CVE-2025-53770/TOOLSHELL: HUNTING DOWN THE ATTACKER TECHNIQUES & VICTIMS
ID: 540ea00e-e191-530d-9693-ad04d5a26927
STIX ID: report--540ea00e-e191-530d-9693-ad04d5a26927
Feed Name: THE RAVEN FILE
This investigative report documents active exploitation of CVE-2025-53770, a critical deserialization flaw in on-premises Microsoft SharePoint Server (the "ToolShell" chain), observed as early as 25 June 2025. It details the exploit chain, the malicious artifacts (including the cve.ps1 script and the MD5 hashes of the other payloads), CUP protocol spoofing used as a decoy, abuse of Microsoft Edge utility processes for sandbox evasion, YARA detection rules, and a set of domains, IP addresses, mutexes and shell commands to support threat hunting and mitigation.
