
Linen Typhoon and Violet Typhoon ToolShell SharePoint initial-access campaign

Campaign
Happening score: 54
1 unique source, 1 article

Summary

Linen Typhoon and Violet Typhoon are tied to a strategic SharePoint initial-access campaign that is targeting government, defense, academia, and NGO organizations. The activity uses the ToolShell exploit chain against CVE-2025-53770 and CVE-2025-53771, making exposed SharePoint servers a high-risk entry point for follow-on compromise.

Related Happenings

Rising critical Microsoft vulnerabilities across Windows, Azure, Dynamics 365, and Office

Target Trend
First: 19.05.2026 17:00 · Last: 19.05.2026 17:00 · Sources: 1

About this happening: Microsoft’s vulnerability volume stayed broadly stable, but **critical flaws** doubled year over year across **Windows, Azure, Dynamics 365, and Office**, increasing the likelihoo...

Sitecore actively exploited zero-day vulnerability (CVE-2025-53690)

Vulnerability
First: 16.01.2026 09:18 · Last: 16.01.2026 09:18 · Sources: 1

About this happening: **CVE-2025-53690** is a **critical Sitecore vulnerability** under **active exploitation** for **initial access**. **CISA** advised **FCEB agencies** to update **Sitecore** by **Se...

Operation PCPcat credential-exfiltration campaign

Campaign
First: 16.12.2025 10:21 · Last: 16.12.2025 10:21 · Sources: 1

About this happening: The **Operation PCPcat** campaign is now linked to **industrial-scale data exfiltration**, with defenders estimating **59,128 servers** already breached. The operation leverages *...

Clop Oracle E-Business Suite extortion campaign

Campaign
First: 06.10.2025 04:37 · Last: 06.10.2025 04:37 · Sources: 1

About this happening: **Clop**'s **Oracle E-Business Suite** extortion campaign has now been tied to **LKQ**, which was named by the group on its leak site as one of the first victims. The broader camp...

Latest development: 14.10.2025 19:38

Mandiant and Google began tracking a new extortion campaign in which companies received emails claiming sensitive data had been stolen from their Oracle E-Business Suite systems, and Oracle told customers to install the latest Critical Patch Updates after saying Clop was exploiting an EBS flaw patched in July 2025.

SonicWall SSL VPN access control flaw actively exploited (CVE-2024-40766)

Vulnerability
First: 11.09.2025 19:32 · Last: 11.09.2025 19:32 · Sources: 1

About this happening: **CVE-2024-40766** is a **SonicWall SSL VPN** access control flaw that has been **actively exploited** to breach exposed devices, with **Akira ransomware** tied to the campaign. R...

Latest development: 29.09.2025 12:32

Akira ransomware remains active against SonicWall firewalls, with Arctic Wolf observing dozens of incidents over the past three months tied to CVE-2024-40766 abuse, SSL VPN logins from VPS hosting providers, Impacket SMB activity, and Active Directory discovery. The campaign targets SSL VPN accounts using OTP MFA, and Barracuda separately observed Akira affiliates using Datto RMM, backup agents, and PowerShell to gain control while avoiding security alerts.

Timeline

  1. 24.10.2025 14:29 · 1 article

    ToolShell exploitation observed against internet-facing SharePoint servers

    Exploitation Observed

    Active exploitation of internet-facing SharePoint servers through ToolShell, using CVE-2025-53770 and CVE-2025-53771, was first observed in the wild on July 18, 2025.
  2. 23.10.2025 14:29 · 1 article

    Talos IR links SharePoint compromise to later ransomware follow-on

    Technical Analysis Update

    Talos IR said a victim organization hit by ToolShell exploitation against a SharePoint server later experienced a ransomware attack, and analysis indicated credential-stealing malware was moved from the affected public-facing SharePoint server to a SharePoint database server on the victim's internal network.