SharePoint (On-Premises Only) ToolShell Exploit

by Mike Puglia


*Updated July 31, 2025 with additional details and IOCs

A series of new and previously patched vulnerabilities, discovered by Eye Security, have been widely exploited in Microsoft’s SharePoint On-Premises Server software (cloud SharePoint instances are not impacted). Dubbed “ToolShell”, the exploit chain lets threat actors execute code remotely over the network, essentially giving them access to and complete control over the server.

Detection

Both RocketCyber and Datto EDR have detection rules to alert based on activity related to this exploit and are actively hunting for indicators of compromise.

Recommendations

Microsoft recommends that customers apply the released patches, enable AMSI in Full Mode, rotate the ASP.NET machine keys and restart IIS (see Microsoft’s guidance for the exact steps).

However, these attacks were being conducted prior to the disclosure and patches. Given the rapidly evolving campaigns by threat actors, you should assume that any SharePoint On-Premises server that was internet facing has been compromised, and organizations should re-image the server and re-install the SharePoint application.

*Note: Applying the patch or re-imaging may impact your ability to recover forensic data for later analysis; it is recommended to take a full snapshot/backup of the machine before taking these steps.

Details

ToolShell is a PowerShell-based web shell purpose-built for SharePoint. It leverages .NET APIs and PowerShell techniques to evade detection and gives attackers command and control, the ability to move laterally within the network, credential dumping and remote PowerShell command execution. Additionally, modifications to scheduled tasks, SharePoint Timer jobs and the registry have been used to enhance persistence.

Initial compromises used file-based web shells (e.g. spinstall0.aspx); however, in-memory ToolShell payloads have now been seen in the wild. These do not require writing a file to disk, making compromises stealthier and harder to detect (another reason to assume compromise, as mentioned in the “Recommendations” section above).
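A point-in-time triage script for the artifacts described above (dropped .aspx shells, the IIS worker process launching PowerShell, and scheduled-task or registry persistence), added here as an example and not part of the original advisory or any vendor tool. The SharePoint hive paths, the 14-day lookback window and the process names are assumptions; run it in an elevated PowerShell session on the SharePoint server.

```powershell
# Added triage script (not from the advisory). Point-in-time only: it cannot see
# in-memory payloads, and file timestamps can be tampered with, so treat empty
# output as "nothing found", not as "clean".
$since = (Get-Date).AddDays(-14)   # assumed lookback window; adjust as needed

# 1. File-based web shells dropped into the SharePoint LAYOUTS directories
#    (16 hive for 2016/2019/SE, 15 hive for 2013; paths assumed here).
$layouts = @(
  'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
  'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS'
) | Where-Object { Test-Path $_ }

Write-Host '== Recently created or spinstall* pages under LAYOUTS =='
if ($layouts) {
  Get-ChildItem -Path $layouts -Recurse -Include *.aspx,*.ashx -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'spinstall*' -or $_.CreationTime -gt $since } |
    Select-Object FullName, CreationTime, LastWriteTime, Length | Format-Table -AutoSize
}

# 2. PowerShell or cmd spawned by the IIS worker process (w3wp.exe). A web shell
#    executing commands shows up as w3wp.exe -> powershell.exe / cmd.exe.
Write-Host '== Shell processes whose parent is w3wp.exe =='
$procs = Get-CimInstance Win32_Process
$w3wpIds = @($procs | Where-Object { $_.Name -eq 'w3wp.exe' } | ForEach-Object { $_.ProcessId })
$procs |
  Where-Object { $_.ParentProcessId -in $w3wpIds -and $_.Name -match '^(powershell|pwsh|cmd)\.exe$' } |
  Select-Object ProcessId, ParentProcessId, Name, CommandLine | Format-List

# 3. Scheduled tasks created or changed in the window. Task definitions are stored
#    as XML files under System32\Tasks, so their LastWriteTime reflects changes.
Write-Host '== Scheduled task definitions modified in the window =='
Get-ChildItem "$env:SystemRoot\System32\Tasks" -Recurse -File -ErrorAction SilentlyContinue |
  Where-Object { $_.LastWriteTime -gt $since } |
  Select-Object FullName, LastWriteTime | Format-Table -AutoSize

# 4. Machine-wide Run/RunOnce autostart values; review anything unexpected.
Write-Host '== HKLM Run / RunOnce autostart values =='
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
  if (Test-Path $key) {
    Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS* | Format-List
  }
}
```

Review SharePoint Timer job definitions separately in Central Administration, since this script does not enumerate them.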

APT & Ransomware Groups

The following threat actors have been observed actively exploiting these vulnerabilities, although, since exploits are widely available, it should be assumed that any threat actor may be using them:

APT27 (Emissary Panda)

APT31 (Zirconium)

Bluesky

Storm-2603

Linen Typhoon

Violet Typhoon

Indicators of Compromise (IOCs)


Mike Puglia

General Manager, Security Products

Mike Puglia brings over 25 years of technology, strategy, and cybersecurity experience to his role as Kaseya’s General Manager of Security Products. He is responsible for all products across Kaseya’s portfolio of security solutions.

Prior to joining Kaseya, Mike led the technical program management integration of real-time collaboration technologies into Salesforce’s Chatter Social Enterprise platform. Earlier in his career, Mike served in technical and product roles at application security company Veracode, database security company Lumigent Technologies and network security company Bluesocket.

Mike holds a Bachelor of Science in Electrical Engineering from the University of New Hampshire and an MBA from the Carroll Graduate School of Management at Boston College.