Echoes in the Shell: Legacy Tooling Behind Ongoing SharePoint 'ToolShell' Exploitation
Essential information
- Published
- 11/08/2025 15:44
- Modified
- 11/08/2025 16:12
- Tags
- 2025-08-11 CVE-2025-49704 CVE-2025-49706 CVE-2025-53770 CVE-2025-53771 antsword china chopper requestrepo sharepoint toolshell valleyrat
- Related entities
- 5 vulnerabilities (cve), 1 observables, 1 intrusion sets (apt), 3 malware, 1 others
Description
Chinese nation-state actors are exploiting vulnerabilities in Microsoft SharePoint on-premises infrastructure. The attacks chain together multiple recently disclosed vulnerabilities, collectively known as 'ToolShell', to perform unauthenticated code execution, extract cryptographic keys, and deploy web shells. The threat actors demonstrate high proficiency in abusing SharePoint's internal mechanisms, using techniques such as authentication bypass, deployment of malicious ASP.NET pages, and exploitation of deserialization flaws. Post-exploitation activities include reconnaissance, credential harvesting, and establishment of command and control channels. The attackers employ tools like China Chopper and AntSword web shells, and abuse legitimate services like RequestRepo for data exfiltration. While definitive attribution remains inconclusive, there are overlaps with previously observed Chinese APT group activities.