{"id":10363,"date":"2025-07-24T09:00:00","date_gmt":"2025-07-24T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/toolshell\/"},"modified":"2026-05-25T09:12:52","modified_gmt":"2026-05-25T08:12:52","slug":"toolshell","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/toolshell\/","title":{"rendered":"Active exploitation of on-premise SharePoint Server vulnerabilities \u201cToolShell\u201d"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Active exploitation of on-premise SharePoint Server  <span class=\"blue-text\">vulnerabilities \u201cToolShell\u201d<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Application Security                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection     
                               <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Threat intelligence                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                24 Juli, 2025                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Teilen Sie dies                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/toolshell\/&#038;title=Active%20exploitation%20of%20on-premise%20SharePoint%20Server%20vulnerabilities%20\u201cToolShell\u201d\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Auf LinkedIn teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Active exploitation of on-premise SharePoint Server 
vulnerabilities \u201cToolShell\u201d&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/toolshell\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Auf X (Twitter) teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n<\/div>                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news.jpg.webp 1200w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-300x200.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-1024x683.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-768x512.jpg.webp 768w, 
https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-447x298.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_d78a9336b04a5ebc29148c205fd7b5d7\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <img loading=\"lazy\" decoding=\"async\" width=\"1080\" height=\"1080\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2.jpg.webp\" class=\"wp-component-author-card__photo\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2.jpg.webp 1080w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2-300x300.jpg.webp 300w, 
https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2-1024x1024.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2-150x150.jpg.webp 150w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2-768x768.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2-447x447.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2-700x700.jpg.webp 700w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2-146x146.jpg.webp 146w\" sizes=\"auto, (max-width: 1080px) 100vw, 1080px\" \/>            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Mohammad Kazem Hassan Nejad<\/h3>\n        \n                    <p class=\"wp-component-author-card__meta\">\n                Senior Threat Intelligence Researcher, WithSecure            <\/p>\n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        <label class=\"wp-component-content-navigation__mobile-label\">\n            <span class=\"wp-component-content-navigation__mobile-label-text\">\n                Inhaltliche Navigation            <\/span>\n            <select class=\"wp-component-content-navigation__select js-content-navigation-select\">\n       
         <option value=\"\">\n                    W\u00e4hlen Sie einen Abschnitt                <\/option>\n                            <\/select>\n        <\/label>\n    <\/div>\n\n    <div class=\"wp-component-content-navigation__desktop\">\n        <div class=\"wp-component-content-navigation__list-wrapper\">\n            <span\n                class=\"wp-component-content-navigation__indicator js-content-navigation-indicator\"\n                aria-hidden=\"true\"\n            ><\/span>\n            <ul class=\"wp-component-content-navigation__list js-content-navigation-list\">\n                            <\/ul>\n        <\/div>\n    <\/div>\n<\/nav>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__hide-mobile wp-block-two-column-block__share wp-block-two-column-block__hide-mobile\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/toolshell\/&#038;title=Active%20exploitation%20of%20on-premise%20SharePoint%20Server%20vulnerabilities%20\u201cToolShell\u201d\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Auf LinkedIn teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Active exploitation of on-premise SharePoint Server vulnerabilities 
\u201cToolShell\u201d&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/toolshell\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Auf X (Twitter) teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <h2>Introduction<\/h2>\n<p>On July 19th 2025, Microsoft reported on a set of vulnerabilities being actively exploited in the wild targeting on-premise SharePoint Servers, which were addressed through <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-53770\" target=\"_blank\" rel=\"noopener\">CVE-2025-53770<\/a> and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-53771\" target=\"_blank\" rel=\"noopener\">CVE-2025-53771<\/a>, as well as their earlier variants <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-49704\" target=\"_blank\" rel=\"noopener\">CVE-2025-49704<\/a> and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-49706\" target=\"_blank\" rel=\"noopener\">CVE-2025-49706<\/a>, collectively dubbed ToolShell. The earliest exploitation patterns WithSecure observed in its telemetry suggest exploitation attempts as early as 7th July 2025.<\/p>\n<p>Successful exploitation of these vulnerabilities can allow a threat actor to achieve remote code execution (RCE) on the SharePoint server without authentication. 
