
Ransomware Groups Collaborate in Attacks on Microsoft SharePoint Servers for Enhanced SEO Visibility.

Ransomware gangs have recently intensified their attacks targeting a Microsoft SharePoint vulnerability chain, contributing to a broader exploitation campaign that has compromised at least 148 organisations globally. Security researchers at Palo Alto Networks’ Unit 42 identified a new ransomware variant named 4L4MD4R, which is based on open-source Mauri870 code. The ransomware was detected on July 27, following the discovery of a malware loader that downloads and executes it from the domain theinnovationfactory[.]it (145.239.97[.]206). The loader was uncovered after a failed exploitation attempt, which revealed malicious PowerShell commands intended to disable security monitoring on the affected device. Analysis of the 4L4MD4R payload indicated that it is UPX-packed and written in Go. Upon execution, the ransomware decrypts an AES-encrypted payload in memory, allocates memory to load the decrypted PE file, and creates a new thread to execute it. 4L4MD4R encrypts files on the compromised system and demands a ransom of 0.005 Bitcoin, dropping ransom notes and lists of the encrypted files on infected systems.
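The write-up quotes the loader's download source in defanged form (theinnovationfactory[.]it and 145.239.97[.]206). The following added example, which is not from the article or from Unit 42, shows how a SOC would refang those two indicators and sweep them across DNS and proxy logs; the log lines and their "timestamp host action target" layout are constructed for the example, and the indicators are matched as whole host tokens so that a look-alike domain that merely contains the string is not counted as a hit.

```python
"""
Added example (not from the original article): refang the defanged network
indicators quoted in the write-up and match them against constructed DNS/proxy
log lines. Domain indicators also cover their subdomains; IP indicators must
match exactly.
"""
import re
from urllib.parse import urlsplit

# Indicators exactly as quoted (defanged) in the article.
DEFANGED_IOCS = [
    "theinnovationfactory[.]it",
    "145.239.97[.]206",
]

# Constructed sample log lines (assumed "timestamp host action target" layout).
# Line 4 is a deliberate look-alike that must NOT match.
SAMPLE_LOG = """\
2025-07-27T10:14:02Z sp-web01 dns-query theinnovationfactory.it
2025-07-27T10:14:03Z sp-web01 http-get http://145.239.97.206/payload
2025-07-27T10:15:00Z sp-web02 dns-query login.microsoftonline.com
2025-07-27T10:16:11Z sp-web02 http-get https://www.theinnovationfactory.it.example.net/
"""

IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def refang(indicator: str) -> str:
    """Undo common defanging conventions: [.] (.) {.} -> '.', hxxp -> http."""
    s = indicator.strip()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", s)
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.lower()


def host_of(token: str) -> str:
    """Reduce a log token to a bare host: URLs yield their hostname, else the token itself."""
    if "://" in token:
        return (urlsplit(token).hostname or "").lower()
    return token.lower().rstrip("./")


def is_hit(host: str, ioc: str) -> bool:
    """A host matches a domain IoC exactly or as a subdomain; an IP IoC only exactly."""
    if host == ioc:
        return True
    if IPV4_RE.fullmatch(ioc):
        return False
    return host.endswith("." + ioc)


def matched_ioc(line: str, iocs):
    """Return the first refanged IoC that some host token on the line matches, else None."""
    for token in line.split():
        host = host_of(token)
        for ioc in iocs:
            if is_hit(host, ioc):
                return ioc
    return None


def scan_log(log_text: str, defanged=DEFANGED_IOCS):
    """Return (line_number, ioc, line) for every log line that touches an indicator."""
    iocs = [refang(i) for i in defanged]
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        ioc = matched_ioc(line, iocs)
        if ioc is not None:
            hits.append((lineno, ioc, line))
    return hits


if __name__ == "__main__":
    for lineno, ioc, line in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {ioc} <- {line}")
```

Refanging before matching matters because indicators are almost always published defanged, and a hit on line 4 would be a false positive: the look-alike host ends in `.example.net`, not in `.theinnovationfactory.it`, so the suffix check rejects it while still catching real subdomains of the indicator.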

Microsoft and Google have linked the ToolShell attacks to Chinese threat actors, with Microsoft identifying three state-backed hacking groups: Linen Typhoon, Violet Typhoon, and Storm-2603. Numerous high-profile targets have been compromised in this ongoing campaign, including the U.S. National Nuclear Security Administration, the Department of Education, Florida’s Department of Revenue, the Rhode Island General Assembly, and various government networks in Europe and the Middle East. Microsoft has observed Linen Typhoon and Violet Typhoon exploiting these vulnerabilities against internet-facing SharePoint servers, and another China-based threat actor, tracked as Storm-2603, has also been exploiting them. Investigations into other actors using these exploits are still ongoing.

Dutch cybersecurity firm Eye Security first detected ToolShell exploitation targeting CVE-2025-49706 and CVE-2025-49704 in zero-day attacks, initially identifying 54 compromised organisations, including government entities and multinational companies. Check Point Research later revealed signs of exploitation dating back to July 7, affecting government, telecommunications, and technology organisations across North America and Western Europe. Microsoft has since patched the two flaws with the July 2025 Patch Tuesday updates and assigned two new CVE IDs (CVE-2025-53770 and CVE-2025-53771) for the zero-days exploited to compromise fully patched SharePoint servers. Eye Security Chief Technology Officer Piet Kerkhofs has indicated that the actual scope of the attacks extends far beyond initial estimates, with the firm’s data suggesting a much larger impact.
