SharePoint Zero-Day Exploit (ToolShell) - Network Infrastructure Mapping

Introduction

As reported by ISMG, nearly 150 different organizations' on-premises SharePoint servers have been exploited by attackers targeting the zero-day vulnerabilities now tracked as ToolShell. Early attacks have been attributed to China-linked groups, in some cases leading to Warlock ransomware infections.

Resecurity observed in-the-wild exploitation activity as early as July 17, 2025 prior to Microsoft's official advisory. The attackers have been chaining this vulnerability with previously patched flaws, CVE-2025-49704 and CVE-2025-49706, both of which were addressed in the July 8 Patch Tuesday release, with public PoC code emerging by July 14.

In addition to the technical exploitation, Microsoft has attributed the attacks to two named Chinese nation-state actors: Linen Typhoon and Violet Typhoon. Additionally, another Chinese threat actor, Storm-2603, has also been linked to active exploitation. These groups have been targeting internet-exposed SharePoint servers, with confirmed compromises affecting a wide range of sectors including government agencies, critical infrastructure, universities, and private enterprises worldwide.

Leak from MAPP?

A security patch Microsoft released this month failed to fully fix a critical flaw in the U.S. tech giant's SharePoint server software, opening the door to a sweeping global cyber espionage effort. Microsoft is probing whether a leak from its Microsoft Active Protections Program (MAPP)—an early warning system for cybersecurity partners—may have enabled Chinese hackers to exploit unpatched vulnerabilities in its SharePoint server software. Microsoft confirmed that it “continually evaluates the efficacy and security of all of our partner programs and makes the necessary improvements as needed.”

The SharePoint vulnerability first came to light in May when Vietnamese security researcher Dinh Ho Anh Khoa demonstrated it at the Pwn2Own cybersecurity conference in Berlin, organized by Trend Micro’s Zero Day Initiative. Khoa was awarded $100,000, and Microsoft issued an initial patch in July. However, Dustin Childs, head of threat awareness at Trend Micro, said that MAPP partners had been informed of the vulnerability across three waves - June 24, July 3, and July 7. Coincidentally, Microsoft noted the first exploit attempts began on July 7.

Childs suggested the most likely scenario is that “someone in the MAPP program used that information to create the exploits.” While he didn’t name any vendor, he noted the exploit attempts originated mostly from China, making it “reasonable to speculate” the leak came from a company in that region.

The MAPP program, which debuted in 2008, was intended to provide security vendors with advance notice of the technical details of vulnerabilities — and, on occasion, sample proof-of-concept code — so they could better protect their customers. A leaked breach now would fly directly in the face of the program’s mission—empowering defenders, not attackers. Microsoft has not disclosed whether it has identified the source of the leak, but emphasized that any NDA breach would be taken seriously.

Source of Active Exploitation

While the industry was focused on understanding the anatomy of the attack, Resecurity's HUNTER team was investigating the network infrastructure associated with actors exploiting it at a very early stage, leveraging the network passive sensors to collect relevant telemetry to reproduce the origin of this malicious activity. Why is this important? First of all, the notable detail is that the actors successfully abused cloud infrastructure of multiple providers located in different countries—including, but not limited to, the US, Brazil, Germany, India, Hong Kong, Romania, the Netherlands, Taiwan, Japan, Vietnam, and South Korea.

July 17, 2025 - the IP 96.9.125[.]147 was detected as one of the hosts generating exploitation attempts. It is not clear whether this activity could be related to a threat actor or possible security researchers. The situation became clearer when the exploitation shifted to a large-scale operation, involving IP addresses from other regions.

This initial wave involved PowerShell-based payload delivery has been registered by Resecurity around July 18, 2025 (14:54–18:44 GMT) originating from 107.191.58[.]76. The key differentiator what makes this activity different from previous - dropping an actual malicious code, ASP-based web-shell designed for Windows environment. A base64-encoded blob was decoded and written to the SharePoint LAYOUTS directory:

$base64String = [REDACTED]
$destinationFile = "C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx"
$decodedBytes = [System.Convert]::FromBase64String($base64String)
$decodedContent = [System.Text.Encoding]::UTF8.GetString($decodedBytes)
$decodedContent | Set-Content -Path $destinationFile -ErrorAction Stop

The resulting file, spinstall0.aspx, is not a traditional command webshell but rather a reconnaissance and persistence utility:

<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>

This code extracts and prints the host’s MachineKey values, including the ValidationKey, DecryptionKey, and cryptographic mode settings—information critical for attackers seeking to maintain persistent access across load-balanced SharePoint environments or to forge authentication tokens.

