Echoes in the Shell: Legacy Tooling Behind Ongoing SharePoint 'ToolShell' Exploitation

SUMMARY :

Chinese nation-state actors are exploiting vulnerabilities in Microsoft SharePoint on-premises infrastructure. The attacks chain together multiple recently disclosed vulnerabilities, collectively known as 'ToolShell', to perform unauthenticated code execution, extract cryptographic keys, and deploy web shells. The threat actors demonstrate high proficiency in abusing SharePoint's internal mechanisms, using techniques such as authentication bypass, deployment of malicious ASP.NET pages, and exploitation of deserialization flaws. Post-exploitation activities include reconnaissance, credential harvesting, and establishment of command and control channels. The attackers employ tools like China Chopper and AntSword web shells, and abuse legitimate services like RequestRepo for data exfiltration. While definitive attribution remains inconclusive, there are overlaps with previously observed Chinese APT group activities.

OPENCTI LABELS :

valleyrat,china chopper,sharepoint,antsword,cve-2025-53771,cve-2025-53770,toolshell,cve-2025-49704,cve-2025-49706,requestrepo


Open in NetmanageIT OpenCTI Public Instance with below link!


Use public read only username and password on login page.

NOTE : Use Public READ only user credentials on login page banner.


Echoes in the Shell: Legacy Tooling Behind Ongoing SharePoint 'ToolShell' Exploitation