This allows a threat actor to access victims&#8217; SharePoint content, internal configurations, and system files, deploy a webshell, as well as perform other post-exploitation activities such as network reconnaissance and lateral movement.<\/p>\n<p>It is important to note that the vulnerabilities only affect on-premise instances of SharePoint (called SharePoint Server) and not SharePoint Online.<\/p>\n<p>As these vulnerabilities remain under active exploitation, we highly urge organizations using on-premise SharePoint Servers to patch, investigate, and remediate as soon as possible using the security updates and guidance provided by <a href=\"https:\/\/msrc.microsoft.com\/blog\/2025\/07\/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770\/\" target=\"_blank\" rel=\"noopener\">Microsoft<\/a>.<\/p>\n<h2>Timeline<\/h2>\n<p>The earliest possible exploitation attempt we observed in our telemetry occurred on 7th July 2025 11:30:02 UTC. This attempt exhibited the same reported pattern of a POST request to \u201c\/_layouts\/15\/ToolPane.aspx?DisplayMode=Edit&amp;a=\/ToolPane.aspx\u201d, with the referrer set as \u201cReferer: \/_layouts\/SignOut.aspx\u201d. The source IP address linked to this exploitation attempt was 75.83.18[.]243. We observed another attempt on the same SharePoint server on 14th July 2025 09:45:36 UTC, this time from the IP address 185.141.119[.]189.<\/p>\n<p>After these initial attempts, WithSecure started observing an uptick in exploitation attempts (some being successful) from 17th July 2025 across several SharePoint servers, coinciding with other public reports of the exploitation campaign, which is continuing at the time of writing. 
These attempts have originated from different source IP addresses, including:<\/p>\n<ul>\n<li>96.9.125[.]147<\/li>\n<li>152.59.160[.]117<\/li>\n<li>91.132.95[.]60<\/li>\n<li>64.176.50[.]109<\/li>\n<\/ul>\n<h2>Attackers\u2019 tradecraft and post-exploitation activity<\/h2>\n<p>Upon successful exploitation, we have so far observed threat actors either delivering webshells directly for persistence\/post-exploitation activity and\/or stealing ASP.NET MachineKey components. By stealing ASP.NET MachineKey data, the threat actor can forge their own valid, signed __VIEWSTATE payloads, which gives the threat actor persistent access to the SharePoint server to execute arbitrary payloads even post-patching or after removal of existing webshells.<\/p>\n<p>Some file names we have observed under the \u201c\/_layouts\/15\/\u201d and \u201c\/_layouts\/16\/\u201d folders that are highly likely used in the context of this exploitation campaign by threat actors include:<\/p>\n<ul>\n<li>spinstall*.aspx (where * is a number or letter)<\/li>\n<li>spinstall0.thank_you_defeners_for_rapid_response.aspx<\/li>\n<li>debug_dev.js<\/li>\n<li>info.aspx<\/li>\n<li>info03.aspx<\/li>\n<li>info3.aspx<\/li>\n<li>pinstall.aspx<\/li>\n<li>test.aspx<\/li>\n<\/ul>\n<p>One of the earliest and most widely reported webshells deployed post-exploitation is \u201cspinstall0.aspx\u201d (and its derivatives), which steals the server\u2019s MachineKey components and sends them to the threat actor.<\/p>\n<p>However, on one successfully compromised server, by examining .NET modules that were reflectively loaded within the IIS worker process, we also identified several payloads used by a threat actor, including:<\/p>\n<h2>Godzilla payload<\/h2>\n<p>A Godzilla webshell with loader containing hardcoded strings &#8222;3c6e0b8a9c15224a&#8220; and \u201cpass\u201d that have been seen in <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/h\/godzilla-fileless-backdoors.html\" target=\"_blank\" 
rel=\"noopener\">other<\/a> campaigns as well, and its main payload containing <a href=\"https:\/\/unit42.paloaltonetworks.com\/manageengine-godzilla-nglite-kdcsponge\/\" target=\"_blank\" rel=\"noopener\">known<\/a> GodZilla functions such as bigFileUpload, bigFileDownload, getBasicsInfo, and more. Furthermore, we noticed a <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/02\/06\/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys\/\" target=\"_blank\" rel=\"noopener\">report<\/a> that described the deployment of Godzilla webshell by an unattributed threat actor through publicly disclosed ASP.NET machine keys in December 2024. One of the primary goals of the current campaign is to steal ASP.NET machine keys to maintain access to the Sharepoint server even after patching.<\/p>\n<figure><img decoding=\"async\" class=\"wp-component-image\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/godzilla-loader.png.webp\" alt=\"\" \/><\/figure>\n<figure><img decoding=\"async\" class=\"wp-component-image\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/godzilla-functions.png.webp\" alt=\"\" \/><\/figure>\n<h2>\u201cInformation\u201d payload<\/h2>\n<p>Information gathering module that gathers information such as:<\/p>\n<ul>\n<li>current directory<\/li>\n<li>web directory<\/li>\n<li>OS Name and Version<\/li>\n<li>drive info (such as name, disk size and free space)<\/li>\n<li>network interface info (such as IPv4, IPv6 addresses, DNS servers, network adapter, and MAC address)<\/li>\n<li>running process names.<\/li>\n<\/ul>\n<p>The result is AES (CBC) encrypted and encoded in base64, with the key\/IV used for encryption being prepended as the first 32-bytes of the result value. 
