Exploit:Script/SuspSignoutReqBody.A

Exploit:Script/SuspSignoutReqBody.A is a harmful script that uses critical vulnerabilities in on-premise SharePoint Server. The threat actor initiates the cyber-attack through POST requests to the ToolPane endpoint in SharePoint, exploiting a second vulnerability in SharePoint (CVE-2025-49706) that allows bypassing of authentication. Another code in this request is serialized and once SharePoint parses these payloads, it effectively leads to remote code execution (RCE), allowing the threat actor to control the vulnerable SharePoint server.

The malicious script runs ASPX web shells (typically spinstall0.aspx or spinstall1.aspx) in the SharePoint layout (\TEMPLATE\LAYOUTS), with the aim of collecting ASP.NET machine keys from the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys. Then using those keys to decrypt the authentication cookies and create administrative credentials for maintaining persistence, escalating privileges, and crawling the network.

The script runs its own support services which included IIS_Server_dll.dll (a backdoor for persistent access), SharpHostInfo.x64.exe (a reconnaissance tool to enumerate NetBIOS and other SMB shares), and xd.exe (a reverse proxy for covert C2). Depending upon the motivation of the threat actor, it can be used for deploying ransomware or for intelligence collection.

Due to the nature of the exploit, the threat is extremely severe, no authentications are required, and any exposure to the Internet that is running an unpatched SharePoint server is at immediate risk. Moreover, the threat actor uses the genuine SharePoint processes (w3wp.exe) to launch malicious commands makes detection more difficult without proper endpoint monitoring. It is critical to install the official SharePoint patch from Microsoft.

Exploit:Script/SuspSignoutReqBody.A drops the following files:

• \TEMPLATE\LAYOUTS\spinstall0.aspx
• \TEMPLATE\LAYOUTS\debug_dev.js
• \TEMPLATE\LAYOUTS\IIS_Server_dll.dll
• C:\Windows\System32\SharpHostInfo.x64.exe
• C:\Windows\System32\xd.exe

It uses the following process:

• w3wp.exe (which launches cmd.exe or powershell.exe for command line functions)

It modifies the following Windows Registry keys:

• HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection (value: DisableRealtimeMonitoring=1)
• HKLM\SOFTWARE\Microsoft\ASP.NET (planted .NET assemblies from the script)

Exploit:Script/SuspSignoutReqBody.A communicates to the following hosts:

• 131[.]226.2[.]6
• 134[.]199.202[.]205
• 104[.]238.159[.]149
• 188[.]130.206[.]168

The script connects to the following URLs:

• c34718cbb4c6.ngrok-free[.]app/file[.]ps1