An all-you-can-eat buffet for threat actors

ESET Research has been monitoring attacks involving the recently discovered ToolShell zero-day vulnerabilities

24 Jul 2025
 • 
,
5 min. read

On July 19, 2025, Microsoft confirmed that a set of zero-day vulnerabilities in SharePoint Server called ToolShell is being exploited in the wild. ToolShell is comprised of CVE-2025-53770, a remote code execution vulnerability, and CVE‑2025‑53771, a server spoofing vulnerability. These attacks target on-premises Microsoft SharePoint servers, specifically those running SharePoint Subscription Edition, SharePoint 2019, or SharePoint 2016. SharePoint Online in Microsoft 365 is not impacted. Exploiting these vulnerabilities enables threat actors to gain entry to restricted systems and steal sensitive information.

Starting from July 17, ToolShell has been widely exploited by all sorts of threat actors, from petty cybercriminals to nation-state APT groups. Since SharePoint is integrated with other Microsoft services, such as Office, Teams, OneDrive, and Outlook, this compromise can provide the attackers a staggering level of access across the affected network.

As part of the attack, the threat actors often chain together four vulnerabilities: the previously patched CVE‑2025‑49704 and CVE-2025-49706, alongside the already mentioned CVE-2025-53770 and CVE-2025-53771. As of July 22, CVE‑2025‑53770 and CVE-2025-53771 have also been patched.

Webshell payloads

Exploiting ToolShell allows the attackers to bypass multi-factor authentication (MFA), and single sign-on (SSO). After getting inside the targeted server, attackers were seen deploying malicious webshells to extract information from the compromised system. One of the scripts frequently used for this purpose is named spinstall0.aspx, which we track as MSIL/Webshell.JS.

Additionally, on July 22, 2025, we observed that attackers attempted to deploy other simple ASP webshells capable of executing attacker-supplied commands via cmd.exe. These webshells were deployed using the following filenames: ghostfile346.aspx, ghostfile399.aspx, ghostfile807.aspx, ghostfile972.aspx, and ghostfile913.aspx.

ESET products first detected an attempt to exploit part of the execution chain – the Sharepoint/Exploit.CVE-2025-49704 vulnerability – on July 17 in Germany. However, because this attempt was blocked, the final webshell payload was not delivered to the targeted system. The first time we registered the payload itself was on July 18 on a server in Italy. As seen in Figure 1, we have since observed active ToolShell exploitation all over the world, with the US (13.3% of attacks) being the most targeted country according to our telemetry data.

Attack monitoring

Our monitoring of the ToolShell attacks from July 17 to July 22 revealed that they were coming from the IP addresses shown in Table 1 (all times are in UTC).

Table 1. Attacker IP addresses

Figure 2 shows the timeline of the attacks coming from the three most active IP addresses.

Concerningly, Microsoft has reported that several China-aligned threat actors have joined in on the exploitation attempts. From our side, we detected a backdoor associated with LuckyMouse – a cyberespionage group that targets mainly governments, telecommunications companies, and international organizations – on a machine in Vietnam targeted via ToolShell. At this stage, it remains unclear whether the system had been previously compromised or if the backdoor was introduced during the current attack.

Nevertheless, China-aligned APT groups have certainly seized the opportunity to add the exploit chain to their arsenals: according to our telemetry, the victims of the ToolShell attacks include several high-value government organizations that have been long-standing targets of these groups.

Since the cat is out of the bag now, we expect many more opportunistic attackers to take advantage of unpatched systems. The exploit attempts are ongoing and will surely continue. Therefore, if you are using SharePoint Server, the following is recommended (as per guidance from Microsoft):

• use only supported versions,
• apply the latest security updates,
• make sure that Antimalware Scan Interface is turned on and configured properly, with an appropriate cybersecurity solution, and
• rotate SharePoint Server ASP.NET machine keys.

For any inquiries about our research published on WeLiveSecurity, please contact us at [email protected]. 

ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.

Files

Network

MITRE ATT&CK techniques

This table was built using version 17 of the MITRE ATT&CK framework.