A zero-day exploit chain called "ToolShell" is actively being used to target on-premises Microsoft SharePoint servers worldwide, potentially affecting thousands of organizations. The attack leverages two critical vulnerabilities (CVE-2025-53770 and CVE-2025-53771) to achieve remote code execution and steal cryptographic keys, giving attackers persistent access even after organizations apply patches.

These vulnerabilities apply to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 has not been impacted.

Read on to understand the ToolShell threat and how to defend against it with hunting packages, including Nuclei and YARA rules, from Recorded Future.

The latest Tactics, Techniques, and Procedures (TTPs)

On July 23, 2025, researchers at LeakIX shared details that adversaries have swiftly evolved their TTPs to be stealthier and eliminate the reliance on .ASPX web shells. A new in-memory ToolShell payload has been identified that allows adversaries to leak ASP.NET machine keys directly from memory without leaving behind static artifacts. Adversaries no longer need to rely on static file-based indicators, making traditional detection methods such as checking for web shells unreliable. This new payload directly extracts sensitive machine keys and system information from memory and exfiltrates the data immediately via a single HTTP request, enabling rapid and stealthy compromise.

The Insikt Group® used Recorded Future’s Malware Intelligence feature to identify this new in-memory ToolShell payload and created a YARA rule capable of detecting the in-memory ToolShell payload.

This new ToolShell payload is available on Recorded Future’s public sandbox:

Background and first exploitation chain

Previously, cybersecurity researchers at Eye Security on July 18 published details of an ongoing mass exploitation campaign targeting internet-exposed on-premises SharePoint servers.

The ToolShell exploit chain combines two critical unauthenticated remote code execution vulnerabilities that specifically target on-premises SharePoint servers configured with hybrid Active Directory Federation Services (ADFS). These vulnerabilities are essentially sophisticated bypasses of earlier security fixes, demonstrating how threat actors continue to evolve their techniques in response to security efforts.

ToolShell represents an evolution of an exploit chain first demonstrated at Pwn2Own Berlin in May 2025, where security researchers combined an authentication-bypass vulnerability (CVE-2025-49706) with a remote code execution flaw (CVE-2025-49704). The current campaign uses:

• CVE-2025-53770, which exploits insecure deserialization to conduct remote code execution
• CVE-2025-53771, which bypasses authentication controls via path traversal

What makes this attack particularly dangerous is that successful exploitation provides threat actors with SharePoint's ValidationKey and DecryptionKey—cryptographic keys that enable persistent access to compromised servers even after security patches are applied.

Scale and impact

Recorded Future's Attack Surface Intelligence proactively scanned our customer base and confirmed that nearly 5% of organizations scanned with SharePoint servers were still susceptible to CVE-2025-53770. We immediately deployed alerts to affected customers within hours of implementing detection capabilities—giving them critical advance warning before the vulnerability gained widespread media attention.

Bloomberg reported on July 23 that there were over 400 victims of the exploitation campaign targeting on-premises Microsoft SharePoint servers.

Using Recorded Future's Malware Intelligence to identify and neutralize the ToolShell threat

Despite the updated TTP which allows attackers to no longer rely on static file-based indicators to leak ASP.NET machine keys, the Insikt Group® used the Recorded Future’s Malware Intelligence feature to identify several malicious artifacts tied to prior iteration of ToolShell exploitation campaign. These samples provide further insight into the exploit chain’s post-compromise behavior, particularly around key extraction, persistence, and web shell deployment.

Those previous static malware artifacts are all available on Recorded Future’s public sandbox:

Insikt Group®’s mitigation guidance is that, regardless of the presence or absence of suspicious files, organizations must proactively rotate all cryptographic keys.

With Malware Intelligence, Recorded Future customers can use natural language search to quickly surface these malware samples and any others that are related to the exploitation of the SharePoint CVEs.

Analysts can easily pivot to associated Intelligence Cards® for malware associations, sandbox results, Insikt Group® research, and detections from customers’ security tools.

