Microsoft has disclosed active exploitation of newly discovered vulnerabilities in its on-premises SharePoint Server software. It attributes the attacks to the Chinese state-sponsored groups Linen Typhoon and Violet Typhoon, which it has observed exploiting these flaws since at least July 7, 2025. The zero-day vulnerabilities have been used to target American organizations and government agencies. Separately, Italian police on Monday arrested Xu Zewei, a 33-year-old Chinese national, for his role in directing earlier Chinese state-backed intrusions.
Silk Typhoon, also known as Hafnium, first came to wide attention in March 2021, when it chained several zero-day vulnerabilities in Exchange Server (the ProxyLogon flaws) and opened the floodgates to mass exploitation of that product. That campaign showed the true danger posed by this group, and it set a precedent for the same kind of attacks against other Microsoft products, SharePoint among them.
Arrest of Xu Zewei
The arrest of Xu Zewei is an extraordinary development in holding accountable those who carry out state-sponsored intrusions. Authorities arrested him for his part in exploiting the ProxyLogon vulnerabilities in Microsoft Exchange Server. His actions reflect a deeply disturbing trend of state-sponsored hacking aimed at American government and private infrastructure.
Xu’s main play was to exploit known flaws in Microsoft Exchange Server, which gave him access to sensitive information he was not authorized to see. His arrest underscores the global reach of these operations and the importance of international cooperation in addressing them.
“With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems.” – Microsoft
Exploitation by Linen Typhoon and Violet Typhoon
Microsoft has attributed the exploitation of these vulnerabilities in internet-facing SharePoint Server instances to Linen Typhoon and Violet Typhoon. Both actors have a proven track record of advanced cyber operations and of moving quickly from a newly disclosed vulnerability to working exploitation.
Cybersecurity researcher Rakesh Krishnan took a tactical look at a recent SharePoint exploit. During his forensic investigation he found three separate invocations of Microsoft Edge. The finding underscores the tactics these groups employ to blend in with legitimate activity and avoid detection.
“Each serves a unique function within Chromium’s architecture, yet collectively reveals a strategy of behavioral mimicry and sandbox evasion.” – Rakesh Krishnan
The implications are significant. These observations suggest that the groups will continue to scale up their operations and to focus on organizations that have not yet addressed their security weaknesses.
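A practitioner reading about Edge being launched by a SharePoint exploit will want a way to hunt for the same pattern in their own process telemetry. The script below is an added example, not Rakesh Krishnan’s analysis or Microsoft’s tooling: it walks the parent-process chain of each browser process in exported process-creation records and flags any that descend from the IIS worker process (w3wp.exe) that hosts SharePoint. It assumes that a browser being spawned under w3wp.exe is abnormal on a SharePoint server, and it runs on constructed sample records (pids, paths and command lines are made up).

```python
import csv
import io
import ntpath
from collections import Counter

# Constructed Sysmon-style process-creation records (event ID 1 trimmed to the
# fields this check needs). Not real telemetry: pids, paths and command lines
# are invented for the example. Pid 7100 is a benign Edge launch from explorer.
SAMPLE_CSV = """pid,ppid,image,command_line
4120,812,C:\\Windows\\System32\\inetsrv\\w3wp.exe,w3wp.exe -ap SharePoint-80
3050,812,C:\\Windows\\explorer.exe,explorer.exe
5300,4120,C:\\Windows\\System32\\cmd.exe,cmd.exe /c whoami
6001,5300,C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe,msedge.exe --headless --disable-gpu about:blank
6002,6001,C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe,msedge.exe --type=gpu-process
6003,6001,C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe,msedge.exe --type=renderer
7100,3050,C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe,msedge.exe https://intranet.example
"""

# Assumption: on a SharePoint server the IIS worker process should never end up
# as an ancestor of a browser. Extend both sets for other hosts or browsers.
WEBSERVER_ROOTS = {"w3wp.exe"}
BROWSERS = {"msedge.exe"}


def parse_events(csv_text):
    """Load records into a pid -> event map; adds a lower-cased basename."""
    events = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["pid"] = int(row["pid"])
        row["ppid"] = int(row["ppid"])
        row["name"] = ntpath.basename(row["image"]).lower()
        events[row["pid"]] = row
    return events


def ancestors(events, pid, limit=32):
    """Yield process names walking up the ppid chain.

    Stops at an unknown pid (parent not in the export), on a cycle, or after
    `limit` hops so reused pids cannot send the walk into a loop.
    """
    seen = set()
    while pid in events and pid not in seen and len(seen) < limit:
        seen.add(pid)
        yield events[pid]["name"]
        pid = events[pid]["ppid"]


def find_browser_under_webserver(events):
    """Return browser processes whose ancestry includes a web-server root."""
    hits = []
    for ev in events.values():
        if ev["name"] not in BROWSERS:
            continue
        if any(name in WEBSERVER_ROOTS for name in ancestors(events, ev["ppid"])):
            hits.append(ev)
    return sorted(hits, key=lambda e: e["pid"])


def role_of(command_line):
    """Chromium tags helper processes with --type=...; the first has no tag."""
    for token in command_line.split():
        if token.startswith("--type="):
            return token.split("=", 1)[1]
    return "browser"


def summarize_roles(hits):
    """Count flagged processes by Chromium role (browser, renderer, gpu...)."""
    return dict(Counter(role_of(ev["command_line"]) for ev in hits))


def hunt(csv_text):
    """Convenience wrapper: flagged pids and their role breakdown."""
    hits = find_browser_under_webserver(parse_events(csv_text))
    return [ev["pid"] for ev in hits], summarize_roles(hits)


if __name__ == "__main__":
    pids, roles = hunt(SAMPLE_CSV)
    print("browser processes descending from w3wp.exe:", pids)
    print("by Chromium role:", roles)
```

On real data, export Sysmon event ID 1 (or Windows Security event 4688 with command-line auditing enabled) to CSV with the four columns above; a healthy SharePoint server should produce an empty list. Three distinct roles under one parent, as in the sample, is the signature of a single Edge launch fanning out into its helper processes rather than three independent launches, which is why the role breakdown is reported alongside the raw count.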
Ongoing Threat Landscape
The threat landscape remains risky: Microsoft has warned that other actors will try to take advantage of these vulnerabilities. The urgency for organizations running on-premises SharePoint to apply mitigations and security updates has never been greater.
“Additional actors may use these exploits to target unpatched on-premises SharePoint systems, further emphasizing the need for organizations to implement mitigations and security updates immediately.” – Microsoft
As cyber threats continue to grow in number and sophistication, organizations need to be vigilant and proactive in securing their systems against emerging exploits. Cybersecurity experts and law enforcement need to join forces against this risk. Their partnership is more important than ever in guarding sensitive information from malicious actors.