MAR-251132.c1.v1 Exploitation of SharePoint Vulnerabilities of osvmhdfl.dll

    Date: 08/07/2025

    Severity: High

    Summary

    This report tracks ToolShell exploitation activity targeting SharePoint servers, including updated IOCs linked to CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771. Observed threat actors: Linen Typhoon, Violet Typhoon, and Storm-2603.

    Indicators of Compromise (IOC) List

    URL/Domain

    c34718cbb4c6.ngrok-free.app/file.ps1

    IP Address (the full list appears in Detection Query 2 below)


    Hash (SHA-256; the full list appears in Detection Query 3 below)


    User Agents

    Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0

    Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "c34718cbb4c6.ngrok-free.app/file.ps1" or siteurl like "c34718cbb4c6.ngrok-free.app/file.ps1" or url like "c34718cbb4c6.ngrok-free.app/file.ps1"

    Detection Query 2:

    dstipaddress IN ("139.144.199.41","89.46.223.88","104.238.159.149","185.197.248.131","131.226.2.6","64.176.50.109","149.28.124.70","86.48.9.38","96.9.125.147","91.132.95.60","45.77.155.170","149.40.50.15","107.191.58.76","128.199.240.182","212.125.27.102","188.130.206.168","172.174.82.132","103.186.30.186","45.77.155.170","154.223.19.106","206.166.251.228","95.179.158.42","134.199.202.205") or srcipaddress IN ("139.144.199.41","89.46.223.88","104.238.159.149","185.197.248.131","131.226.2.6","64.176.50.109","149.28.124.70","86.48.9.38","96.9.125.147","91.132.95.60","45.77.155.170","149.40.50.15","107.191.58.76","128.199.240.182","212.125.27.102","188.130.206.168","172.174.82.132","103.186.30.186","45.77.155.170","154.223.19.106","206.166.251.228","95.179.158.42","134.199.202.205")

    Detection Query 3:

    sha256hash IN ("92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514","b336f936be13b3d01a8544ea3906193608022b40c28dd8f1f281e361c9b64e93","7baf220eb89f2a216fcb2d0e9aa021b2a10324f0641caf8b7a9088e4e45bec95","4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030","b39c14becb62aeb55df7fd55c814afbb0d659687d947d917512fe67973100b70","fa3a74a6c015c801f5341c02be2cbdfb301c6ed60633d49fc0bc723617741af7","390665bdd93a656f48c463bb6c11a4d45b7d5444bdd1d1f7a5879b0f6f9aac7e","66af332ce5f93ce21d2fe408dffd49d4ae31e364d6802fff97d95ed593ff3082","8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0fb153ffd091612920b0f2","30955794792a7ce045660bb1e1917eef36f1d5865891b8110bf982382b305b27")

    Detection Query 4:

    useragent like "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0" or useragent like "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0"
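    An added example (not part of this advisory or the CISA report) that applies the logic of Detection Queries 1, 2 and 4 to IIS-style W3C log lines in Python. IIS writes spaces inside the cs(User-Agent) field as '+', which is why Query 4 lists both spellings; the check below normalises that encoding before comparing. The field order, the sample log lines and the IP subset are constructed assumptions, and since the user agent is a stock Firefox 120 string a user-agent hit on its own is corroboration, not evidence.

```python
"""Scan IIS-style W3C log lines for the advisory's IOCs (added example, not from the advisory)."""

# Indicators copied from the advisory. IOC_IPS is a subset; extend it from Detection Query 2.
IOC_URL = "c34718cbb4c6.ngrok-free.app/file.ps1"
IOC_IPS = {"107.191.58.76", "104.238.159.149", "45.77.155.170", "154.223.19.106"}
IOC_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) "
                  "Gecko/20100101 Firefox/120.0")

# Assumed W3C field order for the log being scanned (adjust to the #Fields line of a real log).
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "cs(User-Agent)", "cs(Referer)", "sc-status"]

# Constructed sample lines (not real traffic). IIS encodes spaces inside a field as '+'.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs(User-Agent) cs(Referer) sc-status
2025-07-20 10:01:02 10.0.0.5 GET /sites/hr/default.aspx - Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/120.0 - 200
2025-07-20 10:03:14 107.191.58.76 POST /sites/hr/default.aspx - Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200
2025-07-20 10:05:40 10.0.0.9 GET /sites/hr/default.aspx - Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200
2025-07-20 10:07:03 10.0.0.9 GET /sites/hr/default.aspx src=https://c34718cbb4c6.ngrok-free.app/file.ps1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/120.0 - 200
"""

def normalize_user_agent(ua: str) -> str:
    """Undo IIS's '+'-for-space encoding so one comparison covers both forms in Query 4."""
    return ua.replace("+", " ")

def check_record(rec: dict, raw_line: str) -> list:
    """Return the indicator types matched by one record, strongest evidence first."""
    hits = []
    if rec["c-ip"] in IOC_IPS:
        hits.append("ip")
    if IOC_URL in raw_line:            # the URL may sit in a query string, referer or proxy field
        hits.append("url")
    if normalize_user_agent(rec["cs(User-Agent)"]) == IOC_USER_AGENT:
        hits.append("user-agent")      # stock Firefox UA: corroborating signal only
    return hits

def scan_log(text: str) -> list:
    """Return (line_number, hits) for every non-comment line matching at least one IOC."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(FIELDS):
            continue                    # malformed line; skip rather than mis-attribute fields
        hits = check_record(dict(zip(FIELDS, parts)), line)
        if hits:
            findings.append((n, hits))
    return findings
```

    Run `scan_log` over a real log after setting FIELDS from its #Fields header; lines that hit only on user-agent should be triaged against the IP, URL and hash indicators rather than alerted on alone.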

    Reference:

    https://www.cisa.gov/news-events/analysis-reports/ar25-218a

