SharePoint ToolShell Exploitation

The [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058) campaign was conducted in July 2025 and encompassed the first waves of exploitation against incompletely patched spoofing (CVE-2025-49706) and remote code execution (CVE-2025-49704) vulnerabilities affecting on-premises Microsoft SharePoint servers. Later patched and updated as CVE-2025-53770 and CVE-2025-53771, the ToolShell vulnerabilities were widely exploited, including by the China-based ransomware actor Storm-2603 and the espionage actors [Threat Group-3390](https://attack.mitre.org/groups/G0027) and [ZIRCONIUM](https://attack.mitre.org/groups/G0128). [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058) targeted multiple regions and industries, including finance, education, energy, and healthcare across Asia, Europe, and the United States.(Citation: Microsoft SharePoint Exploit JUL 2025)(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)(Citation: Eye Research ToolShell JUL 2025)(Citation: ESET ToolShell JUL 2025)(Citation: Trend Micro SharePoint Attacks JUL 2025)

Start date: 1 July 2025
End date: 1 July 2025
Techniques: 35

Attributed actors

Techniques (35)

collection (3)
T1119 Automated Collection
T1074.001 Local Data Staging
T1005 Data from Local System

command-and-control (4)
T1572 Protocol Tunneling
T1090 Proxy
T1105 Ingress Tool Transfer
T1071.001 Web Protocols

credential-access (2)
T1552.001 Credentials In Files
T1003.001 LSASS Memory

defense-impairment (3)
T1484.001 Group Policy Modification
T1112 Modify Registry
T1685 Disable or Modify Tools

discovery (3)
T1082 System Information Discovery
T1033 System Owner/User Discovery
T1083 File and Directory Discovery

execution (5)
T1059.003 Windows Command Shell
T1569.002 Service Execution
T1047 Windows Management Instrumentation
T1059.001 PowerShell
T1053.005 Scheduled Task

exfiltration (1)
T1041 Exfiltration Over C2 Channel

impact (2)
T1486 Data Encrypted for Impact
T1657 Financial Theft

initial-access (1)
T1190 Exploit Public-Facing Application

lateral-movement (1)
T1570 Lateral Tool Transfer

persistence (4)
T1112 Modify Registry
T1505.003 Web Shell
T1053.005 Scheduled Task
T1505.004 IIS Components

privilege-escalation (2)
T1484.001 Group Policy Modification
T1053.005 Scheduled Task

reconnaissance (1)
T1595.002 Vulnerability Scanning

resource-development (3)
T1588.002 Tool
T1585.002 Email Accounts
T1583.001 Domains

stealth (4)
T1620 Reflective Code Loading
T1140 Deobfuscate/Decode Files or Information
T1027.010 Command Obfuscation
T1027.002 Software Packing

Indicators of compromise

No IOCs linked to this campaign yet.