#ToolShell — Search

No JavaScript? That's cool, but you'll need to disable Turbo mode as it uses JavaScript in the client.

SOCRadar® @socradar · Dec 25, 2025

🚨 The top #CVEs of #2025 weren’t just severe - they were exploited fast. From #React2Shell to #ToolShell & #CitrixBleed2, attackers weaponized flaws before many orgs could #patch. 📊 socradar.io/blog/top-10-cv…

Top 10 CVEs of 2025: High-Impact Vulnerabilities & Exploitation Trends

This list highlights top 10 CVEs of 2025, not as a ranking, but as a curated snapshot of the vulnerabilities that dominated headlines and...

From socradar.io

164

Yaniv Radunsky @hasamba · Dec 7, 2025

Huntress found threat actors abusing Velociraptor for C2 after exploiting ToolShell (CVE-2025-49706) on SharePoint; MSI payloads traced to a common workers.dev host and a reused Cloudflare tunnel tag. #velociraptor #toolshell #CVE2025-49706 huntress.com/blog/velocirap…

Velociraptor Misuse, Pt. II: The Eye of the Storm | Huntress

Huntress reports an uptick in threat actors abusing the Velociraptor open-source DFIR tool, linked to incidents involving WSUS exploitation, VS Code tunnels, and more.

From huntress.com

166

Mr.Rabbit @01ra66it · Dec 2, 2025

新報告：SharePointのToolShell脆弱性 (CVE-2025-53770/53771) を狙い、Webシェルではなくインメモリ実行型ペイロードが使われている。ネットワークログ＆PCAPでのハンティング必須。#SharePoint #ToolShell #SANSISC isc.sans.edu/diary/32524

[Guest Diary] Hunting for SharePoint In-Memory ToolShell Payloads

[Guest Diary] Hunting for SharePoint In-Memory ToolShell Payloads, Author: Jesse La Grew

From isc.sans.edu

685

Alexander Leonov @leonov_av · Nov 13, 2025

🔎 ToolShell's original SharePoint RCE (CVE-2025-49704): demoed at Pwn2Own; PoCs on GitHub; observed exploited in the wild since July 7. #Microsoft #ToolShell #SharePoint ➡️ t.me/avleonovcom/16…Z

244

Gamers_Rabo @Gamers_Rabo · Nov 13, 2025

🛡️【今日の出来事｜ラックが「LAC Security Insight 2025秋」公開】 2025年11月13日、株式会社ラックが最新レポート「LAC Security Insight 第14号 2025秋」を発表注目は「ToolShell」セキュリティ担当者必読 #セキュリティ #JSOC #ToolShell #マルウェア #LAC #インシデント対応 #脅威分析

Pierluigi Paganini - Security Affairs @securityaffairs · Oct 24, 2025

#China-linked hackers exploit patched #ToolShell flaw to breach Middle East Telecom securityaffairs.com/183800/securit… #securityaffairs #hacking @symantec

295

Cybersecurity News Everyday @TweetThreatNews · Oct 24, 2025

Chinese-linked hackers exploited the ToolShell SharePoint vulnerability (CVE-2025-53770) shortly after Microsoft’s patch, targeting telecoms in the Middle East and beyond using loaders like Zingdoor and KrustyLoader. #ToolShell #MiddleEast ift.tt/05a8Uyc

197

twelvesec @twelvesec · Oct 23, 2025

China associated #hackers have leveraged the #ToolShell #vulnerability (CVE-2025-53770) in #Microsoft #SharePoint #cyberattacks targeting government agencies, universities, telecommunication service providers, and finance organisations. #CyberSecurity ift.tt/SM98RkY

137

Cybersecurity News Everyday @TweetThreatNews · Oct 23, 2025

Warlock ransomware surfaced mid-2025 via exploitation of a Microsoft SharePoint zero-day (CVE-2025-53770), linked to China-backed group Storm-2603 using reused stolen certs and DLL sideloading techniques. #China #ToolShell #LockBit ift.tt/lZ8enaR

Warlock Ransomware: Old Actor, New Tricks?

Warlock emerged in June–July 2025 after being deployed via exploitation of the ToolShell Microsoft SharePoint zero-day (CVE-2025-53770) by a China-linked actor tracked as Storm-2603, which also used...

From hendryadrian.com

300

Cybersecurity News Everyday @TweetThreatNews · Oct 22, 2025

Chinese threat groups Linen Typhoon and Violet Typhoon exploit ToolShell vulnerability to breach governments, telecoms, and universities in Africa and South America, deploying Zingdoor, ShadowPad, and ransomware. #Africa #ToolShell #ChineseEspionage ift.tt/krOFM5q

101

omvapt @omvapt · Oct 22, 2025

#Sharepoint #ToolShell #attacks targeted orgs across four continents ift.tt/SM98RkY

E-TARD THE LIFECASTER @etard_webcam · Oct 22, 2025

"#Chinese Threat Actors #Exploit #ToolShell #SharePoint Flaw Weeks After #Microsoft's July Patch" thehackernews.com/2025/10/chines… I'm sure "FUCK Microsoft!!!!!!" is what many admin's are saying right now. @Microsoft=💩 #Linux =🐧 #CyberSecurityNews #TechNews #Windows #WindowsServerGW

199

Brier & Thorn México @BrierandThornMX · Oct 22, 2025

Actores de amenazas con vínculos con China explotaron la vulnerabilidad de seguridad de #ToolShell en #MicrosoftSharePoint para atacar a una empresa de telecomunicaciones en Medio Oriente. #2025 #Infosec #BT thehackernews.com/2025/10/chines…

Chinese Threat Actors Exploit ToolShell SharePoint Flaw Weeks After Microsoft's July Patch

Chinese threat actors exploited a patched SharePoint flaw, CVE-2025-53770, in global espionage attacks.

From thehackernews.com

Threat Intelligence @threatintel · Oct 22, 2025

#Warlock #ransomware: Old actor, new tricks? - #ToolShell vuln used in attacks by China-based actor. Read more: security.com/threat-intelli…

Warlock Ransomware: Old Actor, New Tricks?

The China-based actor behind the Warlock ransomware may not be a new player and has links to malicious activity dating as far back as 2019.

From security.com

1.5K

Threat Intelligence @threatintel · Oct 22, 2025

#ToolShell Used to Compromise Telecoms Company in Middle East - #ZingDoor and #KrustyLoader also used in attacks that hit victims in a variety of countries and sectors. Read more: security.com/threat-intelli…

ToolShell Used to Compromise Telecoms Company in Middle East

China-based threat actors also compromised networks of government agencies in countries in Africa and South America.

From security.com

1.4K

SwitHak (👁) @SwitHak · Oct 22, 2025

#ToolShell Used to Compromise Telecoms Company in Middle East | By @symantec ↘️ security.com/blog-post/tool…

201