Hello and welcome to the Tuesday, December 2nd, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Dallas, Texas. This episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership.

Well, today's diary is yet another contribution by our underrated interns. This time, James Woodworth is talking about analyzing ToolShell payloads. This is the SharePoint vulnerability that came out a month or two months ago and has been quite busy since then. There are still plenty of scans for this vulnerability. And James is explaining a little bit how to analyze the payloads that you can extract from packet captures. James is going over all the details here: how to extract the required PCAP files from Zeek, then how to get the payloads from those PCAP files, and then later analyzing the deserialization payloads from these extracts. There are a couple of interesting newer exploits or variations of this exploit that James found. For example, one that actually delivers a Nuclei scanner template, and then a second one that includes encoded PowerShell commands. And of course, James will show how to decode these PowerShell commands and get to the bottom of what this particular payload is trying to accomplish. Very nice technical deep dive into the analysis of this vulnerability, and hopefully something that can be used by others in order to discover what's going on currently with this ToolShell vulnerability.

And Google today announced its security update for Android for December 2025. This update, as usual, fixes a large number of different vulnerabilities. Noteworthy are two vulnerabilities in Framework that are already being exploited in limited attacks in the wild. One of them is an information disclosure vulnerability, the other an elevation of privilege vulnerability. Framework tends to be one of those components that does have numerous vulnerabilities. Just this month, about 35 different vulnerabilities are being addressed in Framework. And again, two of them are already being exploited. So as this update becomes available for your particular Android phone, apply it as quickly as possible.

And Koi Security came across a pretty scary browser extension campaign. This campaign, which they are calling ShadyPanda, went over seven years. And what makes it so scary is that the attacker here apparently was playing the long game, where they first published an extension, and the extension worked just fine and provided a more or less useful service to the user that worked as advertised. But after a few years and accumulating in some cases several hundred thousand users, the developer was then publishing a malicious version of that extension that in some cases allowed remote code execution or, in some of the more successful, larger cases, just installed some spyware that essentially was then weaponizing the extension that the user had installed in order to track their browsing habits. They call it ShadyPanda because it is apparently linked to a Chinese group or individual that created these extensions. The ultimate purpose here, I don't think, is quite that clear. I wouldn't really say that this is something like nation state or such. In some ways, particularly looking at the spyware, it almost looks to me like this is a very skilled developer who may have originally developed these extensions, maybe just out of interest and trying to provide some useful service, but maybe then got a little bit disappointed, wanted to monetize these extensions and, well, then fell down the trap of using some malicious user tracking. And so to accomplish that, at least that's, I think, one explanation of what's going on here. In particular, when you look at the spyware, I don't think there is really much else that the attacker could have really done here with this data, but sell it for some advertising first as such. They also did some search injection where essentially they injected banner ads, which also sort of fits that particular money-making scheme. We'll see if there's any more to it. But Koi does a pretty good job in analyzing what these extensions do and also pointing out the similarities, why these extensions are created by the same individual or group and how they are sharing some of their infrastructure, how they are sharing some of the code features. The big problem is: how do you protect yourself from this? I don't think turning off auto update is the solution here, because you probably would not have spotted these changes as malicious as sort of just an average user trying to review the code.

Well, that's it for today. So thanks for listening. Thanks for liking and thanks for subscribing to this podcast, and talk to you again tomorrow. Bye.
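The PowerShell decoding step mentioned in the ToolShell segment, as an added example that is not from the diary, the podcast or James' own tooling: it unwraps base64-over-UTF-16LE `-EncodedCommand` arguments, including nested layers, on a constructed sample. The set of flag spellings in the regex is an assumption.

```python
import base64
import binascii
import re

# PowerShell accepts several spellings of the flag (-e, -ec, -enc,
# -EncodedCommand); the regex is an assumption covering the common ones.
ENC_FLAG = re.compile(
    r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def decode_encoded_command(b64: str) -> str:
    """Decode one -EncodedCommand argument: base64 over UTF-16LE text."""
    padded = b64 + "=" * (-len(b64) % 4)  # tolerate stripped padding
    return base64.b64decode(padded).decode("utf-16-le")


def unwrap_powershell(command_line: str, max_depth: int = 5) -> list[str]:
    """Peel nested encoded layers, outermost first. Stops when no encoded
    argument remains, when a layer fails to decode, or at max_depth."""
    layers = [command_line]
    current = command_line
    for _ in range(max_depth):
        match = ENC_FLAG.search(current)
        if not match:
            break
        try:
            current = decode_encoded_command(match.group(1))
        except (binascii.Error, UnicodeDecodeError):
            break  # not a valid layer; keep what was recovered so far
        layers.append(current)
    return layers


def encode_for_powershell(script: str) -> str:
    """Inverse of decode_encoded_command; used here only to build samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample (not a real ToolShell payload): a harmless inner
# script wrapped twice, the way a loader may start a second encoded stage.
INNER = "Write-Output 'constructed sample'"
STAGE2 = "powershell.exe -enc " + encode_for_powershell(INNER)
SAMPLE = "powershell -EncodedCommand " + encode_for_powershell(STAGE2)

if __name__ == "__main__":
    for depth, layer in enumerate(unwrap_powershell(SAMPLE)):
        print(f"layer {depth}: {layer}")
```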