer-mimicking traffic patterns that security teams often allowlist. Each channel maps to MITRE ATT&CK technique T1572 (Protocol Tunneling), ensuring sustained access even if individual channels are discovered.

Privilege escalation occurs through creation of both local and domain administrator accounts, corresponding to MITRE ATT&CK technique T1136 (Create Account). These accounts persist across password resets and provide fallback access if primary credentials are revoked. The use of vulnerable drivers for memory tampering aligns with T1068 (Exploitation for Privilege Escalation), disabling security controls at the kernel level where endpoint protection cannot intervene.

The parallel operation of a second threat actor introduces additional complexity through DLL sideloading techniques. This method exploits Windows' DLL search order to load malicious code through legitimate applications, mapping to MITRE ATT&CK technique T1574.002 (DLL Side-Loading). Custom backdoors deployed through this mechanism operate independently of Storm-2603's infrastructure, creating overlapping persistence that complicates complete remediation.

For security teams, this multi-layered approach means traditional incident response may miss critical components. The combination of legitimate tools, multiple access vectors, and parallel threat actor activity creates detection challenges that single-point security controls cannot address. Organizations need comprehensive telemetry correlation across identity systems, endpoint activity, and network traffic to identify these blended operations before significant damage occurs.

Business and Operational Impact of Parallel Attack Operations

When two unrelated threat actors operate within your network simultaneously, the traditional assumptions about incident scope and recovery timelines no longer apply. Your security team faces a fundamentally different challenge: instead of containing one attack with clear objectives, you're defending against multiple, overlapping campaigns that deliberately obscure each other's activities. This operational complexity transforms what might have been a manageable ransomware incident into a multi-front security crisis requiring significantly more resources to investigate and contain.

The presence of parallel attackers multiplies your data exposure risk exponentially. While Storm-2603 established persistence through remote access tools like Cloudflare tunneling and Zoho Assist, the second threat actor deployed DLL sideloading techniques and custom backdoors—each creating independent pathways for data exfiltration. Your sensitive information faces extraction through multiple channels simultaneously, with each actor potentially targeting different datasets. Customer records might flow through one channel while intellectual property exits through another, making comprehensive data loss assessment nearly impossible until both intrusions are fully mapped.

System availability becomes unpredictable when multiple actors compete for resources within your infrastructure. The deployment of Velociraptor with SYSTEM-level privileges by one actor, combined with memory tampering through vulnerable drivers by another, creates cascading performance impacts. Your critical business applications experience degradation from multiple sources—forensic collection tools consuming resources, backdoors maintaining persistent connections, and defensive evasion techniques modifying system behavior. Production systems that normally handle standard loads now struggle under the combined weight of parallel malicious operations.

For organizations with limited Security Operations Center (SOC) resources, this scenario represents an overwhelming detection and analysis burden. Your analysts must correlate signals across multiple attack patterns simultaneously—distinguishing between Storm-2603's legitimate tool abuse and the second actor's custom malware deployment requires deep forensic expertise. Each suspicious event requires investigation through multiple lenses: Is this activity from the known ransomware operator? The secondary threat actor? Or legitimate administrative action? This analytical complexity extends investigation timelines from days to weeks, during which both actors continue operating.

The incident response complexity escalates when containment actions against one actor potentially alert the other. Disabling remote access channels might prompt the second actor to accelerate their objectives, while removing one set of persistence mechanisms leaves others intact. Your incident response team must choreograph containment across multiple fronts without triggering destructive actions from either party. Daily briefings become essential coordination points, but even with continuous communication, the risk of incomplete eradication remains high.

Regulatory exposure intensifies when parallel intrusions compromise different compliance-regulated datasets. If one actor accesses payment card data while another exfiltrates healthcare records, you face multiple breach notification requirements under different regulatory frameworks. Organizations operating under GDPR, HIPAA, or PCI-DSS requirements face compounded penalties if the full scope of parallel compromises isn't properly documented and reported within mandated timeframes.

Key Insight: The investigation must establish not just what data was accessed, but which actor accessed it and when—critical details for accurate breach notifications.

Detection and Hunting: Finding Storm-2603 and Velociraptor in Your Environment

Your immediate priority: search for Velociraptor artifacts across your environment today. Start with process creation events showing velociraptor.exe (match the name case-insensitively) launching with SYSTEM privileges, particularly when spawned from unusual parent processes like cmd.exe or powershell.exe rather than legitimate administrative tools. Check Windows Event ID 4688 for process creation audit logs, focusing on command lines containing "artifacts collect" or "server" parameters that indicate active collection operations.

The presence of parallel threat actors creates distinctive behavioral patterns in your telemetry that single attackers rarely produce. Look for hosts exhibiting multiple suspicious child processes within short timeframes—SSH connections through Visual Studio Code alongside Cloudflare tunnel processes, combined with remote assistance tools like Zoho Assist. These overlapping remote access methods from the same endpoint signal competing persistence mechanisms rather than standard administrative activity.

Memory tampering through vulnerable drivers leaves specific traces in your logs. Search Sysmon Event ID 6 for driver loads, particularly drivers with unsigned or expired certificates loading into kernel space. Cross-reference these with Event ID 4657 registry auditing to identify modifications to HKLM\SYSTEM\CurrentControlSet\Services keys that enable driver persistence. When attackers disable security protections through driver exploitation, Windows Security Event 4616 captures system time changes that often accompany protection bypass attempts.

Your EDR telemetry should prioritize network connections to uncommon ports from processes running with elevated privileges. Velociraptor's client-server architecture generates predictable callback patterns—typically HTTPS connections on non-standard ports to command infrastructure. Filter for outbound connections from SYSTEM-context processes to IP addresses not in your organization's baseline, particularly those using ports 8000, 8080, or 8443 commonly used by Velociraptor deployments.

This week, expand your hunt to lateral movement indicators that reveal how attackers pivoted after establishing their foothold. Windows Event ID 4624 Type 3 network logons from newly created local administrator accounts warrant investigation, especially when followed immediately by Event ID 4672 special privilege assignments. These sequences indicate privilege escalation attempts that precede broader network compromise.

For comprehensive attack chain reconstruction over the coming month, correlate SharePoint IIS logs with authentication events. Look for HTTP requests to win.ini and web.config files in your SharePoint access logs, then trace forward to identify which accounts accessed the server after these reconnaissance attempts. The timeline between initial probing and privilege escalation reveals attacker dwell time and helps identify additional compromise indicators you may have missed.
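The probe-to-logon correlation described above, as an added example that is not part of the original post or of the DART investigation. The IIS log lines and Security events are constructed sample data; the W3C field order and the event field names are assumptions for this example.

```python
"""Find SharePoint IIS requests for win.ini / web.config, then trace forward to the
accounts that logged on afterwards and the dwell time until privileges were assigned."""
import re
from datetime import datetime

# Constructed W3C-style IIS lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
IIS_LOG = """\
2025-07-18 09:14:02 203.0.113.7 GET /sites/hr/default.aspx - 200
2025-07-18 09:14:05 203.0.113.7 GET /../../../../windows/win.ini - 404
2025-07-18 09:14:06 203.0.113.7 GET /_layouts/15/../../web.config - 200
2025-07-18 09:30:11 198.51.100.20 GET /sites/hr/default.aspx - 200
"""

# Constructed Security events on the SharePoint host: 4624 logons and 4672 privilege assignment
AUTH_EVENTS = [
    {"time": "2025-07-18 08:55:00", "id": 4624, "user": "svc_sp", "type": 5},
    {"time": "2025-07-18 09:41:30", "id": 4624, "user": "spadmin", "type": 10},
    {"time": "2025-07-18 10:02:15", "id": 4624, "user": "helpdesk2", "type": 3},
    {"time": "2025-07-18 10:02:16", "id": 4672, "user": "helpdesk2", "type": None},
]

PROBE_RE = re.compile(r"(win\.ini|web\.config)$", re.IGNORECASE)
TS = "%Y-%m-%d %H:%M:%S"


def find_probes(log_text):
    """Return (timestamp, client_ip, uri) for every request ending in win.ini or web.config,
    whatever traversal prefix precedes the file name."""
    probes = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip malformed or header lines
        date, time, ip, _method, uri = fields[:5]
        if PROBE_RE.search(uri):
            probes.append((datetime.strptime(f"{date} {time}", TS), ip, uri))
    return probes


def trace_forward(probes, events):
    """From the earliest probe, list accounts that logged on afterwards and the minutes
    until the first 4672 special-privilege assignment (the escalation marker)."""
    if not probes:
        return None
    first_probe = min(p[0] for p in probes)
    later = [e for e in events if datetime.strptime(e["time"], TS) > first_probe]
    accounts = sorted({e["user"] for e in later if e["id"] == 4624})
    priv = [datetime.strptime(e["time"], TS) for e in later if e["id"] == 4672]
    dwell_min = int((min(priv) - first_probe).total_seconds() // 60) if priv else None
    return {
        "first_probe": first_probe.strftime(TS),
        "probe_ips": sorted({p[1] for p in probes}),
        "accounts_after_probe": accounts,
        "minutes_to_privilege": dwell_min,
    }


if __name__ == "__main__":
    print(trace_forward(find_probes(IIS_LOG), AUTH_EVENTS))
```

Logons that precede the first probe (the service account here) are excluded, so the account list only contains activity that could have followed the reconnaissance.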

In environments Capstone manages, SentinelOne detects process injection attempts and memory manipulation techniques that vulnerable drivers enable, blocking these protection bypass attempts before attackers establish deeper persistence. The platform's behavioral analysis identifies when legitimate tools like Velociraptor execute outside expected administrative workflows, generating high-priority alerts for investigation.

Configure your SIEM to aggregate these detection patterns into composite alerts. A single Velociraptor process might be legitimate incident response activity, but when combined with new administrator account creation, multiple remote access tools, and driver loading events, the correlation reveals active compromise requiring immediate containment.

Containment and Response: Stopping Parallel Attacks Before They Spread

Your first priority: immediately isolate any system showing signs of Velociraptor deployment or unusual remote access tool activity. Disconnect these systems from the network entirely—not just from the internet, but from all internal segments. This breaks command-and-control channels for both threat actors while preserving evidence. Complete this isolation within 15 minutes of detection, using out-of-band management interfaces where possible to avoid alerting attackers through monitored channels.

Before initiating any cleanup activities, preserve forensic artifacts from Velociraptor's operation. The tool creates extensive collection databases and logs that document exactly what the attackers accessed and exfiltrated. Copy these artifacts to offline storage immediately; they are typically found in C:\Program Files\Velociraptor\ or in custom installation paths. These files contain critical intelligence about both threat actors' objectives and will inform your recovery strategy. Allocate 2-4 hours for comprehensive artifact collection across affected systems.

Your credential reset strategy must account for multiple compromise vectors operating simultaneously. Start with domain administrator accounts and any service accounts with elevated privileges—reset these within the first hour of response. Next, target accounts showing authentication from systems with Cloudflare tunneling, Zoho Assist, or SSH connections through Visual Studio Code. These represent confirmed lateral movement paths that both actors could exploit. Complete all privileged account resets within 6 hours, followed by standard user accounts within 24 hours.

Determining the full scope requires correlation across multiple data sources, since parallel operations deliberately obscure each other's tracks. Query your authentication logs for any account that authenticated to systems showing Velociraptor processes, remote access tool installations, or DLL sideloading indicators. Cross-reference these with network flow data to identify systems communicating with known command-and-control infrastructure. This scope determination typically requires 24-48 hours of focused analysis, but attempting recovery without complete visibility risks re-infection.

The presence of vulnerable driver exploitation for defense evasion means standard endpoint protection may be compromised on affected systems. Before bringing any system back online, boot from trusted media and verify the integrity of security tools. Check driver signing enforcement settings and audit installed drivers against known vulnerable driver databases. Any system where memory tampering occurred requires complete reimaging—patching alone won't remove sophisticated persistence mechanisms.

Recovery sequencing must prevent cross-contamination between cleaned and compromised segments. Start with domain controllers and authentication infrastructure, ensuring these are completely clean before restoring any dependent systems. Next, recover critical business applications in isolated network segments with enhanced monitoring. Only after validating these core systems should you begin restoring general user workstations. This phased approach typically spans 5-7 days but prevents re-infection that could extend the incident by weeks.

The parallel nature of this intrusion means you cannot assume a single objective or attack pattern. While one actor may focus on data theft, the other could be positioning for ransomware deployment. Your response must address both possibilities simultaneously—implementing controls for data exfiltration while also protecting against encryption attacks. This dual-focus approach requires more resources but prevents catastrophic oversight where stopping one attack enables the other.

Long-Term Hardening: Preventing Single-Point-of-Failure Intrusions

You must fundamentally restructure how your organization responds to initial compromise events. The parallel attack model demonstrated in this incident succeeds because traditional containment assumes a single threat actor with linear objectives. When multiple, unrelated attackers operate through the same entry point, your standard incident response playbook becomes a liability—isolating one threat actor's infrastructure while leaving the second's command channels intact.

Start by implementing strict network segmentation that prevents any single compromised system from becoming a platform for widespread access. Configure internal firewalls between SharePoint servers and domain controllers, between user workstations and administrative networks, and between production systems and backup infrastructure. This segmentation must enforce authentication boundaries—a compromised SharePoint service account should never possess permissions to create domain administrator accounts or access backup systems.

Your detection strategy requires behavioral correlation across multiple data streams to identify overlapping attack patterns. Configure your security information and event management (SIEM) platform to flag hosts exhibiting both remote access tool deployment and memory manipulation within the same time window. Set alerts for systems where multiple administrative tools launch with elevated privileges from different parent processes—a pattern that suggests competing threat actors establishing separate footholds.
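The windowed, per-host correlation recommended here and in the hunting section's composite alerts, as an added example that is not part of the original post or of any vendor's rule set. The events are constructed sample telemetry modelled on Security 4688/4720 and Sysmon Event ID 6; the field names and the remote access tool process names in REMOTE_ACCESS are assumptions for this example.

```python
"""Flag a host only when several independent indicators from the hunting guidance
(SYSTEM-level Velociraptor, new account, remote access tool, suspicious driver load)
land inside one sliding window. A lone Velociraptor run stays unflagged."""
from collections import defaultdict
from datetime import datetime, timedelta

TS = "%Y-%m-%d %H:%M:%S"
WINDOW = timedelta(hours=1)
MIN_CATEGORIES = 3
REMOTE_ACCESS = {"cloudflared.exe", "zohoassist.exe", "code.exe"}  # assumed process names

# Constructed events. SP-01 is a legitimate IR run; SP-02 shows the blended pattern.
EVENTS = [
    {"host": "SP-01", "time": "2025-07-19 14:00:00", "id": 4688, "image": "velociraptor.exe",
     "parent": "explorer.exe", "user": "DOMAIN\\ir_analyst", "cmd": "velociraptor.exe artifacts collect"},
    {"host": "SP-02", "time": "2025-07-19 02:10:00", "id": 4688, "image": "velociraptor.exe",
     "parent": "cmd.exe", "user": "NT AUTHORITY\\SYSTEM", "cmd": "velociraptor.exe artifacts collect"},
    {"host": "SP-02", "time": "2025-07-19 02:25:00", "id": 4720, "user": "NT AUTHORITY\\SYSTEM",
     "target": "svc_backup2"},
    {"host": "SP-02", "time": "2025-07-19 02:40:00", "id": 4688, "image": "cloudflared.exe",
     "parent": "powershell.exe", "user": "NT AUTHORITY\\SYSTEM", "cmd": "cloudflared.exe tunnel run"},
    {"host": "SP-02", "time": "2025-07-19 02:55:00", "sysmon": 6,
     "image": "C:\\Windows\\Temp\\drv.sys", "signature_status": "Unavailable"},
    # hours later, outside the cluster above: a developer's VS Code remote session
    {"host": "SP-02", "time": "2025-07-19 09:00:00", "id": 4688, "image": "code.exe",
     "parent": "explorer.exe", "user": "DOMAIN\\dev1", "cmd": "code.exe --remote ssh-remote+build"},
]


def categorize(ev):
    """Map one event to a detection category from the hunting guidance, or None."""
    image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    if ev.get("sysmon") == 6:  # driver load whose signature is not valid
        return "driver_load" if ev.get("signature_status") != "Valid" else None
    if ev.get("id") == 4720:  # local or domain account created
        return "new_account"
    if ev.get("id") == 4688:
        if image in REMOTE_ACCESS:
            return "remote_access_tool"
        if image == "velociraptor.exe" and ev.get("user", "").upper().endswith("\\SYSTEM"):
            shell_parent = ev.get("parent", "").lower() in {"cmd.exe", "powershell.exe"}
            collecting = any(k in ev.get("cmd", "") for k in ("artifacts collect", "server"))
            if shell_parent or collecting:
                return "velociraptor_system"
    return None


def composite_alerts(events, window=WINDOW, min_categories=MIN_CATEGORIES):
    """Return {host: (window_start, sorted categories)} for hosts where at least
    min_categories distinct indicators fall inside one sliding window."""
    per_host = defaultdict(list)
    for ev in events:
        cat = categorize(ev)
        if cat:
            per_host[ev["host"]].append((datetime.strptime(ev["time"], TS), cat))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            cats = {c for t, c in hits[i:] if t - start <= window}
            if len(cats) >= min_categories and (host not in alerts or len(cats) > len(alerts[host][1])):
                alerts[host] = (start.strftime(TS), sorted(cats))
    return alerts


if __name__ == "__main__":
    print(composite_alerts(EVENTS))
```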

The vulnerable driver technique used for defense evasion demands specific monitoring beyond standard endpoint protection. Deploy application control policies that block driver loading except through signed Windows Update packages. Monitor kernel callback modifications through Windows Defender Application Control (WDAC) events, particularly Event ID 3076 indicating blocked kernel drivers. These controls prevent attackers from disabling security tools through memory manipulation while maintaining visibility into attempted tampering.

Backup infrastructure represents a critical failure point when multiple attackers operate simultaneously. Implement immutable backup storage that prevents deletion or encryption even with compromised administrator credentials. Configure backup systems on isolated network segments with separate authentication domains—ensuring that domain administrator compromise cannot reach backup repositories. Test restoration procedures monthly, specifically validating that backups remain accessible when primary domain controllers are compromised.

Your incident response playbooks need explicit procedures for parallel threat scenarios. Document containment steps that assume multiple command-and-control channels: isolate affected systems from all network segments, not just internet access. Include forensic preservation requirements that capture artifacts from competing toolsets—preserving evidence from both legitimate tool abuse and custom malware deployment. Establish communication protocols that bypass potentially compromised channels, using out-of-band verification for critical containment decisions.

Adlumin's identity threat detection capabilities identify the authentication anomalies that signal parallel attacks across managed environments—tracking when multiple threat actors create separate privileged accounts or establish distinct persistence mechanisms through the same compromised system. The platform correlates these competing authentication patterns that traditional monitoring misses.

The success of parallel attacks depends on defenders missing the second threat actor while focusing on the obvious first intrusion. By implementing defense-in-depth that assumes compromise, maintaining visibility across all authentication and administrative tool usage, and preparing response procedures for multi-actor scenarios, you transform single-point compromises from platforms for sustained access into contained, manageable incidents.

The Critical Takeaway: Assume Parallel Operations in Your Incident Response

The fundamental shift you must make in your incident response planning: treat every initial compromise as if multiple threat actors are already operating through that same foothold. The Microsoft DART investigation demonstrates that when sophisticated actors like Storm-2603 establish access, the compromised infrastructure becomes a shared platform where unrelated attackers conduct independent operations. Your traditional assumption that one breach equals one attacker with one objective leaves you vulnerable to the second, third, or fourth campaign running through the same entry point.

This parallel operation model succeeds because each threat actor's activity provides cover for the others. While your team investigates ransomware deployment, a separate actor establishes backdoors through DLL sideloading. While you trace credential theft, another group exfiltrates intellectual property through different channels. The overlapping telemetry creates noise that masks individual campaigns, extending dwell time for all attackers involved.

The operational reality: your incident response must shift from linear containment to comprehensive mapping of all active operations. This means correlating telemetry across every identity, endpoint, and cloud resource touched by the initial compromise—not just following one attack path. Daily coordination between security teams becomes essential, as does collaboration with threat intelligence providers who can distinguish between different actors' techniques.

Your immediate action: implement detection rules for Velociraptor artifacts and configure hunting queries that identify parallel remote access tool deployments this week. Focus on systems showing multiple administrative tools launched within short timeframes, unusual combinations of legitimate software used for persistence, and overlapping command-and-control channels through different protocols. These patterns indicate multiple actors operating from a single compromised asset.
