{“lastseen”:”2026-06-22T17:06:54″,”description”:”What began as a routine ransomware investigation quickly revealed something far more complex. In this ninth cyberattack series report, DART details how a single intrusion uncovered parallel activity from two unrelated threat actors operating simultaneously\u2014blending tactics, obscuring signals, and challenging traditional assumptions about how multi-stage intrusion campaigns unfold across hybrid environments. Read on to learn more or access the full report.\\n\\nRead the full cyberattack report\\n\\n## What happened? \\n\\nThe investigation revealed a multi-stage intrusion that blended familiar ransomware activity with quieter, more deliberate techniques designed to establish deep and lasting access. DART found that Storm-2603 had been targeting on-premises SharePoint servers since mid-2025, exploiting known vulnerabilities while simultaneously probing for additional entry points through reconnaissance activity\u2014such as requests for sensitive configuration files often used to validate local file inclusion weaknesses. In this case, initial access was likely attempted through a separate vulnerability, with requests for files like win.ini and web.config, indicating probing for local file inclusion. While exploitation wasn\u2019t confirmed, the timing and activity suggest reconnaissance for entry points.\\n\\nOnce inside, the threat actor shifted focus to persistence and control. Using legitimate tools to blend in, they deployed Velociraptor with SYSTEM-level privileges to map the environment, then established multiple remote access channels through Cloudflare tunneling, Zoho Assist, and Secure Shell (SSH) connections configured through Visual Studio Code. Velociraptor, a legitimate forensic and incident response tool, was deployed by the threat actor to map the environment and operate with high-level privileges\u2014blending malicious activity with trusted administrative behavior. Privilege escalation followed, with new local and domain administrator accounts created to maintain access, while defense evasion techniques\u2014including the use of a vulnerable driver to tamper with memory and disable protections\u2014helped reduce their visibility. \\n\\nAs DART correlated activity across the environment, investigators uncovered signs of a second, unrelated threat actor operating in parallel. Malicious dynamic link library (DLL) sideloading and custom backdoors\u2014techniques not associated with Storm-2603\u2014introduced an additional layer of complexity, obscuring attribution and complicating detection. Together, these overlapping activity streams enabled sustained access while masking the full scope of the intrusion.\\n\\n\\u003e **_Dynamic link library (DLL) sideloading is popular with threat actors because it can be misused to hide behind trusted software (execution looks legitimate), to evade detection by running inside known applications, and to execute payloads, install backdoors, or maintain persistence_.**\\n\\n## How did Microsoft respond? \\n\\nDART moved quickly to contain the active intrusion involving multiple threat actors and stabilize the environment, activating a structured response playbook focused on limiting threat actor impact and restoring control. By correlating telemetry across identities, endpoints, and cloud resources, responders established a unified view of the intrusion, enabling them to detect abnormal behavior, uncover credential misuse, and track threat actor activity as it evolved. Continuous coordination with the customer, including daily briefings, ensured that containment actions were timely, aligned, and effective in reducing further threat actor movement.\\n\\nAt the same time, collaboration with Microsoft Threat Intelligence provided critical context that reshaped the investigation. By connecting incident data with broader intelligence, DART identified two distinct threat actors operating simultaneously within the same environment\u2014each masking the other\u2019s activity and complicating detection. Beyond containment, the team delivered targeted guidance to strengthen the organization\u2019s security posture, helping close visibility gaps and improve resilience against future identity compromise and ransomware-driven attacks.\\n\\n## What can customers do to strengthen their defenses?\\n\\nThis case underscores the importance of closing common gaps across exposure, identity, and visibility. Organizations should prioritize rigorous patching and vulnerability management\u2014especially for internet-facing systems\u2014to reduce the risk of initial access. At the same time, strengthening identity security is critical to limiting threat actor escalation and persistence. At a high level, customers can avoid similar cyberattacks by focusing on ways to: \\n\\n * **Establish broad, continuous visibility** : \\nDeploy endpoint protection widely and retain telemetry centrally to support detection, investigation, and correlation.\\n * **Monitor and restrict trusted tools** : \\nValidate and oversee the use of remote access, tunneling, and administrative tools that threat actors may exploit for persistence and lateral movement.\\n * **Prepare for rapid, coordinated response** : \\nMaintain tested incident response playbooks and ensure teams can quickly isolate compromised users, devices, and access paths to reduce dwell time.\\n\\n\\n\\nToday\u2019s modern cyberattacks can quickly evolve beyond a single incident-blending tactic, spanning environments, and even involving multiple threat actors operating in parallel. For security teams, the takeaway is clear: isolated signals rarely tell the full story. Organizations that invest in connected telemetry, coordinated response, and operational preparedness will be better positioned to detect adversary activity such as credential abuse and lateral movement earlier, contain active intrusions faster, and limit their overall impact. \\n\\n## What is the Cyberattack Series? \\n\\nIn our Cyberattack Series, customers discover how DART investigates unique and notable attacks. For each cyberattack story, we share: \\n\\n## cyberattack series no. 8 \\n\\nRead the report \u203a\\n\\n * How the cyberattack happened.\\n * How the breach was discovered.\\n * Microsoft\u2019s investigation and eviction of the threat actor.\\n * Strategies to avoid similar cyberattacks.\\n\\n\\n\\nDART is made up of highly skilled investigators, researchers, engineers, and analysts who specialize in handling global security incidents. We\u2019re here for customers with dedicated experts to work with you before, during, and after a cybersecurity incident.\\n\\nGet the full cyberattack report\\n\\n## Learn more\\n\\nTo learn more about DART capabilities, please visit our website, or contact your Microsoft account manager or Premier Support contact. To learn more about the cybersecurity incidents described above, including more insights and information on how to protect your own organization, download the full report.\\n\\nTo learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.\\n\\nThe post One intrusion, two cyberattackers: Uncovering parallel threat activity appeared first on Microsoft Security Blog.”,”published”:”2026-06-22T16:00:00″,”modified”:”2026-06-22T16:00:00″,”type”:”mssecure”,”title”:”One intrusion, two cyberattackers: Uncovering parallel threat activity”,”source”:””,”references”:””,”id”:”MSSECURE:CF0DF7C3EB80152C88888F486283926B”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/06\/22\/one-intrusion-two-cyberattackers-uncovering-parallel-threat-activity\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-22T17:06:54″,”description”:”What began as a routine ransomware investigation quickly revealed something far more complex. In this ninth cyberattack series report, DART details how a single intrusion…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,110,13,33,7,11,5],"class_list":["post-64790","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-mssecure","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n