The generated response is then sent in the following format:<\/p>\n<p><input id=\"__VIEWSTATE\" name=\"__VIEWSTATE\" type=\"hidden\" value=\"\/wEPDwUKLTcyODc4[EncodedEncryptedResult]\" \/><\/p>\n<p>This pattern and the hardcoded string \u201c\/wEPDwUKLTcyODc4\u201d were observed in a recent <a href=\"https:\/\/securelist.com\/ghostcontainer\/116953\/\" target=\"_blank\" rel=\"noopener\">report<\/a>, and we identified the same hardcoded string in a CVE-2020-0688 <a href=\"https:\/\/github.com\/Ridter\/cve-2020-0688\/blob\/master\/ExchangeCmdPy.py#L338\" target=\"_blank\" rel=\"noopener\">PoC code<\/a>.<\/p>\n<figure><img decoding=\"async\" class=\"wp-component-image\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/info-gather.png.webp\" alt=\"\" \/><\/figure>\n<h2>\u201cRemoteExec\u201d payload<\/h2>\n<p>This module can execute commands (received via __SCROLLPOSITION request parameter) through cmd.exe and return its response to the threat actor. This uses similar functions as \u201cInformation\u201d payload to generate its response (i.e. __VIEWSTATE value with \u201c\/wEPDwUKLTcyODc4\u201d hardcoded string), as well as encryption\/decryption (i.e. AES CBC with key\/IV being the first 32 bytes of the request\/response values).<\/p>\n<figure><img decoding=\"async\" class=\"wp-component-image\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/remotexec-mainfunction.png.webp\" alt=\"\" \/><\/figure>\n<figure><img decoding=\"async\" class=\"wp-component-image\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/remotexec.png.webp\" alt=\"\" \/><\/figure>\n<h2>AsmLoader \u201cShellcodeLoader\u201d<\/h2>\n<p>This allows the threat actor to launch a shellcode either within the running process (IIS worker) or remote process. 
Parts of the code snippet and method names highly resemble \u201cloadAsmBin\u201d as described <a href=\"https:\/\/mp.weixin.qq.com\/s?__biz=MzU3ODAyMjg4OQ==&amp;amp;mid=2247496147&amp;amp;idx=1&amp;amp;sn=060e18c75030ec4cda119d06645fc347&amp;amp;chksm=fd790d55ca0e84437a7c4a8731f6de7ae943d2355348b215f8218fdd5dbb0367ed86fe705561&amp;amp;scene=58&amp;amp;subscene=0#rd\" target=\"_blank\" rel=\"noopener\">here<\/a> and <a href=\"https:\/\/github.com\/Ridter\/MSSQL_CLR\/blob\/6f1df259cbd7f8790550861f6a72d6d2f4cbe241\/Database\/CLR_module\/Sharploader.cs#L190\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<figure><img decoding=\"async\" class=\"wp-component-image\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/asmloader.png.webp\" alt=\"\" \/><\/figure>\n<h2>Custom ASP.NET MachineKey stealer<\/h2>\n<p>Steals MachineKey components (ValidationKey, Validation, DecryptionKey, Decryption, Compatibility mode) in a similar way to spinstall0.aspx, however this module also appends machine name and username to its response, as well as a prepended hardcoded string (likely serving as a form of identifier).<\/p>\n<figure><img decoding=\"async\" class=\"wp-component-image\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/custom-machinekeystealer.png.webp\" alt=\"\" \/><\/figure>\n<p>Our assumption at the time of writing is that the .NET payloads mentioned above, as well as the aforementioned activity that occurred on the compromised host belong to one intrusion set or threat actor. 