What is interesting about this IP?

By the “Constant Company LLC” our investigators interpret the following provider providing cloud infrastructure and GPU for rent:

https://www.constant.com

Constant Company LLC is a parent company of Vultr, which specializes in providing cloud infrastructure services. The company operates and manages Vultr, offering cloud computing, bare metal, and virtual server solutions to developers and businesses worldwide.

Notably, there was identified another cluster of IP addresses involved in active exploitation originating from the same provider few days later - July 21 and July 22. Likely, Chinese threat actors were abusing their cloud infrastructure to blur the origin of the attack.

107.191.58[.]76
The Constant Company, LLC
2025-07-18
IP address exploiting SharePoint vulnerabilities.

64.176.50[.]109
The Constant Company, LLC
2025-07-21
IP address exploiting SharePoint vulnerabilities.

149.28.17[.]188
The Constant Company, LLC
2025-07-22
IP address exploiting SharePoint vulnerabilities.

Roughly 12 hours later, July 19, 2025 (03:06–07:59 GMT), a second wave used nearly identical logic to deliver the same spinstall0.aspx payload originating from 104.238.159[.]149. The key difference was in the PowerShell staging script:

$b = [REDACTED]
$c = "C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS\spinstall0.aspx"
$d = [System.Convert]::FromBase64String($b)
$e = [System.Text.Encoding]::UTF8.GetString($d)
$e | Set-Content -Path $c -ErrorAction Stop
Start-Sleep -s 3

While the encoded payload was marginally different in form, it decoded to the same spinstall0.aspx shell. The change in target directory, from 16\TEMPLATE to 15\TEMPLATE, may reflect testing across different SharePoint versions or environments. Unlike more interactive webshells observed in this campaign, spinstall0.aspx does not support command execution or file upload. Instead, its singular purpose appears to be information gathering, specifically targeting cryptographic secrets that could be reused to forge authentication or session tokens across SharePoint instances. Given the uniqueness and strategic value of the MachineKey data harvested by this shell, we assess this cluster to be part of a broader effort to establish durable access into high-value SharePoint deployments.

The exploitation efforts originated from three different IP addresses – 104.238.159[.]149, 107.191.58[.]76, and 96.9.125[.]147 – one of which was previously tied to the weaponization of security flaws in Ivanti Endpoint Manager Mobile (EPMM) appliances (CVE-2025-4427 and CVE-2025-4428).

Notably, 96.9.125[.]147 was also mapped to a domain name "dynastyjusticecollective.site" registered around the same time the exploitation activity started, July 18:

WHOIS:

Domain Name: DYNASTYJUSTICECOLLECTIVE.SITE
Registry Domain ID: D570923706-CNIC
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: <a href="https://namecheap.com" rel="nofollow">https://namecheap.com</a>
Updated Date: 2025-07-18T06:55:55.0Z
Creation Date: 2025-07-18T06:55:51.0Z
Registry Expiry Date: 2026-07-18T23:59:59.0Z
Registrar: Namecheap
Registrar IANA ID: 1068
Domain Status: serverTransferProhibited <a href="https://icann.org/epp#serverTransferProhibited" rel="nofollow">https://icann.org/epp#serverTransferProhibited</a>
Domain Status: clientTransferProhibited <a href="https://icann.org/epp#clientTransferProhibited" rel="nofollow">https://icann.org/epp#clientTransferProhibited</a>
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
DNSSEC: unsigned
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.9854014545

After that, threat actors moved to a new group of IP addresses:

83.136.182[.]237
Alina Gatsaniuk
2025-07-21
IP address exploiting SharePoint vulnerabilities.

2.56.190[.]139
Alina Gatsaniuk
2025-07-22
IP address exploiting SharePoint vulnerabilities.

Deeper research may show that the network host is associated with the UK-based connectivity, cloud hosting and dedicated servers provider Cloudvider. According to open sources, the name Alina Gatsaniuk was previously associated with NordVPN and its related infrastructure. It is possible that the actors could have leveraged VPN services during active exploitation or rented servers through various third-party providers.

