Linen Typhoon and Violet Typhoon ToolShell SharePoint initial-access campaign
Campaign
Summary
Hide ▲
Show ▼
Linen Typhoon and Violet Typhoon are tied to a strategic SharePoint initial-access campaign that is targeting government, defense, academia, and NGO organizations. The activity uses the ToolShell exploit chain against CVE-2025-53770 and CVE-2025-53771, making exposed SharePoint servers a high-risk entry point for follow-on compromise.
Related Happenings
Microsoft releases RoguePlanet Defender security update for CVE-2026-50656
Security Patch Release
H score32
First: 17.06.2026 20:36
Last: 17.06.2026 20:36
Sources 1
About this happening:
**Microsoft** has released a **security update** for **CVE-2026-50656**, remediating **RoguePlanet** in the **Microsoft Malware Protection Engine (mpengine.dll)**. The flaw is a *...
Microsoft releases RoguePlanet Defender security update for CVE-2026-50656
Security Patch ReleaseAbout this happening: **Microsoft** has released a **security update** for **CVE-2026-50656**, remediating **RoguePlanet** in the **Microsoft Malware Protection Engine (mpengine.dll)**. The flaw is a *...
Latest development: 09.07.2026 11:48
Microsoft released security updates for CVE-2026-50656, remediating the RoguePlanet privilege-escalation flaw in Microsoft Malware Protection Engine (mpengine.dll) with version 1.1.26060.3008 and additional defense-in-depth updates. Microsoft said no customer action is required to install the update.
Rising critical Microsoft vulnerabilities across Windows, Azure, Dynamics 365, and Office
Trend
H score19
First: 19.05.2026 17:00
Last: 19.05.2026 17:00
Sources 1
About this happening:
Microsoft’s vulnerability volume stayed broadly stable, but **critical flaws** doubled year over year across **Windows, Azure, Dynamics 365, and Office**, increasing the likelihoo...
Rising critical Microsoft vulnerabilities across Windows, Azure, Dynamics 365, and Office
TrendAbout this happening: Microsoft’s vulnerability volume stayed broadly stable, but **critical flaws** doubled year over year across **Windows, Azure, Dynamics 365, and Office**, increasing the likelihoo...
OpenAI launches Daybreak cybersecurity initiative for AI-powered vulnerability detection and patch validation
Security Tool/Service
H score25
First: 12.05.2026 09:55
Last: 12.05.2026 09:55
Sources 1
About this happening:
OpenAI's **Daybreak** launch adds an **AI-powered cybersecurity service** for **vulnerability detection** and **patch validation**, helping organizations fix flaws before attacker...
OpenAI launches Daybreak cybersecurity initiative for AI-powered vulnerability detection and patch validation
Security Tool/ServiceAbout this happening: OpenAI's **Daybreak** launch adds an **AI-powered cybersecurity service** for **vulnerability detection** and **patch validation**, helping organizations fix flaws before attacker...
Sitecore actively exploited zero-day vulnerability (CVE-2025-53690)
Vulnerability
H score34
First: 16.01.2026 09:18
Last: 16.01.2026 09:18
Sources 1
About this happening:
**CVE-2025-53690** is a **critical Sitecore vulnerability** under **active exploitation** for **initial access**. **CISA** advised **FCEB agencies** to update **Sitecore** by **Se...
Sitecore actively exploited zero-day vulnerability (CVE-2025-53690)
VulnerabilityAbout this happening: **CVE-2025-53690** is a **critical Sitecore vulnerability** under **active exploitation** for **initial access**. **CISA** advised **FCEB agencies** to update **Sitecore** by **Se...
Operation PCPcat credential-exfiltration campaign
Campaign
H score89
First: 16.12.2025 10:21
Last: 16.12.2025 10:21
Sources 1
About this happening:
The **Operation PCPcat** campaign is now linked to **industrial-scale data exfiltration**, with defenders estimating **59,128 servers** already breached. The operation leverages *...
Operation PCPcat credential-exfiltration campaign
CampaignAbout this happening: The **Operation PCPcat** campaign is now linked to **industrial-scale data exfiltration**, with defenders estimating **59,128 servers** already breached. The operation leverages *...
Timeline
-
24.10.2025 14:29 1 articles · 8mo ago
ToolShell exploitation observed against internet-facing SharePoint servers
Exploitation ObservedActive exploitation of internet-facing SharePoint servers through ToolShell, using CVE-2025-53770 and CVE-2025-53771, was first observed in the wild on July 18, 2025.
Show sources
- Threat Actors Ramp Up Public App Exploits as ToolShell Gains Traction — www.infosecurity-magazine.com — 24.10.2025 14:29
-
23.10.2025 14:29 1 articles · 8mo ago
Talos IR links SharePoint compromise to later ransomware follow-on
Technical Analysis UpdateTalos IR said a victim organization hit by ToolShell exploitation against a SharePoint server later experienced a ransomware attack, and analysis indicated credential-stealing malware was moved from the affected public-facing SharePoint server to a SharePoint database server on the victim's internal network.
Show sources
- Threat Actors Ramp Up Public App Exploits as ToolShell Gains Traction — www.infosecurity-magazine.com — 24.10.2025 14:29