Microsoft SharePoint worries increase as ransomware gangs join the party, experts warn
Ransomware players want in on ToolShell action

- Unit 42 saw 4L4MD4R being deployed via ToolShell
- The crooks are asking for $500 worth of Bitcoin
- ToolShell is a Microsoft SharePoint Server bug patched in late July
The risk for businesses that haven’t patched the ToolShell vulnerability keeps growing, as new reports indicate that ransomware actors have joined the exploitation party.
Researchers from Unit 42, Palo Alto Networks’ threat intelligence arm, said they observed a threat actor using ToolShell to gain access and attempt to deploy a ransomware encryptor tracked as 4L4MD4R.
ToolShell is the nickname given to a deserialization-of-untrusted-data vulnerability recently discovered in on-premises Microsoft SharePoint Server. It is tracked as CVE-2025-53770 and allows unauthenticated remote code execution: an attacker can take control of an unpatched server simply by sending a crafted request. The flaw carries a severity score of 9.8/10 (critical) and was patched in late July 2025.
4L4MD4R has joined the chat
Less than two weeks after Microsoft issued emergency mitigations, security researchers were already seeing an uptick in attacks, with victim counts in the hundreds.
"There are many more, because not all attack vectors have left artifacts that we could scan for," Eye Security warned at the time.
Many high-profile organizations fell victim to cyberattacks exploiting this flaw, including the US National Nuclear Security Administration, the Department of Education, Florida’s Department of Revenue, the Rhode Island General Assembly, and government networks in Europe and the Middle East.
Now ransomware players are hopping onto the ToolShell bandwagon as well. According to Unit 42, 4L4MD4R is based on the open-source Mauri870 ransomware code. It was spotted on July 27, while the researchers were investigating a failed attack.
"Analysis of the 4L4MD4R payload revealed that it is UPX-packed and written in GoLang. Upon execution, the sample decrypts an AES-encrypted payload in memory, allocates memory to load the decrypted PE file, and creates a new thread to execute it," Unit 42 said.
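The characteristics Unit 42 describes (a UPX-packed Go binary that unpacks a further PE in memory) are things an incident responder can check statically before any sandbox run. The following Python script is an added example written for this article; it is not Unit 42’s code and is not derived from the 4L4MD4R sample. It parses a PE section table and flags the two public indicators that UPX and the Go toolchain leave in a file: UPX’s renamed sections (UPX0/UPX1/UPX2) and its `UPX!` marker, and the `\xff Go buildinf:` magic the Go linker embeds. The two sample images are constructed minimal PE headers built inline for the demonstration, not real binaries. The caveat a practitioner wants is built into the output: a UPX-packed Go binary hides its Go markers inside the compressed section, so the Go check only fires after unpacking (for stock UPX, `upx -d <file>`).

```python
from __future__ import annotations

import struct

# Public indicators left in a file by stock UPX and by the Go toolchain.
# These are heuristics: a modified packer can rename sections or strip markers.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
UPX_MARKER = b"UPX!"                        # l_info header magic written by stock UPX
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"   # emitted by the Go linker (go1.13+)

PE_SIGNATURE = b"PE\0\0"
SECTION_HEADER_SIZE = 40


def parse_section_names(data: bytes) -> list[str]:
    """Walk DOS header -> PE header -> section table and return section names."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE file: bad PE signature")
    # COFF header follows the 4-byte signature: Machine(2), NumberOfSections(2),
    # TimeDateStamp(4), PointerToSymbolTable(4), NumberOfSymbols(4),
    # SizeOfOptionalHeader(2), Characteristics(2).
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (size_of_optional,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + size_of_optional
    names: list[str] = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        raw_name = data[off:off + 8]
        if len(raw_name) < 8:
            raise ValueError("truncated section table")
        names.append(raw_name.rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(data: bytes) -> dict:
    """Static first-pass triage: is it UPX-packed, and is Go visible yet?"""
    sections = parse_section_names(data)
    upx = bool(UPX_SECTION_NAMES & set(sections)) or UPX_MARKER in data
    go = GO_BUILDINFO_MAGIC in data
    if upx and not go:
        note = "UPX-packed; Go/other markers hidden until unpacked (try: upx -d <file>)"
    elif go:
        note = "Go binary; proceed to string/symbol analysis"
    else:
        note = "no UPX or Go indicators found"
    return {"sections": sections, "upx_packed": upx, "go_binary": go, "note": note}


def build_pe(section_names: list[bytes], payload: bytes) -> bytes:
    """Constructed minimal PE32+ image for the demo; payload becomes the last
    section's raw data. This is a parser fixture, not a runnable executable."""
    num = len(section_names)
    e_lfanew, size_of_optional = 0x40, 240
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, num, 0, 0, 0, size_of_optional, 0x22)
    optional = b"\0" * size_of_optional
    headers_end = e_lfanew + 4 + 20 + size_of_optional + SECTION_HEADER_SIZE * num
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF   # 512-byte file alignment
    table = b""
    for i, name in enumerate(section_names):
        size = len(payload) if i == num - 1 else 0
        table += struct.pack("<8sIIII", name.ljust(8, b"\0"), size,
                             0x1000 * (i + 1), size, raw_ptr if size else 0)
        table += b"\0" * 16   # relocation/line-number fields and characteristics (unused here)
    image = dos + PE_SIGNATURE + coff + optional + table
    return image + b"\0" * (raw_ptr - len(image)) + payload


# Constructed samples: a UPX-packed image (the Go magic sits inside the compressed
# blob, so it is not visible) and the same program after unpacking.
PACKED_SAMPLE = build_pe([b"UPX0", b"UPX1", b".rsrc"],
                         UPX_MARKER + bytes(range(256)))
UNPACKED_SAMPLE = build_pe([b".text", b".data"],
                           b"\0" * 32 + GO_BUILDINFO_MAGIC + b"\x08\x02" + b"\0" * 16)

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        print(label, triage(sample))
```

Run against a real suspect file with `triage(open(path, "rb").read())`. The section-name check is the cheap signal; the `UPX!` marker catches samples where only the section names were altered, and a negative Go result on a packed file means nothing until the sample is unpacked.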
The identity and possible national affiliation of the group are unknown at this time. The researchers said the attackers were demanding a payment of 0.005 Bitcoin, roughly $500.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.