ToolShell Exploit Chain Puts Thousands of SharePoint Servers at Risk

A zero-day exploit chain called "ToolShell" is actively being used to target on-premises Microsoft SharePoint servers worldwide, potentially affecting thousands of organizations. The attack leverages two critical vulnerabilities (CVE-2025-53770 and CVE-2025-53771) to achieve remote code execution and steal cryptographic keys, giving attackers persistent access even after organizations apply patches.

These vulnerabilities apply to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 has not been impacted.

Read on to understand the ToolShell threat and how to defend against it with hunting packages, including Nuclei and YARA rules, from Recorded Future.

The latest Tactics, Techniques, and Procedures (TTPs)

On July 23, 2025, researchers at LeakIX shared details that adversaries have swiftly evolved their TTPs to be stealthier and eliminate the reliance on .ASPX web shells. A new in-memory ToolShell payload has been identified that allows adversaries to leak ASP.NET machine keys directly from memory without leaving behind static artifacts. Adversaries no longer need to rely on static file-based indicators, making traditional detection methods such as checking for web shells unreliable. This new payload directly extracts sensitive machine keys and system information from memory and exfiltrates the data immediately via a single HTTP request, enabling rapid and stealthy compromise.

The Insikt Group® used Recorded Future’s Malware Intelligence feature to identify this new in-memory ToolShell payload and created a YARA rule that detects it.

This new ToolShell payload is available on Recorded Future’s public sandbox:

File Name    | SHA256
osvmhdfl.dll | 3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997

Background and first exploitation chain

On July 18, 2025, cybersecurity researchers at Eye Security published details of an ongoing mass exploitation campaign targeting internet-exposed on-premises SharePoint servers.

The ToolShell exploit chain combines two critical unauthenticated remote code execution vulnerabilities that specifically target on-premises SharePoint servers configured with hybrid Active Directory Federation Services (ADFS). These vulnerabilities are essentially sophisticated bypasses of earlier security fixes, demonstrating how threat actors continue to evolve their techniques in response to security efforts.

ToolShell represents an evolution of an exploit chain first demonstrated at Pwn2Own Berlin in May 2025, where security researchers combined an authentication-bypass vulnerability (CVE-2025-49706) with a remote code execution flaw (CVE-2025-49704). The current campaign uses the two newer vulnerabilities described above, CVE-2025-53770 and CVE-2025-53771, which bypass the fixes for those earlier flaws.

What makes this attack particularly dangerous is that successful exploitation provides threat actors with SharePoint's ValidationKey and DecryptionKey—cryptographic keys that enable persistent access to compromised servers even after security patches are applied.

Scale and impact

Recorded Future's Attack Surface Intelligence proactively scanned our customer base and confirmed that nearly 5% of scanned organizations running SharePoint servers were still susceptible to CVE-2025-53770. We deployed alerts to affected customers within hours of implementing detection capabilities, giving them critical advance warning before the vulnerability gained widespread media attention.

Bloomberg reported on July 23 that there were over 400 victims of the exploitation campaign targeting on-premises Microsoft SharePoint servers.

Using Recorded Future's Malware Intelligence to identify and neutralize the ToolShell threat

Although the updated TTP means attackers no longer need static file-based indicators to leak ASP.NET machine keys, the Insikt Group® used Recorded Future’s Malware Intelligence feature to identify several malicious artifacts tied to the prior iteration of the ToolShell exploitation campaign. These samples provide further insight into the exploit chain’s post-compromise behavior, particularly around key extraction, persistence, and web shell deployment.

Those previous static malware artifacts are all available on Recorded Future’s public sandbox:

File Name                                     | SHA256
spinstall0.aspx                               | 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514
cve.ps1                                       | 30955794792a7ce045660bb1e1917eef36f1d5865891b8110bf982382b305b27
App_Web_spinstall0.aspx.9c9699a8.avz5nq6f.dll | 8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0fb153ffd091612920b0f2

Insikt Group®’s mitigation guidance is that, regardless of the presence or absence of suspicious files, organizations must proactively rotate all cryptographic keys.
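As an added example (not Recorded Future's tooling or code from this post), the following Python script hashes every file under a directory and compares it against the SHA256 values and file names published above, also flagging compiled variants by the "spinstall0" fragment in the assembly name; the directory path, the finding format and the in-memory scan interface are assumptions.

```python
import hashlib
import os
from pathlib import Path

# SHA256 values and file names of the ToolShell artifacts listed in this post.
TOOLSHELL_SHA256 = {
    "3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997": "osvmhdfl.dll",
    "92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514": "spinstall0.aspx",
    "30955794792a7ce045660bb1e1917eef36f1d5865891b8110bf982382b305b27": "cve.ps1",
    "8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0fb153ffd091612920b0f2":
        "App_Web_spinstall0.aspx.9c9699a8.avz5nq6f.dll",
}

# Name fragments from the same table. ASP.NET compiles spinstall0.aspx into an
# App_Web_spinstall0.aspx.<hash>.dll assembly, so the original name survives in the file name.
SUSPICIOUS_NAME_FRAGMENTS = ("spinstall0", "osvmhdfl")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_files(files: dict, hashes=TOOLSHELL_SHA256,
               name_fragments=SUSPICIOUS_NAME_FRAGMENTS) -> list:
    """Return one finding per file that matches a known hash or a suspicious name.

    `files` maps a path to its content (assumed interface) so the logic runs without disk access.
    """
    findings = []
    for path, data in files.items():
        digest = sha256_hex(data)
        name = os.path.basename(path).lower()
        if digest in hashes:
            findings.append({"path": path, "reason": "hash", "match": hashes[digest]})
        elif any(fragment in name for fragment in name_fragments):
            findings.append({"path": path, "reason": "name", "match": name})
    return findings


def scan_directory(root: str) -> list:
    """Read every regular file under `root` (for example a SharePoint LAYOUTS
    or Temporary ASP.NET Files path) and scan it."""
    files = {str(p): p.read_bytes() for p in Path(root).rglob("*") if p.is_file()}
    return scan_files(files)


if __name__ == "__main__":
    import sys
    hits = scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".")
    for hit in hits:
        print(f"{hit['reason']:4} {hit['path']} -> {hit['match']}")
    if not hits:
        print("no listed artifacts found; per the guidance above, keys still need rotation")
```

A clean scan is not proof of safety: the in-memory payload described earlier leaves no such files behind, which is why key rotation is recommended regardless of the result.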

With Malware Intelligence, Recorded Future customers can use natural language search to quickly surface these malware samples and any others that are related to the exploitation of the SharePoint CVEs.

Figure 1: Malware Hunting Query for Samples Related to CVE-2025-53770 using Malware Intelligence (Source: Recorded Future)

Analysts can easily pivot to associated Intelligence Cards® for malware associations, sandbox results, Insikt Group® research, and detections from customers’ security tools.

Figure 2: SHA256 Hash Intelligence Card® for a ToolShell malware sample, “spinstall0.aspx” (Source: Recorded Future)

Enable proactive defense with Recorded Future

Recorded Future customers can use the following tools and strategies to mitigate risk:

Figure 3: Attack Intelligence Signatures to detect CVE-2025-53770 and web shell “spinstall0.aspx” (Source: Recorded Future)
Figure 4: Vulnerability Intelligence Card® for CVE-2025-53770 in Recorded Future (Source: Recorded Future)

Microsoft’s guidance to protect your organization

Based on Microsoft's guidance, organizations should take these steps immediately:

For SharePoint 2019 and later:

For SharePoint 2016:

For all versions:

Find the complete Microsoft advisory here.

Who’s behind the attack, and what will happen next?

On July 22, 2025, Microsoft disclosed that at least three Chinese state-sponsored threat actors have been exploiting the ToolShell zero-day since at least July 7, 2025. These are Linen Typhoon (which historically overlaps with TAG-67 as tracked by Recorded Future), Violet Typhoon (which historically overlaps with RedBravo as tracked by Recorded Future), and Storm-2603. The actors exploited CVE-2025-49704 (RCE) and CVE-2025-49706 (spoofing) to compromise on-premises SharePoint servers, with additional vulnerabilities CVE-2025-53770 and CVE-2025-53771 affecting previously patched systems.

Linen Typhoon has been known to exploit zero-day and n-day vulnerabilities for initial access, and to exploit known vulnerabilities years after they were initially disclosed. For example, in 2021, the threat group exploited a zero-day vulnerability in Zoho ADSelfService Plus.

Chinese threat groups have increasingly adopted internet-facing appliance exploitation as a scalable initial access strategy, allowing them to establish footholds across numerous organizations simultaneously.

Insikt Group® assesses at this stage that it is likely that multiple other threat groups beyond Linen Typhoon, Violet Typhoon, and Storm-2603 will actively seek to exploit on-premises SharePoint instances, especially following the public release of proof-of-concept exploit code.

Our intelligence indicates that the current campaign represents an early phase of what will likely become a prolonged exploitation effort. We will continue to monitor and analyze the threat in real time and will share any updates on intelligence and mitigation strategies as they become available.