
Echoes in the Shell: Legacy Tooling Behind Ongoing SharePoint 'ToolShell' Exploitation

Published 11/08/2025 15:44 · Modified 11/08/2025 16:12

Essential information

Published
11/08/2025 15:44
Modified
11/08/2025 16:12
Tags
2025-08-11 CVE-2025-49704 CVE-2025-49706 CVE-2025-53770 CVE-2025-53771 antsword china chopper requestrepo sharepoint toolshell valleyrat
Related entities
5 vulnerabilities (cve), 1 observables, 1 intrusion sets (apt), 3 malware, 1 others

Description

Chinese nation-state actors are exploiting vulnerabilities in Microsoft on-premises infrastructure. The attacks chain together multiple recently disclosed vulnerabilities, collectively known as '', to perform unauthenticated code execution, extract cryptographic keys, and deploy web shells. The threat actors demonstrate high proficiency in abusing 's internal mechanisms, using techniques such as authentication bypass, deployment of malicious ASP.NET pages, and exploitation of deserialization flaws. Post-exploitation activities include reconnaissance, credential harvesting, and establishment of command and control channels. The attackers employ tools like and web shells, and abuse legitimate services like for data exfiltration. While definitive attribution remains inconclusive, there are overlaps with previously observed Chinese APT group activities.

External references