{
	"id": "891801a4-e8d3-48b2-a574-fe262c7efec4",
	"created_at": "2026-04-06T00:11:49.523003Z",
	"updated_at": "2026-04-10T03:36:06.963441Z",
	"deleted_at": null,
	"sha1_hash": "ac41b40ccaa293dab11bfab2f1383e852f147efa",
	"title": "ToolShell: An all-you-can-eat buffet for threat actors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 777052,
	"plain_text": "ToolShell: An all-you-can-eat buffet for threat actors\r\nBy ESET Research\r\nArchived: 2026-04-05 15:12:09 UTC\r\nESET Research\r\nESET Research has been monitoring attacks involving the recently discovered ToolShell zero-day vulnerabilities\r\n24 Jul 2025 • 5 min. read\r\nOn July 19th, 2025, Microsoft confirmed that a set of zero-day vulnerabilities in SharePoint Server called\r\nToolShell is being exploited in the wild. ToolShell comprises CVE-2025-53770, a remote code execution\r\nvulnerability, and CVE‑2025‑53771, a server spoofing vulnerability. These attacks target on-premises Microsoft\r\nSharePoint servers, specifically those running SharePoint Subscription Edition, SharePoint 2019, or SharePoint\r\n2016. SharePoint Online in Microsoft 365 is not impacted. Exploiting these vulnerabilities enables threat actors to\r\ngain entry to restricted systems and steal sensitive information.\r\nStarting from July 17th, ToolShell has been widely exploited by all sorts of threat actors, from petty\r\ncybercriminals to nation-state APT groups. Since SharePoint is integrated with other Microsoft services, such as\r\nOffice, Teams, OneDrive, and Outlook, this compromise can provide the attackers a staggering level of access\r\nacross the affected network.\r\nAs part of the attack, the threat actors often chain together four vulnerabilities: the previously patched\r\nCVE‑2025‑49704 and CVE-2025-49706, alongside the already mentioned CVE-2025-53770 and CVE-2025-53771.\r\nAs of July 22, CVE‑2025‑53770 and CVE-2025-53771 have also been patched.\r\nhttps://www.welivesecurity.com/en/eset-research/toolshell-an-all-you-can-eat-buffet-for-threat-actors/\r\nPage 1 of 8\n\nWebshell payloads\r\nExploiting ToolShell allows the attackers to bypass multi-factor authentication (MFA) and single sign-on (SSO).\r\nAfter getting inside the targeted server, attackers were seen deploying malicious webshells to extract information\r\nfrom the compromised system. 
One of the scripts frequently used for this purpose is named spinstall0.aspx, which\r\nwe track as MSIL/Webshell.JS.\r\nAdditionally, on July 22nd, 2025, we observed that attackers attempted to deploy other simple ASP webshells\r\ncapable of executing attacker-supplied commands via cmd.exe. These webshells were deployed using the\r\nfollowing filenames: ghostfile346.aspx, ghostfile399.aspx, ghostfile807.aspx, ghostfile972.aspx, and\r\nghostfile913.aspx.\r\nESET products first detected an attempt to exploit part of the execution chain – the Sharepoint/Exploit.CVE-2025-49704\r\nvulnerability – on July 17th in Germany. However, because this attempt was blocked, the final webshell\r\npayload was not delivered to the targeted system. The first time we registered the payload itself was on July 18th\r\non a server in Italy. As seen in Figure 1, we have since observed active ToolShell exploitation all over the world,\r\nwith the US (13.3% of attacks) being the most targeted country according to our telemetry data.\r\nFigure 1. Geographic distribution of ToolShell attacks from July 17, 2025 to July 22, 2025\r\nAttack monitoring\r\nOur monitoring of the ToolShell attacks from July 17th to July 22nd revealed that they were coming from the IP\r\naddresses shown in Table 1 (all times are in UTC).\r\nTable 1. 
Attacker IP addresses\r\nIP address Attack start date Attack end date\r\n96.9.125[.]147 2025-07-17 09:00 2025-07-17 16:00\r\n107.191.58[.]76 2025-07-18 14:00 2025-07-18 20:00\r\n104.238.159[.]149 2025-07-19 04:00 2025-07-19 09:00\r\n139.59.11[.]66 2025-07-21 11:00 2025-07-21 16:00\r\n154.223.19[.]106 2025-07-21 13:00 2025-07-22 18:00\r\n103.151.172[.]92 2025-07-21 14:00 2025-07-21 16:00\r\n45.191.66[.]77 2025-07-21 14:00 2025-07-22 07:00\r\n83.136.182[.]237 2025-07-21 14:00 2025-07-21 16:00\r\n162.248.74[.]92 2025-07-21 14:00 2025-07-21 17:00\r\n38.54.106[.]11 2025-07-21 15:00 2025-07-21 15:00\r\n206.166.251[.]228 2025-07-21 16:00 2025-07-22 16:00\r\n45.77.155[.]170 2025-07-21 16:00 2025-07-21 19:00\r\n64.176.50[.]109 2025-07-21 17:00 2025-07-22 17:00\r\n149.28.17[.]188 2025-07-22 03:00 2025-07-22 03:00\r\n173.239.247[.]32 2025-07-22 05:00 2025-07-22 05:00\r\n109.105.193[.]76 2025-07-22 05:00 2025-07-22 16:00\r\n2.56.190[.]139 2025-07-22 06:00 2025-07-22 07:00\r\n141.164.60[.]10 2025-07-22 07:00 2025-07-22 18:00\r\n124.56.42[.]75 2025-07-22 13:00 2025-07-22 18:00\r\nFigure 2 shows the timeline of the attacks coming from the three most active IP addresses.\r\nFigure 2. Attacks from the most active IP addresses seen per hour (zero values not shown)\r\nConcerningly, Microsoft has reported that several China-aligned threat actors have joined in on the exploitation\r\nattempts. From our side, we detected a backdoor associated with LuckyMouse – a cyberespionage group that\r\ntargets mainly governments, telecommunications companies, and international organizations – on a machine in\r\nVietnam targeted via ToolShell. 