This is due to the overlap in exhibited activity patterns and time frames in each case.<\/p>\n<h2>Shell recon commands<\/h2>\n<p>In the observed compromise, several recon commands were executed through the established shell, including:<\/p>\n<ul>\n<li>cmd.exe \/c whoami \/all<\/li>\n<li>&#8222;cmd&#8220; \/c &#8222;cd \/d &#8222;c:\/windows\/system32\/inetsrv\/&#8220;&amp;ipconfig&#8220; 2&gt;&amp;1<\/li>\n<li>&#8222;cmd&#8220; \/c &#8222;cd \/d &#8222;c:\/windows\/system32\/inetsrv\/&#8220;&amp;net user &lt;REDACTED&gt; \/do&#8220; 2&gt;&amp;1<\/li>\n<li>&#8222;cmd&#8220; \/c &#8222;cd \/d &#8222;c:\/windows\/system32\/inetsrv\/&#8220;&amp;quser&#8220; 2&gt;&amp;1<\/li>\n<li>&#8222;cmd&#8220; \/c &#8222;cd \/d &#8222;c:\/windows\/system32\/inetsrv\/&#8220;&amp;net localgroup administrators&#8220; 2&gt;&amp;1<\/li>\n<li>&#8222;cmd&#8220; \/c &#8222;cd \/d &#8222;c:\/windows\/system32\/inetsrv\/&#8220;&amp;net group &#8222;domain admins&#8220; \/do&#8220; 2&gt;&amp;1<\/li>\n<li>&#8222;cmd&#8220; \/c &#8222;cd \/d &#8222;c:\/windows\/system32\/inetsrv\/&#8220;&amp;tasklist \/svc&#8220; 2&gt;&amp;1<\/li>\n<li>&#8222;cmd&#8220; \/c &#8222;cd \/d &#8222;c:\/windows\/system32\/inetsrv\/&#8220;&amp;curl google.com&#8220; 2&gt;&amp;1<\/li>\n<li>&#8222;netstat&#8220; -an<\/li>\n<\/ul>\n<h2>Actions on host<\/h2>\n<p>The threat actor then went on to execute <a href=\"https:\/\/github.com\/BeichenDream\/BadPotato\" target=\"_blank\" rel=\"noopener\">BadPotato<\/a> in-memory within the IIS worker process to escalate privileges, then adding a new local administrator user via the following command:<\/p>\n<ul>\n<li>cmd \/c net user &lt;USER-REDACTED&gt; &lt;PASSWORD-REDACTED&gt; \/add &amp;&amp; net localgroup administrators &lt;USER-REDACTED&gt; \/add<\/li>\n<\/ul>\n<p>After which, the threat actor made an RDP connection to the victim device which appeared to originate from the victim device IP address, suggesting that they may have first set up a reverse tunnel to their 
infrastructure using FRP (as explained in a later section). In this RDP session, the attacker dropped and then executed a binary within the newly created local admin user\u2019s Downloads folder. The binary is named \u201csysdiag-all-x64-6.0.7.2-2025.07.21.1.exe\u201d and is an installer for the Huorong security solution. One of the tools bundled in the software is a well-known EDR evasion\/impairment tool, HRSword, which is commonly used by threat actors to kill EDR\/AV security solutions, although we cannot confirm it was used for that purpose in this incident.<\/p>\n<p>There is historic <a href=\"https:\/\/www.rapid7.com\/blog\/post\/2024\/10\/30\/investigating-a-sharepoint-compromise-ir-tales-from-the-field\/\" target=\"_blank\" rel=\"noopener\">reporting<\/a> of an incident involving exploitation of on-premise SharePoint Servers (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2024-38094\" target=\"_blank\" rel=\"noopener\">CVE-2024-38094<\/a>) for initial access which also involved installing the Huorong security solution, and where use of HRSword.exe was observed. The historic report noted that the installed Huorong security solution could impair the function of other installed security tools. Therefore, we assess that the installation of Huorong security software in this incident was likely intended to degrade, impair, or evade defenses and existing security solutions as well.<\/p>\n<p>The historic report also contained further similarities in terms of TTPs with our incident, including usage of FRP (fast reverse proxy), ADExplorer.exe, and performing staging in the ProgramData folder.<\/p>\n<p>We observed the threat actor launch rundll32.exe and inject into it (with the \u201c-c &lt;CONFIGPATH&gt;\u201d argument) via the IIS worker process. The injected shellcode loaded <a href=\"https:\/\/github.com\/fatedier\/frp\" target=\"_blank\" rel=\"noopener\">FRP<\/a> (fast reverse proxy) in memory. 