Enable proactive defense with Recorded Future

Recorded Future customers can use the following tools and strategies to mitigate risk:

• Get the Insikt Group® Nuclei template. Download our YAML file to access a Nuclei template for CVE-2025-53770. The template sends a GET request to SharePoint Server’s "/_vti_pvt/service.cnf" endpoint, extracts the "vti_extenderversion" build number, and checks to see if it’s within the documented vulnerable ranges.
• Use the latest YARA rule. Download our .yar file to access a YARA rule capable of detecting the in-memory ToolShell payload.
• Leverage our Attack Surface Intelligence (ASI) Module. While the new ToolShell TTP does not rely on .ASPX web shells, Recorded Future previously released a signature on July 19 to detect the persistent web shell, “spinstall0.aspx,” indicating the presence of a ToolShell backdoor implant. On July 20, we released a signature to detect vulnerable SharePoint server versions to CVE-2025-53770. Since then, all new ASI scans will detect those signatures. Customers can also run an on-demand scan anytime. (Note: Recorded Future has reached out to the customers with confirmed signature detections in their ASI scans.)

• Use our Vulnerability Intelligence Module. Get helpful context on CVE-2025-53770 to aid in patching and prioritization discussions.

Microsoft’s guidance to protect your organization

Based on Microsoft's guidance, organizations should take these steps immediately:

For SharePoint 2019 and later:

• Apply July 2025 security updates immediately.
• Enable Antimalware Scan Interface (AMSI).
• Rotate SharePoint Server ASP.NET machine keys.

For SharePoint 2016:

• Apply July 2025 security updates immediately.
• Monitor for any suspicious activity or unauthorized access.
• Consider migrating to supported versions or cloud alternatives.

For all versions:

• Conduct scanning for IP addresses:
  • 104.238.159[.]149
  • 131.226.2[.]6
  • 134.199.202[.]205
  • 188.130.206[.]168

Find the complete Microsoft advisory here.

• CISA additionally recommends conducting scanning for IP addresses 96.9.125[.]147, 104.238.159[.]149, and 107.191.58[.]76 particularly between July 18-19, 2025.
• Eye Security also recommends scanning for the following IP addresses, observed after July 21:
  • 34.72.225[.]196
  • 34.121.207[.]116
  • 45.77.155[.]170
  • 45.191.66[.]77
  • 64.176.50[.]109
  • 141.164.60[.]10
  • 206.166.251[.]228

Who’s behind the attack, and what will happen next?

On July 22, 2025, Microsoft disclosed that at least three Chinese state-sponsored threat actors have been exploiting the ToolShell zero-day since at least July 7, 2025. These are Linen Typhoon (which historically overlaps with TAG-67 as tracked by Recorded Future), Violet Typhoon (which historically overlaps with RedBravo as tracked by Recorded Future), and Storm-2603. The actors exploited CVE-2025-49704 (RCE) and CVE-2025-49706 (spoofing) to compromise on-premises SharePoint servers, with additional vulnerabilities CVE-2025-53770 and CVE-2025-53771 affecting previously patched systems.

Linen Typhoon has been known to exploit zero-day and n-day vulnerabilities for initial access, and to exploit known vulnerabilities years after they were initially disclosed. For example, in 2021, the threat group exploited a zero-day vulnerability in Zoho AdSelf Service Plus.

Chinese threat groups have increasingly adopted internet-facing appliance exploitation as a scalable initial access strategy, allowing them to establish footholds across numerous organizations simultaneously.

Insikt Group® assesses at this stage that it is likely that multiple other threat groups beyond Linen Typhoon, Violet Typhoon, and Storm-2603 will actively seek to exploit on-premise SharePoint instances, especially following the public release of proof-of-concept exploit code.

Our intelligence indicates that the current campaign represents an early phase of what will likely become a prolonged exploitation effort. We will continue to monitor and analyze the threat in real time and will share any updates on intelligence and mitigation strategies as they become available.