The identified IP is associated with one of such third-party providers with a relatively low-key profile, called Packethub, registered in Panama:

inetnum: 2.56.190.0 - 2.56.190.255
netname: PACKETHUB-20210602-DAL
descr: PACKETHUB-20210602-DAL
country: US
admin-c: AG25975-RIPE
tech-c: AG25975-RIPE
status: ASSIGNED PA
org: ORG-PS433-RIPE
mnt-by: CLOUVIDER-MNT
mnt-lower: CLOUVIDER-MNT
mnt-domains: CLOUVIDER-MNT
mnt-routes: CLOUVIDER-MNT
created: 2021-06-02T07:56:21Z
last-modified: 2021-10-28T10:52:58Z
source: RIPE

organisation: ORG-PS433-RIPE
org-name: Packethub S.A.
descr: Packethub S.A.
org-type: OTHER
address: Packethub S.A., Office 76, Plaza 2000, 50 Street and Marbella, Bella Vista, Panama City, 0823, Republic of Panama
abuse-c: PSAD2-RIPE
mnt-ref: CLOUVIDER-MNT
mnt-by: CLOUVIDER-MNT
created: 2021-10-28T10:46:09Z
last-modified: 2021-10-28T10:46:09Z
source: RIPE # Filtered

person: Alina Gatsaniuk
address: Packethub S.A., Office 76, Plaza 2000, 50 Street and Marbella, Bella Vista, Panama City, 0823, Republic of Panama
phone: +5078336503
nic-hdl: AG25975-RIPE
mnt-by: CLOUVIDER-MNT
created: 2021-10-28T10:49:40Z
last-modified: 2021-10-28T10:49:40Z
source: RIPE # Filtered

% Information related to '2.56.190.0/24AS62240'

route: 2.56.190.0/24
descr: Clouvider Limited
descr: DDOS mitigation route
origin: AS62240
mnt-by: CLOUVIDER-MNT
created: 2019-03-15T14:38:18Z
last-modified: 2019-03-15T14:38:18Z
source: RIPE

It is possible NordVPN utilizes PacketHub's infrastructure, including their IP addresses, for some of its servers. This means that when you connect to certain NordVPN servers, your traffic might appear to be coming from PacketHub. Multiple network intelligence and IP reputation databases flag PacketHub's IP addresses as associated with NordVPN. Resecurity does not interpret NordVPN or Packethub as being involved in malicious cyber activity, but indicates that their infrastructure or services were likely abused by attackers.

Another popular cloud provider - DigitalOcean - has been abused during active exploitation. This IP had previously several domain names mapped to it, primarily associated with Indian businesses and personas. It is possible that threat actors abused it, compromised the host, or registered their own VPS to conduct scanning.

139.59.11[.]66
2025-07-21
IP address exploiting SharePoint vulnerabilities

45.191.66[.]77
2025-07-21
IP address exploiting SharePoint vulnerabilities

45.191.66[.]77 - viaclip.com.br is associated with VIACLIP INTERNET E TELECOMUNICAÇÕES LTDA, a Brazilian company that operates as an internet service provider (ISP) and telecommunications business. The company manages a small BGP (Border Gateway Protocol) network and provides internet and telecom services in Brazil.

Other scanning IP addresses, including hosts from Europe and even Asia-Pacific, allowed bad actors to obscure the origin of the attack. Such tactics are expected when Chinese actors abuse the telecommunication infrastructure of other countries and conduct malicious cyber activities from third parties.

Due to the specifics of cloud services, the geographical resolution of this activity may be fuzzy, as different providers registered in one jurisdiction may have multiple rented or leased networks in other locations, which can lead to misinterpretation of the sources of attacks.

For example, some of the identified hosts used by attackers appeared to originate from Japan, but in fact, they were tied to a US-based cloud service provider.

64.176.50[.]109
2025-07-21
IP address exploiting SharePoint vulnerabilities

149.28.17[.]188
2025-07-22
IP address exploiting SharePoint vulnerabilities

162.248.74[.]92
2025-07-21
IP address exploiting SharePoint vulnerabilities

It is possible that Chinese actors aimed to leverage infrastructure that would not indicate that the exploitation is originating from China. That is why they were using several cloud providers outside of China with a global footprint.

38.54.106[.]11
2025-07-21
IP address exploiting SharePoint vulnerabilities

206.166.251[.]228
2025-07-21
IP address exploiting SharePoint vulnerabilities

The web-site of this operator states: "BL Networks provides IP addresses and related services to internet companies. BL Networks may not necessarily be the direct operator of any equipment and/or service currently or historically using a given IP address".