The FRP configuration was stored on disk under C:\\ProgramData with a \u201c.ini\u201d file extension and passed as the command line argument of the injected process. This process injection was highly likely achieved through the AsmLoader \u201cShellcodeLoader\u201d payload described earlier.<\/p>\n<p>The threat actor initiated lateral movement by leveraging the same injected rundll32 process command line, this time injecting an unknown payload that enabled lateral movement via SMB as well as RDP. Through the injected process, the threat actor dropped and launched the same \u201csysdiag-all-x64-6.0.7.2-2025.07.21.1.exe\u201d file under the logged-on user\u2019s Downloads folder via RDP. We also observed the threat actor launch \u201cADExplorer64.exe\u201d and execute \u201ccmdkey -list\u201d command.<\/p>\n<p>The threat actor also moved laterally and executed commands on network adjacent hosts, such as:<\/p>\n<ul>\n<li>&#8222;cmd.exe&#8220; \/C copy \\\\&lt;REDACTED-IP&gt;\\c$\\programdata\\sysdiag-all-x64-6.0.7.2-2025.07.21.1.exe c:\\programdata\\sysdiag-all-x64-6.0.7.2-2025.07.21.1.exe &gt; C:\\programdata\\&lt;REDACTED-GUID&gt;.dat 2&gt;&amp;1<\/li>\n<li>&#8222;cmd.exe&#8220; \/C net user &lt;REDACTED-USER&gt; &lt;REDACTED-PASSWORD&gt; \/add &amp;&amp; net localgroup administrators &lt;REDACTED-USER&gt; \/add &gt; C:\\programdata\\&lt;REDACTED-GUID&gt;.dat 2&gt;&amp;1<\/li>\n<\/ul>\n<h2>Conclusion<\/h2>\n<p>In this blogpost, we have provided a brief rundown of the exploitation activity observed by WithSecure related to the ToolShell campaign.<\/p>\n<p>As time passes, exploitation adoption by a wider group of threat actors is all but inevitable, therefore we highly urge any organization using on-premise SharePoint Servers to patch, investigate, and remediate as soon as possible.<\/p>\n<p>Some of the tools mentioned in this report, such as FRP and Godzilla webshell, are hallmarks of China-nexus threat actors. 
This is further emphasized by the set of techniques and payloads mentioned which contained references discussed in Chinese-speaking blogs and forums (linked throughout the report), as well as created by Chinese-speaking authors on GitHub (also linked throughout the report). The usage and implementation of these suggests a Chinese-speaking threat actor is likely to be involved in this activity, however definitive attribution cannot be made at this point based solely on these indicators.<\/p>\n<p>WithSecure\u2122 Elements offers detection and protection across various stages of the attack lifecycle. For instance, WithSecure\u2122 Elements Endpoint Protection already contained detections prior to the exploitation campaign that blocked malicious execution via IIS worker process, namely \u201cExploit:W32\/W3WPLaunch.A!DeepGuard\u201d.<\/p>\n<h2>Acknowledgements<\/h2>\n<p>WithSecure has engaged governments (CERTs, NCSCs), select customers, and industry peers with advanced copies of this report. 
