The ToolShell Threat Escalates: New 4L4MD4R Ransomware Joins China-Linked APTs in SharePoint Attacks
A large-scale campaign exploiting a chain of vulnerabilities in Microsoft SharePoint continues to escalate—this time with the active involvement of ransomware groups. During an investigation into a series of coordinated attacks, researchers at Palo Alto Networks’ Unit 42 identified the deployment of 4L4MD4R, a ransomware strain derived from the open-source project Mauri870. Its activity has been directly linked to an exploit chain provisionally named ToolShell.
The first recorded infection occurred on July 27, when a malware loader was observed retrieving and executing 4L4MD4R from the domain theinnovationfactory[.]it, associated with IP address 145.239.97[.]206. The intrusion came to light following a failed exploitation attempt that involved PowerShell commands aimed at disabling endpoint security monitoring—an oversight that ultimately revealed the architecture of the attack.
The ransomware itself is a UPX-packed binary written in Go. Upon execution, it decrypts an AES-encrypted payload in memory, allocates space for it, injects the contents, and launches execution in a separate thread. Encryption of local data then begins, resulting in modified file extensions, an inventory of encrypted content, and a ransom note. The demanded ransom is relatively modest—0.005 Bitcoin.
The ToolShell exploit chain, which leverages CVE-2025-49706 and CVE-2025-49704, has drawn attention from multiple China-linked threat actors. According to Microsoft, at least three state-sponsored groups—Linen Typhoon, Violet Typhoon, and Storm-2603—have been involved. These attacks have been observed globally, targeting entities across North America, Europe, and the Middle East. Victims include the U.S. Department of Education, the National Nuclear Security Administration, the Florida Department of Revenue, the Rhode Island General Assembly, and various government systems in Europe.
Initial signs of ToolShell exploitation were identified by the Dutch firm Eye Security, which documented infections across 54 organizations. However, subsequent analysis revealed a far broader impact. According to Eye Security’s CTO, Piet Kerkhofs, at least 400 servers have been compromised, affecting 148 organizations, many of which had been infiltrated for extended periods.
Researchers at Check Point traced the activity back to at least July 7. Targets included government agencies, telecommunications providers, and technology firms throughout Western Europe and North America. Despite Microsoft addressing the known vulnerabilities in its July Patch Tuesday update, the attacks persisted. Two new vulnerabilities—CVE-2025-53770 and CVE-2025-53771—have since been discovered, with attackers successfully exploiting them even on fully patched SharePoint servers.
In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53770 to its catalog of known exploited vulnerabilities, mandating that all federal agencies remediate the flaw within 24 hours of notification.
Taken together, these events illustrate a highly coordinated, strategic operation—combining the efforts of multiple advanced groups, the use of sophisticated multi-stage exploits, deliberate neutralization of security controls, and the integration of ransomware. It reflects a rising tide of hybrid threats, where cybercriminal operations are closely aligned with the strategic interests of nation-states.