45.77.155[.]170
2025-07-21
IP address exploiting SharePoint vulnerabilities

173.239.247.32
2025-07-22
IP address exploiting SharePoint vulnerabilities

173.239.247[.]32 - In fact, the IP is tied to LogicWeb Inc., operating out of the US. The AS network associated with it is related to Australia-based AS137409 GSL Networks Pty Ltd, also known as Global Secure Layer (GSL), which specializes in IP transit services and offers DDoS protection. According to available network intelligence and IP reputation data, the IP may be associated with a CyberGhost VPN server, which could be used by cybercriminals for anonymization. It is common for VPN services to rent cloud and dedicated servers from third parties; in this case, this may lead to a mistaken assumption that the attack is somehow connected to Vietnam due to fuzzy geographical resolution.

109.105.193[.]76
2025-07-22
IP address exploiting SharePoint vulnerabilities

109.105.193[.]76 - another good example of fuzzy resolution is that the IP address information indicates the host could be managed by a company based in Bosnia (Team Consulting d.o.o. Sarajevo).

In fact, this IP block is tied to Haruka Hosting Ltd, associated with Cenuta Dedicated Servers IP subnets (109.105.193.0/24). According to Resecurity, "Haruka Hosting Ltd" is identified as a little-known cloud provider with a legal entity in the UK registered under the name GAO, Lingyu (Chinese national).

https://haruka.cloud

124.56.42[.]75
2025-07-22
IP address exploiting SharePoint vulnerabilities

124.56.42[.]75 - the host is tied to "Xpeed" in South Korea, an internet service offered by LG POWERCOMM, a South Korean company. Specifically, LG POWERCOMM enhanced its "Xpeed Optic LAN" service, upgrading internet lines in apartment complexes from 100 Mbps to 1 Gbps.

141.164.60[.]10
2025-07-22
IP address exploiting SharePoint vulnerabilities

Resecurity analyzed the exploitation activity over time and mapped it based on the sources involved, considering geography and ISPs. This analysis reveals certain patterns, with a dominance of abused cloud service providers:

Abuse of Telecommunication Providers and Cloud Services

There is substantial evidence that Chinese cyber threat actors, including both state-sponsored groups and cybercriminals, have actively targeted and abused US-based and foreign telecommunication providers. One of the most prominent examples is the group known as Salt Typhoon (also referred to as RedMike), which has been implicated in a series of sophisticated cyberattacks against US telecom infrastructure.

Salt Typhoon’s Campaigns: Salt Typhoon has exploited vulnerabilities in Cisco edge devices (notably CVE-2023-20198 and CVE-2023-20273) to gain unauthorized access to telecom networks. These attacks have affected at least eight US telecom firms, allowing the hackers to access private communications, including texts and phone conversations of senior US government officials and political figures. The breaches have been described as some of the most egregious national security breaches by a nation-state hacking group in US history.

Exploitation of Lawful Intercept Systems: Salt Typhoon has also managed to access lawful intercept systems used by US internet service providers, which are designed to accommodate law enforcement requests. This access enabled the group to intercept private communications, further raising national security concerns.

Broader Campaigns: Chinese state-sponsored groups have a history of targeting managed service providers (MSPs) and telecommunications service providers (TSPs) to gain access to sensitive information, as seen in campaigns like Operation Cloud Hopper.

In the exploitation campaign collectively referred to as "ToolShell" (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771), Chinese actors were also actively leveraging foreign telecommunication infrastructure through the abuse and misuse of cloud services, resellers of virtual and dedicated servers, and hosting providers. The industry should accelerate the implementation of enhanced KYC procedures to detect suspicious customers who may be linked to nation-state actors originating from China.

Exploitation Patterns Observed

Payload sizes typically 7000-8000+ bytes
URL-encoded compressed data in CompressedDataTable parameter
Specific User-Agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0)
Content-Type: application/x-www-form-urlencoded
Connection: close header often present
Base64-encoded serialized .NET objects in payload
Response contains machine keys in pipe-delimited format
Secondary requests to deployed spinstall0.aspx files

SharePoint ULS Logs

Monitor SharePoint Unified Logging Service (ULS) logs for:

Category: SharePoint Foundation Web Controls
Level: Unexpected, Error, Critical
Keywords: "ToolPane", "ExcelDataSet", "Deserialization"
Process: w3wp.exe

Key indicators in ULS logs:

Unexpected exceptions in ToolPane.aspx processing
Deserialization errors in Microsoft.PerformancePoint components
Memory corruption or process crashes in w3wp.exe

IIS Access Logs

Monitor IIS logs for exploitation patterns:

# Log analysis queries (replace with your SIEM syntax)
cs-method="POST" AND cs-uri-stem="/_layouts/15/ToolPane.aspx"
cs-method="POST" AND cs-uri-query="DisplayMode=Edit&a=/ToolPane.aspx"
cs-bytes > 7000 (typical exploit payload size)
cs(User-Agent)="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"
cs(Referer)="/_layouts/SignOut.aspx"
sc-status=200 AND time-taken > 5000 (slow processing indicating deserialization)

