Microsoft SharePoint Attacks: 4L4MD4R Ransomware Hits 148+ Firms

At TecnetOne, we want to keep you informed about the latest threats that could endanger your business continuity. Today we report on a new wave of attacks targeting Microsoft SharePoint vulnerabilities, already affecting more than 148 organizations worldwide.

The most concerning aspect is that ransomware groups have joined this campaign, raising the danger level even higher for businesses and public institutions. Among the most notable threats is the 4L4MD4R ransomware, a variant discovered just days ago and already wreaking havoc.

Below, we’ll explain in detail how this threat works, which organizations have already been victimized, and most importantly, what you can do to protect yourself.

What’s Happening with Microsoft SharePoint?

In recent weeks, researchers at Palo Alto Networks Unit 42 identified an exploit chain in SharePoint called ToolShell. Various malicious actors have leveraged it to compromise servers and, in many cases, deploy ransomware.

Alarmingly, this is no ordinary campaign. According to Microsoft and Google, China-backed hacking groups are behind the attacks, including Linen Typhoon, Violet Typhoon, and Storm-2603.

The impact is already global:

1. In the United States, agencies such as the National Nuclear Security Administration and the Department of Education were targeted.

1. Across Europe and the Middle East, several government networks have been compromised.

1. Tech companies, telecom providers, and multinationals have been targeted since early July.

In other words: No one is safe without swift action.

The 4L4MD4R Ransomware: How It Works

On July 27, researchers detected a malware loader that downloaded and executed the 4L4MD4R ransomware from a compromised server.

Its functionality is both sophisticated and dangerous:

1. Developed in GoLang and packed with UPX to evade detection.

1. Uses AES encryption in memory, loading the PE file without leaving easy-to-detect traces.

1. Once active, it encrypts all files on the infected system.

1. Demands a ransom of 0.005 Bitcoin (roughly a few hundred dollars, depending on market value).

1. Creates ransom notes and file lists, pressuring victims to pay.

It also attempts to disable security monitoring on the device, making it even more dangerous as it can remain undetected longer.

Related reading: New Zero-Day in SharePoint (CVE-2025-53770): Update Now!

The Vulnerabilities: SharePoint’s Achilles Heel

The ToolShell attacks exploited two critical vulnerabilities:

1. CVE-2025-49706

1. CVE-2025-49704

These were used as zero-days, meaning they were unknown to developers at the time of the attack, allowing cybercriminals to infiltrate supposedly up-to-date systems.

Microsoft later released patches during its July 2025 Patch Tuesday, assigning new identifiers:

1. CVE-2025-53770

1. CVE-2025-53771

However, the update came too late for many organizations already compromised. According to Dutch firm Eye Security, at least 400 servers were infected, impacting more than 148 companies.

4L4MD4R decryption instructions (Source: BLEEPINGCOMPUTER)

The True Scale of the Attack

Initially, estimates suggested about 54 organizations had been affected. However, new investigations reveal the scope is much larger.

Eye Security confirmed attackers had persistent access to many victims’ networks, meaning they could not only deploy ransomware but also exfiltrate sensitive data.

The U.S. CISA (Cybersecurity and Infrastructure Security Agency) classified one of the exploited vulnerabilities as high risk, ordering federal agencies to secure systems within 24 hours.

This paints a clear picture: this isn’t opportunistic — it’s a well-funded, organized campaign with strategic targets.

What This Means for Your Business

While it may seem these attacks only affect large institutions, the reality is that any organization using Microsoft SharePoint is at risk — especially if systems are not updated or lack additional security layers.

The consequences can be devastating:

1. Loss of critical data: essential business files encrypted.

1. Operational disruption: systems inaccessible for hours or days.

1. Financial impact: ransom payments, regulatory fines, and recovery costs.

1. Reputational damage: loss of customer trust and credibility.

In short: this is not a hypothetical threat — it’s already hitting hundreds of organizations like yours.

How to Protect Yourself Against These Threats

At TecnetOne, we recommend taking immediate action with the following measures:

Apply Microsoft Patches Without Delay

Ensure your SharePoint servers are updated with the July 2025 patches.

Strengthen Security with Advanced Detection Solutions

Solutions like Sophos Intercept X use AI and behavior detection to stop even unknown threats.

Continuously Monitor Your Infrastructure

Deploy monitoring systems that can detect unusual activity and exploitation attempts.

Restrict Privileges and Access

Apply the principle of least privilege: each user should have only the access they need.

Implement Incident Response Plans

Having a clear protocol reduces the impact of attacks and speeds up recovery.

Perform Regular, Secure Backups

Ensure backups are offline or isolated from your main network to prevent them from being encrypted by ransomware.

Related reading: Microsoft Links SharePoint Attacks to Chinese Hacker Groups

Conclusion: Prevention Is Your Best Defense

The SharePoint server attacks are a reminder that cybersecurity cannot be left to chance. Today more than ever, you need reliable, up-to-date solutions backed by experts.

At TecnetOne, we’re here to help you implement best practices and robust solutions, including Sophos Endpoint and Intercept X, to strengthen your infrastructure and shield your organization from threats like 4L4MD4R.

The key is not waiting to become a victim. The sooner you act, the better protected your business will be against increasingly sophisticated and destructive campaigns.