CISA releases malware analysis for SharePoint Server attack
theregister.co.uk
CISA has published a malware analysis report with indicators of compromise (IOCs) and Sigma detection rules for "ToolShell" attacks targeting specific Microsoft SharePoint Server versions.
"Cyber threat actors have chained CVE-2025-49704 and CVE-2025-49706 (in an exploit chain publicly known as 'ToolShell') to gain unauthorised access to on-premises SharePoint servers," the agency explained in its announcement of the report.
"CISA analysed six files including two Dynamic-Link Library (.DLL), one cryptographic key stealer, and three web shells. Cyber threat actors could leverage this malware to steal cryptographic keys and execute a Base64-encoded PowerShell command to fingerprint the host system and exfiltrate data."
The key vulnerability in SharePoint Server, the "critical"-rated CVE-2025-53770 with a CVSS score of 9.8, is a variant of CVE-2025-49704 that bypasses Microsoft's fix for it; attackers chain it with the earlier "medium" severity authentication bypass CVE-2025-49706 - flaws Microsoft thought it had patched last month, only to find them under active exploitation as a zero-day targeting some big names.
Linked with other vulnerabilities in an exploit ...
Copyright of this story solely belongs to theregister.co.uk.