Microsoft is warning that a China-based hacking group is chaining together fresh zero-day vulnerabilities in what it describes as rapid, high-impact ransomware attacks. The activity, which targets organizations around the world, reflects a shift toward faster intrusion-to-encryption timelines that leave defenders little room to react.
The company says the attackers are exploiting flaws in widely used enterprise software to gain initial access, move laterally, and deploy ransomware in compressed windows of time. Security teams now face a threat model in which patch delays of even a few days can translate directly into operational shutdowns and data extortion.
What happened
Microsoft has linked the activity to a China-based threat actor that specializes in exploiting newly discovered vulnerabilities before most organizations can deploy fixes. According to the company, the group is abusing multiple zero-day flaws in enterprise platforms and then pivoting quickly to deploy ransomware once inside a network. Microsoft described the campaign as a series of fast-moving operations in which initial compromise, privilege escalation, and data encryption can occur within hours.
The attackers have focused on internet-facing business applications that often sit deep in corporate workflows. Microsoft highlighted exploitation of a critical SharePoint vulnerability that allowed remote code execution on unpatched servers. Security researchers reported that the flaw gave intruders the ability to upload and execute arbitrary files, which the China-based group used to drop web shells, establish persistence, and stage ransomware payloads. Microsoft has urged administrators running affected SharePoint versions to apply the relevant security updates and to audit for any suspicious uploads or configuration changes.
One detailed advisory on the campaign describes how the group uses automated scanning to identify vulnerable systems, then launches tailored exploits in what Microsoft called a rapid attack pattern. Once a target is compromised, the attackers deploy lightweight tools to harvest credentials, map the network, and disable security controls. In several cases, Microsoft observed the group moving from initial access to ransomware deployment in less than a day, a pace that outstrips traditional incident response playbooks.
Reporting on the campaign notes that Microsoft has been tracking the threat actor through its security telemetry and has pushed new detections to products such as Microsoft Defender. The company has also shared indicators of compromise with customers and partners so they can search for signs of the same intrusion chain. In its description of the threat, Microsoft emphasized that the group is not only fast but also adaptable, frequently shifting infrastructure and tooling once defenders begin to block known indicators.
The campaign builds on earlier activity tied to a SharePoint zero-day that was actively exploited before Microsoft released a fix. At the time, security researchers documented how attackers used the SharePoint bug to gain a foothold in corporate environments, then installed web shells and backdoors that persisted even after patches were applied. Microsoft later shipped a targeted fix for that SharePoint zero-day, but the current wave of attacks shows that similar techniques remain attractive to sophisticated actors.
More recent analysis of the China-based campaign explains that the group is now pairing the SharePoint flaw with other unpatched vulnerabilities to build multi-stage attack chains. In some incidents, the attackers reportedly gained initial access through the SharePoint bug, then leveraged additional privilege escalation exploits to reach domain controllers and file servers. From there, they pushed ransomware across Windows endpoints and servers, often using legitimate administrative tools to blend into normal network traffic.
Microsoft described these incidents as involving what it called rapid attack zero-days, a phrase that reflects both the novelty of the vulnerabilities and the speed at which they are weaponized. Coverage of the campaign notes that the company has seen the group target organizations in multiple regions and sectors, including manufacturing, professional services, and regional government entities. In several cases, victims reported simultaneous data theft and encryption, which suggests that the attackers are preparing to use double extortion tactics even if the initial ransom demand is not met.
Why it matters
The use of fresh zero-day vulnerabilities for ransomware has serious implications for how organizations think about patching and perimeter defense. In the past, many ransomware crews relied on known bugs or stolen credentials, which gave defenders a chance to mitigate risk by applying updates on a predictable schedule. Microsoft’s warning that a China-based group is actively exploiting brand-new flaws for fast encryption attacks signals that the window between disclosure and exploitation has narrowed to almost zero.
Security analysts point out that the SharePoint vulnerability illustrates this shift. Microsoft has said that attackers were exploiting the SharePoint flaw to deploy ransomware even as many organizations were still evaluating the patch. Because SharePoint often sits at the center of document collaboration and workflow automation, a successful attack can disrupt core business processes, interrupt customer-facing services, and expose large volumes of sensitive data.
The campaign also highlights the growing convergence of state-linked tradecraft with financially motivated crime. Microsoft has attributed the activity to a China-based actor, and coverage of the campaign notes that the group’s techniques resemble those used in espionage intrusions, including careful reconnaissance and selective targeting. Yet the endgame in these cases is ransomware and extortion, not just data theft. That combination suggests that some state-aligned or state-tolerated groups are increasingly comfortable using financially disruptive tactics when it suits their objectives.
For defenders, the speed of these intrusions changes the calculus of incident response. Traditional models assume that security teams have days or weeks to detect lateral movement before attackers trigger destructive actions. Microsoft’s telemetry on the current campaign indicates that the China-based group often moves from initial exploit to domain-wide ransomware in a single workday. That pace makes continuous monitoring, automated containment, and pre-planned playbooks far more important than ad hoc investigation after an alert.
The reporting also underscores the limits of perimeter-focused security. In several incidents, the attackers reportedly used legitimate administrative tools such as PowerShell and PsExec after the initial exploit, which allowed them to blend in with normal operations. Microsoft has responded by updating its ransomware detections to look for behavioral patterns rather than specific malware signatures. Organizations that still rely heavily on signature-based antivirus or manual log review will struggle to keep up with this type of threat.
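To make the "behavioral patterns rather than specific malware signatures" point concrete, here is an added example (not code from Microsoft, its advisory, or the reporting quoted above) of a small correlator that watches for the stages this article describes, living-off-the-land PowerShell use, tampering with security controls, and PsExec-style lateral movement, and flags a host only when several of them occur within a short window. The record layout and the sample log lines are constructed for this example; the Windows event IDs (4688 process creation, 4104 PowerShell script block logging, 7045 service installation) and the PSEXESVC service name are real, and the 24-hour window is an assumption chosen to reflect the article's "less than a day" timeline.

```python
"""Behavioral correlation over Windows event records (added example).

Instead of matching a malware hash, each rule describes a stage of the
intrusion chain the article outlines; a host is reported when at least
`min_stages` distinct stages are seen within `window`, along with the
elapsed time, which is the metric the article stresses (hours, not days).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class Event:
    ts: datetime
    host: str
    source: str        # event log channel, e.g. "System", "Security", "PowerShell"
    event_id: int
    message: str


# Constructed sample log in a simple "ts|host|channel|event_id|message" layout.
# SRV-SP01 shows three stages inside ~20 minutes; FS01 shows routine admin use.
SAMPLE_LOG = [
    "2024-01-15T09:02:11|FS01|PowerShell|4104|Get-ChildItem C:\\Shares | Measure-Object",
    "2024-01-15T13:10:05|SRV-SP01|Security|4688|powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA...",
    "2024-01-15T13:14:47|SRV-SP01|PowerShell|4104|Set-MpPreference -DisableRealtimeMonitoring $true",
    "2024-01-15T13:31:19|SRV-SP01|System|7045|A service was installed in the system. Service Name: PSEXESVC Service File Name: %SystemRoot%\\PSEXESVC.exe",
]

# Each rule: (stage name, event ID it applies to, pattern over the message).
# These are behaviors, not file signatures, so renaming a binary does not evade them.
STAGE_RULES = [
    ("lolbin_powershell", 4688,
     re.compile(r"powershell(\.exe)?\s.*-(enc|encodedcommand)\b", re.I)),
    ("security_control_tamper", 4104,
     re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I)),
    ("psexec_service_install", 7045,
     re.compile(r"Service Name:\s*PSEXESVC", re.I)),
]


def parse_line(line: str) -> Event:
    """Parse one constructed log line; maxsplit keeps '|' inside the message intact."""
    ts, host, source, event_id, message = line.split("|", 4)
    return Event(datetime.fromisoformat(ts), host, source, int(event_id), message)


def classify(ev: Event):
    """Return the stage name an event represents, or None if it is unremarkable."""
    for stage, eid, pattern in STAGE_RULES:
        if ev.event_id == eid and pattern.search(ev.message):
            return stage
    return None


def correlate(lines, window=timedelta(hours=24), min_stages=2):
    """Group stage hits per host and report hosts whose stages cluster in time."""
    first_seen = {}  # host -> {stage: earliest timestamp}
    for line in lines:
        ev = parse_line(line)
        stage = classify(ev)
        if stage is None:
            continue
        per_host = first_seen.setdefault(ev.host, {})
        if stage not in per_host or ev.ts < per_host[stage]:
            per_host[stage] = ev.ts

    findings = {}
    for host, stages in first_seen.items():
        times = sorted(stages.values())
        if len(stages) >= min_stages and times[-1] - times[0] <= window:
            findings[host] = {
                "stages": sorted(stages, key=stages.get),  # in order of first appearance
                "minutes_first_to_last": (times[-1] - times[0]).total_seconds() / 60,
            }
    return findings


if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_LOG).items():
        print(host, finding)
```

Run against the sample, only SRV-SP01 is reported, with all three stages about 21 minutes apart; FS01's ordinary PowerShell activity never matches a rule. In practice the rules would be fed from a SIEM or EDR stream rather than a list, and `window` would be tuned to how quickly the organization can actually contain a host.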
There is also a supply chain dimension. Enterprise platforms like SharePoint, along with other collaboration and identity tools, form the backbone of modern business. When a zero-day in one of these products becomes a preferred entry point for a fast-moving ransomware crew, the blast radius extends well beyond a single victim. Managed service providers, regional hosting firms, and partner networks can all become conduits for the same exploit chain if they run vulnerable software and reuse administrative credentials across clients.
Coverage of the campaign notes that Microsoft has been working with customers to harden exposed services, including guidance on isolating critical applications, enforcing multifactor authentication, and tightening access controls around administrative interfaces. However, the company has also acknowledged that many organizations still struggle with basic hygiene such as timely patching and asset inventory. The gap between sophisticated attackers and under-resourced defenders is precisely where rapid zero-day exploitation for ransomware can cause the most damage.
Public reporting on the China-based campaign has already prompted renewed scrutiny of how quickly vendors disclose and fix serious flaws. In the case of the earlier SharePoint zero-day, Microsoft faced questions about how long the vulnerability had been exploited before a patch became available. The new wave of attacks has intensified pressure on software providers to shorten their patch development cycles and to provide clearer mitigation guidance for customers who cannot apply updates immediately.
What to watch next
Security teams and executives will be watching several fronts as this campaign unfolds. One key question is whether the China-based threat actor will expand its targeting beyond the current mix of sectors and geographies. Reporting already notes that the group has hit organizations across the world, and there is little reason to believe it will confine itself to a narrow set of industries if the technique continues to yield ransom payments.