{
	"id": "b7f867bf-3608-4556-be2d-c1c2ee044dc5",
	"created_at": "2026-04-06T00:12:27.224098Z",
	"updated_at": "2026-04-10T13:11:35.737091Z",
	"deleted_at": null,
	"sha1_hash": "2f03a5787e258c2951250b2f0526457b1b6a7715",
	"title": "Disrupting active exploitation of on-premises SharePoint vulnerabilities | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 641368,
	"plain_text": "Disrupting active exploitation of on-premises SharePoint vulnerabilities |\r\nMicrosoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2025-07-22 · Archived: 2026-04-02 11:58:22 UTC\r\nJuly 23, 2025 update – Expanded analysis and threat intelligence from our continued monitoring of exploitation activity by\r\nStorm-2603 leading to the deployment of Warlock ransomware. Based on new information, we have updated the Attribution,\r\nIndicators of compromise, extended and clarified Mitigation and protection guidance (including raising Step 6: Restart IIS\r\nfor emphasis), Detections, and Hunting sections.\r\nOn July 19, 2025, Microsoft Security Response Center (MSRC) published a blog addressing active attacks against on-premises SharePoint servers that exploit CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code\r\nexecution vulnerability. These vulnerabilities affect on-premises SharePoint servers only and do not affect SharePoint\r\nOnline in Microsoft 365. Microsoft has released new comprehensive security updates for all supported versions of\r\nSharePoint Server (Subscription Edition, 2019, and 2016) that protect customers against these new vulnerabilities.\r\nCustomers should apply these updates immediately to ensure they are protected.\r\nThese comprehensive security updates address newly disclosed security vulnerabilities in CVE-2025-53770 that are related\r\nto the previously disclosed vulnerability CVE-2025-49704. The updates also address the security bypass vulnerability CVE-2025-53771 for the previously disclosed CVE-2025-49706. \r\nAs of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon\r\nexploiting these vulnerabilities targeting internet-facing SharePoint servers. In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities to deploy ransomware. 
Investigations into other\r\nactors also using these exploits are still ongoing. With the rapid adoption of these exploits, Microsoft assesses with high\r\nconfidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint\r\nsystems. This blog shares details of observed exploitation of CVE-2025-49706 and CVE-2025-49704 and the follow-on\r\ntactics, techniques, and procedures (TTPs) by threat actors. We will update this blog with more information as our\r\ninvestigation continues.\r\nMicrosoft recommends customers to use supported versions of on-premises SharePoint servers with the latest security\r\nupdates. To stop unauthenticated attacks from exploiting this vulnerability, customers should also integrate and enable\r\nAntimalware Scan Interface (AMSI) and Microsoft Defender Antivirus (or equivalent solutions) for all on-premises\r\nSharePoint deployments and configure AMSI to enable Full Mode as detailed in Mitigations section below. Customers\r\nshould also rotate SharePoint server ASP.NET machine keys, restart Internet Information Services (IIS), and deploy\r\nMicrosoft Defender for Endpoint or equivalent solutions.\r\nObserved tactics and techniques\r\nMicrosoft observed multiple threat actors conducting reconnaissance and attempting exploitation of on-premises SharePoint\r\nservers through a POST request to the ToolPane endpoint.\r\nhttps://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/\r\nPage 1 of 17\n\nFigure 1. 
POST request to ToolPane endpoint\r\nPost-exploitation activities\r\nThreat actors who successfully executed the authentication bypass and remote code execution exploits against vulnerable\r\non-premises SharePoint servers have been observed using a web shell in their post-exploitation payload.\r\nWeb shell deployment\r\nIn observed attacks, threat actors send a crafted POST request to the SharePoint server, uploading a malicious script named\r\nspinstall0.aspx. Actors have also modified the file name in a variety of ways, such as spinstall.aspx, spinstall1.aspx,\r\nspinstall2.aspx, etc. The spinstall0.aspx script contains commands to retrieve MachineKey data and return the results to the\r\nuser through a GET request, enabling the theft of the key material by threat actors.\r\nRelated IOCs and hunting queries\r\nMicrosoft provides indicators of compromise (IOCs) to identify and hunt for this web shell in the Indicators of compromise\r\nsection of this blog. Microsoft provides related hunting queries to find this dropped file in the Hunting queries section of this\r\nblog.\r\nAttribution\r\nAs early as July 7, 2025, Microsoft analysis suggests threat actors were attempting to exploit CVE-2025-49706 and CVE-2025-49704 to gain initial access to target organizations. These actors include Chinese state actors Linen Typhoon and Violet\r\nTyphoon and another China-based actor Storm-2603.  The TTPs employed in these exploit attacks align with previously\r\nobserved activities of these threat actors.\r\nLinen Typhoon\r\nSince 2012, Linen Typhoon has focused on stealing intellectual property, primarily targeting organizations related to\r\ngovernment, defense, strategic planning, and human rights. 
