A new wave of cyberattacks exploiting Microsoft SharePoint vulnerabilities has affected over 148 organizations globally. A ransomware crew deploying the 4L4MD4R variant joins forces with state-backed Chinese actors in a sophisticated digital siege, leaving global systems encrypted and held for ransom.
Chinese State-Backed Hackers, 4L4MD4R Gang Exploit Zero-Days in Coordinated Attack
A coordinated wave of cyberattacks has compromised more than 148 organizations worldwide using a newly uncovered SharePoint vulnerability chain dubbed “ToolShell.” The attackers include Chinese state-sponsored groups and a ransomware gang deploying a new variant named 4L4MD4R, derived from open-source malware.
Palo Alto Networks’ Unit 42 discovered this active ransomware operation after analyzing incidents in which malicious PowerShell commands were used to disable system defenses. Once a system is compromised, it receives an encrypted payload, decrypts it in memory, and launches the ransomware, which encrypts all files and demands 0.005 Bitcoin in ransom.
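A defender-side illustration of the behaviour described above, added here and not taken from Unit 42’s report or the article: a small triage pass over constructed PowerShell script-block log records that flags hosts where Defender tampering and an in-memory assembly load appear together. The host names, log text and rule patterns are all constructed assumptions, not indicators from the incidents.

```python
import re
from collections import defaultdict

# Constructed sample PowerShell script-block log records (the text field of
# Event ID 4104), keyed by host. Invented for illustration only.
SAMPLE_EVENTS = [
    ("sp-web-01", "Get-ChildItem C:\\inetpub\\wwwroot | Select-Object Name"),
    ("sp-web-02", "Set-MpPreference -DisableRealtimeMonitoring $true; "
                  "Set-MpPreference -DisableIOAVProtection $true"),
    ("sp-web-02", "$raw=[Convert]::FromBase64String($blob); "
                  "[System.Reflection.Assembly]::Load($dec).EntryPoint.Invoke($null,$null)"),
    ("sp-web-03", "Import-Module WebAdministration; Get-Website"),
    ("sp-web-04", "Set-MpPreference -ExclusionProcess notepad.exe"),
]

# The two stages the article names: switching off Defender features, then
# decrypting and launching a payload without writing it to disk.
RULES = {
    "defender_tamper": re.compile(
        r"Set-MpPreference\s+-Disable\w+\s+\$true", re.IGNORECASE),
    "in_memory_load": re.compile(
        r"\[System\.Reflection\.Assembly\]::Load\(", re.IGNORECASE),
}

def tag_events(events):
    """Return {host: set of rule names} for every host with at least one hit."""
    hits = defaultdict(set)
    for host, script in events:
        for name, pattern in RULES.items():
            if pattern.search(script):
                hits[host].add(name)
    return dict(hits)

def hosts_matching_chain(events):
    """Hosts where both stages fired. The combination is the high-confidence
    signal; either stage alone also shows up in legitimate admin tooling."""
    tagged = tag_events(events)
    return sorted(h for h, tags in tagged.items() if tags == set(RULES))

if __name__ == "__main__":
    for host, tags in sorted(tag_events(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(sorted(tags))}")
    print("escalate:", hosts_matching_chain(SAMPLE_EVENTS))
```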
Microsoft attributed the exploit to Linen Typhoon, Violet Typhoon, and Storm-2603, three Chinese government-linked groups. These groups are allegedly behind the compromise of major U.S. entities, including the Department of Education and the National Nuclear Security Administration.
Zero-Days Weaponized: Inside the Exploited CVEs and Patch Failures
The initial foothold was gained using two vulnerabilities, CVE-2025-49706 and CVE-2025-49704, which were allegedly being exploited even on fully patched SharePoint servers. The attack’s stealth and persistence led Microsoft to assign the threats new CVE identifiers: CVE-2025-53770 and CVE-2025-53771.
Although Microsoft released fixes in July’s Patch Tuesday updates, the malware had already spread across 400 servers. Cybersecurity firm Eye Security noted that many systems had remained compromised, undetected, for weeks or months. The Cybersecurity and Infrastructure Security Agency (CISA) has since ordered federal institutions to patch the vulnerability chain within 24 hours.
Global Fallout: Governments, Telecom Giants, and Critical Infrastructure Compromised
Victims of the ToolShell campaign include not only U.S. departments but also European, Middle Eastern, and North American government entities, telecom networks, and tech firms. Experts fear this signals a new phase of hybrid cyberwarfare, blending espionage, sabotage, and financial extortion.
The ransomware notes found on infected systems instruct victims to contact attackers via anonymous platforms, echoing the tactics of other ransomware-as-a-service (RaaS) gangs.
Security officials warn that this might be just the beginning. Piet Kerkhofs, CTO of Eye Security, has stated that the sophistication, scale, and simultaneous involvement of multiple threat actors point to a coordinated cyber offensive.