Microsoft discovered a complex cyberattack involving two separate hacking groups operating simultaneously. This parallel activity made the intrusion far harder to detect than traditional attacks.
Microsoft's DART Report Exposes Ransomware Attack With A Hidden Second Hacker
Microsoft's investigators expected to find one hacking group. Instead, they found two, working at the same time, inside the same system, without knowing about each other.

- Microsoft discovered two separate hacking groups operating simultaneously.
- Their parallel operations made detection extremely difficult initially.
- Storm-2603 exploited SharePoint; another group used DLL sideloading.
- Microsoft recommends patching systems, securing high-privilege accounts.
Microsoft has uncovered a complex cyberattack involving two separate hacking groups operating at the same time, rather than one after another, which made the activity far harder to detect. The findings come from a Microsoft Incident Response (DART) report, which found that the intrusion combined familiar ransomware methods with additional tactics aimed at securing long-term access to victim systems.
Investigators traced the activity to a known group tracked as Storm-2603, but soon found a second, unrelated attacker working independently within the same environment, leading to a much wider probe than originally expected.
How Did Investigators Discover Two Separate Hacking Groups?
According to the report, the initial probe pointed to lateral movement that went beyond the first affected organisation and into a second one. When investigators contacted that second organisation, it confirmed it had also been hit by the same ransomware activity linked to Storm-2603. However, a deeper analysis carried out with Microsoft Threat Intelligence showed that a different, unconnected threat actor was also active in the same systems.
"Two distinct threat activity streams were operating in parallel, rather than sequentially, making them difficult to detect in isolation," the researchers said, adding that the full scale of the attack only became clear once identity, endpoint, and cloud telemetry were studied together.
Microsoft said Storm-2603 had been targeting on-premises SharePoint servers since mid-2025 by exploiting publicly known vulnerabilities. Meanwhile, the second group showed signs of DLL sideloading, a technique in which a malicious DLL is placed where a legitimate, signed executable will load it, so the attacker's code runs under a trusted process name while installing backdoors or maintaining persistent access. The report did not disclose the scale of losses caused by the attackers.
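The DART report does not publish the sideloaded file names, so the following is an added hunting script, not code from Microsoft or from the report. It applies the general heuristic behind DLL sideloading detection: a process whose executable carries a valid Authenticode signature has loaded a DLL from outside the Windows system directories, and that DLL is either unsigned or signed by a different publisher than the host executable. The directory list and the "same signer" test are assumptions of this example and should be tuned for the environment.

```powershell
# Added example (not from the report): hunt for DLL sideloading candidates on a Windows host.
# Heuristic: a signed host executable has loaded a DLL from a non-system directory
# that is unsigned, has an invalid signature, or is signed by a different publisher.
# Assumption: run from an elevated PowerShell session so module lists of other users'
# processes are readable; protected processes are skipped rather than failing the run.

$systemDirs = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    "$env:SystemRoot\WinSxS"
)

function Test-InSystemDir {
    param([string]$Path)
    foreach ($d in $systemDirs) {
        if ($Path -like "$d\*") { return $true }
    }
    return $false
}

$findings = foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    $exe = $proc.Path
    if (-not $exe) { continue }                       # no readable image path (system/idle)

    $exeSig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
    if ($exeSig.Status -ne 'Valid') { continue }      # only care about "trusted" host binaries
    $exeSigner = $exeSig.SignerCertificate.Subject

    $modules = try { $proc.Modules } catch { continue }   # access denied on protected processes

    foreach ($m in $modules) {
        $dll = $m.FileName
        if (-not $dll -or $dll -notlike '*.dll') { continue }
        if (Test-InSystemDir $dll) { continue }      # OS-shipped DLLs are out of scope here

        $dllSig = Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue
        $sameSigner = ($dllSig.Status -eq 'Valid') -and
                      ($dllSig.SignerCertificate.Subject -eq $exeSigner)
        if ($sameSigner) { continue }                # vendor DLL next to vendor EXE: benign

        [pscustomobject]@{
            ProcessName  = $proc.ProcessName
            PID          = $proc.Id
            Executable   = $exe
            Dll          = $dll
            DllSigStatus = $dllSig.Status
            HostSigner   = $exeSigner
        }
    }
}

$findings | Sort-Object ProcessName, Dll | Format-Table -AutoSize
```

Expect benign hits from applications that ship unsigned helper DLLs; the value of the output is in the pairing of a well-known signed executable with a DLL sitting in a user-writable directory (ProgramData, a profile folder, a temp path). Those rows are the ones to pivot on with file hashes and creation timestamps, and the same heuristic can be expressed as an EDR query over image-load telemetry instead of a live host scan.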
What Should Organisations Do To Stay Protected?
"This case highlights a growing reality: modern attacks are not always isolated events. Sometimes they are overlapping campaigns that demand coordinated visibility and response," Microsoft said.
The company recommended several steps to reduce risk, including patching internet-facing systems quickly, treating high-privilege accounts as a major attack surface, deploying endpoint protection across all systems before an incident rather than during one, and avoiding security gaps created by inconsistent or delayed tool rollouts.
Frequently Asked Questions
What was unique about the cyberattack Microsoft uncovered?
How did investigators identify two separate hacking groups?
An initial probe led to a second organization, also hit by ransomware. Deeper analysis with Microsoft Threat Intelligence then revealed a different, unconnected threat actor working in parallel within the same systems.
What methods did the two hacking groups use in the attack?
Storm-2603 exploited publicly known vulnerabilities in on-premises SharePoint servers. The second group showed signs of DLL sideloading, a technique that runs attacker code under a trusted, signed executable to install backdoors and maintain persistent access.
What does Microsoft recommend for organizations to stay protected?
Microsoft advises patching internet-facing systems quickly, treating high-privilege accounts as a major attack surface, and deploying endpoint protection. Avoiding security gaps created by inconsistent tool rollouts is also crucial.