This threat actor is known for using drive-by compromises and\r\nhistorically has relied on existing exploits to compromise organizations.\r\nViolet Typhoon\r\nSince 2015, the Violet Typhoon activity group has been dedicated to espionage, primarily targeting former government and\r\nmilitary personnel, non-governmental organizations (NGOs), think tanks, higher education, digital and print media, financial\r\nand health related sectors in the United States, Europe, and East Asia. This group persistently scans for vulnerabilities in the\r\nexposed web infrastructure of target organizations, exploiting discovered weaknesses to install web shells.\r\nStorm-2603\r\nThe group that Microsoft tracks as Storm-2603 is assessed with moderate confidence to be a China-based threat actor.\r\nMicrosoft has not identified links between Storm-2603 and other known Chinese threat actors. Microsoft tracks this threat\r\nactor in association with attempts to steal MachineKeys using the on-premises SharePoint vulnerabilities. Although\r\nMicrosoft has observed this threat actor deploying Warlock and Lockbit ransomware in the past, Microsoft is currently\r\nunable to confidently assess the threat actor’s objectives. Starting on July 18, 2025, Microsoft has observed Storm-2603\r\ndeploying ransomware using these vulnerabilities.\r\nInitial access and delivery\r\nThe observed attack begins with the exploitation of an internet-facing on-premises SharePoint server, granting Storm-2603\r\ninitial access to the environment using the spinstall0.aspx payload described earlier in this blog. This initial access is used to\r\nconduct command execution using the w3wp.exe process that supports SharePoint. Storm-2603 then initiates a series of\r\ndiscovery commands, including whoami, to enumerate user context and validate privilege levels. 
The use of cmd.exe and\r\nbatch scripts is also observed as the actor transitions into broader execution phases. Notably, services.exe is abused to\r\ndisable Microsoft Defender protections through direct registry modifications.\r\nPersistence\r\nStorm-2603 established persistence through multiple mechanisms. In addition to the spinstall0.aspx web shell, the threat\r\nactor also creates scheduled tasks and manipulates Internet Information Services (IIS) components to load suspicious .NET\r\nassemblies. These actions ensure continued access even if initial vectors are remediated.\r\nAction on objectives\r\nThe threat actor performs credential access using Mimikatz, specifically targeting the Local Security Authority Subsystem\r\nService (LSASS) memory to extract plaintext credentials. The actor moves laterally using PsExec and the Impacket toolkit,\r\nexecuting commands using Windows Management Instrumentation (WMI).\r\nStorm-2603 is then observed modifying Group Policy Objects (GPO) to distribute Warlock ransomware in compromised\r\nenvironments.\r\nFigure 2. Storm-2603 attack chain exploiting SharePoint vulnerabilities and leading to ransomware\r\nAdditional actors will continue to use these exploits to target unpatched on-premises SharePoint systems, further\r\nemphasizing the need for organizations to implement mitigations and security updates immediately.\r\nMitigation and protection guidance\r\nMicrosoft has released security updates that fully protect customers using all supported versions of SharePoint affected\r\nby CVE-2025-53770 and CVE-2025-53771. Customers should apply these updates immediately.\r\nCustomers using SharePoint Server should follow the guidance below.\r\n1. Use or upgrade to supported versions of on-premises Microsoft SharePoint Server.\r\nSupported versions: SharePoint Server 2016, 2019, and SharePoint Subscription Edition\r\n2. 
Apply the latest security updates.\r\n3. Ensure the Antimalware Scan Interface is turned on and configured correctly and deploy Defender Antivirus\r\non all SharePoint servers\r\nConfigure Antimalware Scan Interface (AMSI) integration in SharePoint, enable Full Mode for optimal\r\nprotection, and deploy Defender Antivirus on all SharePoint servers, which will stop unauthenticated attackers\r\nfrom exploiting this vulnerability.\r\nNote: AMSI integration was enabled by default in the September 2023 security update for SharePoint Server\r\n2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.\r\nIf you cannot enable AMSI, we recommend you consider disconnecting your server from the internet until\r\nyou have applied the most current security update linked above. If the server cannot be disconnected from the\r\ninternet, consider using a VPN or proxy requiring authentication or an authentication gateway to limit\r\nunauthenticated traffic.\r\n4. Deploy Microsoft Defender for Endpoint, or equivalent solutions\r\nWe recommend that organizations deploy Defender for Endpoint to detect and block post-exploit activity.\r\n5. Rotate SharePoint Server ASP.NET machine keys\r\nAfter applying the latest security updates above or enabling AMSI, it is critical that customers rotate\r\nSharePoint server ASP.NET machine keys and restart Internet Information Services (IIS) on all SharePoint\r\nservers.\r\n1. Manually using PowerShell\r\nTo update the machine keys using PowerShell, use the Set-SPMachineKey cmdlet.\r\n2. Manually using Central Admin: Trigger the Machine Key Rotation timer job by performing the\r\nfollowing steps:\r\nNavigate to the Central Administration site.\r\nGo to Monitoring -\u003e Review job definition.\r\nSearch for Machine Key Rotation Job and select Run Now.\r\n6. 