For instance, Vultr took swift action on one of the IP addresses (64.176.50[.]109) that belonged to them upon reporting and the IP address now only provides historical value in the context of this exploitation campaign between 21-22 July 2025 at the time of writing.<\/p>\n<p>The author of this blogpost would like to thank the rest of his team, namely Stephen Robinson, Markus Tuominen, Jeremy Ong, Timothy West and Neeraj Singh for their contributions in getting this timely report published.<\/p>\n<h2>Indicators of Compromise (IOCs)<\/h2>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"200\" valign=\"top\">\n<p>&nbsp;Type<\/p>\n<\/td>\n<td width=\"200\" valign=\"top\">\n<p>&nbsp;Value<\/p>\n<\/td>\n<td width=\"200\" valign=\"top\">\n<p>&nbsp;Description<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"200\" valign=\"top\">\n<p>&nbsp;IPv4 address<\/p>\n<\/td>\n<td width=\"200\" valign=\"top\">\n<p>&nbsp;75.83.18[.]243<\/p>\n<\/td>\n<td width=\"200\" valign=\"top\">\n<p>Source address for exploitation attempt, seen on 7th July 2025<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"200\" valign=\"top\">\n<p>&nbsp;IPv4 address<\/p>\n<\/td>\n<td width=\"200\" valign=\"top\">\n<p>&nbsp;185.141.119[.]189<\/p>\n<\/td>\n<td width=\"200\" valign=\"top\">\n<p>Source address for exploitation attempt, seen on 14th July 2025<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"200\" valign=\"top\">\n<p>&nbsp;IPv4 address<\/p>\n<\/td>\n<td width=\"200\" valign=\"top\">\n<p>&nbsp;96.9.125[.]147<\/p>\n<\/td>\n<td width=\"200\" valign=\"top\">\n<p>Source address for exploitation attempt, seen on\/after 17th July 2025<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"200\" valign=\"top\">\n<p>&nbsp;IPv4 address<\/p>\n<\/td>\n<td width=\"200\" valign=\"top\">\n<p>&nbsp;64.176.50[.]109<\/p>\n<\/td>\n<td width=\"200\" valign=\"top\">\n<p>Source address for exploitation attempt, seen between 21-22 July 2025, actioned by provider Vultr upon reporting.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td 
width=\"200\" valign=\"top\">\n<p>&nbsp;IPv4 address<\/p>\n<\/td>\n<td width=\"200\" valign=\"top\">\n<p>&nbsp;91.132.95[.]60<\/p>\n<\/td>\n<td width=\"200\" valign=\"top\">\n<p>&nbsp;Source address for exploitation attempt, seen on\/after 17th July 2025<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"200\" valign=\"top\">\n<p>&nbsp;IPv4 address<\/p>\n<\/td>\n<td width=\"200\" valign=\"top\">\n<p>&nbsp;152.59.160[.]117<\/p>\n<\/td>\n<td width=\"200\" valign=\"top\">\n<p>Source address for exploitation attempt, seen on\/after 17th July 2025<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"200\" valign=\"top\">\n<p>&nbsp;IPv4 address<\/p>\n<\/td>\n<td width=\"200\" valign=\"top\">\n<p>&nbsp;67.223.119[.]63<\/p>\n<\/td>\n<td width=\"200\" valign=\"top\">\n<p>FRP server address<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"200\" valign=\"top\">\n<p>&nbsp;SHA256<\/p>\n<\/td>\n<td width=\"200\" valign=\"top\">\n<p>&nbsp;e451287843b3927c6046eaabd3e22b929bc1f445eec23a73b1398b115d02e4fb<\/p>\n<\/td>\n<td width=\"200\" valign=\"top\">\n<p>ADExplorer64.exe<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"200\" valign=\"top\">\n<p>&nbsp;SHA256<\/p>\n<\/td>\n<td width=\"200\" valign=\"top\">\n<p>&nbsp;467836991bd92e8986df845fd52fc2325d113976f91e316e6ab7fa7347612e08<\/p>\n<\/td>\n<td width=\"200\" valign=\"top\">\n<p>sysdiag-all-x64-6.0.7.2-2025.07.21.1.exe<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials 
wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/toolshell\/&#038;title=Active%20exploitation%20of%20on-premise%20SharePoint%20Server%20vulnerabilities%20\u201cToolShell\u201d\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Auf LinkedIn teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Active exploitation of on-premise SharePoint Server vulnerabilities \u201cToolShell\u201d&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/toolshell\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Auf X (Twitter) teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                        <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-cta-banner edwp-block js-wp-block-cta-banner wp-block-cta-banner--style-icon wp-block-cta-banner--no-image layout--spacing-xxxl-top layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-cta-banner__container\">\n        <div class=\"wp-block-cta-banner__box row-load\">\n            <div class=\"wp-component-content wp-component-content--help-text wp-component-content--dark wp-block-cta-banner__content\">\n                        <div class=\"wp-component-content__inner\">\n                <h2 class=\"wp-component-heading text--h2 wp-component-heading--dark wp-component-content__title\">\n    What <span class=\"blue-text\">next?<\/span><\/h2>                                    <div 
class=\"wp-component-content__content wysiwyg wysiwyg--dark\">\n                        <div class=\"wp-component-paragraph wp-component-paragraph--dark\">\n    <p class=\"text--p-medium\">Discover WithSecure\u2122 Elements Exposure Management.<br \/>\n&#8211; No credit card required. No obligations.No complexity.<\/p>\n<\/div>\n                    <\/div>\n                            <\/div>\n                            <div class=\"wp-component-content__buttons\">\n                <a class=\"wp-component-button btn btn--primary btn--dark\" href=\"https:\/\/www.withsecure.com\/en\/contact-us\/\">Contact us<\/a>            <\/div>\n                <\/div>                    <\/div>\n    <\/div>\n<\/section>\n\n\n\n\n<section\n    class=\"wp-block-cards edwp-block wp-block-cards--col-3 js-wp-block-cards wp-block-cards--show-overflow wp-block-cards--auto-slides-per-view layout--spacing-xxxl-top layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-cards__container\">\n        <div class=\"wp-component-content wp-component-content--default wp-block-cards__content\">\n            <h2 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Related <span class=\"blue-text\">Labs content<\/span><\/h2>                    <div class=\"wp-component-content__inner\">\n                                    <div class=\"wp-component-content__content wysiwyg\">\n                        <div class=\"wp-component-paragraph \">\n    <p class=\"text--p-medium\"><span data-teams=\"true\">Find related content relating to this topic.<\/span><\/p>\n<\/div>\n                    <\/div>\n                                                            <\/div>\n                <\/div>                            <div\n                class=\"swiper wp-block-cards__swiper js-wp-block-cards-swiper\"\n                data-slides-per-view-desktop=\"auto\"\n                data-slides-per-view-tablet=\"auto\"\n                data-slides-per-view-mobile=\"auto\"\n            
