Attackers are not believed to have been linked to state-sponsored activity.
Palo Alto Networks Unit 42 researchers have begun an investigation into a purported 4L4MD4R ransomware attack facilitated by the exploitation of Microsoft SharePoint “ToolShell” vulnerabilities.
The researchers said the attackers not only deactivated real-time Windows Defender monitoring via PowerShell commands, but also circumvented certificate validation to enable the 4L4MD4R ransomware compromise.
The Unit 42 researchers, who are still looking into similar ransomware intrusions against other organisations, say the attackers are not believed to have been linked to state-sponsored activity.
According to Cybersecurity Dive, more than 800 of 17,000 internet-exposed Microsoft SharePoint instances remained vulnerable to the critical flaw, tracked as CVE-2025-53770, and at least 20 of those servers had been compromised with web shells, data from The Shadowserver Foundation revealed.
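The two behaviours the report attributes to the attackers, turning off Defender real-time monitoring and bypassing certificate validation, both leave traces in PowerShell Script Block Logging (Event ID 4104). The following detection sketch is an added example, not code from the article or from Unit 42; the sample events are constructed, and the command patterns it matches are assumptions about how those behaviours commonly appear, not the specific commands used in this intrusion.

```python
import re

# Constructed sample Script Block Logging (Event ID 4104) text fields.
# Illustrative only; not taken from the reported intrusion.
SAMPLE_EVENTS = [
    "Get-ChildItem C:\\inetpub\\wwwroot",
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}",
    "Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled",
    "Invoke-WebRequest -Uri https://example.invalid/p -SkipCertificateCheck",
]

# Assumed patterns for the two behaviours described in the article.
RULES = {
    # Defender real-time protection switched off via its management cmdlet.
    "defender_realtime_disabled": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I),
    # TLS certificate checks overridden in .NET or skipped by a web cmdlet.
    "cert_validation_bypass": re.compile(
        r"ServerCertificateValidationCallback\s*=|-SkipCertificateCheck\b", re.I),
}


def classify(script_block: str) -> list[str]:
    """Return the names of the rules matched by one script block."""
    return [name for name, rx in RULES.items() if rx.search(script_block)]


def scan(events: list[str]) -> list[tuple[int, list[str]]]:
    """Return (index, matched_rules) for every event hitting at least one rule."""
    hits = []
    for i, block in enumerate(events):
        matched = classify(block)
        if matched:
            hits.append((i, matched))
    return hits


if __name__ == "__main__":
    for i, rules in scan(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(rules)} :: {SAMPLE_EVENTS[i]}")
```

Reading the Defender status (event 3) is deliberately not flagged, so the rules key on the state change rather than on every mention of Defender.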
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show.
Outside work, Dan supports Tottenham Hotspur, manages mischievous cats, and samples the finest craft beers.