SharePoint Remains under Attack: New Variants Emerge


Cybercriminals continue to target SharePoint servers aggressively. Servers exposed through the vulnerabilities have been bombarded with ransomware for weeks, with attackers encrypting files and demanding payment.

Since the discovery of several critical vulnerabilities in SharePoint in July, the document platform has become a favored target. According to Unit 42, the research team of security company Palo Alto, hackers are developing new attack and ransomware variants to exploit the vulnerabilities.

Researchers detected an active ransomware campaign where malicious actors exploit four vulnerabilities in SharePoint, including CVE-2025-53770 and CVE-2025-49706. The attacks lead to the deployment of the 4L4MD4R ransomware, which encrypts files and demands ransom. In a blog, the attack method is described in detail.

SharePoint Attacked with Ransomware

The vulnerabilities have been actively exploited since July 17, 2025. The attacks target SharePoint servers through an attack chain known as ToolShell. A failed attempt on July 27 led to the discovery of ransomware downloaded from an external server.

The ransomware, a variant of the open-source Mauri870 project, is loaded into memory and encrypts local files. A ransom note then appears demanding payment.

Upon execution, the ransomware leaves two files on the desktop: DECRYPTION_INSTRUCTIONS.html and ENCRYPTED_LIST.html. Through a configured C2 server, the malware sends encrypted data from the affected system. The ransomware is distributed using PowerShell commands that disable real-time protection, among other things.

Changing Tactics

Behind the exploitation appears to be a group categorized by Unit 42 as CL-CRI-1040. The infrastructure and attack methods evolved during the campaign. The group switched between deploying .NET modules and web shells with similar functionality, depending on public attention and detection.

Prior to the attack, the perpetrators conduct reconnaissance using automated scripts. They use exit nodes to conceal their origin. Researchers observed an identical pattern of target scans and exploitation attempts each time, indicating the use of a pre-established target list.

The attack campaign shows overlap with a cluster that Microsoft designates as Storm-2603. One IP address has been linked to the same exploitation by both parties. The ransomware campaign proceeds in two clear phases: a preparatory phase and a phase where exploit code became publicly available.

Recommendations and Mitigation

The findings once again show that vulnerable SharePoint servers are actively targeted by hackers. Since the start of the attacks, at least four hundred servers have been affected.


Microsoft has since released security updates for the involved vulnerabilities. It is crucial to install these patches, but that is not enough if attackers are already inside. Actively check your servers for signs of intrusion and disconnect them from the internet as soon as possible if suspicious activity is detected.
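As a starting point for the intrusion check the article recommends, here is an added triage script (not code from the article or from Unit 42) that looks for the two indicators named above: the ransom note files dropped on the desktop and a disabled Defender real-time protection. It assumes it runs elevated on the SharePoint host and that the Defender PowerShell cmdlets (Get-MpComputerStatus, Get-MpPreference) are available; the Defender event ID 5001 query is an assumed additional check for a protection-disabled event that was later re-enabled.

```powershell
# Added example, not from the article or Unit 42. Run elevated on the SharePoint server.
$RansomNoteNames = @('DECRYPTION_INSTRUCTIONS.html', 'ENCRYPTED_LIST.html')
$Findings = @()

# 1. Look for the ransom note and encrypted-file list on every profile's desktop.
$Desktops = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'Desktop' } |
    Where-Object { Test-Path $_ }
foreach ($Desktop in $Desktops) {
    foreach ($Name in $RansomNoteNames) {
        $Candidate = Join-Path $Desktop $Name
        if (Test-Path -LiteralPath $Candidate) {
            $Findings += "Ransom artifact present: $Candidate"
        }
    }
}

# 2. Verify Defender real-time protection has not been switched off.
try {
    $Status = Get-MpComputerStatus -ErrorAction Stop
    $Pref   = Get-MpPreference -ErrorAction Stop
    if (-not $Status.RealTimeProtectionEnabled -or $Pref.DisableRealtimeMonitoring) {
        $Findings += 'Defender real-time protection is currently disabled'
    }
} catch {
    $Findings += "Could not query Defender status: $($_.Exception.Message)"
}

# 3. Assumed check: Defender logs event 5001 when real-time protection is turned off,
#    which still shows up if an attacker disabled it and it was later re-enabled.
$Disabled = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001
} -MaxEvents 5 -ErrorAction SilentlyContinue
foreach ($Evt in $Disabled) {
    $Findings += "Real-time protection was disabled at $($Evt.TimeCreated)"
}

# 4. Report. Any finding warrants isolating the host, as the article advises.
if ($Findings.Count -eq 0) {
    Write-Output 'No indicators from this check were found.'
} else {
    $Findings | ForEach-Object { Write-Output "ALERT: $_" }
    exit 1
}
```

A clean result from this script does not prove the server is uncompromised; it only covers the artifacts this article describes.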