CVE-2025–53770/TOOLSHELL: HUNTING DOWN THE ATTACKER TECHNIQUES & VICTIMS

NOTE: This investigative report not only includes data from the advisories published by Microsoft, Eye Security and Palo Alto Networks; it also leverages their malicious indicators to uncover a few more indicators and extend the research.

Representation of ToolShell Vulnerability | Credit: AI-Gen

INDEX

1. INTRODUCTION
2. GEO-IMPACT OF CURRENT TOOLSHELL EXPLOIT
3. TOOLSHELL EXPLOIT INTEL
 3.1 WEBPAGE EXPLOIT ANALYSIS
 3.1.1 THREAT HUNT
 3.2 SHELL COMMAND ANALYSIS
 3.2.1 Key Observations of Shell Commands
4. MITRE ATT&CK FRAMEWORK
5. POSSIBLE IOCS
6. QUICK GLANCE
7. IOC

INTRODUCTION

CVE-2025–53770 is a critical deserialization vulnerability affecting on-premises Microsoft SharePoint Server, and it’s already being actively exploited in the wild. Microsoft has acknowledged the threat and issued interim mitigations while a full patch is being finalized.

GEO-IMPACT OF CURRENT TOOLSHELL EXPLOIT

I ran different queries related to SharePoint services on various scanner platforms and found the following data:

Used queries to find SharePoint Instances

NOTE: The results may contain duplicates depending on the parameters used, so you may encounter the same hosts while changing the filters; the record still gives a usable estimate.

Here are some snapshots of the same:

Total Vuln Victims in Shodan Scan: Microsoft SharePoint

In the following record, we can see that this query yields the lowest result (#VictimCount).

Vuln Victims of Microsoft SharePoint: 16.0.0.10371

The following result is for version 16.0.0.10337, which is SharePoint 2019 on-premises.

Vuln Victims of Microsoft SharePoint: 16.0.0.10337

From the above query, it is found that the country with the most affected servers (for this specific SharePoint version) is Iran, followed by the US, Ireland, Germany and Russia.

This differs from the results for other parameters, where the US and Germany generally top the list.

So if you spot a large infection rate in Iran 🇮🇷, now you know which parameter the attackers used to exploit 😉

Another interesting fact is that Greece 🇬🇷 became the 5th most affected (by SharePoint usage) for “MicrosoftSharePointTeamServices: 16.0.0.17928”, which was released on June 10, 2025.

Scan for Version 16.0.0.17928

NOTE: Some of the hosts have already moved away from this architecture, which helps to mitigate the current exploit.

One of the vulnerable open instances looks like this:

An example of Vulnerable Sharepoint Server

TOOLSHELL EXPLOIT INTEL

Based on the indicators provided in Eye Security's advisory, I was able to uncover a few more indicators which could be useful for hunting the victims (for research purposes).

The infection vector of this exploit was observed on 18th July 2025 as per Eye Security; however, as per my investigation, the infection started much earlier, on 25th June 2025 (a month before), by dropping a batch of files chained to the exploit file named “cve.ps1” (MD5: 8cfb22aa48af3815b127c24ad9662d76).

VT Record of CVE

The threat actors bundled the most malicious files together to evade detection (as some sandboxes skip .log files). One example here is powershell.exe.log (MD5: bd3d4d19c81f11175d7f43234d3dc8d8).

3.1 WEBPAGE EXPLOIT ANALYSIS

While checking the contacted URLs of spinstall0.aspx, a URL was found to have been contacted on 9th July 2025.

http://clients2.google.com/time/1/current?cup2key=8:qOPHuaj4LhASKGNjg7vDZTc_OZXu7qqtpjbUfr3G2ko&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

This URL is a part of Google’s Client Update Protocol (CUP), specifically the CUPv2 ECDSA variant, which is used by Chrome and other Google software to verify update integrity when TLS alone isn’t sufficient.

It’s used to fetch time synchronization data or validate update freshness during Chrome’s background operations. The cup2key and cup2hreq parameters are part of the CUPv2 protocol:

  • cup2key=8:... → identifies the keypair and nonce used for ECDSA signature verification.
  • cup2hreq=... → is a SHA-256 hash of the request body, used to detect tampering.

NOTE: CUP ensures that update requests and responses haven’t been modified in transit. It’s a defense-in-depth mechanism, especially useful when TLS might be intercepted or proxied.

As this URL is contacted by the malicious web page (ASPX), it is:

  • Used as a decoy to blend malicious traffic with benign update checks.
  • Spoofed to appear legitimate and bypass detection.
  • Triggered by embedded Chrome components (e.g., via w3wp.exe or sandboxed browser instances).

As it is a legitimate Google domain, it is assumed that the threat actors tried to blend their traffic with Google CUP to evade any alerts.

NOTE: When you visit the URL, a file named “json.txt” (1.03 KB) is downloaded containing the current system time.

The following response was received at my end (when I ran the file):

)]}'
{"current_time_millis":1753146203195,"server_nonce":-7.008606881669199E-93}

The current time is the system time (when I ran the file), and the value -7.008606881669199E-93 is a very small negative floating-point number, likely a placeholder or malformed nonce. In CUPv2, the nonce is usually a 256-bit random value used to ensure freshness and prevent replay attacks.

BUT HERE IS THE CATCH…

When I ran the file again, I received another response:

)]}'
{"current_time_millis":1753147400755,"server_nonce":4.9516339205539896E272}

This time, it is a high value (compared to the last one). Hence, the astronomical difference between these values suggests that:

  • The file is not interacting with the real CUP endpoint (it is spoofing CUP behaviour), OR
  • It is parsing the response incorrectly, possibly due to a broken or intentionally obfuscated implementation.

A legitimate server_nonce is typically a 256-bit random value, often represented as a large integer or hex string — not a floating-point number in scientific notation.

Hence, we can conclude that a malware component is mimicking CUP traffic with randomized or malformed nonce generation to evade detection or to blend in as unnoticed traffic.

THREAT HUNT

If you want to catch the pattern explained above, look for cup2key=8:qOPHuaj4LhASKGNjg7vDZTc_OZXu7qqtpjbUfr3G2ko and cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.

Here is the YARA rule for detecting such CUP spoofing:

rule CUP_Nonce_Malformed_Artifact
{
    meta:
        description = "Detects CUP spoofing or emulation via malformed server_nonce values"
        author = "THE RAVEN FILE"
        threat_level = "medium"
        // YARA meta values must be strings, integers or booleans, not lists
        tags = "CUP, emulation, sandbox-evasion, behavioral-mimicry"

    strings:
        // anti-XSSI prefix seen in front of the JSON (no letters, so nocase adds nothing)
        $prefix = ")]}'"
        // key version 8 followed by the base64url nonce; '-' placed last so it is literal, not a range
        $key_param = /cup2key=8:[A-Za-z0-9_-]+/
        $hreq_param = /cup2hreq=[a-f0-9]{64}/
        // server_nonce rendered as a float in scientific notation, e.g. -7.008606881669199E-93
        $nonce_float = /server_nonce"\s*:\s*-?\d+\.\d+E[+-]?\d+/

    condition:
        any of ($prefix, $key_param, $hreq_param) and $nonce_float
}

Potentially related IPs are listed in the section titled “POSSIBLE IOCS” below.
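As an added illustration of the hunt described above (this is not code from the original report), the Python below pulls cup2key/cup2hreq out of a URL, checks the cup2hreq value against the SHA-256 of the request body (the reported value is exactly the hash of an empty body), and classifies the raw server_nonce text the way the report does, before json.loads() would hide the scientific notation. The sample URL and the first two response bodies are the report's captures; the third sample and all function names are constructed for this example.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# cup2hreq value contacted by spinstall0.aspx, as quoted in the report.
REPORTED_HREQ = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
XSSI_PREFIX = ")]}'"  # prefix in front of the JSON in both captured responses
SCI_FLOAT = re.compile(r"^-?\d+\.\d+E[+-]?\d+$")
RAW_NONCE = re.compile(r'"server_nonce"\s*:\s*("?)([^",}\s]+)\1')

def parse_cup_url(url):
    """Return (key_version, nonce, hreq) from a CUPv2-style URL, or None if the params are absent."""
    qs = parse_qs(urlsplit(url).query)
    if "cup2key" not in qs or "cup2hreq" not in qs:
        return None
    key_version, _, nonce = qs["cup2key"][0].partition(":")
    return key_version, nonce, qs["cup2hreq"][0].lower()

def hreq_matches_body(hreq, body=b""):
    """cup2hreq is the SHA-256 of the request body; the reported value is the hash of an empty body."""
    return hashlib.sha256(body).hexdigest() == hreq

def nonce_shape(body):
    """Classify server_nonce from the raw response text (json.loads would hide the notation)."""
    m = RAW_NONCE.search(body)
    if not m:
        return "missing"
    raw = m.group(2)
    if SCI_FLOAT.match(raw):
        return "float-scientific"  # the shape the report treats as malformed
    if re.fullmatch(r"[0-9a-fA-F]{64}", raw):
        return "hex-256"
    return "integer" if raw.lstrip("-").isdigit() else "other"

def hunt(samples):
    findings = []  # one finding per (url, body) pair that carries cup2key/cup2hreq
    for url, body in samples:
        parsed = parse_cup_url(url)
        if parsed is None:
            continue
        key_version, _, hreq = parsed
        findings.append({"key_version": key_version, "reported_hreq": hreq == REPORTED_HREQ,
                         "hreq_is_empty_body": hreq_matches_body(hreq),
                         "xssi_prefix": body.startswith(XSSI_PREFIX), "nonce_shape": nonce_shape(body)})
    return findings

CUP_URL = ("http://clients2.google.com/time/1/current?cup2key=8:qOPHuaj4LhASKGNjg7vDZTc_OZXu7qqtpjbUfr3G2ko"
           "&cup2hreq=" + REPORTED_HREQ)
# Constructed samples: the first two bodies are the report's captures; the third is an invented contrast case.
SAMPLES = [
    (CUP_URL, ")]}'\n{\"current_time_millis\":1753146203195,\"server_nonce\":-7.008606881669199E-93}"),
    (CUP_URL, ")]}'\n{\"current_time_millis\":1753147400755,\"server_nonce\":4.9516339205539896E272}"),
    ("http://updates.example.invalid/cup?cup2key=8:n0nce&cup2hreq=" + "00" * 32,
     '{"current_time_millis":1,"server_nonce":"' + "ab" * 32 + '"}'),
]
```

Run hunt(SAMPLES) over proxy-log URL/body pairs; a finding with reported_hreq set and nonce_shape "float-scientific" is the exact pattern the report describes.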

3.2 SHELL COMMAND ANALYSIS

While digging deeper into the shell commands that were passed in, the following details were observed:

Abuse of Microsoft Edge Utility Processes in Exploit Chain

During forensic analysis of a SharePoint exploit, three distinct Microsoft Edge invocations were identified. Each serves a unique function within Chromium’s architecture, yet collectively they reveal a strategy of behavioral mimicry and sandbox evasion:

1. Network Utility Process

msedge.exe --type=utility --utility-sub-type=network.mojom.NetworkService --service-sandbox-type=none …

  • Launches Edge’s background network service.
  • Sandboxing is explicitly disabled, allowing elevated operations with reduced restrictions.
  • Potentially abused to initiate network calls that evade firewall rules or proxy filters by appearing browser-native.

2. Crashpad Handler

msedge.exe --type=crashpad-handler --user-data-dir=… --database=… --annotation=… …

  • Manually invokes Chromium’s crash telemetry service.
  • Spoofs build and version metadata using `--annotation` flags.
  • May be used to suppress legitimate error reporting or fingerprint execution environments, especially in sandboxed setups.

3. GPU Process

msedge.exe --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAM… --no-appcompat-clear …

  • Launches Edge’s GPU rendering engine silently.
  • Uses a base64-encoded preference string to customize GPU behavior.
  • This component is frequently targeted to bypass GPU sandboxing, allocate memory buffers, or trigger rendering-based evasion techniques.

Key Observations of Shell Commands

  • Silent execution via modular Chromium components prevents visual cues.
  • Sandbox evasion flags (`--service-sandbox-type=none`, `--no-appcompat-clear`) appear consistently.
  • Invocations likely stem from a non-browser parent process, indicating malicious control over browser utilities.
  • Aligns with tactics seen in behavioral mimicry and tooling overlap with other post-exploitation frameworks.

Here is the YARA rule for detecting the above:

rule Edge_Utility_Abuse_SharePointExploit
{
    meta:
        description = "Detects Microsoft Edge utility process abuse seen in SharePoint exploit chains"
        author = "THE RAVEN FILE"
        threat_level = "medium"
        // YARA meta values must be strings, integers or booleans, not lists
        tags = "Edge, utility, sandbox-evasion, behavioral-mimicry, SharePoint"
        version = "1.0"

    strings:
        // Network service abuse
        $net_util_type = "--type=utility"
        $net_subtype = "network.mojom.NetworkService"
        $disable_sandbox = "--service-sandbox-type=none"

        // Crashpad manipulation
        $crashpad_type = "--type=crashpad-handler"
        $annotation_build = "--annotation=IsOfficialBuild=1"
        $annotation_exe = "--annotation=exe="
        $annotation_chromium = "--annotation=chromium-version="

        // GPU abuse
        $gpu_type = "--type=gpu-process"
        $gpu_preferences = "--gpu-preferences="
        $no_compat_clear = "--no-appcompat-clear"

        // Shared signals
        $prefetch2 = "/prefetch:2"
        $prefetch3 = "/prefetch:3"
        $prefetch4 = "/prefetch:4"
        $mojo_channel = "--mojo-platform-channel-handle="
        $field_trial = "--field-trial-handle="

    condition:
        // every declared string must be referenced, otherwise YARA refuses to compile the rule
        4 of ($net_util_type, $net_subtype, $disable_sandbox,
              $crashpad_type, $annotation_build, $annotation_exe, $annotation_chromium,
              $gpu_type, $gpu_preferences, $no_compat_clear,
              $prefetch2, $prefetch3, $prefetch4,
              $mojo_channel, $field_trial)
}

It detects:

  • Abuse of Edge’s network service, GPU process, or Crashpad handler
  • Manual invocations that should normally be internal or browser-controlled
  • Consistent flags like --service-sandbox-type=none, annotated metadata, and base64-style GPU prefs
  • Prefetch values that suggest startup performance tuning — common in stealthy execution
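As an added example (not the report's own tooling), the Python below triages process-creation events for the three Edge invocations: it extracts --type and --utility-sub-type, flags the sandbox-evasion flags named above, and, following the key observation that the invocations stem from a non-browser parent, groups suspicious child types by parent so the full utility/crashpad/gpu chain under one parent stands out. The events are constructed from abridged versions of the report's shell commands; the w3wp.exe parent and the function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

EDGE_EXE = "msedge.exe"
# Flags the report singles out as sandbox-evasion signals in the three invocations.
SUSPECT_FLAGS = ("--service-sandbox-type=none", "--no-appcompat-clear")
TYPE_RE = re.compile(r"--type=([\w-]+)")
SUBTYPE_RE = re.compile(r"--utility-sub-type=([\w.]+)")

def image_name(path):
    """Lower-case file name of a Windows image path (surrounding quotes tolerated)."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage_event(event):
    """Verdict for one process-creation event (dict with Image, ParentImage, CommandLine,
    Sysmon event 1 style); returns None when the image is not msedge.exe."""
    if image_name(event["Image"]) != EDGE_EXE:
        return None
    cmd, parent = event["CommandLine"], image_name(event["ParentImage"])
    m, sub = TYPE_RE.search(cmd), SUBTYPE_RE.search(cmd)
    reasons = []
    # Edge spawns its own utility/crashpad/gpu children; any other parent is the report's key tell.
    if parent != EDGE_EXE:
        reasons.append("parent is " + parent)
    reasons += [f for f in SUSPECT_FLAGS if f in cmd]
    return {"type": m.group(1) if m else "browser", "subtype": sub.group(1) if sub else None,
            "parent": parent, "reasons": reasons,
            "verdict": "suspicious" if reasons else "expected"}

def chain_by_parent(events):
    """Map each parent to the sorted set of suspicious Edge child types it launched; one
    non-browser parent driving utility, crashpad-handler and gpu-process is the chain described."""
    chains = defaultdict(set)
    for ev in events:
        t = triage_event(ev)
        if t and t["verdict"] == "suspicious":
            chains[t["parent"]].add(t["type"])
    return {p: sorted(types) for p, types in chains.items()}

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"  # assumed parent for illustration only
# Constructed sample events: command lines abridged from the report's IOC section.
EVENTS = [
    {"Image": EDGE, "ParentImage": W3WP, "CommandLine": '"' + EDGE + '" --type=utility '
     '--utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none '
     '--no-appcompat-clear /prefetch:3'},
    {"Image": EDGE, "ParentImage": W3WP, "CommandLine": '"' + EDGE + '" --type=crashpad-handler '
     '--annotation=IsOfficialBuild=1 --annotation=chromium-version=122.0.6261.129 /prefetch:4'},
    {"Image": EDGE, "ParentImage": W3WP, "CommandLine": '"' + EDGE + '" --type=gpu-process '
     '--no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAM /prefetch:2'},
    # ordinary renderer child spawned by the browser itself: should come back "expected"
    {"Image": EDGE, "ParentImage": EDGE, "CommandLine": '"' + EDGE + '" --type=renderer --lang=en-US'},
]
```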

MITRE ATT&CK FRAMEWORK

I am sharing the MITRE ATT&CK techniques for the two cases explained above.

CUP Protocol Abuse (Client Update Protocol Spoofing)

Edge Utility Shell Command Abuse

POSSIBLE IOCS

Here are some additional IOCs obtained by enriching the known indicators.

These domains could be associated with ToolShell (CVE-2025–53770), as they are associated with the IP 204.79.197.203, a Microsoft server repeatedly seen in the ToolShell exploit.

  • tu9srvbirvvtmjmkby5hb2xjzg4uy29t.g00.msn.com
  • tu9srvbirvvtmjmkdxmuzmxpchauy29t.g00.msn.com
  • tu9srvbirvvtmtkkzwiyljnsawz0lmnvbq00.g00.msn.com
  • tu9srvbirvvtmjikzglzlmnyaxrlby5jb200.g00.msn.com

A batch of IPs found for the CUP spoofing web page explained above:

  • 162.159.36.2
  • 199.232.210.172
  • 199.232.214.172
  • 20.59.87.226

QUICK GLANCE

1. The attacker relied on Microsoft, Google, Cloudflare, Akamai and Fastly servers for communication
2. The only different hosting provider other than the mentioned is: G-Core Labs
3. G-Core Labs was previously used in 0-Day Exploitation back in 2023 for Barracuda ESG Zero-Day and ArcaneDoor Campaign in 2024
4. Using old malicious files such as Log Files to evade detection
5. The Attacker used VULTR Server to host malicious exploits

Check Microsoft Official Documentation for the Security Practices here.

IOC

MD5
===
d0bccf604f3721ec41f1142dda23f32f
c4cbf79c7121e72888b56a670ac297e2
8cfb22aa48af3815b127c24ad9662d76
02b4571470d83163d103112f07f1c434

IP ADDRESS
==========

MUTEX
=====

SHELL COMMANDS
==============

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\<USER>\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\<USER>\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.129 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.92 --initial-client-data=0x32c,0x330,0x334,0x320,0x33c,0x7ffe36245fd8,0x7ffe36245fe4,0x7ffe36245ff0

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2008 --field-trial-handle=2012,i,12650265738373312090,18255860307602277582,262144 --variations-seed-version /prefetch:2

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2348 --field-trial-handle=2012,i,12650265738373312090,18255860307602277582,262144 --variations-seed-version /prefetch:3

Follow me on Twitter for interesting DarkWeb/InfoSec Short findings! 😉

NOTE:- The article is purely Individual Research and is only associated with THE RAVEN FILE and is not subjected to be used/published anywhere without the Author’s consent.

Responses to “CVE-2025–53770/TOOLSHELL: HUNTING DOWN THE ATTACKER TECHNIQUES & VICTIMS”

  1. […] but collectively reveals a method of behavioral mimicry and sandbox evasion,” Krishnan noted, whereas additionally calling consideration to the online shell’s use of Google’s […]

  2. […] “Each plays its own role within Chromium's architecture, but collectively they reveal a strategy of behavioral mimicry and sandbox evasion,” Krishnan noted, also calling attention to the web shell's use of Google's Client Update Protocol (CUP) to “blend malicious traffic with ordinary update checks.” […]

  3. […] yet collectively reveals a strategy of behavioral mimicry and sandbox evasion,” Krishnan noted, while also calling attention to the web shell’s use of Google’s Client Update Protocol […]


  14. […] but collectively reveals a technique of behavioral mimicry and sandbox evasion,” Krishnan famous, whereas […]

  15. […] CVE-2025–53770/TOOLSHELL: HUNTING DOWN THE ATTACKER TECHNIQUES & VICTIMS […]
