A Microsoft SharePoint vulnerability chain remains under continuing attack, and ransomware gangs have now joined the cybercriminals exploiting it. This is part of a larger exploitation effort that has already resulted in the breach of at least 148 organisations globally.
A 4L4MD4R ransomware variant, based on the open-source Mauri870 code, was found by security researchers at Palo Alto Networks’ Unit 42 while investigating incidents that used this SharePoint exploit chain (named “ToolShell”).
The ransomware was identified on July 27, after the researchers found a trojan loader that downloads and runs it from theinnovationfactory[.]it (145.239.97[.]206).
The loader itself was discovered following a failed exploitation attempt that exposed malicious PowerShell commands intended to disable security monitoring on the targeted device.
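The article names two network indicators for the loader's download source, a defanged domain and a defanged IP address. As an added example (not code from the article or from Unit 42), the script below refangs indicators written in that notation and sweeps them across log lines, which is how a defender would check proxy or DNS logs for the loader's traffic. The log format, client addresses and timestamps are constructed for illustration; only the two indicators come from the article.

```python
"""Refang the defanged indicators quoted in the article and match them
against log lines. Added example; everything except the two indicators
in DEFANGED_IOCS is constructed for illustration."""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Indicators quoted in the article, in the defanged form the article uses.
DEFANGED_IOCS = [
    "theinnovationfactory[.]it",
    "145.239.97[.]206",
]


def refang(indicator: str) -> str:
    """Undo the common defanging conventions ([.] and hxxp://) so the
    value can be matched against real log text."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    s = re.sub(r"^hxxp", "http", s)
    return s


def classify(indicator: str) -> str:
    """Return 'ip' for a literal IP address, otherwise 'domain'."""
    try:
        ipaddress.ip_address(indicator)
        return "ip"
    except ValueError:
        return "domain"


def compile_patterns(defanged: Iterable[str]) -> Dict[str, "re.Pattern[str]"]:
    """Build one anchored regex per indicator so that partial values
    (a longer IP, a longer domain label) are not reported as hits."""
    patterns = {}
    for raw in defanged:
        ioc = refang(raw)
        if classify(ioc) == "ip":
            # No digit or dot may touch the address on either side, so
            # 145.239.97.2060 does not count as a hit for 145.239.97.206.
            pat = r"(?<![\d.])" + re.escape(ioc) + r"(?!\d)"
        else:
            # A leading dot is allowed (subdomains of the indicator count),
            # but a letter glued onto either end is a different name.
            pat = r"(?<![a-z0-9-])" + re.escape(ioc) + r"(?![a-z0-9-])"
        patterns[ioc] = re.compile(pat, re.IGNORECASE)
    return patterns


def scan(lines: Iterable[str], defanged: Iterable[str] = DEFANGED_IOCS) -> List[Tuple[int, str]]:
    """Return (1-based line number, matched indicator) for every hit."""
    patterns = compile_patterns(defanged)
    hits = []
    for n, line in enumerate(lines, 1):
        for ioc, pat in patterns.items():
            if pat.search(line):
                hits.append((n, ioc))
    return hits


# Constructed sample log lines: squid-style proxy entries and one DNS
# resolver entry. Line 5 is a deliberate near-miss on the IP address.
SAMPLE_LOGS = [
    "1753600000.123 10.0.0.12 TCP_MISS/200 GET http://theinnovationfactory.it/payload.bin",
    "1753600001.456 10.0.0.12 TCP_MISS/200 GET http://update.example.test/ok.txt",
    "2025-07-27T10:00:02Z dns query 10.0.0.15 www.theinnovationfactory.it A",
    "1753600003.789 10.0.0.20 TCP_TUNNEL/200 CONNECT 145.239.97.206:443",
    "1753600004.000 10.0.0.21 TCP_MISS/200 GET http://145.239.97.2060/x",
]

if __name__ == "__main__":
    for line_no, ioc in scan(SAMPLE_LOGS):
        print(f"line {line_no}: matched {ioc}: {SAMPLE_LOGS[line_no - 1]}")
```

Run against real logs by replacing SAMPLE_LOGS with the lines of a proxy or resolver log; a hit on either indicator is a reason to pull the host for the loader and the PowerShell activity the article describes, not proof of compromise on its own.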
“The 4L4MD4R payload was found to be GoLang-written and UPX-packed on analysis. When the sample is executed, it loads memory to load the decrypted PE file, decrypts an AES-encrypted payload in memory, and starts a new thread to run it,” Unit 42 stated.
The 4L4MD4R ransomware encrypts files on the compromised system, drops ransom notes and lists of the encrypted files, and demands a payment of 0.005 Bitcoin.
Google and Microsoft have also connected Chinese threat actors to the ToolShell attacks; according to Microsoft security experts, three distinct state-sponsored hacking groups, Linen Typhoon, Violet Typhoon, and Storm-2603, are involved.
The campaign has so far compromised a number of high-profile targets, including the Department of Education, the U.S. National Nuclear Security Administration, the Department of Revenue in Florida, the General Assembly of Rhode Island, and government networks in Europe and the Middle East.
“Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities targeting internet-facing SharePoint servers,” stated Microsoft. “Furthermore, we have seen that Storm-2603, a threat actor based in China, is taking advantage of these weaknesses. The use of these exploits by other actors is still being investigated.”
ToolShell exploitation targeting CVE-2025-49706 and CVE-2025-49704 was first discovered by Dutch cybersecurity firm Eye Security in zero-day attacks, initially identifying 54 vulnerable organisations, including government agencies and international corporations. Check Point Research later discovered evidence of exploitation dating back to 7 July and targeting technology, telecommunications, and government organisations in Western Europe and North America.
Microsoft fixed the two vulnerabilities in the July 2025 Patch Tuesday releases and assigned two new CVE IDs (CVE-2025-53770 and CVE-2025-53771) to the zero-days used to compromise fully patched SharePoint servers.
The actual scope goes far beyond initial estimates, according to Eye Security Chief Technology Officer Piet Kerkhofs, who told a media agency that the attackers have infected at least 400 servers with malware across the networks of at least 148 organisations, many of which have been compromised for extended periods of time.
The Cybersecurity and Infrastructure Security Agency (CISA) has added the ToolShell exploit chain’s CVE-2025-53770 remote code execution vulnerability to its list of known exploited vulnerabilities and ordered government agencies to secure their systems within 24 hours.
This comes at a time when Heimdal Security has shared mitigation advice for the SharePoint zero-day (CVE-2025-53770) under active exploitation.