A critical threat is actively targeting on-premise Microsoft SharePoint Servers, and at Thauronix, we believe immediate awareness and action are paramount. A series of vulnerabilities, collectively named “ToolShell”, are being exploited by threat actors to achieve unauthenticated remote code execution (RCE).
This isn’t a minor bug; it’s a direct gateway into your network. A successful exploit grants attackers full control over the SharePoint server, enabling them to steal sensitive corporate data, deploy persistent backdoors, and pivot to attack the rest of your internal infrastructure.
This post provides a technical breakdown of the ToolShell attack chain, the post-exploitation playbook we’ve observed, and the critical steps you must take to defend your organization.
The Attack Vector: How ToolShell Works
The core of the ToolShell exploit chain is a set of vulnerabilities, an authentication bypass (CVE-2025-53771) chained with an unsafe deserialization flaw (CVE-2025-53770), plus related issues, which together let an attacker reach code execution without presenting any credentials. The attack typically begins with a specially crafted POST request sent to the /_layouts/15/ToolPane.aspx endpoint.
Upon successful exploitation, the threat actor gains the ability to execute code on the server with the privileges of the IIS worker process (w3wp.exe), that is, the SharePoint application pool identity. This is the initial foothold they need to begin their real mission.
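The request pattern described above can be hunted for directly in IIS W3C logs. The Python script below is an added example written for this post, not Thauronix tooling or anything recovered from the campaign. It reads the #Fields header so columns are mapped by name rather than by position, flags POST requests to ToolPane.aspx, escalates when the request is unauthenticated or carries a Referer of /_layouts/SignOut.aspx (a heuristic from public ToolShell reporting, not from this post), and flags requests for the webshell filenames this post names in Stage 1. The log records are constructed; the hostname sp.example.test and all addresses are placeholders.

```python
"""Hunt IIS W3C logs for ToolShell-style requests (added example, not the post's own tooling)."""
from collections import Counter

# Webshell filenames reported in this post. Any request for them under /_layouts/ is suspicious.
WEBSHELL_NAMES = {"spinstall.aspx", "info.aspx", "debug_dev.js"}
TOOLPANE = "/_layouts/15/toolpane.aspx"

# Constructed sample log (not a real capture). The hostname and IPs are placeholders.
# IIS writes one space-separated record per line and encodes spaces inside a field as '+',
# so splitting on whitespace is safe once the #Fields header has been read.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 01:02:03 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\alice 10.0.0.44 Mozilla/5.0 - 200
2025-07-19 01:02:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 200
2025-07-19 01:02:15 10.0.0.5 GET /_layouts/15/spinstall.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-19 01:03:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.0.51 Mozilla/5.0 https://sp.example.test/sites/hr/default.aspx 200
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the most recent #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split()
        # Skip records whose width does not match the header rather than mis-map columns.
        if fields is None or len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def score_record(rec):
    """Return a finding for a suspicious record, or None."""
    stem = rec.get("cs-uri-stem", "").lower()
    method = rec.get("cs-method", "").upper()
    referer = rec.get("cs(Referer)", "-").lower()
    user = rec.get("cs-username", "-")
    name = stem.rsplit("/", 1)[-1]
    reasons = []
    if method == "POST" and stem.endswith(TOOLPANE):
        reasons.append("POST to ToolPane.aspx")
        if user == "-":
            reasons.append("unauthenticated")  # authenticated editors legitimately use ToolPane
        if "/_layouts/signout.aspx" in referer:
            # Referer heuristic from public ToolShell reporting, not from this post.
            reasons.append("SignOut.aspx referer")
    if "/_layouts/" in stem and name in WEBSHELL_NAMES:
        reasons.append("request for known webshell name " + name)
    if not reasons:
        return None
    severity = "high" if len(reasons) >= 2 or name in WEBSHELL_NAMES else "review"
    return {
        "time": rec.get("date", "?") + " " + rec.get("time", "?"),
        "client": rec.get("c-ip", "?"),
        "severity": severity,
        "reasons": reasons,
    }


def hunt(text):
    """All findings from a log, in log order."""
    return [f for f in (score_record(r) for r in parse_w3c(text)) if f]


def clients_to_review(findings):
    """Count findings per client address so the noisiest sources surface first."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["severity"].upper(), f["time"], f["client"], "; ".join(f["reasons"]))
    print(clients_to_review(hunt(SAMPLE_LOG)).most_common())
```

Authenticated users do POST to ToolPane.aspx during normal page editing, so an authenticated hit on its own is only queued for review; an unauthenticated POST, or any request for one of the webshell names, is what should page someone. Point the script at the real log directory (C:\inetpub\logs\LogFiles by default) and keep the #Fields handling, because field order differs between servers.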
The Attacker’s Playbook: From Foothold to Domain Control
Once inside, the attackers follow a sophisticated, multi-stage playbook designed for stealth, persistence, and deep network compromise.
Stage 1: Establishing Persistence
The first priority for the attacker is ensuring their access survives a server reboot or even patching.
- Webshell Deployment: Attackers immediately drop webshells, malicious scripts that provide a persistent backdoor. We’ve observed filenames like spinstall.aspx, info.aspx, and debug_dev.js in compromised directories.
- ASP.NET MachineKey Theft: This is the most critical persistence technique. Attackers steal the server’s unique ValidationKey and DecryptionKey. With these keys, they can forge validly signed __VIEWSTATE payloads that the server accepts and deserializes. This allows them to maintain access and execute commands even if the original vulnerability is patched and all webshells are deleted, for as long as the stolen keys remain in use.
Stage 2: Deploying the Arsenal
With persistence secured, the attackers deploy a variety of advanced payloads, often loaded reflectively (in-memory) to avoid detection by traditional antivirus products.
- Godzilla Webshell: A powerful, full-featured webshell that provides a stable command-and-control (C2) channel for file transfers and remote administration.
- Information Gathering Modules: Custom tools are used to enumerate the server’s configuration, including OS version, network interfaces, running processes, and disk information. This data is often AES-encrypted and Base64-encoded before being sent back to the attacker.
- Remote Execution Payloads: These modules allow the attacker to pass commands directly to cmd.exe and receive the output, giving them an interactive shell on the victim server.
- AsmLoader “ShellcodeLoader”: This payload allows the attacker to execute shellcode directly within the IIS worker process or inject it into another process. This is a common technique for running malware like Cobalt Strike beacons or custom reverse proxies in memory.
Stage 3: Reconnaissance and Privilege Escalation
The attackers conduct extensive reconnaissance to map the environment and escalate their privileges. Common commands include:
- whoami /all
- ipconfig
- netstat -an
- quser
- tasklist /svc
- net localgroup administrators
- net group "domain admins" /do
These are frequently chained with & into a single cmd.exe invocation so that one request returns all of the output at once (/do is an accepted abbreviation of /domain).
After mapping the system, they use privilege escalation tools like BadPotato to gain SYSTEM-level privileges. Their first action is often to create a new local administrator account to solidify their control.
Stage 4: Lateral Movement and Defense Evasion
The ultimate goal is to move beyond the SharePoint server and compromise the entire domain.
- Disabling Security Tools: We have observed attackers installing the Huorong security solution. While a legitimate tool, it is frequently used by threat actors to kill or impair the functionality of existing EDR and AV products on the server.
- Reverse Tunneling: The FRP (Fast Reverse Proxy) tool is injected into a legitimate process like rundll32.exe. This creates a covert, encrypted tunnel out of the network, allowing the attacker to RDP back into the compromised server and pivot to other internal systems.
- Active Directory Recon: Sysinternals’ ADExplorer.exe is used to query and map the Active Directory structure, identifying high-value targets like domain controllers and administrator accounts.
Attribution and Threat Actor Profile
While definitive attribution is difficult, the tactics, techniques, and procedures (TTPs) strongly suggest a Chinese-nexus threat actor. The use of tools like the Godzilla webshell and FRP, combined with code and techniques discussed on Chinese-language hacking forums, points towards a sophisticated, likely state-sponsored group.
Thauronix Recommendations: How to Protect Your Network
Immediate and decisive action is required.
- Patch Immediately: Apply the security updates released by Microsoft for all on-premise SharePoint Servers. This is the first and most critical step.
- Hunt for Indicators of Compromise (IOCs): Use the indicators described above (webshell filenames, the tools and recon commands in the playbook) to search your logs (web server, firewall, EDR) and file systems for any signs of compromise. Pay close attention to unexpected child processes spawning from w3wp.exe.
- Assume Compromise: If you are running an unpatched, internet-facing on-premise SharePoint server, you should assume it has been compromised. Initiate your incident response plan. Isolate the server, preserve evidence, and perform a full remediation.
- Strengthen Defenses: Implement robust EDR monitoring, enforce network segmentation to prevent lateral movement from your web-facing servers, and review administrator accounts for any unauthorized additions.
- Review MachineKeys: If you have the capability, check the web.config file for the machineKey section. If you suspect a compromise, these keys must be regenerated after the system is fully cleaned and patched, and IIS restarted so the new keys take effect; patching alone does not invalidate __VIEWSTATE payloads forged with stolen keys.
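The Stage 3 reconnaissance commands and the advice above to watch for child processes of w3wp.exe can be combined into one hunt over process-creation telemetry. The Python below is an added example written for this post, not Thauronix tooling or anything recovered from the campaign. It walks each process's parent chain so that whoami.exe started through cmd.exe is still attributed to w3wp.exe, then grades each descendant by whether its command line matches the recon commands, the local-administrator creation, or the rundll32.exe injection host named in this post. The events are constructed placeholders in the shape of Sysmon Event ID 1 records; PIDs, account names and paths are invented.

```python
"""Hunt process-creation events for post-exploitation rooted in w3wp.exe (added example)."""
import re

# Recon commands listed under Stage 3 of this post.
RECON_PATTERNS = [
    r"\bwhoami\b", r"\bipconfig\b", r"\bnetstat\b", r"\bquser\b", r"\btasklist\b",
    r"\bnet\s+localgroup\s+administrators\b", r'\bnet\s+group\s+"?domain admins"?',
]
# Local administrator creation, the first action described after privilege escalation.
PERSISTENCE_PATTERNS = [
    r"\bnet\s+user\s+\S+\s+\S+\s+/add\b",
    r"\bnet\s+localgroup\s+administrators\s+\S+\s+/add\b",
]
# Processes the post names as hosts for injected tooling (FRP inside rundll32.exe).
INJECTION_HOSTS = {"rundll32.exe"}

# Constructed events in the shape of Sysmon Event ID 1 / EDR process-start records.
# PIDs, account names and paths are placeholders, not data from a real host.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 800, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": "w3wp.exe -ap SharePoint80"},
    {"pid": 5200, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami /all"},
    {"pid": 5210, "ppid": 5200, "image": r"C:\Windows\System32\whoami.exe",
     "cmdline": "whoami /all"},
    {"pid": 5300, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c net user svc_backup P@ss /add && net localgroup administrators svc_backup /add"},
    {"pid": 5400, "ppid": 4100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe"},
    {"pid": 5500, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\inetpub"},
    {"pid": 7000, "ppid": 1000, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 6000, "ppid": 7000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File backup.ps1"},
]


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rooted_in_w3wp(event, by_pid, max_depth=16):
    """True if w3wp.exe appears anywhere in the parent chain. Depth-limited so that
    PID reuse producing a cycle in the map cannot loop forever."""
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            return False
        if basename(parent["image"]) == "w3wp.exe":
            return True
        cur = parent
    return False


def matches_any(patterns, text):
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)


def hunt(events):
    """One finding per process that descends from w3wp.exe, graded by what it ran."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = basename(e["image"])
        if image == "w3wp.exe" or not rooted_in_w3wp(e, by_pid):
            continue
        reasons = ["descendant of w3wp.exe"]
        cmd = e.get("cmdline", "")
        if matches_any(RECON_PATTERNS, cmd):
            reasons.append("recon command")
        if matches_any(PERSISTENCE_PATTERNS, cmd):
            reasons.append("local admin creation")
        if image in INJECTION_HOSTS:
            reasons.append("possible injection host")
        findings.append({
            "pid": e["pid"], "image": image,
            "severity": "high" if len(reasons) > 1 else "review",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["pid"], f["image"], "; ".join(f["reasons"]))
```

On a SharePoint server any descendant of w3wp.exe deserves a look; the grading only orders the queue. To run it against real data, map your Sysmon or EDR export onto the pid, ppid, image and cmdline keys, and be aware that a PID map built from a long export can be polluted by PID reuse, which is why the ancestry walk is depth-limited rather than recursive.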
This campaign is a stark reminder that a single unpatched system can unravel an entire organization’s security. At Thauronix, we provide the threat intelligence and incident response expertise to help you navigate complex threats like ToolShell. Contact us for assistance in securing your environment.