Specific IOCs from real attacks:

POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx
Content-Length: 7699
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Referer: /_layouts/SignOut.aspx
Body contains: MSOTlPn_Uri=http%3A%2F%2F[domain]%2F_controltemplates%2F15%2FAclEditor.ascx
Body contains: CompressedDataTable%3D%22H4sIAAAAAAAEANVa23LbSJLt3stEzMzu0%2F6AQs%2B2BJCiu%2BWQ

Network Traffic Analysis

Monitor network traffic for:

Unusual POST request sizes to SharePoint servers
Repeated requests to ToolPane.aspx from single sources
Base64 encoded payloads in HTTP POST bodies
Non-browser User-Agent strings targeting SharePoint

Windows Event Logs

Monitor Windows Event Logs on SharePoint servers:

Event Log: Application
Source: ASP.NET, SharePoint Foundation
Event IDs: 1309, 1310 (application errors)
Event Log: System
Source: Application Error
Process: w3wp.exe crashes

SIEM Detection Rules

Splunk Detection Query:

index=iis source="*iis*"
| search cs_method="POST" cs_uri_stem="/_layouts/15/ToolPane.aspx" cs_uri_query="DisplayMode=Edit&a=/ToolPane.aspx"
| eval payload_size=tonumber(cs_bytes)
| where payload_size > 7000
| search cs_User_Agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"
| stats count by src_ip, cs_uri_stem, payload_size
| sort -payload_size

Enhanced Detection for Real Attacks

index=iis
| search cs_method="POST" AND cs_uri_stem="/_layouts/15/ToolPane.aspx"
| where cs_bytes > 7000 AND cs_bytes < 10000
| search cs_Referer="/_layouts/SignOut.aspx"
| eval attack_pattern=if(like(cs_User_Agent, "%Windows NT 10.0; Win64; x64; rv:120.0%"), "CVE-2025-53770", "Other")
| where attack_pattern="CVE-2025-53770"
| table _time, src_ip, cs_uri_query, cs_bytes, sc_status

Elastic/Kibana Query

{
  "query": {
    "bool": {
      "must": [
        {"term": {"http.request.method": "POST"}},
        {"term": {"url.path": "/_layouts/15/ToolPane.aspx"}},
        {"term": {"url.query": "DisplayMode=Edit&a=/ToolPane.aspx"}},
        {"range": {"http.request.bytes": {"gte": 7000, "lte": 10000}}},
        {"term": {"user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"}},
        {"term": {"http.request.referrer": "/_layouts/SignOut.aspx"}}
      ]
    }
  }
}

Sigma Rule for CVE-2025-53770

title: CVE-2025-53770 SharePoint ExcelDataSet Exploitation
id: cve-2025-53770-sharepoint-exploit
description: Detects exploitation attempts of CVE-2025-53770 SharePoint deserialization vulnerability
references:
    - <a href="https://github.com/your-repo/CVE-2025-53770-Scanner" rel="nofollow">https://github.com/your-repo/CVE-2025-53770-Scanner</a>
author: Security Team
date: 2025/07/21
logsource:
    category: webserver
    product: iis
detection:
    selection:
        cs-method: 'POST'
        cs-uri-stem: '/_layouts/15/ToolPane.aspx'
        cs-uri-query: 'DisplayMode=Edit&a=/ToolPane.aspx'
        cs-bytes:
            - gte: 7000
            - lte: 10000
        cs-User-Agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0'
        cs-Referer: '/_layouts/SignOut.aspx'
    condition: selection
falsepositives:
    - Legitimate SharePoint administrative activities
level: high
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2025.53770

References

- SharePoint Zero-Days Exploited to Unleash Warlock Ransomware
https://www.databreachtoday.com/sharepoint-zero-days-exploited-to-unleash-warlock-ransomware-a-29073...

- Disrupting active exploitation of on-premises SharePoint vulnerabilities
https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premis...

- UPDATE: Microsoft Releases Guidance on Exploitation of SharePoint Vulnerabilities
https://www.cisa.gov/news-events/alerts/2025/07/20/update-microsoft-releases-guidance-exploitation-s...

Disclaimer

All third-party product names, logos, and brands mentioned in this publication are the property of their respective owners and are for identification purposes only. Use of these names, logos, and brands does not imply affiliation, endorsement, sponsorship, or association with the third-party.