Religious symbols weaponized, group uses Microsoft SharePoint RCE vulnerability to deliver 4L4MD4r ransomware

Aug. 1, 2025, 11:59 a.m.

Description

A serious remote code execution vulnerability in Microsoft SharePoint servers was exploited by hackers, affecting tens of thousands of servers globally. The mimo attack group, a financially motivated threat actor, used this vulnerability to deliver the 4L4MD4r ransomware, which is written in Golang and whose function names carry strong religious overtones. The attack chain downloads the payload from an Italian intermediary website and executes it. The ransomware encrypts files, renames them with base64-encoded filenames, and leaves ransom notes. Although the Bitcoin wallet given in the ransom note shows 40 recorded transactions, none of them matches the 0.005 BTC ransom amount, indicating that no victim has paid so far.

Date

  • Created: Aug. 1, 2025, 11:39 a.m.
  • Published: Aug. 1, 2025, 11:39 a.m.
  • Modified: Aug. 1, 2025, 11:59 a.m.

Indicators

  • 33067028e35982c7b9fdcfe25eb4029463542451fdff454007832cf953feaf1e
  • https://ice.theinnovationfactory.it/static/4l4md4r.exe

Attack Patterns

Additional Information

  • Healthcare
  • Italy

Linked vulnerabilities