>\n                <div class=\"swiper-wrapper wp-block-cards__swiper-wrapper row-load\">\n                                            <div class=\"swiper-slide wp-block-cards__slide\">\n                            <div class=\"wp-component-card-insight wp-block-cards__card wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp\" class=\"wp-component-card-insight__image\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp 618w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-300x214.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-447x318.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-205x146.jpg.webp 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Threat intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">DarkGate Rises: New version of DarkGate malware hunts like a Duck but bites like a RAT<\/h3>\n                                     
       <p class=\"wp-component-card-insight__desc\">Source: https:\/\/labs.withsecure.com\/publications\/darkgate-rises<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/darkgate-rises\/\">Mehr erfahren<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                            <div class=\"swiper-slide wp-block-cards__slide\">\n                            <div class=\"wp-component-card-insight wp-block-cards__card\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp\" class=\"wp-component-card-insight__image\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp 618w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-300x214.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-447x318.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-205x146.jpg.webp 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n             
                               <span class=\"wp-component-card-insight__category\">Threat intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Reverse engineering a Lumma infection<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">Lumma is an information stealer that the WithSecure Detection and Response Team (DRT) have encountered several times. It has seen wider use over the past couple of years, and makes for an interesting threat to monitor.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/reverse-engineering-a-lumma-infection\/\">Mehr erfahren<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                            <div class=\"swiper-slide wp-block-cards__slide\">\n                            <div class=\"wp-component-card-insight wp-block-cards__card\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp\" class=\"wp-component-card-insight__image\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp 618w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-300x214.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-447x318.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-205x146.jpg.webp 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p 
class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">AI security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Machine learning-driven malware analysis<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">With the rapid emergence of new malware variants, accurately classifying and attributing malware samples has become more challenging than ever<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/machine-learning-driven-malware-analysis\/\">Mehr erfahren<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                    <\/div>\n                <div class=\"wp-block-cards__nav fade-in\">\n                    <div class=\"wp-block-cards__pagination js-wp-block-cards-pagination\">\n                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-prev\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n              
      <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-next\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                <\/div>\n            <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>On July 19th 2025, Microsoft reported on a set of vulnerabilities being actively exploited in-the-wild targeting on-premise SharePoint Servers,<\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[360,310,312],"labs_content_type":[320],"class_list":["post-10363","lab_item","type-lab_item","status-publish","hentry","category-application-security","category-attack-detection","category-threat-intelligence"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                               
             <span class=\"wp-component-card-insight__category\">Application Security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Threat intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Active exploitation of on-premise SharePoint Server vulnerabilities \u201cToolShell\u201d<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">On July 19th 2025, Microsoft reported on a set of vulnerabilities being actively exploited in-the-wild targeting on-premise SharePoint Servers,<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/toolshell\/\">Mehr erfahren<\/a>            <\/div>\n            
<\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/lab_item\/10363","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/media?parent=10363"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/categories?post=10363"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/labs_content_type?post=10363"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}