Redazione RHC : 5 August 2025 14:35
A massive campaign exploiting a series of vulnerabilities in Microsoft SharePoint continues to gather pace and now involves ransomware groups. While analyzing the attacks, Palo Alto Networks (Unit 42) discovered the deployment of the 4L4MD4R ransomware, a variant built on the open-source code published by Mauri870. Its activity is directly tied to the exploit chain known as ToolShell.
The first infection was detected on July 27, when a loader was observed downloading and launching 4L4MD4R from the server theinnovationfactory[.]it at IP address 145.239.97[.]206. The detection was triggered by a failed exploitation attempt that involved PowerShell commands intended to disable security monitoring; this gave analysts the thread they needed to reconstruct the attack architecture.
The cryptor itself is a UPX-packed executable written in Go. Once launched, it decrypts an AES-encrypted executable in memory, allocates a region for it, loads it there, and runs it in a separate thread. It then begins encrypting data on the infected system, writing files with a modified extension, a list of the encrypted contents, and a ransom note. The ransom demanded is relatively small: 0.005 bitcoin.
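The two observable traces described above, a download from the staging server and PowerShell that disables security monitoring, can be correlated per host in telemetry. The following is an added example, not code from the article or from Unit 42; the log format is constructed, and the Defender cmdlet patterns are an assumed concrete form of "disabling security monitoring", which the article does not name precisely.

```python
import re
from collections import defaultdict

# Staging server named in the article (defanged there; refanged here for matching).
STAGING_INDICATORS = {"theinnovationfactory.it", "145.239.97.206"}

# Assumed patterns for PowerShell that disables security monitoring; the article
# only describes the behaviour, not the exact commands used.
EVASION_PATTERNS = [
    re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    re.compile(r"Add-MpPreference\s+-Exclusion\w+", re.I),
    re.compile(r"Stop-Service\s+\S*(WinDefend|Sense)\b", re.I),
]

# Constructed log format: "<timestamp> <host> <source> <payload>", where source is
# "proxy" (outbound web request) or "ps" (PowerShell script block text).
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(proxy|ps)\s+(.*)$")

def classify(line):
    """Return (host, finding) for one log line, or None if it is benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _, host, source, payload = m.groups()
    if source == "proxy":
        if any(ioc in payload for ioc in STAGING_INDICATORS):
            return host, "staging_contact"
    elif any(p.search(payload) for p in EVASION_PATTERNS):
        return host, "monitoring_disabled"
    return None

def triage(lines):
    """Group findings per host so the two traces can be correlated."""
    findings = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            findings[hit[0]].add(hit[1])
    return dict(findings)

def hosts_matching_chain(lines):
    """Hosts that both contacted the staging server and disabled monitoring."""
    return sorted(h for h, f in triage(lines).items()
                  if {"staging_contact", "monitoring_disabled"} <= f)

# Constructed sample lines (not from the article).
SAMPLE_LOG = [
    "2025-07-27T10:01:12Z spsrv01 proxy dst=145.239.97.206 url=http://theinnovationfactory.it/x",
    "2025-07-27T10:01:13Z spsrv01 ps Set-MpPreference -DisableRealtimeMonitoring $true",
    "2025-07-27T10:05:00Z spsrv02 proxy dst=203.0.113.7 url=http://example.com/",
    "2025-07-27T10:06:00Z spsrv02 ps Get-Process",
    "2025-07-27T10:07:00Z spsrv03 ps Add-MpPreference -ExclusionPath C:\\Temp",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(hosts_matching_chain(SAMPLE_LOG))
```

A host with only one of the two findings (spsrv03 above) still merits a look, but the pair on one host within a short window is the pattern the article describes.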
The ToolShell exploit chain, which abuses CVE-2025-49706 and CVE-2025-49704, has attracted the interest of several groups linked to Chinese government agencies. According to Microsoft, the attacks were carried out by at least three Chinese groups: Linen Typhoon, Violet Typhoon, and Storm-2603. Attacks have previously been reported worldwide: in North America, Europe, and the Middle East. Victims include the U.S. Department of Education, the National Nuclear Security Administration, the Florida Department of Revenue, the Rhode Island Legislature, and government systems in several European countries.
The first signs of ToolShell attacks were detected by the Dutch company Eye Security, which documented the compromise of 54 organizations. Subsequent analysis showed that this was only part of the picture: according to Piet Kerkhofs, CTO of Eye Security, at least 400 servers have been infected and the number of compromised organizations has reached 148, with the attackers having been present in the infrastructure for some time.
Check Point researchers found that the activity began at least as early as July 7, targeting governments, telecommunications companies, and technology organizations in Western Europe and North America. Although Microsoft patched the vulnerabilities on July's Patch Tuesday, the attacks continued. The company has assigned the new identifiers CVE-2025-53770 and CVE-2025-53771 to flaws that have been exploited to compromise even fully patched SharePoint servers.
Furthermore, CISA has added CVE-2025-53770 to the KEV catalog of actively exploited vulnerabilities and has required all federal agencies to address the threat within 24 hours of notification.
Overall, the attack demonstrates a coordinated strategy: multiple groups are behind it, multi-stage exploits are used, targeted protections are disabled, and encryption is integrated into the chain. This points to the rise of hybrid threats, in which the infection network is driven not only by cybercriminals but also by state interests.