Threat actors continue to exploit ToolShell to gain unauthorized access to on-premises SharePoint servers. On August 6, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a malware analysis report after analyzing six files “including two Dynamic Link-Library (.DLL), one cryptographic key stealer, and three web shells. Cyber threat actors could leverage this malware to steal cryptographic keys and execute a Base64-encoded PowerShell command to fingerprint host system and exfiltrate data.”

The report includes the indicators of compromise and detection signatures to identify malware samples. The report also includes an analysis of YARA Rules, Sigma Rules, ssdeep matches, screenshots, PE Metadata, PE Sections, Packers/Compilers/Cyrptors, Tags and Details.

If your organization has been, or is potentially affected by ToolShell, take advantage of CISA’s analysis and use it to mitigate any potential effect on your company.