Restart IIS on all SharePoint servers using iisreset.exe. NOTE: If you cannot enable AMSI, you will need to rotate\r\nyour keys and restart IIS after you install the new security update.\r\n7. Implement your incident response plan.\r\nTo protect against post-exploitation activity, including ransomware deployment, Microsoft recommends the following\r\nmitigations:\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to\r\ncover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge\r\nmajority of new and unknown variants.\r\nRead our human-operated ransomware blog for advice on developing a holistic security posture to prevent\r\nransomware, including credential hygiene and hardening recommendations.\r\nRun endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint – or equivalent\r\nEDR solution – can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or\r\nwhen Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to\r\nremediate malicious artifacts that are detected post-breach.\r\nConfigure automatic attack disruption in Microsoft Defender XDR. Automatic attack disruption is designed to\r\ncontain attacks in progress, limit the impact on an organization’s assets, and provide more time for security teams to\r\nremediate the attack fully.\r\nEnable LSA protection.\r\nEnable and configure Credential Guard.\r\nEnsure that tamper protection is enabled in Microsoft Defender for Endpoint.\r\nEnable controlled folder access.\r\nMicrosoft Defender customers can turn on attack surface reduction rules to prevent common attack techniques.\r\nAttack surface reduction rules are sweeping settings that stop entire classes of threats. 
The following bullet points\r\noffer more guidance on specific mitigation advice:\r\nUse advanced protection against ransomware.\r\nBlock credential stealing from the Windows local security authority subsystem.\r\nBlock process creations originating from PSExec and WMI commands.\r\nIndicators of compromise\r\nIndicator | Type | Description\r\nSpinstall0.aspx | File name | Web shell used by threat actors. Actors have also modified the file name in a variety of ways, such as spinstall.aspx, spinstall1.aspx, spinstall2.aspx\r\nIIS_Server_dll.dll | File name | Storm-2603 IIS Backdoor\r\nSharpHostInfo.x64.exe | File name | Pentest tool observed during attack that is used to collect host information using NetBIOS, SMB, and WMI\r\nxd.exe | File name | Fast reverse proxy tool used to connect to C2 IP 65.38.121[.]198\r\ndebug_dev.js | File name | File containing web config data, including MachineKey data\r\n\\1[5-6]\\TEMPLATE\\LAYOUTS\\debug_dev.js | File path | File path for stolen web configs\r\n92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 | SHA-256 | Hash of spinstall0.aspx\r\n24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf | SHA-256 | Web shell that leverages http \u0026 curl to receive and execute commands from Storm-2603 C2 update[.]updatemicfosoft[.]com\r\nb5a78616f709859a0d9f830d28ff2f9dbbb2387df1753739407917e96dadf6b0 | SHA-256 | Web shell that leverages sockets DNS to receive and execute commands from Storm-2603 C2 update[.]updatemicfosoft[.]com\r\nc27b725ff66fdfb11dd6487a3815d1d1eba89d61b0e919e4d06ed3ac6a74fe94 | SHA-256 | Web shell that leverages sockets DNS to receive and execute commands from Storm-2603 C2 update[.]updatemicfosoft[.]com\r\n1eb914c09c873f0a7bcf81475ab0f6bdfaccc6b63bf7e5f2dbf19295106af192 | SHA-256 | Web shell that leverages sockets DNS to receive and execute commands from Storm-2603 C2 update[.]updatemicfosoft[.]com\r\n4c1750a14915bf2c0b093c2cb59063912dfa039a2adfe6d26d6914804e2ae928 | SHA-256 | Observed hash for IIS_Server_dll.dll (Storm-2603 IIS Backdoor)\r\n83705c75731e1d590b08f9357bc3b0f04741e92a033618736387512b40dab060 | SHA-256 | Observed hash for IIS_Server_dll.dll (Storm-2603 IIS Backdoor)\r\nf54ae00a9bae73da001c4d3d690d26ddf5e8e006b5562f936df472ec5e299441 | SHA-256 | Observed hash for IIS_Server_dll.dll (Storm-2603 IIS Backdoor)\r\nb180ab0a5845ed619939154f67526d2b04d28713fcc1904fbd666275538f431d | SHA-256 | Observed hash for IIS_Server_dll.dll (Storm-2603 IIS Backdoor)\r\n6753b840cec65dfba0d7d326ec768bff2495784c60db6a139f51c5e83349ac4d | SHA-256 | Observed hash for IIS_Server_dll.dll (Storm-2603 IIS Backdoor)\r\n7ae971e40528d364fa52f3bb5e0660ac25ef63e082e3bbd54f153e27b31eae68 | SHA-256 | Observed hash for IIS_Server_dll.dll (Storm-2603 IIS Backdoor)\r\n567cb8e8c8bd0d909870c656b292b57bcb24eb55a8582b884e0a228e298e7443 | SHA-256 | Observed hash for IIS_Server_dll.dll (Storm-2603 IIS Backdoor)\r\n445a37279d3a229ed18513e85f0c8d861c6f560e0f914a5869df14a74b679b86 | SHA-256 | Observed hash for IIS_Server_dll.dll (Storm-2603 IIS Backdoor)\r\nffbc9dfc284b147e07a430fe9471e66c716a84a1f18976474a54bee82605fa9a | SHA-256 | Observed hash for IIS_Server_dll.dll (Storm-2603 IIS Backdoor)\r\n6b273c2179518dacb1218201fd37ee2492a5e1713be907e69bf7ea56ceca53a5 | SHA-256 | Observed hash for IIS_Server_dll.dll (Storm-2603 IIS Backdoor)\r\nc2c1fec7856e8d49f5d49267e69993837575dbbec99cd702c5be134a85b2c139 | SHA-256 | Observed hash for IIS_Server_dll.dll (Storm-2603 IIS Backdoor)\r\n6f6db63ece791c6dc1054f1e1231b5bbcf6c051a49bad0784569271753e24619 | SHA-256 | Observed hash for IIS_Server_dll.dll (Storm-2603 IIS Backdoor)\r\nd6da885c90a5d1fb88d0a3f0b5d9817a82d5772d5510a0773c80ca581ce2486d | SHA-256 | Hash for SharpHostInfo.x64.exe\r\n62881359e75c9e8899c4bc9f452ef9743e68ce467f8b3e4398bebacde9550dea | SHA-256 | Hash for xd.exe\r\nc34718cbb4c6.ngrok-free[.]app/file.ps1 | URL | Ngrok tunnel delivering PowerShell to C2\r\nmsupdate[.]updatemicfosoft[.]com | URL | C2 domain for Storm-2603\r\n131.226.2[.]6 | IP | Post-exploitation C2\r\n134.199.202[.]205 | IP | IP address exploiting SharePoint vulnerabilities\r\n104.238.159[.]149 | IP | IP address exploiting SharePoint vulnerabilities\r\n188.130.206[.]168 | IP | IP address exploiting SharePoint vulnerabilities\r\n65.38.121[.]198 | IP | Post-exploitation C2 for Storm-2603\r\nMicrosoft Defender XDR coverage\r\nMicrosoft Defender XDR customers get coordinated protection across endpoints, identities, email, and cloud apps to detect,\r\nprevent, investigate, and respond to threats like the SharePoint exploitation activity described in this blog. 
 \r\nCustomers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and\r\nrespond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.\r\nThe following table outlines the tactics observed in the exploitation attacks discussed in this blog, along with Microsoft\r\nDefender protection coverage at each stage of the attack chain:\r\nTactic: Initial Access\r\nObserved activity: Use of known vulnerabilities to exploit internet-facing SharePoint servers\r\nMicrosoft Defender coverage:\r\nMicrosoft Defender Antivirus\r\n– Exploit:Script/SuspSignoutReq.A\r\n– Exploit:Script/SuspSignoutReqBody.A\r\nMicrosoft Defender for Endpoint\r\n– ‘SuspSignoutReq’ malware was blocked on a SharePoint server\r\n– Possible exploitation of SharePoint server vulnerabilities\r\nTactic: Execution\r\nObserved activity: Use of a web shell to run PowerShell and exfiltrate sensitive data (e.g., MachineKey); batch scripts and cmd.exe to launch PsExec for remote execution; attempts to disable Microsoft Defender protections through registry edits using the service control manager; escalation of privileges to SYSTEM using PsExec with the -s flag; use of Impacket to execute commands remotely over WMI without writing files to disk\r\nMicrosoft Defender coverage:\r\nMicrosoft Defender Antivirus\r\n– Trojan:Win32/HijackSharePointServer.A\r\nMicrosoft Defender for Endpoint\r\n– Suspicious IIS worker process behavior\r\n– Suspicious scheduled task\r\n– Impacket toolkit\r\nTactic: Persistence\r\nObserved activity: Installation of web shell after exploiting SharePoint vulnerability; IIS worker process loaded suspicious .NET assembly; scheduled task for persistence following initial access\r\nMicrosoft Defender coverage:\r\nMicrosoft Defender Antivirus\r\n– Trojan:PowerShell/MachineKeyFinder.DA!amsi\r\nMicrosoft Defender for Endpoint\r\n– Possible web shell installation\r\n– IIS worker process loaded suspicious .NET assembly\r\nTactic: Credential Access\r\nObserved activity: Mimikatz used to run module “sekurlsa::logonpasswords”, which lists all available credentials\r\nMicrosoft Defender coverage:\r\nMicrosoft Defender for Endpoint\r\n– Mimikatz credential theft tool\r\nTactic: Lateral Movement\r\nObserved activity: Impacket is observed leveraging Windows Management Instrumentation to remotely stage and execute payloads\r\nMicrosoft Defender coverage:\r\nMicrosoft Defender for Endpoint\r\n– A remote resource was accessed suspiciously\r\n– Compromised account conducting hands-on-keyboard attack\r\n– Ongoing hands-on-keyboard attack via Impacket toolkit\r\nTactic: Collection\r\nObserved activity: Web shell used to extract MachineKey data\r\nMicrosoft Defender coverage:\r\nMicrosoft Defender Antivirus\r\n– Trojan:PowerShell/MachineKeyFinder.DA!amsi\r\nMicrosoft Defender for Endpoint\r\n– Possible web shell installation\r\nTactic: Impact\r\nObserved activity: Files encrypted in compromised environments as part of ransomware