Inside The ToolShell Campaign

Multiple threat actors are exploiting on-premises Microsoft SharePoint servers using a new exploit chain called “ToolShell,” combining patched and zero-day vulnerabilities to achieve remote code execution. Advanced web shells like GhostWebShell and tools like KeySiphon enable attackers to maintain persistence and steal sensitive cryptographic keys, posing a critical risk to affected organizations. #ToolShell #GhostWebShell #KeySiphon #MicrosoftSharePoint #FortiGuardLabs

Keypoints

  • Attackers are exploiting Microsoft SharePoint Enterprise Server 2016, Server 2019, and Server Subscription Edition using a newly identified exploit chain named “ToolShell.”
  • The exploit chain combines two previously patched vulnerabilities (CVE-2025-49704 and CVE-2025-49706) with two zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) to achieve remote code execution.
  • FortiGuard Labs and CISA have recognized the threat, with CISA adding these CVEs to its Known Exploited Vulnerabilities catalog and FortiGuard releasing an IPS signature.
  • GhostWebShell, a sophisticated ASP.NET web shell, allows attackers to execute system commands remotely while evading detection through advanced techniques such as BuildManager manipulation and fileless operation.
  • KeySiphon collects detailed host reconnaissance information and exposes cryptographic keys by invoking private .NET methods, enabling attackers to forge authentication tokens and manipulate protected data.
  • Fortinet products detect and block these malware variants; FortiGuard Labs recommends rapid patching, layered detection, and continuous monitoring to mitigate the risk.
  • Indicators of Compromise include multiple IP addresses and file hashes used in these attacks, which are detected and blocked by FortiGuard Antivirus and IPS signatures.
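The KeySiphon key-theft point above deserves a concrete illustration: once an attacker holds an application's validationKey, any MAC-protected blob the server accepts (ViewState, forms-auth tickets) can be minted offline, and the only remediation is key rotation. The following is an added example, not code from the Fortinet post or from the ToolShell tooling. It is a deliberately simplified model of ASP.NET MachineKey-style MAC protection (HMAC-SHA256 over a serialized payload; the real ViewState format adds purpose strings and modifiers) and uses a constructed payload, so treat the format as an assumption and the lesson, that rotation invalidates forged blobs, as the point.

```python
import base64
import hashlib
import hmac
import secrets

# Simplified model of ASP.NET MachineKey MAC protection (assumption: the real
# ViewState/ticket formats differ, but both reduce to "HMAC with validationKey").
MAC_LEN = 32  # SHA-256 digest length


def sign(payload: bytes, validation_key: bytes) -> str:
    """Return base64(payload || HMAC-SHA256(validationKey, payload))."""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode()


def verify(token: str, validation_key: bytes):
    """Return the payload if the MAC checks out under validation_key, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (ValueError, TypeError):
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


def key_disclosure_scenario():
    """Model KeySiphon-style key theft followed by key rotation.

    Returns (forged_accepted_before_rotation, forged_accepted_after_rotation).
    """
    server_key = secrets.token_bytes(64)          # what MachineKeySection holds
    legit = sign(b"user=alice;role=user", server_key)
    assert verify(legit, server_key) == b"user=alice;role=user"

    # KeySiphon exposes validation/decryption keys to the attacker: from here on
    # the attacker can sign arbitrary payloads that the server will accept.
    leaked_key = server_key
    forged = sign(b"user=alice;role=admin", leaked_key)
    accepted_before = verify(forged, server_key) is not None

    # Remediation: rotate the machine key. Patching alone does not revoke a
    # key the attacker already copied; only a new key makes the forged blob fail.
    rotated_key = secrets.token_bytes(64)
    accepted_after = verify(forged, rotated_key) is not None
    return accepted_before, accepted_after


if __name__ == "__main__":
    print(key_disclosure_scenario())  # (True, False)
```

The operational takeaway: after a confirmed KeySiphon-style compromise, rotate the ASP.NET machine keys on every affected web application and restart IIS, because the stolen keys remain valid until they are replaced regardless of when the ToolShell CVEs were patched.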

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – GhostWebShell exposes a “?cmd=” parameter that allows arbitrary system command execution via “cmd.exe /c ” (‘…allowing an attacker to pass arbitrary system commands…’).
  • [T1106] Native API – GhostWebShell uses Server.Execute() to run injected pages and render their output stealthily (‘…executing the command via Server.Execute() and rendering the output…’).
  • [T1505.003] Server Software Component: Web Shell – The web shell temporarily manipulates internal BuildManager flags via reflection and registers a custom VirtualPathProvider so that injected code is compiled and executed without a file on disk (‘…temporarily manipulates internal BuildManager flags using reflection…’).
  • [T1082] System Information Discovery – KeySiphon fingerprints the host, collecting logical drive count, machine name, CPU cores, uptime, and OS details via System.Environment (‘…it fingerprints the host: logical drive count, machine name, system and working directories…’).
  • [T1606] Forge Web Credentials – KeySiphon retrieves the application’s validation and decryption keys through the private MachineKeySection.GetApplicationConfig() method, which lets the attacker forge authentication tokens and decrypt protected data (‘…exposing the application’s validation and decryption keys…’).
  • [T1048] Exfiltration Over Alternative Protocol – During reconnaissance, simple curl and PowerShell commands upload ipconfig output to a remote server (‘…simple CURL and PowerShell commands used to upload IPConfig information to a remote server.’).
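Two of the techniques above leave traces in IIS request logs that a defender can triage without any vendor signature: the web shell’s command parameter (the “?cmd=” interface described under T1059) and contact from the C2 addresses in the IOC list. The script below is an added example written for this page, not tooling from Fortinet or from the campaign. It parses W3C-format IIS logs that are constructed inline (the web shell filename example_shell.aspx and the timestamps are invented for illustration; the two source IPs are taken from the IOC list on this page) and flags requests that carry a cmd= parameter to an .aspx page or originate from a listed IP.

```python
from urllib.parse import parse_qs

# Source IPs quoted on this page; the full list is in the Fortinet post.
IOC_IPS = {"157.245.126.186", "159.203.88.182"}

# Constructed W3C-format IIS log (not real traffic). The shell filename and
# times are invented; IIS encodes spaces in cs-uri-query as '+'.
LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-20 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 10.0.0.20 Mozilla/5.0 - 200
2025-07-20 10:02:15 10.0.0.5 GET /_layouts/15/example_shell.aspx cmd=whoami 443 - 157.245.126.186 python-requests/2.31 - 200
2025-07-20 10:02:40 10.0.0.5 POST /_layouts/15/example_shell.aspx cmd=ipconfig+/all 443 - 157.245.126.186 python-requests/2.31 - 200
2025-07-20 10:05:00 10.0.0.5 GET /sites/hr/default.aspx - 443 - 10.0.0.31 Mozilla/5.0 - 200
"""


def parse_w3c(text: str):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        # Skip truncated or malformed lines rather than mis-aligning columns.
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def triage(text: str):
    """Return [(client_ip, uri_stem, [reasons])] for requests worth a closer look."""
    hits = []
    for rec in parse_w3c(text):
        reasons = []
        stem, query = rec["cs-uri-stem"].lower(), rec["cs-uri-query"]
        # GhostWebShell-style interface: a cmd= parameter on an .aspx resource.
        if stem.endswith(".aspx") and query != "-":
            params = parse_qs(query, keep_blank_values=True)
            if "cmd" in params:
                reasons.append(f"web-shell command parameter cmd={params['cmd'][0]!r}")
        # Known C2 infrastructure from the IOC list.
        if rec["c-ip"] in IOC_IPS:
            reasons.append("source IP in ToolShell IOC list")
        if reasons:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], reasons))
    return hits


if __name__ == "__main__":
    for ip, uri, reasons in triage(LOG):
        print(f"{ip} {uri}: {'; '.join(reasons)}")
```

The cmd= rule is intentionally broad; on a busy farm you would scope it to /_layouts/ paths and to .aspx files that are not part of the product’s own install, and treat a hit from an IOC address as confirmation rather than a separate alert. Note that a web shell served over a POST body rather than a query string leaves no cmd= in cs-uri-query, so this check complements rather than replaces file-integrity monitoring of the LAYOUTS directory.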

Indicators of Compromise

  • [IP Address] Malicious infrastructure used for command and control – 157[.]245[.]126[.]186, 159[.]203[.]88[.]182, and 11 other IPs.
  • [File Hash] Malicious files associated with ToolShell attacks – 10e01ce96889c7b4366cfa1e7d99759e4e2b6e5dfe378087d9e836b7278abfb67e, e3fff35ef909c556bdf6d9a63f0403718bf09fecf4e03037238176e86cf4e9805, and 2 more hashes (the full list is in the Fortinet post linked below).


Read more: https://feeds.fortinet.com/~/922174919/0/fortinet/blog/threat-research~Inside-The-ToolShell-Campaign