Ransomware gangs exploit Microsoft SharePoint flaws in global attacks

Chinese state-backed hackers linked to ongoing attacks

Ransomware gangs have escalated a cyberattack campaign targeting Microsoft SharePoint servers, joining forces with suspected Chinese state-backed hackers and pushing the total number of compromised organisations past 148 worldwide.

Security analysts at Palo Alto Networks' Unit 42 say attackers are exploiting a recently disclosed Microsoft SharePoint vulnerability chain, dubbed "ToolShell", which has become the basis for widespread exploitation by both cybercriminals and advanced persistent threat (APT) groups.

"Unit 42 is tracking high-impact, ongoing threat activity targeting self-hosted Microsoft SharePoint servers. While SaaS environments remain unaffected, self-hosted SharePoint deployments — particularly within government, schools, healthcare (including hospitals) and large enterprise companies — are at immediate risk," the researchers said.

"Attackers are bypassing identity controls, including multi-factor authentication (MFA) and single sign-on (SSO), to gain privileged access. Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors and stealing cryptographic keys," they warned.

Among the most concerning developments is the discovery of a new ransomware variant named 4L4MD4R, which has already been used in active attacks.

The malware, based on the open-source Mauri870 ransomware code, was first detected on 27th July. The discovery followed a failed intrusion attempt that exposed malicious PowerShell commands intended to disable security monitoring on the targeted systems.

The attackers used a custom malware loader that retrieves and executes the ransomware from theinnovationfactory[.]it (145.239.97[.]206).

Upon execution, the loader decrypts an AES-encrypted payload in memory, allocates executable memory for the resulting PE (portable executable) image and launches it in a new thread, so the ransomware is never written to disk in decrypted form, a behaviour characteristic of in-memory ransomware deployment.

The 4L4MD4R payload is UPX-packed and written in Go. It encrypts files on infected systems, drops ransom notes and lists of encrypted files, and demands a payment of 0.005 Bitcoin to unlock the data.
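The two indicators the article does give, the download host and IP for the loader and the use of PowerShell to disable security monitoring, are enough to build a first-pass hunt. The script below is an added example, not Unit 42's tooling: it scans constructed key=value proxy and process-creation log lines for the published network IOC, for shells spawned directly by the IIS worker process (w3wp.exe) that hosts on-premises SharePoint, and for monitoring-tampering PowerShell, decoding `-EncodedCommand` payloads before matching. The tampering patterns (Set-MpPreference, service stops, event-log clearing) are assumed, commonly abused idioms; the article does not print the actual commands.

```python
"""Hunt for the 4L4MD4R loader indicators and monitoring-tampering PowerShell
in proxy and process-creation logs (added example; not Unit 42 tooling)."""
import base64
import re
from collections import defaultdict
from dataclasses import dataclass


def refang(ioc: str) -> str:
    """Turn a defanged indicator as printed in reports ('x[.]y') back into a matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


# Network indicators quoted in the article, kept defanged here and refanged for matching.
IOC_DOMAINS = {refang(d) for d in ("theinnovationfactory[.]it",)}
IOC_IPS = {refang(i) for i in ("145.239.97[.]206",)}

# SharePoint serves its web application from IIS worker processes (w3wp.exe); a shell
# spawned directly from one is the classic post-exploitation signal of a web shell.
SHAREPOINT_WORKERS = {"w3wp.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# The article says the attackers ran PowerShell to disable security monitoring but does
# not print the commands; these patterns are ASSUMED, commonly abused tampering idioms.
TAMPER_PATTERNS = {
    "defender-preference": re.compile(r"Set-MpPreference\b[^|;]*-Disable\w*", re.I),
    "service-stop": re.compile(r"Stop-Service\b.*\b(WinDefend|Sense|EventLog)\b", re.I),
    "eventlog-clear": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b|\bClear-EventLog\b", re.I),
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str


def parse_kv(line: str) -> dict:
    """Parse a key=value log line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def decoded_command(cmd: str) -> str:
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so patterns see it."""
    m = ENC_RE.search(cmd)
    if not m:
        return cmd
    try:
        return cmd + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd


def scan(lines) -> list:
    """Return one Finding per (line, rule) hit across proxy and process records."""
    findings = []
    for n, line in enumerate(lines, 1):
        f = parse_kv(line)
        if f.get("type") == "proxy":
            host = f.get("host", "").lower().rstrip(".")
            if host in IOC_DOMAINS or f.get("dst") in IOC_IPS:
                findings.append(Finding(n, "ioc-network", f"{host} -> {f.get('dst')}"))
        elif f.get("type") == "process":
            parent, image = f.get("parent", "").lower(), f.get("image", "").lower()
            if parent in SHAREPOINT_WORKERS and image in SHELLS:
                findings.append(Finding(n, "sharepoint-worker-spawn", f"{parent} -> {image}"))
            full = decoded_command(f.get("cmd", ""))
            for name, pat in TAMPER_PATTERNS.items():
                if pat.search(full):
                    findings.append(Finding(n, "monitoring-tamper", name))
    return findings


def summarize(lines) -> dict:
    """Map line number -> sorted rule names, for quick triage."""
    hits = defaultdict(set)
    for fnd in scan(lines):
        hits[fnd.line_no].add(fnd.rule)
    return {n: sorted(rules) for n, rules in hits.items()}


# Constructed sample log (not from the incident): lines 1-3 are malicious, 4-5 benign.
_ENC = base64.b64encode("Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")).decode()
SAMPLE_LOG = [
    f'ts=2025-07-27T09:58:03Z type=process parent=w3wp.exe image=powershell.exe cmd="powershell.exe -nop -w hidden -enc {_ENC}"',
    'ts=2025-07-27T09:58:10Z type=process parent=w3wp.exe image=cmd.exe cmd="cmd.exe /c wevtutil cl Security"',
    'ts=2025-07-27T09:58:41Z type=proxy src=10.20.0.15 dst=145.239.97.206 host=theinnovationfactory.it uri=/',
    'ts=2025-07-27T10:01:00Z type=process parent=explorer.exe image=powershell.exe cmd="powershell.exe Get-Process"',
    'ts=2025-07-27T10:02:30Z type=proxy src=10.20.0.15 dst=93.184.216.34 host=example.com uri=/',
]

if __name__ == "__main__":
    for fnd in scan(SAMPLE_LOG):
        print(f"line {fnd.line_no}: {fnd.rule} ({fnd.detail})")
```

Run against the sample, lines 1 and 2 fire both the worker-spawn and tampering rules, line 3 fires the network IOC, and the two benign lines stay quiet. The w3wp.exe parent check is the most durable of the three: the download host and the exact tampering commands will change between intrusions, but a web shell dropped through the SharePoint exploit still has to spawn its tooling from the IIS worker.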

Chinese state actors behind initial exploits

Microsoft and Google have both linked the ToolShell campaign to Chinese nation-state actors, with Microsoft attributing various phases of the attacks to three known threat groups: Linen Typhoon, Violet Typhoon, and Storm-2603.

The campaign has already resulted in breaches at several high-profile organisations, including: the US National Nuclear Security Administration, US Department of Education, Florida Department of Revenue, Rhode Island General Assembly, and government agencies in Europe and the Middle East.

The initial ToolShell exploits, chaining CVE-2025-49706 (an authentication bypass) with CVE-2025-49704 (remote code execution), were first uncovered by Dutch cybersecurity firm Eye Security, which detected attacks on 54 organisations, including multinational firms and government agencies.

Additional research by Check Point found evidence of exploitation targeting entities across North America and Western Europe in the government, telecommunications, and technology sectors.

Microsoft had patched those two flaws in its July 2025 Patch Tuesday update, but after discovering that attackers were also compromising fully patched SharePoint servers, it assigned new CVE IDs, CVE-2025-53770 and CVE-2025-53771, to the patch-bypass variants and shipped out-of-band fixes for them.

Federal emergency response

In response, the US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770, a remote code execution vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog, ordering all federal agencies to patch affected systems within 24 hours.

Security experts are now strongly advising organisations using vulnerable on-premises SharePoint servers to take the following immediate actions: