Inside The ToolShell Campaign

    Date: 07/31/2025

    Severity: High

    Summary

    We are currently monitoring several threat actors actively targeting on-premises Microsoft SharePoint servers. These attacks use a newly uncovered exploit chain referred to as "ToolShell." The attackers combine two previously patched vulnerabilities (CVE-2025-49704 and CVE-2025-49706) with two newly discovered zero-day variants (CVE-2025-53770 and CVE-2025-53771) to achieve remote code execution. While the known attack involving "spinstall0.aspx" remains a reference point, in-the-wild exploitation is increasing rapidly. This post explores real-world incidents stemming from this ongoing wave of intrusions.

    Indicators of Compromise (IOC) List

    IP Address : 


    Hash : 


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    IP Address :

    dstipaddress IN ("146.70.41.178","185.169.0.111","157.245.126.186","203.160.86.111","165.154.196.91","146.190.224.250","203.160.80.77","159.89.10.213","165.232.162.99","205.198.84.197","159.203.88.182") or srcipaddress IN ("146.70.41.178","185.169.0.111","157.245.126.186","203.160.86.111","165.154.196.91","146.190.224.250","203.160.80.77","159.89.10.213","165.232.162.99","205.198.84.197","159.203.88.182")

    Hash :

    sha256hash IN ("10e01ce96889c7b4366cfa1e7d99759e4e2b6e5dfe378087d9e836b7278abfb6","7e3fff35ef909c556bdf6d9a63f0403718bf09fecf4e03037238176e86cf4e98","0548fad567c22ccf19031671f7ec1f53b735abf93dc11245bc9ea4dfd463fe40","3adbebbc2093615bb9210bfdb8ebb0841c62426bee8820f86ff0a64d15206041")
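    To show what the two queries above actually match, here is an added Python illustration (it is not Gurucul's query engine and not code from the original post): a small evaluator for the `field IN ("v1","v2") or field IN (...)` form used above, run over constructed sample events. It assumes the event field names the queries use (srcipaddress, dstipaddress, sha256hash), uses only two of the listed addresses and one of the listed hashes, and compares hashes case-insensitively because many sources log them in upper case.

```python
import re
from typing import Dict, List, Set

# Clause form used by the TDIR queries above: <field> IN ("v1","v2",...)
# Clauses are assumed to be OR-joined, as in the queries on this page; AND is not handled.
_CLAUSE = re.compile(r'(\w+)\s+IN\s*\(([^)]*)\)', re.IGNORECASE)


def parse_in_query(query: str) -> Dict[str, Set[str]]:
    """Return {field: {values}} for every `field IN (...)` clause in an OR-joined query."""
    clauses: Dict[str, Set[str]] = {}
    for field, values in _CLAUSE.findall(query):
        clauses.setdefault(field.lower(), set()).update(
            v.strip().strip('"') for v in values.split(",") if v.strip())
    return clauses


def matches(event: Dict[str, str], clauses: Dict[str, Set[str]]) -> List[str]:
    """Fields of `event` whose value is in the IOC set (empty list means no hit)."""
    return [f for f, vals in clauses.items()
            if str(event.get(f, "")).lower() in {v.lower() for v in vals}]


def run_detections(events, queries: Dict[str, str]):
    """Return (event index, query name, matched fields) for every hit."""
    hits = []
    for i, ev in enumerate(events):
        for name, q in queries.items():
            fields = matches(ev, parse_in_query(q))
            if fields:
                hits.append((i, name, fields))
    return hits


# Shortened forms of the two queries above: two of the listed IPs, one of the listed hashes.
IP_QUERY = ('dstipaddress IN ("146.70.41.178","185.169.0.111") '
            'or srcipaddress IN ("146.70.41.178","185.169.0.111")')
HASH_QUERY = 'sha256hash IN ("10e01ce96889c7b4366cfa1e7d99759e4e2b6e5dfe378087d9e836b7278abfb6")'

# Constructed sample events (not real telemetry); the third one logs the hash in upper case.
SAMPLE_EVENTS = [
    {"srcipaddress": "10.0.0.5", "dstipaddress": "146.70.41.178", "sha256hash": ""},
    {"srcipaddress": "185.169.0.111", "dstipaddress": "10.0.0.7", "sha256hash": ""},
    {"srcipaddress": "10.0.0.8", "dstipaddress": "10.0.0.9",
     "sha256hash": "10E01CE96889C7B4366CFA1E7D99759E4E2B6E5DFE378087D9E836B7278ABFB6"},
    {"srcipaddress": "10.0.0.8", "dstipaddress": "10.0.0.9", "sha256hash": "deadbeef"},
]

if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS, {"ip_ioc": IP_QUERY, "hash_ioc": HASH_QUERY}):
        print(hit)
```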

    Reference:

    https://www.fortinet.com/blog/threat-research/inside-the-toolshell-campaign


    Tags

    SharePoint, Exploit, ToolShell, Threat Actor, Vulnerability, CVE-2025
