ToolShell Unleashed: Decoding the SharePoint Attack Chain

    Date: 09/05/2025

    Severity: High

    Summary

    A surge in active exploitation is targeting newly revealed vulnerabilities in Microsoft SharePoint Server (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771). Known collectively as ToolShell, these flaws affect self-hosted versions of SharePoint Server 2016, 2019, and the Subscription Edition, allowing unauthenticated remote code execution and security bypasses. While SharePoint Online (part of Microsoft 365) is not impacted, self-managed SharePoint instances—particularly in sectors like government, healthcare, education, and enterprise—face significant risk. The threat level increased after proof-of-concept (PoC) exploits were publicly released, quickly followed by real-world attacks.

    Indicators of Compromise (IOC) List

    IP Addresses:

    96.9.125.147
    107.191.58.76
    104.238.159.149
    45.77.155.170

    SHA-256 Hashes:

    92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514
    27c45b8ed7b8a7e5fff473b50c24028bd028a9fe8e25e5cea2bf5e676e531014
    8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0fb153ffd091612920b0f2
    b336f936be13b3d01a8544ea3906193608022b40c28dd8f1f281e361c9b64e93

    GET Request:

    /_layouts/15/success.aspx?__VIEWSTATE=<base64_encoded_malicious HTTP/1.1

    HTTP Referer Header:

    /_layouts/SignOut.aspx

    HTTP POST Requests:

    /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx
    /_layouts/16/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx

    PowerShell Encoded Command:

    powershell -EncodedCommand JABiAGEAcwBlADYMABTAHQAcgB.[...redacted….]

    Malicious File Paths:

    C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\spinstall0.aspx
    C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx

    WebShell Filenames:

    spinstall0.aspx
    spinstall1.aspx
    SPInstall0.aspx
    ghostfile346.aspx
    ghostfile399.aspx
    ghostfile807.aspx
    ghostfile972.aspx
    ghostfile913.aspx

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    IP Addresses:

    dstipaddress IN ("104.238.159.149","107.191.58.76","45.77.155.170","96.9.125.147") or srcipaddress IN ("104.238.159.149","107.191.58.76","45.77.155.170","96.9.125.147")

    SHA-256 Hashes:

    sha256hash IN ("b336f936be13b3d01a8544ea3906193608022b40c28dd8f1f281e361c9b64e93","27c45b8ed7b8a7e5fff473b50c24028bd028a9fe8e25e5cea2bf5e676e531014","8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0fb153ffd091612920b0f2","92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514")

    WebShell Filenames:

    resourcename = "Windows Security" and eventtype = "4663" and objectname IN ("spinstall0.aspx","spinstall1.aspx","SPInstall0.aspx","ghostfile346.aspx","ghostfile399.aspx","ghostfile807.aspx","ghostfile972.aspx","ghostfile913.aspx")

    Reference:

    https://www.trellix.com/blogs/research/toolshell-unleashed-decoding-the-sharepoint-attack-chain/
