ToolShell

ToolShell is the name used for an exploit chain targeting on-premises Microsoft SharePoint Server, and in some reporting it is also described as being named after a custom remote access trojan/webshell used in the campaign. The activity targets internet-facing on-prem SharePoint Server 2016, 2019, and Subscription Edition systems and enables unauthenticated or authentication-bypass-assisted remote code execution through chained SharePoint vulnerabilities including CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771. Microsoft, CISA, CrowdStrike, Cisco, and other reporting cited in the content associate ToolShell exploitation with China-linked actors Linen Typhoon, Violet Typhoon, and Storm-2603; Storm-2603 is additionally linked to ransomware deployment including WarLock/Warlock, LockBit Black/X2anylock, and related financially motivated follow-on activity.

Observed ToolShell tradecraft includes POST requests to SharePoint ToolPane endpoints such as /_layouts/15/ToolPane.aspx and /_layouts/16/ToolPane.aspx, abuse of the MSOtlPn_DWP parameter and CompressedDataTable payloads, deserialization-based code execution, and deployment of malicious ASPX files including spinstall0.aspx, spinstallb.aspx, spinstallp.aspx, and info3.aspx. Reported payloads and artifacts include Base64-encoded .NET DLLs such as bjcloiyq.dll, osvmhdfl.dll, and jlaneafi.dll. These components were used to extract ASP.NET/SharePoint MachineKey material, gather host and environment information, write additional webshells into SharePoint layouts directories, execute commands via cmd.exe or powershell.exe, and support file upload. Multiple reports state that attackers stole MachineKey values including ValidationKey and DecryptionKey to maintain persistence, evade remediation, and potentially forge authentication or session tokens even after patching.

The campaign affected hundreds of organizations globally, including government, defense, telecommunications, academic, nonprofit, critical infrastructure, and private-sector entities. Reported victims included U.S. federal and state agencies and other governments in Europe and the Middle East. Follow-on activity described in the content includes lateral movement, credential theft, Defender disabling, use of PsExec and Impacket, in-memory payload delivery to evade EDR, and ransomware deployment. High-confidence indicators mentioned in the content include suspicious ToolPane POST requests, follow-on requests to spinstall0.aspx, payloads around 7000-8000+ bytes, the X-TXT-NET response header used to return stolen machine-key data, suspicious strings such as ysoserial and -EncodedCommand, and infrastructure/IPs including 107.191.58.76, 104.238.159.149, 96.9.125.147, 103.186.30.186, 45.77.155.170, 139.144.199.41, 172.174.82.132, 89.46.223.88, update.micfosoft[.]com, dynastyjusticecollective.site, and theinnovationfactory[.]it (145.239.97[.]206).