Find notable cyber news and cases, enriched with sources, timelines, and signals.

Linen Typhoon and Violet Typhoon ToolShell SharePoint initial-access campaign

Campaign
First reported
Last updated
Happening score
H score 38
1 unique sources, 1 articles

Summary

Hide ▲

Linen Typhoon and Violet Typhoon are tied to a strategic SharePoint initial-access campaign that is targeting government, defense, academia, and NGO organizations. The activity uses the ToolShell exploit chain against CVE-2025-53770 and CVE-2025-53771, making exposed SharePoint servers a high-risk entry point for follow-on compromise.

Related Happenings

Microsoft releases RoguePlanet Defender security update for CVE-2026-50656

Security Patch Release
H score32 First: 17.06.2026 20:36 Last: 17.06.2026 20:36 Sources 1

About this happening: **Microsoft** has released a **security update** for **CVE-2026-50656**, remediating **RoguePlanet** in the **Microsoft Malware Protection Engine (mpengine.dll)**. The flaw is a *...

Latest development: 09.07.2026 11:48

Microsoft released security updates for CVE-2026-50656, remediating the RoguePlanet privilege-escalation flaw in Microsoft Malware Protection Engine (mpengine.dll) with version 1.1.26060.3008 and additional defense-in-depth updates. Microsoft said no customer action is required to install the update.

Rising critical Microsoft vulnerabilities across Windows, Azure, Dynamics 365, and Office

Trend
H score19 First: 19.05.2026 17:00 Last: 19.05.2026 17:00 Sources 1

About this happening: Microsoft’s vulnerability volume stayed broadly stable, but **critical flaws** doubled year over year across **Windows, Azure, Dynamics 365, and Office**, increasing the likelihoo...

OpenAI launches Daybreak cybersecurity initiative for AI-powered vulnerability detection and patch validation

Security Tool/Service
H score25 First: 12.05.2026 09:55 Last: 12.05.2026 09:55 Sources 1

About this happening: OpenAI's **Daybreak** launch adds an **AI-powered cybersecurity service** for **vulnerability detection** and **patch validation**, helping organizations fix flaws before attacker...

Sitecore actively exploited zero-day vulnerability (CVE-2025-53690)

Vulnerability
H score34 First: 16.01.2026 09:18 Last: 16.01.2026 09:18 Sources 1

About this happening: **CVE-2025-53690** is a **critical Sitecore vulnerability** under **active exploitation** for **initial access**. **CISA** advised **FCEB agencies** to update **Sitecore** by **Se...

Operation PCPcat credential-exfiltration campaign

Campaign
H score89 First: 16.12.2025 10:21 Last: 16.12.2025 10:21 Sources 1

About this happening: The **Operation PCPcat** campaign is now linked to **industrial-scale data exfiltration**, with defenders estimating **59,128 servers** already breached. The operation leverages *...

Timeline

  1. 24.10.2025 14:29 1 articles · 8mo ago

    ToolShell exploitation observed against internet-facing SharePoint servers

    Exploitation Observed

    Active exploitation of internet-facing SharePoint servers through ToolShell, using CVE-2025-53770 and CVE-2025-53771, was first observed in the wild on July 18, 2025.

    Show sources
  2. 23.10.2025 14:29 1 articles · 8mo ago

    Talos IR links SharePoint compromise to later ransomware follow-on

    Technical Analysis Update

    Talos IR said a victim organization hit by ToolShell exploitation against a SharePoint server later experienced a ransomware attack, and analysis indicated credential-stealing malware was moved from the affected public-facing SharePoint server to a SharePoint database server on the victim's internal network.

    Show sources