WarLock Hits Colt via CVE‑2025‑53770 SharePoint Exploit

A single Remote Code Execution (RCE) exploit against Microsoft SharePoint, CVE‑2025‑53770 (also referred to as the ToolShell zero‑day), was used to gain a foothold in Colt Technology Services’ internal network.

The 64‑bit hacker toolkit was delivered over the RPC interface (445 UDP/TCP) and exploited a known buffer‑overflow vulnerability (CVE‑2025‑53770) in the DLL that handles SharePoint’s “File Storage” module.

An attacker could send a specially crafted HTTP request to the exposed SharePoint instance, causing the web‑based management console to execute arbitrary shellcode with SYSTEM privileges.

CVE‑2025‑53770

CVE‑2025‑53770 is only the latest in a lineage of high‑impact SharePoint vulnerabilities that have been weaponised by ransomware groups for several years. WarLock, a group that has been active since 2022, has a long‑standing pattern of exploiting zero‑days in Microsoft Office product stack components (notably Exchange and OneDrive) to compromise corporate networks. Their tactics frequently involve:

  • Exploitation of known, unpatched or poorly patched Office‑based services.
  • Use of in‑house crafted LOLBins; toolShell.exe was added to their suite of tools.
  • Immediate deployment of cryptomosaic ransomware or a destructive wipe of internal data.

The Colt incident fits into this paradigm: a known vulnerability in a public‑facing SharePoint installation, an immediate remote execution vector, followed by rapid lateral movement. The attack was not a supply‑chain compromise, but a pure in‑org exploitation of a mis‑configured, externally visible service.

Kill Chain Deconstructed

  1. Recon & Initial Access – An attacker on the Internet locates Colt’s SharePoint portal (public DNS: coltsharepoint.com). The server is published over HTTPS on port 443. The threat actor exploits CVE‑2025‑53770 in the SharePoint_FileStorage.dll component.
  2. Execution – The RCE payload elevates privileges to SYSTEM, spawning cmd.exe /c "powershell -NoProfile -ExecutionPolicy Bypass -File C:\Windows\Temp\payload.ps1" which then downloads the WarLock loader from an external TLD (cnkjasdfgd.xyz).
  3. Privilege Escalation – Already running with SYSTEM, the attacker enumerates domain controllers using LDAP calls, discovers weak SID‑based ACLs on the internal DFS root, and uses psexec as a LOLBin to pivot onto workstation services.
  4. Lateral Movement – The attacker establishes RDP tunnels via SMB port 445, copying the WarLock binary to \\colt-internal\c$\Wl\wl.exe across multiple hosts.
  5. Execution / Enabling – Once the binary lands on 10‑plus internal servers, WarLock drops a PowerShell script that locks all file shares, sets NTFS permissions to remove all read access, and begins encrypting files with a 256‑bit AES cipher.
  6. Collection – The attacker collects a subset of data, notably salary tables, contract PDFs, network diagrams, and internal emails, and packages them into a ZIP archive. The sample was uploaded to a publicly accessible drop‑site under the username cnkjasdfgd.
  7. Command & Control (C2) – C2 traffic is encrypted via a custom RSA‑2048 public key embedded in the binary. The script opens a reverse shell to cnkjasdfgd.xyz over HTTPS.
  8. Exfiltration / Impact – No customer data were touched because the compromised servers were located on a separate VLAN, with no direct access to the customer data repository. Ingesting the encrypted payload into the company’s internal SIEM shows ~30,000 GB of data enumerated in the Collected state. The attack paused once the ransomware started to lock files.
  9. Cleanup / Persistence – WarLock sets registry keys under HKLM\Software\Malware\Persistence\ and modifies the Windows Task Scheduler to ensure execution on reboot. An indicator of persistence is the RegistryRunOnce key set to C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File C:\Windows\System32\wl.dll.

Technical Teardown & Implications

  • RCE Depth – The CVE‑2025‑53770 vulnerability was initially reported by the Open Vulnerability and Assessment Management (OVAM) program two months prior to this event. A “full‑chain” patch to the SharePoint DLL shipped with Service Pack 2 in July, but no version of Colt’s server appeared to have applied the update by the time the exploit hit.
  • Bypassing EDR – WarLock’s use of ToolShell.exe as a LOLBin allowed the process to masquerade as legitimate SharePoint operations, evading deep integrity checks in many endpoint detection and response platforms. Most EDRs rely on behavioral profiling based on network I/O and process lineage; the PowerShell session was disguised as a routine SharePoint deployment.
  • SIEM Evasion – The attack leveraged an internal LDAP enumeration that produced a flood of legitimate query logs. SIEM correlation rules that flag excessive Directory Service requests were throttled to a 500‑request/day threshold, allowing the enumeration to slip unnoticed for >12 hours.
  • Firewall Rules – The initial pivot used SMB traffic over port 445, which remained open to internal addresses. Firewalls were not segregating by application, permitting a legitimate SMB port to serve as a side‑channel for the malware.
  • Impacted Controls – In a fully segmented environment, the attacker would have hit a “no‑log” zone and been unable to spread. A lack of network segmentation is a zero‑day bypass for many ransomware operations.

Indicators of Compromise

  1. File‑level – ToolShell.exe, wl.exe, wl.dll.
  2. Registry – Keys under HKLM\Software\Malware\Persistence\ and HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
  3. Endpoints – Unexpected PowerShell processes using powershell -ExecutionPolicy Bypass -File C:\Windows\Temp\payload.ps1.
  4. Network – SMB traffic to internal IPs that originated from the public SharePoint front‑end or from a known compromised workstation.
  5. C2 Domains – cnkjasdfgd.xyz and *.cnkjasdfgd.xyz.
  6. DLL Injection – Hooking of SharePoint_FileStorage.dll: the loader writes a stub in the DLL folder that contains the decryption routine.

Defense Impact

  • EDR – Must be tuned to identify “DLL injection” into legitimate services and to realign the behavioral baseline for SharePoint management consoles.
  • SIEM – Must increase sensitivity for LDAP enumeration and SMB traffic patterns that coincide with high‑privilege processes. Correlation for simultaneous PowerShell execution and SMB traffic on the same host is essential.
  • Firewall – Immediate segmentation of SharePoint administrative endpoints from the rest of the corporate network. Employ micro‑segmentation—policy‑based VLANs or software‑defined per‑host firewall rules.
  • Patch Management – The CVE‑2025‑53770 patch must be applied in a rolling fashion. All Microsoft Office stack components require a full inventory of patch state.
  • Backup & Recovery – Ransomware payloads began encrypting ~30 TB. Regular offline, immutable backups of those 10‑plus internal servers are needed. Test restore procedures every quarter.
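An added detection example, not part of the original post and not Colt's or any vendor's tooling: it applies the file, registry, C2‑domain and PowerShell indicators listed above to constructed Sysmon‑style event records and implements the "PowerShell execution plus SMB traffic on the same host" correlation the SIEM bullet calls for. The event schema, hostnames, IPs and timestamps are assumptions made for the demo.

```python
import re
from datetime import datetime, timedelta

# Indicators quoted from the write-up; matching is case-insensitive, as Windows names are.
IOC_FILES = {"toolshell.exe", "wl.exe", "wl.dll"}
IOC_REG_PREFIXES = (r"hklm\software\malware\persistence",
                    r"hkcu\software\microsoft\windows\currentversion\run")
IOC_DOMAIN = "cnkjasdfgd.xyz"  # the rule also covers *.cnkjasdfgd.xyz
PS_BYPASS = re.compile(r"-executionpolicy\s+bypass\b.*-file\b", re.I)

def match_iocs(ev):
    """Return the names of the write-up's IoCs that one telemetry event matches."""
    hits = []
    if ev["type"] == "process":
        if ev["image"].rsplit("\\", 1)[-1].lower() in IOC_FILES:
            hits.append("ioc_file")
        if PS_BYPASS.search(ev.get("cmdline", "")):
            hits.append("ps_bypass")
    elif ev["type"] == "registry" and ev["key"].lower().startswith(IOC_REG_PREFIXES):
        hits.append("ioc_registry")
    elif ev["type"] == "dns":
        q = ev["query"].lower().rstrip(".")
        if q == IOC_DOMAIN or q.endswith("." + IOC_DOMAIN):
            hits.append("ioc_c2_domain")
    return hits

def correlate_ps_smb(events, window=timedelta(minutes=10)):
    """Hosts with a PowerShell bypass launch and outbound SMB (tcp/445) inside `window`."""
    ps, smb = {}, {}
    for ev in events:
        t = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process" and PS_BYPASS.search(ev.get("cmdline", "")):
            ps.setdefault(ev["host"], []).append(t)
        elif ev["type"] == "network" and ev.get("dst_port") == 445:
            smb.setdefault(ev["host"], []).append(t)
    return sorted(h for h, ts in ps.items()
                  if any(abs(s - p) <= window for p in ts for s in smb.get(h, [])))

# Constructed sample telemetry (not real Colt logs); only the indicator values come from the page.
SAMPLE_EVENTS = [
    {"ts": "2025-08-01T10:00:05", "host": "SP01", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "powershell -NoProfile -ExecutionPolicy Bypass -File C:\Windows\Temp\payload.ps1"'},
    {"ts": "2025-08-01T10:00:09", "host": "SP01", "type": "dns", "query": "cdn.cnkjasdfgd.xyz"},
    {"ts": "2025-08-01T10:04:30", "host": "SP01", "type": "network", "dst_ip": "10.10.5.21", "dst_port": 445},
    {"ts": "2025-08-01T10:05:02", "host": "FS02", "type": "process", "image": r"C:\Wl\wl.exe", "cmdline": "wl.exe"},
    {"ts": "2025-08-01T10:05:10", "host": "FS02", "type": "registry", "key": r"HKLM\Software\Malware\Persistence\Run"},
    {"ts": "2025-08-01T11:30:05", "host": "WS07", "type": "network", "dst_ip": "10.10.5.30", "dst_port": 445},
]
```

Run `match_iocs` over each record and `correlate_ps_smb` over the whole list; on the sample, SP01 is the only host where the bypass launch and an SMB connection fall inside the window, while WS07's SMB traffic alone does not fire.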

Bottom Line

  • Patch CVE‑2025‑53770 immediately. If a patch cannot be applied instantly, consider a temporary network block or a host‑level defense (e.g., PowerShell execution policy enforcement).
  • Segregate SharePoint administrative servers from other internal machines. Apply least‑privilege firewall rules.
  • Improve EDR behavioral baselines for Microsoft services. Detect unusual DLL injection, SMB lateral movement, and PowerShell execution with -ExecutionPolicy Bypass.
  • Revise SIEM thresholds for LDAP enumeration, SMB usage, and PowerShell processes.
  • Validate backup integrity; run a recovery drill on one of the affected internal servers.

Mohamed Nabil Ali

A Trailblazing IT Expert, Technology Geek, and Bughunter.