attack\r\nMicrosoft Defender coverage:\r\nMicrosoft Defender for Endpoint\r\n– Ransomware-linked threat actor detected\r\n– Potentially compromised assets exhibiting ransomware-like behavior\r\n– Ransomware behavior detected in the file system\r\n– Possible compromised user account delivering ransomware-related file\r\n– Potential human-operated malicious activity\r\nNote: These alerts can also be triggered by unrelated threat activity\r\nVulnerability management\r\nCustomers using Microsoft Defender Vulnerability Management can identify exposed devices and track remediation efforts\r\nbased on the following CVEs:\r\nCVE-2025-53770 – SharePoint ToolShell Auth Bypass and RCE\r\nCVE-2025-53771 – SharePoint ToolShell Path Traversal\r\nCVE-2025-49704 – SharePoint RCE\r\nCVE-2025-49706 – SharePoint Post-auth RCE\r\nNavigate to Vulnerability management \u003e Weaknesses and filter by these CVE IDs to view exposed devices, remediation\r\nstatus, and Evidence of Exploitation tags.\r\nYou can also use this unified advanced 
hunting query:\r\nDeviceTvmSoftwareVulnerabilities\r\n| where CveId in (\r\n\"CVE-2025-49704\",\r\n\"CVE-2025-49706\",\r\n\"CVE-2025-53770\",\r\n\"CVE-2025-53771\")\r\nExternal Attack Surface Management (Defender EASM) \r\nMicrosoft Defender External Attack Surface Management (Defender EASM) provides visibility into exposed internet-facing\r\nSharePoint instances. The following Attack Surface Insights may indicate vulnerable but not necessarily exploited services: \r\nCVE-2025-49704 – SharePoint RCE \r\nCVE-2025-53770 – SharePoint ToolShell Auth Bypass and RCE \r\nCVE-2025-53771 – SharePoint ToolShell Path Traversal \r\nNote: A “Potential” insight signals that a service is detected but version validation is not possible. Customers should\r\nmanually verify patching status. \r\nHunting queries\r\nMicrosoft Defender XDR\r\nTo locate possible exploitation activity, run the following queries in Microsoft Defender XDR security center.  \r\nSuccessful exploitation using file creation  \r\nLook for the creation of spinstall0.aspx, which indicates successful post-exploitation of CVE-2025-53770. 
 \r\nDeviceFileEvents\r\n| where FolderPath has_any (\"microsoft shared\\\\Web Server Extensions\\\\15\\\\TEMPLATE\\\\LAYOUTS\", \"microsoft shared\\\\Web Server Extensions\\\\16\\\\TEMPLATE\\\\LAYOUTS\")\r\n| where FileName contains \"spinstall\" or FileName contains \"spupdate\" or FileName contains \"SpLogoutLayout\" or\r\nFileName contains \"SP.UI.TitleView\"\r\nor FileName contains \"queryruleaddtool\" or FileName contains \"ClientId\"\r\n| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName,\r\nFolderPath, ReportId, ActionType, SHA256\r\n| order by Timestamp desc\r\nPost-exploitation PowerShell dropping web shell\r\nLook for process creation where w3wp.exe is spawning encoded PowerShell involving the spinstall0.aspx file or the file\r\npaths it’s been known to be written to.\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName has \"w3wp.exe\"\r\nand InitiatingProcessCommandLine !has \"DefaultAppPool\"\r\nand FileName =~ \"cmd.exe\"\r\nand ProcessCommandLine has_all (\"cmd.exe\", \"powershell\")\r\nand ProcessCommandLine has_any (\"EncodedCommand\", \"-ec\")\r\n| extend CommandArguments = split(ProcessCommandLine, \" \")\r\n| mv-expand CommandArguments to typeof(string)\r\n| where CommandArguments matches regex \"^[A-Za-z0-9+/=]{15,}$\"\r\n| extend B64Decode = replace(\"\\\\x00\", \"\", base64_decodestring(tostring(CommandArguments)))\r\n// Match either a known web shell file name or a known drop path; the file-name terms are grouped so the path terms are alternatives rather than conjuncts\r\n| where (B64Decode contains \"spinstall\" or B64Decode contains \"spupdate\" or B64Decode contains \"SpLogoutLayout\"\r\nor B64Decode contains \"SP.UI.TitleView\"\r\nor B64Decode contains \"queryruleaddtool\" or B64Decode contains \"ClientId\")\r\nor B64Decode contains @'C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\15\\TEMPLATE\\LAYOUTS'\r\nor B64Decode contains @'C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS'\r\nPost-exploitation web shell dropped\r\nLook for the web shell dropped using the PowerShell command.\r\nDeviceFileEvents\r\n| where Timestamp \u003e ago(7d)\r\n| where InitiatingProcessFileName =~ \"powershell.exe\"\r\n| where FileName contains \"spinstall\" or FileName contains \"spupdate\" or FileName contains \"SpLogoutLayout\" or\r\nFileName contains \"SP.UI.TitleView\"\r\nor FileName contains \"queryruleaddtool\" or FileName contains \"ClientId\"\r\nExploitation detected by Defender\r\nLook at Microsoft Defender for Endpoint telemetry to determine if specific alerts fired in your environment.