Florian Roth ⚡️ (@cyb3rops)'s Twitter Profile
Florian Roth ⚡️

@cyb3rops

Head of Research @nextronsystems #DFIR #YARA #Sigma | detection engineer | creator of @thor_scanner, Aurora, Sigma, LOKI, YARA-Forge | always busy ⌚️🐇 | vi/vim

ID: 1538299243

Link: https://linktr.ee/cyb3rops | Date: 22-06-2013 08:46:16

34,34K Tweet

197,197K Followers

2,2K Following

Follow-up on CVE-2025-53770 (“ToolShell”) detection: The attackers used a dropper that wrote the web shell to spinstall0.aspx, but that filename isn’t required. It’s just what we’ve seen in this particular campaign. The same payload could’ve been dropped under a different name.