SharePoint Under Siege 'ToolShell'

Tags: sharepoint, CVE-2025-53770, CVE-2025-53771, CVE-2025-49706, toolshell

On July 18, 2025, Eye Security identified active, large-scale exploitation of a new remote code execution (RCE) vulnerability chain, publicly known as "ToolShell", targeting on-premises SharePoint servers worldwide. These vulnerabilities have been assigned the CVE identifiers CVE-2025-53770 and CVE-2025-53771 by Microsoft, and CVE-2025-53770 is confirmed as a variant of the previously disclosed vulnerability CVE-2025-49706.

Indicators of Compromise

vpn-checkup.com
cloudlocker-drop.xyz
secureivantiupdate.net

APT Groups (3)

EMISSARY PANDA

Summary of Actor: EMISSARY PANDA, also known as TG-3390 or APT27, is a Chinese cyber espionage group known for targeting foreign embassies, defense contractors, and energy companies. They have been active since at least 2010 and are known for their strategic espionage activities.

General Features: EMISSARY PANDA is known for conducting cyber espionage primarily aligned with Chinese geopolitical interests. They are adept at using custom malware, spear-phishing, and exploiting vulnerabilities to gain initial access and achieve persistence.

Related Other Groups: APT10, APT31, GOTHIC PANDA

Indicators of Attack (IoA):
  • Spear-phishing emails with malicious attachments
  • Usage of custom malware such as HyperBro, SysUpdate
  • Command and Control traffic via HTTP/HTTPS

Recent Activities and Trends:
  • Latest Campaigns: Recently, EMISSARY PANDA has been observed targeting vaccine research organizations and NGOs involved in COVID-19 response. They have also launched campaigns against high-profile entities in the fintech and defense sectors.
  • Emerging Trends: There is an increasing use of cloud infrastructure for command and control, and a shift towards more sophisticated spear-phishing tactics incorporating COVID-19 themes. They are also beginning to leverage supply chain attacks to increase their reach and impact.

Aliases: Iron Tiger, Group 35, Earth Smilodon, TG-3390, LuckyMouse, TEMP.Hippo, Bronze Union, ZipToken, Emissary Panda, Linen Typhoon, APT 27, Red Phoenix, Budworm, Iron Taurus, Circle Typhoon, ATK 15, G0027

APT31

Summary of Actor: APT31, also known as Zirconium, is a Chinese state-sponsored threat actor known for conducting cyber espionage activities targeting various sectors globally. The group has been active since at least 2016 and is known for using sophisticated malware and advanced techniques to achieve its objectives.

General Features: APT31 is characterized by its use of customized malware, spear-phishing campaigns, and exploitation of zero-day vulnerabilities. The group primarily focuses on intelligence gathering and has targeted political, economic, and defense-related entities.

Related Other Groups: APT15, APT10, APT40

Indicators of Attack (IoA):
  • Use of custom implants
  • Spear-phishing with malicious attachments
  • Exploitation of zero-day vulnerabilities

Recent Activities and Trends:
  • Latest Campaigns: APT31 has recently been linked to a campaign targeting European government institutions with spear-phishing emails containing malicious attachments designed to deploy custom malware. They have also been observed targeting U.S. political entities in the lead-up to major elections.
  • Emerging Trends: There has been an increased use of sophisticated and evasive techniques, including the use of legitimate cloud services for command and control. The group has also shown a shift towards targeting supply chains to indirectly compromise high-value targets.

Aliases: BRONZEVINEWOOD, RedBravo, Red Keres, JUDGMENTPANDA, Red keres, JUDGMENT PANDA, G0128, TA412, Zirconium, Judgment Panda, APT 31, BRONZE VINEWOOD, APT31, Redkeres, ZIRCONIUM, Violet Typhoon, VioletTyphoon, Bronze Vinewood

APT27

Summary of Actor: APT27, also known as Emissary Panda or TG-3390, is a well-known cyber espionage group believed to be associated with the Chinese government. They are known for targeting information related to defense, aerospace, and government sectors.

General Features: APT27 specializes in cyber espionage operations and exhibits sophisticated tactics, techniques, and procedures (TTPs). They frequently use both publicly available tools and custom malware, and they are adept at lateral movement and maintaining persistence within compromised environments.

Related Other Groups: APT10, APT1, APT40

Indicators of Attack (IoA):
  • Unusual PowerShell activity
  • Abnormal remote desktop protocol (RDP) usage
  • Execution of known APT27 malware like HyperBro

Recent Activities and Trends:
  • Latest Campaigns: In the latest activities, APT27 has been observed targeting defense contractors and government agencies using spear-phishing attacks that exploit vulnerabilities in Microsoft Exchange.
  • Emerging Trends: Recently, there has been a noticeable shift towards exploiting zero-day vulnerabilities more aggressively and leveraging living-off-the-land tactics to blend in with normal network activity.

Aliases: Iron Tiger, ZipToken, BRONZE UNION, Lucky Mouse, LuckyMouse, Linen Typhoon, Group 35, Circle Typhoon, Emissary Panda, TG-3390, Budworm, Earth Smilodon, GreedyTaotie, TEMP.Hippo, APT 27, G0027, APT27, ATK 15, Red Phoenix, Bronze Union, Iron Taurus, EMISSARY PANDA

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

These vulnerabilities apply to on-premises SharePoint Servers only.

SharePoint Online in Microsoft 365 is not impacted. Microsoft has released security updates that fully protect customers using SharePoint Subscription Edition and SharePoint 2019 against the risks posed by CVE-2025-53770 and CVE-2025-53771.

Product | Security Update link
Microsoft SharePoint Server Subscription Edition | Download Security Update for Microsoft SharePoint Server Subscription Edition (KB5002768) from Official Microsoft Download Center
Microsoft SharePoint Server 2019 | Download Security Update for Microsoft SharePoint Server Subscription Edition (KB5002754) from Official Microsoft Download Center
Microsoft SharePoint Server 2016 | Not available yet

Product | KB Article | Security Update | Fixed Build Number
Microsoft SharePoint Server 2019 | 5002741 | Security Update | 16.0.10417.20027
Microsoft SharePoint Enterprise Server 2016 | 5002744 | Security Update | 16.0.5508.1000


  1. Ensure the Antimalware Scan Interface (AMSI) is turned on and configured correctly

Configure Antimalware Scan Interface (AMSI) integration in SharePoint and enable Full Mode for optimal protection.

Note: AMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.

If you cannot enable AMSI, Microsoft recommends that you consider disconnecting your server from the internet until a security update is available.

  2. Rotate SharePoint Server ASP.NET machine keys

After applying the latest security updates above or enabling AMSI, it is critical that customers rotate SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers.

    a. Manually via PowerShell

To update the machine keys using PowerShell, use the Update-SPMachineKey cmdlet.

    b. Manually via Central Admin

    Trigger the Machine Key Rotation timer job by performing the following steps:

    1. Navigate to the Central Administration site.
    2. Go to Monitoring -> Review job definition.
    3. Search for Machine Key Rotation Job and select Run Now.

After the rotation has completed, restart IIS on all SharePoint servers using iisreset.exe.

If you cannot enable AMSI, you will need to rotate your keys after you install the new security update.
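The PowerShell path of the rotation procedure above, written out as an added example (this is not the page's own script and not Microsoft's published one). It rotates the ASP.NET machine keys of every web application in the farm with Update-SPMachineKey and then runs iisreset.exe on every SharePoint server. The loop over Get-SPWebApplication, the exclusion of servers whose Role is Invalid (non-SharePoint hosts such as SQL Server) and the use of PowerShell remoting for the restart are assumptions of this example; run it from an elevated SharePoint Management Shell on one server in the farm.

```powershell
# Added example (not from the original page): rotate ASP.NET machine keys farm-wide,
# then restart IIS on every SharePoint server, as the guidance above requires.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Rotate the machine keys of every web application, including Central Administration.
#    Looping over all web applications is an assumption of this example.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($webApp in $webApps) {
    Write-Host "Rotating machine keys for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# 2. Restart IIS on every server that hosts SharePoint. Servers with Role 'Invalid'
#    are non-SharePoint hosts (for example SQL Server) and are skipped; the remote
#    restart assumes PowerShell remoting is enabled between the farm servers.
$servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
foreach ($server in $servers) {
    Write-Host "Restarting IIS on $($server.Address)"
    Invoke-Command -ComputerName $server.Address -ScriptBlock { iisreset.exe }
}
```

If remoting is not available, run iisreset.exe locally on each SharePoint server instead of the Invoke-Command step; the key rotation itself only needs to be issued once, since the new keys are applied to the whole farm.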

  • Monitor for POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit

  • Use Endpoint Detection and Response (EDR), Intrusion Prevention System (IPS), and Web Application Firewall (WAF) logs to identify, detect, and block exploit patterns and anomalous behaviors associated with this vulnerability.
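A worked version of the first monitoring bullet, added here as an example that is not part of the original page: it parses IIS W3C log lines and flags POST requests to /_layouts/15/ToolPane.aspx whose query string carries DisplayMode=Edit. Column names follow the default IIS W3C #Fields: header; the three sample log lines are constructed for this example, and the log directory in the usage comment is the IIS default and an assumption.

```powershell
# Added example (not from the original page): flag POSTs to
# /_layouts/15/ToolPane.aspx?DisplayMode=Edit in IIS W3C logs.
function Find-ToolPaneEditPosts {
    param([Parameter(ValueFromPipeline = $true)][string[]]$Lines)
    begin { $fields = $null }
    process {
        foreach ($line in $Lines) {
            if ($line.StartsWith('#Fields:')) {
                # IIS declares the column layout in a #Fields: header line.
                $fields = $line.Substring(8).Trim() -split '\s+'
                continue
            }
            if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
            $values = $line -split '\s+'
            if ($values.Count -ne $fields.Count) { continue }   # skip malformed lines
            $entry = @{}
            for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
            # Match method, path and the DisplayMode=Edit parameter wherever it sits in the query.
            if ($entry['cs-method'] -eq 'POST' -and
                $entry['cs-uri-stem'] -ieq '/_layouts/15/ToolPane.aspx' -and
                $entry['cs-uri-query'] -imatch '(^|&)DisplayMode=Edit(&|$)') {
                [pscustomobject]@{
                    Time      = "$($entry['date']) $($entry['time'])"
                    ClientIP  = $entry['c-ip']
                    User      = $entry['cs-username']
                    Query     = $entry['cs-uri-query']
                    Status    = $entry['sc-status']
                    UserAgent = $entry['cs(User-Agent)']
                }
            }
        }
    }
}

# Constructed sample log (not real traffic): one benign GET, one POST matching the
# indicator, and one authenticated GET to the same page that should not be flagged.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 14:02:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 35
2025-07-18 14:02:13 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 120
2025-07-18 14:03:40 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\jdoe 10.0.0.9 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 40
'@ -split "`r?`n"

$sampleLog | Find-ToolPaneEditPosts | Format-Table -AutoSize

# Against real logs (path is the IIS default and an assumption of this example):
# Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC*\*.log' | Get-Content | Find-ToolPaneEditPosts
```

Only the second sample line is reported. An unauthenticated POST (cs-username is "-") to this page is the case worth escalating first; the output keeps the client IP, user and status so a hit can be correlated with EDR and WAF records from the same window.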

Observed Countries (250)

AD (215)
AE (223)
AF (859)
AG (5)
AI (559)
AL (580)
AM (319)
AO (656)
AQ (267)
AR (898)
AS (793)
AT (180)
AU (845)
AW (588)
AX (513)
AZ (991)
BA (500)
BB (227)
BD (317)
BE (218)
BF (101)
BG (22)
BH (852)
BI (4)
BJ (888)
BL (421)
BM (986)
BN (713)
BO (391)
BQ (851)
BR (652)
BS (125)
BT (208)
BV (680)
BW (928)
BY (382)
BZ (354)
CA (30)
CC (249)
CD (4)
CF (334)
CG (742)
CH (647)
CI (207)
CK (798)
CL (99)
CM (362)
CN (259)
CO (574)
CR (283)
CU (28)
CV (956)
CW (466)
CX (718)
CY (864)
CZ (251)
DE (622)
DJ (43)
DK (275)
DM (680)
DO (590)
DZ (270)
EC (64)
EE (556)
EG (943)
EH (769)
ER (965)
ES (788)
ET (76)
FI (992)
FJ (209)
FK (74)
FM (195)
FO (501)
FR (986)
GA (333)
GB (668)
GD (372)
GE (369)
GF (633)
GG (809)
GH (760)
GI (301)
GL (600)
GM (570)
GN (887)
GP (719)
GQ (723)
GR (32)
GS (233)
GT (174)
GU (892)
GW (474)
GY (431)
HK (134)
HM (480)
HN (27)
HR (207)
HT (932)
HU (656)
ID (474)
IE (378)
IL (522)
IM (563)
IN (631)
IO (522)
IQ (110)
IR (374)
IS (286)
IT (153)
JE (127)
JM (356)
JO (312)
JP (814)
KE (491)
KG (906)
KH (941)
KI (149)
KM (400)
KN (334)
KP (376)
KR (306)
KW (384)
KY (878)
KZ (803)
LA (163)
LB (955)
LC (73)
LI (628)
LK (425)
LR (305)
LS (577)
LT (967)
LU (788)
LV (763)
LY (556)
MA (52)
MC (702)
MD (768)
ME (123)
MF (734)
MG (288)
MH (337)
MK (605)
ML (859)
MM (337)
MN (408)
MO (535)
MP (107)
MQ (213)
MR (63)
MS (876)
MT (535)
MU (581)
MV (122)
MW (515)
MX (574)
MY (372)
MZ (81)
NA (620)
NC (878)
NE (894)
NF (913)
NG (118)
NI (194)
NL (110)
NO (435)
NP (333)
NR (449)
NU (942)
NZ (52)
OM (783)
PA (811)
PE (179)
PF (260)
PG (83)
PH (862)
PK (962)
PL (480)
PM (60)
PN (544)
PR (169)
PS (928)
PT (431)
PW (97)
PY (995)
QA (266)
RE (522)
RO (723)
RS (88)
RU (917)
RW (651)
SA (936)
SB (482)
SC (981)
SD (936)
SE (359)
SG (888)
SH (126)
SI (315)
SJ (966)
SK (330)
SL (955)
SM (491)
SN (760)
SO (948)
SR (850)
SS (2)
ST (532)
SV (978)
SX (130)
SY (240)
SZ (922)
TC (166)
TD (466)
TF (723)
TG (244)
TH (326)
TJ (608)
TK (333)
TL (711)
TM (918)
TN (506)
TO (529)
TR (690)
TT (874)
TV (308)
TW (776)
TZ (900)
UA (749)
UG (723)
UM (444)
US (495)
UY (356)
UZ (964)
VA (567)
VC (650)
VE (265)
VG (179)
VI (422)
VN (352)
VU (802)
WF (685)
WS (426)
XK (217)
YE (417)
YT (357)
ZA (293)
ZM (144)
ZW (454)