Ransomware gangs join attacks targeting Microsoft SharePoint servers
Ransomware gangs have recently joined ongoing attacks targeting a Microsoft SharePoint vulnerability chain, part of a broader exploitation campaign that has already led to the breach of at least 148 organizations worldwide.
Security researchers at Palo Alto Networks’ Unit 42 have discovered a 4L4MD4R ransomware variant, based on open-source Mauri870 code, while analyzing incidents involving this SharePoint exploit chain (dubbed “ToolShell”).
The ransomware was detected on July 27, after the researchers discovered a malware loader that downloads and executes the ransomware from theinnovationfactory[.]it (145.239.97[.]206).
The loader was spotted following a failed exploitation attempt that revealed malicious PowerShell commands designed to disable security monitoring on the targeted device.
“Analysis of the 4L4MD4R payload revealed that it is UPX-packed and written in GoLang. Upon execution, the sample decrypts an AES-encrypted payload in memory, allocates memory to load the decrypted PE file, and creates a new thread to execute it,” Unit 42 said.
The 4L4MD4R ransomware encrypts files on the compromised system and demands a payment of 0.005 Bitcoin, generating ransom notes and encrypted file lists on infected systems.

Microsoft and Google have also linked the ToolShell attacks to Chinese threat actors, with Microsoft security researchers naming three separate state-backed hacking groups: Linen Typhoon, Violet Typhoon, and Storm-2603.
To date, numerous high-profile targets have been compromised in this ongoing campaign, including the U.S. National Nuclear Security Administration, the Department of Education, Florida’s Department of Revenue, the Rhode Island General Assembly, and government networks in Europe and the Middle East.
“Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers,” Microsoft said. “In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities. Investigations into other actors also using these exploits are still ongoing.”
Dutch cybersecurity firm Eye Security first detected ToolShell exploitation targeting CVE-2025-49706 and CVE-2025-49704 in zero-day attacks, initially identifying 54 compromised organizations, including government entities and multinational companies. Check Point Research subsequently revealed signs of exploitation dating back to July 7, targeting government, telecommunications, and technology organizations across North America and Western Europe.
Microsoft has patched the two flaws with the July 2025 Patch Tuesday updates and assigned two new CVE IDs (CVE-2025-53770 and CVE-2025-53771) for zero-days exploited to compromise fully patched SharePoint servers.
Eye Security Chief Technology Officer Piet Kerkhofs has also told BleepingComputer that the actual scope extends far beyond initial estimates, with the firm’s data indicating that the attackers have infected at least 400 servers with malware across the networks of at least 148 organizations, many of which have been compromised for extended periods.
The Cybersecurity and Infrastructure Security Agency (CISA) has added the CVE-2025-53770 remote code execution vulnerability, part of the ToolShell exploit chain, to its catalog of exploited flaws and ordered federal agencies to secure their systems within 24 hours.