\r\nAlertEvidence\r\n| where Timestamp \u003e ago(7d)\r\n| where Title has \"SuspSignoutReq\"\r\n| extend _DeviceKey = iff(isnotempty(DeviceId), bag_pack_columns(DeviceId, DeviceName), \"\")\r\n| summarize min(Timestamp), max(Timestamp), count_distinctif(DeviceId, isnotempty(DeviceId)), make_set(Title),\r\nmake_set_if(_DeviceKey, isnotempty(_DeviceKey))\r\nUnified advanced hunting queries\r\nFind exposed devices\r\nLook for devices vulnerable to the CVEs listed in this blog.\r\nDeviceTvmSoftwareVulnerabilities\r\n| where CveId in (\"CVE-2025-49704\",\"CVE-2025-49706\",\"CVE-2025-53770\",\"CVE-2025-53771\")\r\nWeb shell C2 communication\r\nFind devices that may have communicated with the Storm-2603 web shell C2, which may indicate a compromised device\r\nbeaconing to Storm-2603-controlled infrastructure.\r\nlet domainList = dynamic([\"update.updatemicfosoft.com\"]);\r\nunion\r\n(\r\nDnsEvents\r\n| where QueryType has_any(domainList) or Name has_any(domainList)\r\n// Name carries the queried domain; QueryType is the record type\r\n| project TimeGenerated, Domain = Name, SourceTable = \"DnsEvents\"\r\n),\r\n(\r\nIdentityQueryEvents\r\n| where QueryTarget has_any(domainList)\r\n// Defender XDR tables expose Timestamp; alias it so the final sort on TimeGenerated covers this branch\r\n| project TimeGenerated = Timestamp, Domain = QueryTarget, 
SourceTable = \"IdentityQueryEvents\"\r\n),\r\n(\r\nDeviceNetworkEvents\r\n| where RemoteUrl has_any(domainList)\r\n| project TimeGenerated = Timestamp, Domain = RemoteUrl, SourceTable = \"DeviceNetworkEvents\"\r\n),\r\n(\r\nDeviceNetworkInfo\r\n| extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)\r\n| mv-expand DnsAddresses, ConnectedNetworks\r\n| where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList)\r\n| project TimeGenerated = Timestamp, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable =\r\n\"DeviceNetworkInfo\"\r\n),\r\n(\r\nVMConnection\r\n| extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames =\r\nparse_json(RemoteDnsCanonicalNames)\r\n| mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames\r\n| where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList)\r\n| project TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable =\r\n\"VMConnection\"\r\n),\r\n(\r\nW3CIISLog\r\n| where csHost has_any(domainList) or csReferer has_any(domainList)\r\n| project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = \"W3CIISLog\"\r\n),\r\n(\r\nEmailUrlInfo\r\n| where UrlDomain has_any(domainList)\r\n| project TimeGenerated = Timestamp, Domain = UrlDomain, SourceTable = \"EmailUrlInfo\"\r\n),\r\n(\r\nUrlClickEvents\r\n| where Url has_any(domainList)\r\n| project TimeGenerated = Timestamp, Domain = Url, SourceTable = \"UrlClickEvents\"\r\n)\r\n| order by TimeGenerated desc\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to\r\nautomatically match the malicious domain indicators mentioned in this blog post with data in their workspace. 
If the TI Map\r\nanalytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel\r\nContent Hub to have the analytics rule deployed in their Sentinel workspace.\r\nOur post on web shell threat hunting with Microsoft Sentinel also provides guidance on looking for web shells in\r\ngeneral. Several hunting queries are also available below: \r\nWeb shell detection\r\nPossible Webshell drop\r\nMalicious web application requests linked with Microsoft Defender for Endpoint alerts \r\nWeb shell activity \r\nBelow are the queries using Sentinel Advanced Security Information Model (ASIM) functions to hunt threats across both\r\nMicrosoft first-party and third-party data sources. ASIM also supports deploying parsers to specific workspaces from\r\nGitHub, using an ARM template or manually.\r\nDetect network indicators of compromise and file hashes using ASIM\r\n//IP list and domain list - _Im_NetworkSession\r\nlet lookback = 30d;\r\nlet ioc_ip_addr = dynamic([\"131.226.2.6\", \"134.199.202.205\", \"104.238.159.149\", \"188.130.206.168\"]);\r\nlet ioc_domains = dynamic([\"c34718cbb4c6.ngrok-free.app\"]);\r\n_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())\r\n| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)\r\n| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),\r\nEventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor\r\n//IP list - _Im_WebSession\r\nlet lookback = 30d;\r\nlet ioc_ip_addr = dynamic([\"131.226.2.6\", \"134.199.202.205\", \"104.238.159.149\", \"188.130.206.168\"]);\r\nlet ioc_sha_hashes = dynamic([\"92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514\"]);\r\n_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())\r\n| where DstIpAddr in 
(ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)\r\n| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),\r\nEventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor\r\n// file hash list - imFileEvent\r\nlet ioc_sha_hashes = dynamic([\"92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514\"]);\r\nimFileEvent\r\n| where SrcFileSHA256 in (ioc_sha_hashes) or TargetFileSHA256 in (ioc_sha_hashes)\r\n// User is DOMAIN\\account; split on the backslash to separate the two parts\r\n| extend AccountName = tostring(split(User, @'\\')[1]),\r\nAccountNTDomain = tostring(split(User, @'\\')[0])\r\n| extend AlgorithmType = \"SHA256\"\r\nPost-exploitation C2 or file hashes\r\nFind devices that may have communicated with Storm-2603 post-exploitation C2 or contain known Storm-2603 file hashes.\r\n//IP list - _Im_WebSession\r\nlet lookback = 30d;\r\nlet ioc_ip_addr = dynamic([\"65.38.121.198\"]);\r\nlet ioc_sha_hashes 
=dynamic([\"92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514\",\r\n\"24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf\",\r\n\"b5a78616f709859a0d9f830d28ff2f9dbbb2387df1753739407917e96dadf6b0\",\r\n\"c27b725ff66fdfb11dd6487a3815d1d1eba89d61b0e919e4d06ed3ac6a74fe94\",\r\n\"1eb914c09c873f0a7bcf81475ab0f6bdfaccc6b63bf7e5f2dbf19295106af192\",\r\n\"4c1750a14915bf2c0b093c2cb59063912dfa039a2adfe6d26d6914804e2ae928\",\r\n\"83705c75731e1d590b08f9357bc3b0f04741e92a033618736387512b40dab060\",\r\n\"f54ae00a9bae73da001c4d3d690d26ddf5e8e006b5562f936df472ec5e299441\",\r\n\"b180ab0a5845ed619939154f67526d2b04d28713fcc1904fbd666275538f431d\",\r\n\"6753b840cec65dfba0d7d326ec768bff2495784c60db6a139f51c5e83349ac4d\",\r\n\"7ae971e40528d364fa52f3bb5e0660ac25ef63e082e3bbd54f153e27b31eae68\",\r\n\"567cb8e8c8bd0d909870c656b292b57bcb24eb55a8582b884e0a228e298e7443\",\r\n\"445a37279d3a229ed18513e85f0c8d861c6f560e0f914a5869df14a74b679b86\",\r\n\"ffbc9dfc284b147e07a430fe9471e66c716a84a1f18976474a54bee82605fa9a\",\r\n\"6b273c2179518dacb1218201fd37ee2492a5e1713be907e69bf7ea56ceca53a5\",\r\n\"c2c1fec7856e8d49f5d49267e69993837575dbbec99cd702c5be134a85b2c139\"]);\r\n_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())\r\n| where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)\r\n| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),\r\nEventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor\r\nStorm-2603 C2 communication\r\nLook for devices that may have communicated with Storm-2603 C2 infrastructure as part of this activity.\r\n//IP list and domain list- _Im_NetworkSession\r\nlet lookback = 30d;\r\nlet ioc_ip_addr = dynamic([\"65.38.121.198\"]);\r\nlet ioc_domains = dynamic([\"update.updatemicfosoft.com\"]);\r\n_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())\r\n| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any 
(ioc_domains)\r\nhttps://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/\r\nPage 14 of 17\n\n| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),\r\nEventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor\r\nMicrosoft Security Copilot\r\nMicrosoft Security Copilot customers can use the standalone experience to create their own prompts or run the following\r\nprebuilt promptbooks to automate incident response or investigation tasks related to this threat:\r\nVulnerability impact assessment\r\nNote that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft\r\nSentinel.\r\nThreat intelligence reports\r\nMicrosoft customers can use the following reports in Microsoft products to get the most up-to-date information about the\r\nthreat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection\r\ninformation, and recommended actions to prevent, mitigate, or respond to associated threats found in customer\r\nenvironments.\r\nMicrosoft Defender Threat Intelligence\r\nCVE-2025-53770 – Microsoft SharePoint server remote code execution vulnerability\r\nStorm-2603 exploiting on-premises SharePoint vulnerabilities to distribute Warlock ransomware\r\nMicrosoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat\r\nIntelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal\r\nto get more information about this threat actor.\r\nMITRE ATT\u0026CK techniques observed \r\nThreat actors have exhibited use of the following attack techniques. For standard industry documentation about these\r\ntechniques, refer to the MITRE ATT\u0026CK framework. 
