Webshell

Cisco Talos IR’s Q3 2025 report highlights a sharp rise in compromises that began with exploitation of on‑premises Microsoft SharePoint via the ToolShell chain. More than 60% of Talos engagements involved exploitation of public‑facing apps, and almost 40% showed ToolShell activity; ransomware dropped to ~20% of cases while post‑exploitation phishing from compromised accounts continued to climb (Talos IR Q3 2025). Microsoft confirms active, multi‑actor abuse of new SharePoint bugs (CVE‑2025‑53770, CVE‑2025‑53771) related to earlier July CVEs (CVE‑2025‑49704, CVE‑2025‑49706), and stresses that only on‑prem servers are affected—not SharePoint Online (Microsoft Security TI, MSRC customer guidance). CISA added CVE‑2025‑53770 to the KEV catalog, underscoring exploitation in the wild (CISA KEV entry).

Cisco Talos Incident Response reports that over 60% of their Q3 2025 engagements began with exploitation of public‑facing applications, driven largely by the ToolShell attack chain against on‑premises Microsoft SharePoint; roughly 40% of all engagements involved ToolShell activity. Talos also saw more post‑compromise phishing launched from valid internal accounts and a marked emphasis on segmentation and rapid eviction to contain spread. Ransomware made up about 20% of cases, with actors observed deploying a SharePoint webshell (notably spinstall0.aspx) and, in at least one case, abusing Velociraptor for persistence. Talos IR Q3 2025.

Elastic Security Labs documents an intrusion cluster (REF3927) abusing publicly disclosed ASP.NET machine keys to sign malicious ViewState and achieve in‑process code execution on IIS, then dropping an IIS module dubbed TOLLBOOTH for monetization/persistence and layering in a modified “Hidden” rootkit and off‑the‑shelf tools like Godzilla and GotoHTTP. Elastic report. (elastic.co)

Microsoft independently warned earlier in 2025 that over 3,000 machine keys had been found in public repos and documentation, and that threat actors were already using these to perform ViewState code injection leading to Godzilla deployment. Microsoft Security Blog. (microsoft.com)