SharePoint Zero-Day Exploits Hit Hundreds of Organizations as Chinese Hackers Deploy Ransomware


On‑premises Microsoft SharePoint servers are facing a serious security crisis. A new attack campaign, known as ToolShell, is exploiting critical flaws and is already being used in the wild. SharePoint Online in Microsoft 365 is not affected; the risk is to self‑hosted servers, and it is a serious threat to organizations around the world that run them.

What is ToolShell?

ToolShell refers to two key vulnerabilities, CVE‑2025‑53770 (remote code execution via unsafe deserialization) and CVE‑2025‑53771 (spoofing, used to bypass authentication), that affect SharePoint on‑premises servers (Subscription Edition, 2019 and 2016). Chained together, these flaws let attackers reach the vulnerable endpoint without logging in, write malicious webshells, steal the server's machine keys, and execute code remotely.

This exploit chain builds on two older bugs, CVE‑2025‑49704 and CVE‑2025‑49706, which were patched in Microsoft's July Patch Tuesday release; the new CVEs are bypasses of those fixes. The attacker sends a POST request to ToolPane.aspx with a forged “Referer: /_layouts/SignOut.aspx” header. That bypasses the authentication check and lets the server deserialize attacker‑controlled data, which installs ASPX webshells such as spinstall0.aspx. Rather than offering a command shell, spinstall0.aspx simply returns the server's MachineKey (ValidationKey and DecryptionKey) when requested.

The ValidationKey is what ASP.NET uses to sign __VIEWSTATE. If the machine keys are not rotated, an attacker who holds them can keep sending signed, malicious __VIEWSTATE payloads that the server accepts as legitimate and deserializes, which lets them regain code execution even after the vulnerability itself has been patched.
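The following Python model, added here as an illustration and not code from the article or from Microsoft, shows why a stolen key outlives the patch. ASP.NET appends a MAC computed with the ValidationKey to __VIEWSTATE and accepts any ViewState whose MAC verifies; the model simplifies that to HMAC‑SHA256 over the ViewState bytes and the page path (the real format also mixes in a modifier such as ViewStateUserKey). The `SharePointServer` class and its methods are constructed stand‑ins, not SharePoint APIs.

```python
"""Stolen MachineKey vs. patched server: a toy model of ViewState MAC checks."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

MAC_LEN = 32  # HMAC-SHA256 digest length


def sign_viewstate(validation_key: bytes, page: str, payload: bytes) -> bytes:
    """Return payload || MAC, the way the server emits a signed ViewState.

    Simplification (assumption): the MAC covers payload || page path only.
    """
    mac = hmac.new(validation_key, payload + page.encode(), hashlib.sha256).digest()
    return payload + mac


def verify_viewstate(validation_key: bytes, page: str, token: bytes) -> Optional[bytes]:
    """Return the payload if the MAC verifies under this key, otherwise None."""
    if len(token) < MAC_LEN:
        return None
    payload, mac = token[:-MAC_LEN], token[-MAC_LEN:]
    expected = hmac.new(validation_key, payload + page.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


class SharePointServer:
    """Constructed stand-in for a server that validates posted ViewState."""

    def __init__(self) -> None:
        self.validation_key = secrets.token_bytes(64)
        self.patched = False

    def apply_security_update(self) -> None:
        # The patch closes the initial RCE; it does not touch the MachineKey.
        self.patched = True

    def rotate_machine_key(self) -> None:
        self.validation_key = secrets.token_bytes(64)

    def accepts(self, page: str, token: bytes) -> bool:
        """Would the server deserialize this ViewState?"""
        return verify_viewstate(self.validation_key, page, token) is not None


def persistence_scenario() -> Dict[str, bool]:
    """Walk through theft -> patch -> rotation and record what the server accepts."""
    server = SharePointServer()
    page = "/_layouts/15/ToolPane.aspx"
    # The webshell hands the attacker the live key (modelled as a plain copy).
    stolen_key = server.validation_key
    forged = sign_viewstate(stolen_key, page, b"<attacker-controlled serialized object>")

    result = {"before_patch": server.accepts(page, forged)}
    server.apply_security_update()
    result["after_patch_no_rotation"] = server.accepts(page, forged)  # still True
    server.rotate_machine_key()
    result["after_rotation"] = server.accepts(page, forged)  # False
    return result


if __name__ == "__main__":
    for stage, accepted in persistence_scenario().items():
        print(f"{stage:24s} forged ViewState accepted: {accepted}")
```

The middle line of the output is the whole point: patching alone leaves the forged ViewState valid, and only rotating the key invalidates it.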

Who is behind the attack?

A number of threat actors are exploiting these flaws. Microsoft and Google's Mandiant identify Chinese‑aligned groups, including the espionage actors Linen Typhoon and Violet Typhoon and the actor tracked as Storm‑2603, as among the attackers.

Microsoft has confirmed that Storm‑2603 is now deploying Warlock ransomware after exploiting the flaws, a shift from espionage to financially motivated activity. Microsoft assesses with moderate confidence that the group is based in China, though its exact motives are still unclear.

Scope and scale of the attack

  • As of July 18–22, attacks were seen globally, including in the U.S., Germany, Italy, Vietnam, and other countries. The U.S. accounts for the largest share of observed attacks (about 13%).
  • Eye Security and Shadowserver reported about 100 organizations compromised over the weekend of July 19–20, rising to around 400 known victims by July 23. These include multiple U.S. federal agencies, government departments, education and healthcare institutions, and critical infrastructure providers.


How the exploit chain works (kill‑chain breakdown)

Security analysts mapped ToolShell to common phases of a targeted attack:

  1. Reconnaissance – Scanning for internet‑exposed on‑premises SharePoint servers.
  2. Weaponization – Crafting a POST body that carries a serialized .NET object for the deserialization bug, plus the header needed to trip the authentication bypass.
  3. Delivery – Sending the payload to ToolPane.aspx with a forged Referer of /_layouts/SignOut.aspx.
  4. Exploitation – The server deserializes the data, which triggers RCE and writes the webshell.
  5. Installation – Webshells like spinstall0.aspx are placed in the SharePoint TEMPLATE\LAYOUTS folder.
  6. Command & Control (in practice, persistence) – Attackers request the webshell to extract the machine keys, then maintain access by posting __VIEWSTATE payloads signed with the stolen ValidationKey.
  7. Actions on Objectives – Data theft, lateral movement, ransomware deployment.

What researchers have found

  • ESET traced attacks from July 17 to 22. They saw early blocked attempts (Germany, July 17) and the first executed payload (Italy, July 18). The attacker IP addresses they tracked include a diverse set from BL Networks, DigitalOcean, Kaopu Cloud HK and others.
  • They report that the APT group LuckyMouse appeared on at least one Vietnamese target, deploying a backdoor during the same timeframe.
  • Researchers at SANS ISC analyzed the payload and reverse‑engineered the base64‑encoded chained .NET deserialization sequence. The exploit's encoded PowerShell stage writes spinstall0.aspx, which reveals the MachineKey when requested, which is why key rotation is absolutely necessary.

Microsoft and Google guidance

Google Threat Intelligence Group (GTIG) and Mandiant Consulting warn of widespread active exploitation and provide detection rules. They advise:

  • Patch SharePoint immediately (Microsoft had released fixes for all supported versions by July 22).
  • Hunt for indicators: look for suspicious ASPX/JS files (such as spinstall0.aspx or ghostfile*.aspx) and for unusual POST requests to ToolPane.aspx.
  • If compromise is suspected, rotate the ASP.NET MachineKey, even on servers that have already been patched.
  • Consider proactive key rotation for any internet‑exposed server.

Recommendations for Security Teams

  1. Patch SharePoint now. Ensure you run fully patched versions of SharePoint Server 2016, 2019, or Subscription Edition (build numbers per Microsoft's advisory).
  2. Enable AMSI integration in SharePoint and ensure antivirus is active on the servers.
  3. Scan server directories, especially TEMPLATE\LAYOUTS, for unexpected .aspx or .js files, in particular “spinstall0.aspx” and “ghostfile*.aspx”.
  4. Review IIS logs for POST calls to ToolPane.aspx with Referer “/_layouts/SignOut.aspx”, and for any requests to the webshell file names above.
  5. Rotate the ASP.NET MachineKey if there is any sign of compromise, or even as a precaution. Microsoft's guidance is to run the Update-SPMachineKey PowerShell cmdlet (or the Machine Key Rotation timer job in Central Administration) after patching, then restart IIS on every SharePoint server with iisreset.exe.
  6. Isolate vulnerable servers from the internet until they are patched and secured.
  7. Use detection rules (e.g. from Google/Mandiant, EDR vendors, Sentinel, CrowdStrike, SentinelOne) to flag exploitation attempts and payload execution.
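As a concrete starting point for steps 3 and 4 (and for the Google/Mandiant hunting advice above), here is a small Python hunt script. It is an added example, not the article's or any vendor's detection rule. It parses IIS W3C log lines (the sample lines are constructed for the demo and use the default IIS field selection with cs(Referer) enabled), flags POSTs to ToolPane.aspx carrying the SignOut.aspx Referer and any request for the known webshell names, and walks a directory tree for those file names. `make_demo_tree` builds a throwaway directory for the demo; point `hunt_files` at the real LAYOUTS folder on a server.

```python
"""Hunt for ToolShell indicators in IIS W3C logs and on disk."""
import fnmatch
import os
import tempfile
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# File names reported for the ToolShell webshells (lowercase glob patterns).
SUSPICIOUS_FILES = ("spinstall0.aspx", "ghostfile*.aspx")


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request, keyed by the latest #Fields: directive."""
    fields: List[str] = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign
        yield dict(zip(fields, values))


def is_toolshell_request(rec: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the request matches a ToolShell indicator."""
    stem = rec.get("cs-uri-stem", "").lower()
    referer = rec.get("cs(Referer)", "").lower()
    method = rec.get("cs-method", "").upper()
    if method == "POST" and stem.endswith("/toolpane.aspx") and "/_layouts/signout.aspx" in referer:
        return "POST to ToolPane.aspx with forged SignOut.aspx Referer"
    name = stem.rsplit("/", 1)[-1]
    if any(fnmatch.fnmatch(name, p) for p in SUSPICIOUS_FILES):
        return f"request for known webshell name {name}"
    return None


def hunt_logs(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client ip, uri stem, reason) for every matching request."""
    hits = []
    for rec in parse_w3c(lines):
        reason = is_toolshell_request(rec)
        if reason:
            hits.append((f"{rec['date']} {rec['time']}", rec["c-ip"], rec["cs-uri-stem"], reason))
    return hits


def hunt_files(root: str) -> List[str]:
    """Return sorted paths under root whose names match the webshell patterns."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if any(fnmatch.fnmatch(f.lower(), p) for p in SUSPICIOUS_FILES):
                found.append(os.path.join(dirpath, f))
    return sorted(found)


def make_demo_tree() -> str:
    """Constructed LAYOUTS-like tree with two planted webshell names and a benign file."""
    root = tempfile.mkdtemp(prefix="layouts-demo-")
    layouts = os.path.join(root, "LAYOUTS")
    os.makedirs(layouts)
    for name in ("default.aspx", "ghostfile42.aspx", "spinstall0.aspx"):
        open(os.path.join(layouts, name), "w").close()
    return root


# Constructed sample log: one benign GET, the exploit POST, the key-dump GET,
# and a legitimate authenticated POST to ToolPane.aspx with a normal Referer.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 09:12:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\\alice 10.0.0.20 Mozilla/5.0 - 200 0 0 31
2025-07-18 09:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 220
2025-07-18 09:12:46 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 15
2025-07-18 09:13:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 DOMAIN\\bob 10.0.0.21 Mozilla/5.0 https://sp.corp.example/sites/hr/default.aspx 200 0 0 44
"""

if __name__ == "__main__":
    for hit in hunt_logs(SAMPLE_LOG.splitlines()):
        print("LOG  ", *hit)
    for path in hunt_files(make_demo_tree()):
        print("FILE ", path)
```

The legitimate editor POST in the last sample line is deliberately not flagged: the Referer check, not the endpoint alone, is what separates exploitation from normal page editing. A blank Referer on a ToolPane.aspx POST is still worth a second look, but it is not by itself an indicator.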

June Bauer

Pop cultureaholic, Technology expert, Web fanatic and a Social media geek. If you have any questions or comments please feel free to email her at june@thecoinspost.com or contact her on X @JuneTBauer1