\r\nInitial Access\r\nT1190 Exploit Public-Facing Application | Use of known vulnerabilities to exploit internet-facing on-premises\r\nSharePoint servers \r\nDiscovery\r\nT1033 System Owner/User Discovery | Whoami commands run after initial access and privilege escalation\r\nExecution\r\nT1059.001 Command and Scripting Interpreter: PowerShell | Use of a web shell to run PowerShell to read and\r\ntransmit MachineKey data to the attacker\r\nT1059.003 Command and Scripting Interpreter: Windows Command Shell | Use of batch scripts and cmd.exe to\r\nexecute PsExec\r\nT1569.002 System Services: Service Execution | Windows service control manager is abused to disable Microsoft\r\nDefender protections through registry modifications and launch PsExec\r\nT1543.003 Create or Modify System Process: Windows Service | PsExec leverages Windows services to escalate\r\nprivileges from administrator to SYSTEM with the -s argument\r\nT1047 Windows Management Instrumentation | Impacket is used to execute commands through WMI\r\nPersistence\r\nT1505.003 Server Software Component: Web Shell | Threat actors install a web shell after exploiting the SharePoint\r\nvulnerability\r\nT1505.004 Server Software Component: IIS Components | IIS worker process loads a suspicious .NET assembly\r\nT1053.005 Scheduled Task/Job: Scheduled Task | Scheduled task is created to maintain persistence following initial\r\naccess\r\nPrivilege Escalation\r\nT1484.001 Domain or Tenant Policy Modification: Group Policy Modification | GPO modification deploys batch\r\nscripts for ransomware deployment\r\nDefense Evasion\r\nT1620 Reflective Code Loading | Reflectively loaded payloads\r\nT1562.001 Impair Defenses: Disable or Modify Tools | Disabling Microsoft Defender via registry modifications\r\nT1112 Modify Registry | Disabling Microsoft Defender via registry modifications\r\nCredential Access\r\nT1003.001 OS Credential Dumping: LSASS Memory | Mimikatz is used to run the sekurlsa::logonpasswords module,\r\nwhich lists all available credentials\r\nLateral Movement\r\nT1570 Lateral Tool Transfer | Impacket is observed leveraging Windows Management Instrumentation to remotely\r\nstage and execute payloads\r\nCollection\r\nT1119 Automated Collection | Use of web shell to display MachineKey data\r\nT1005 Data from Local System | Host and local system information gathered by adversary during attack\r\nCommand and Control\r\nT1090 Proxy | Fast reverse proxy tool used for C2 communications\r\nImpact\r\nT1486 Data Encrypted for Impact | Files are encrypted in victim environments as part of ransomware attack\r\nReferences\r\nCVE-2025-53770 (MSRC)\r\nCVE-2025-49704 (MSRC)\r\nCVE-2025-49706 (MSRC)\r\nCVE-2025-53771 (MSRC)\r\nLearn more\r\nMeet the experts behind Microsoft Threat Intelligence, Incident Response, and the Microsoft Security Response Center at\r\nour VIP Mixer at Black Hat 2025. 
Discover how our end-to-end platform can help you strengthen resilience and elevate your\r\nsecurity posture.\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog.\r\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter),\r\nand Bluesky.\r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape,\r\nlisten to the Microsoft Threat Intelligence podcast.\r\nSource: https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/"
	],
	"report_names": [
		"disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities"
	],
	"threat_actors": [
		{
			"id": "1c98eeb8-c867-4d83-83bd-afe64822c122",
			"created_at": "2025-08-20T02:04:43.136556Z",
			"updated_at": "2026-04-10T02:00:03.834617Z",
			"deleted_at": null,
			"main_name": "GOLD SALEM",
			"aliases": [
				"Storm-2603 ",
				"Warlock Group"
			],
			"source_name": "Secureworks:GOLD SALEM",
			"tools": [
				"AV Killer",
				"Babuk",
				"Cloudflared",
				"Everything",
				"Impacket",
				"LockBit",
				"Mimikatz",
				"PsExec",
				"Velociraptor",
				"Warlock"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3",
			"created_at": "2022-10-25T16:07:23.80111Z",
			"updated_at": "2026-04-10T02:00:04.753677Z",
			"deleted_at": null,
			"main_name": "LookBack",
			"aliases": [
				"FlowingFrog",
				"LookBack",
				"LookingFrog",
				"TA410",
				"Witchetty"
			],
			"source_name": "ETDA:LookBack",
			"tools": [
				"FlowCloud",
				"GUP Proxy Tool",
				"SodomMain",
				"SodomMain RAT",
				"SodomNormal"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7420db21-a401-4518-8eac-f27fcd5869ca",
			"created_at": "2025-07-24T02:00:03.054727Z",
			"updated_at": "2026-04-10T02:00:02.904838Z",
			"deleted_at": null,
			"main_name": "Storm-2603",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-2603",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dc7ee503-9494-4fb6-a678-440c68fd31d8",
			"created_at": "2022-10-25T16:07:23.349177Z",
			"updated_at": "2026-04-10T02:00:04.552639Z",
			"deleted_at": null,
			"main_name": "APT 31",
			"aliases": [
				"APT 31",
				"Bronze Vinewood",
				"G0128",
				"Judgment Panda",
				"Red Keres",
				"RedBravo",
				"TA412",
				"Violet Typhoon",
				"Zirconium"
			],
			"source_name": "ETDA:APT 31",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"GrewApacha",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Roarur",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434347,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f03a5787e258c2951250b2f0526457b1b6a7715.pdf",
		"text": "https://archive.orkl.eu/2f03a5787e258c2951250b2f0526457b1b6a7715.txt",
		"img": "https://archive.orkl.eu/2f03a5787e258c2951250b2f0526457b1b6a7715.jpg"
	}
}