
- Microsoft discovered two separate hacking groups operating simultaneously.
- Their parallel operations made detection extremely difficult initially.
- Storm-2603 exploited SharePoint; another group used DLL sideloading.
- Microsoft recommends patching systems, securing high-privilege accounts.
Microsoft has uncovered a complex cyberattack involving two separate hacking groups operating at the same time, rather than one after another, making the activity far harder to detect. The findings come from a Microsoft Incident Response (DART) report, which found that the intrusion combined familiar ransomware methods with additional tactics aimed at securing long-term access to victim systems.
Investigators traced the activity to a known group called Storm-2603, but soon found a second, unrelated attacker working independently within the same environment, leading to a much wider probe than originally expected.
How Did Investigators Discover Two Separate Hacking Groups?
According to the report, the initial probe pointed to lateral movement that went beyond the first affected organisation and into a second one. When researchers reached out, that second entity confirmed it had also been hit by the same ransomware activity linked to Storm-2603. However, a deeper analysis carried out with Microsoft Threat Intelligence showed that a different, unconnected threat actor was also active in the same systems.
“Two distinct threat activity streams were operating in parallel, rather than sequentially, making them difficult to detect in isolation,” the researchers said, adding that the full scale of the attack only became clear once identity, endpoint, and cloud telemetry were studied together.
Microsoft said Storm-2603 had been targeting on-premises SharePoint servers since mid-2025 by exploiting publicly known vulnerabilities. Meanwhile, the second group showed signs of DLL sideloading, a method that can be used to hide behind trusted software while installing backdoors or maintaining persistent access. The report did not disclose the scale of losses caused by the attackers.
What Should Organisations Do To Stay Protected?
“This case highlights a growing reality: modern attacks are not always isolated events. Sometimes they are overlapping campaigns that demand coordinated visibility and response,” Microsoft said.
The company recommended several steps to reduce risk, including patching internet-facing systems quickly, treating high-privilege accounts as a major attack surface, deploying endpoint protection across all systems in advance, and avoiding security gaps created by inconsistent or delayed tool rollouts.
Doonited Affiliated: Syndicate News Hunt
This report has been published as part of an auto-generated syndicated wire feed. Except for the headline, the content has not been modified or edited by Doonited.