At this stage, it remains unclear whether the system had been previously\r\ncompromised or if the backdoor was introduced during the current attack.\r\nNevertheless, China-aligned APT groups have certainly seized the opportunity to add the exploit chain to their\r\narsenals: according to our telemetry, the victims of the ToolShell attacks include several high-value government\r\norganizations that have been long-standing targets of these groups.\r\nSince the cat is out of the bag now, we expect many more opportunistic attackers to take advantage of unpatched\r\nsystems. The exploit attempts are ongoing and will surely continue. Therefore, if you are using SharePoint Server,\r\nthe following is recommended (as per guidance from Microsoft):\r\nuse only supported versions,\r\napply the latest security updates,\r\nmake sure that Antimalware Scan Interface is turned on and configured properly, with an appropriate\r\ncybersecurity solution, and\r\nrotate SharePoint Server ASP.NET machine keys.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at\r\nthreatintel@eset.com. \r\nESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this\r\nservice, visit the ESET Threat Intelligence page.\r\nIoCs\r\nA comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.\r\nFiles\r\nSHA-1 Filename Detection Description\r\nF5B60A8EAD96703080E73A1F79C3E70FF44DF271 spinstall0.aspx MSIL/Webshell.JS Webshell deployed via SharePoint vulnerabilities\r\nNetwork\r\nIP Domain Hosting provider First seen Details\r\n96.9.125[.]147 N/A BL Networks 2025-07-17 IP address exploiting SharePoint vulnerabilities.\r\n107.191.58[.]76 N/A The Constant Company, LLC 2025-07-18 IP address exploiting SharePoint vulnerabilities.\r\n104.238.159[.]149 N/A The Constant Company, LLC 2025-07-19 IP address exploiting SharePoint vulnerabilities.\r\n139.59.11[.]66 N/A DigitalOcean, LLC 2025-07-21 IP address exploiting SharePoint vulnerabilities.\r\n154.223.19[.]106 N/A Kaopu Cloud HK Limited 2025-07-21 IP address exploiting SharePoint vulnerabilities.\r\n103.151.172[.]92 N/A IKUUU NETWORK LTD 2025-07-21 IP address exploiting SharePoint vulnerabilities.\r\n45.191.66[.]77 N/A VIACLIP INTERNET E TELECOMUNICAÇÕES LTDA 2025-07-21 IP address exploiting SharePoint vulnerabilities.\r\n83.136.182[.]237 N/A Alina Gatsaniuk 2025-07-21 IP address exploiting SharePoint vulnerabilities.\r\n162.248.74[.]92 N/A xTom GmbH 2025-07-21 IP address exploiting SharePoint vulnerabilities.\r\n38.54.106[.]11 N/A Kaopu Cloud HK Limited 2025-07-21 IP address exploiting SharePoint vulnerabilities.\r\n206.166.251[.]228 N/A BL Networks 2025-07-21 IP address exploiting SharePoint vulnerabilities.\r\n45.77.155[.]170 N/A Vultr 
Holdings, LLC 2025-07-21 IP address exploiting SharePoint vulnerabilities.\r\n64.176.50[.]109 N/A The Constant Company, LLC 2025-07-21 IP address exploiting SharePoint vulnerabilities.\r\n149.28.17[.]188 N/A The Constant Company, LLC 2025-07-22 IP address exploiting SharePoint vulnerabilities.\r\n173.239.247[.]32 N/A GSL Networks Pty LTD 2025-07-22 IP address exploiting SharePoint vulnerabilities.\r\n109.105.193[.]76 N/A Haruka Network Limited 2025-07-22 IP address exploiting SharePoint vulnerabilities.\r\n2.56.190[.]139 N/A Alina Gatsaniuk 2025-07-22 IP address exploiting SharePoint vulnerabilities.\r\n141.164.60[.]10 N/A The Constant Company, LLC 2025-07-22 IP address exploiting SharePoint vulnerabilities.\r\n124.56.42[.]75 N/A IP Manager 2025-07-22 IP address exploiting SharePoint vulnerabilities.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 17 of the MITRE ATT\u0026CK framework.\r\nTactic ID Name Description\r\nInitial Access T1190 Exploit Public-Facing Application Threat actors exploited CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE‑2025-53771 to compromise on-premises Microsoft SharePoint servers.\r\nExecution T1059.003 Command and Scripting Interpreter: Windows Command Shell The deployed webshells execute attacker-supplied commands via cmd.exe.\r\nPersistence T1505.003 Server Software Component: Web Shell Threat actors deployed webshells to compromised servers.\r\nCollection T1005 Data from Local System The deployed 
webshells allow the attackers to extract information from the compromised systems.\r\nSource: https://www.welivesecurity.com/en/eset-research/toolshell-an-all-you-can-eat-buffet-for-threat-actors/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/toolshell-an-all-you-can-eat-buffet-for-threat-actors/"
	],
	"report_names": [
		"toolshell-an-all-you-can-eat-buffet-for-threat-actors"
	],
	"threat_actors": [
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434309,
	"ts_updated_at": 1775792166,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ac41b40ccaa293dab11bfab2f1383e852f147efa.pdf",
		"text": "https://archive.orkl.eu/ac41b40ccaa293dab11bfab2f1383e852f147efa.txt",
		"img": "https://archive.orkl.eu/ac41b40ccaa293dab11bfab2f1383e852f147efa.jpg"
	}
}