Hello and welcome to the Tuesday, December 2nd, 2025 edition of the Sands Internet Storm Centers.

Stormcast, my name is Johannes Ulrich, recording today from Dallas, Texas.

And this episode is brought you by the Sands.edu, graduate certificate program in cybersecurity leadership.

Well, today's diary is yet another contribution by our undergraduate interns.

This time James Whitworth is talking about analyzing tool shell payloads.

This is the SharePoint vulnerability that came out a month or two months ago

and has been quite busy since then.

There are still plenty of scans for this vulnerability.

And James is explaining a little bit how to analyze the payloads

that you can extract from packet captures.

James is going over all the details here, how to extract the required PCAP files from SEAC,

and then how to get the payloads from those PCAP files,

and then later analyzing the deserilization payloads from

these extracts. There are a couple interesting newer exploits or variations of this exploit

that James found, for example, one that actually delivers a nucleus scanner template,

and then a second one that includes encoded power shell commands,

and of course James will show how to decode these power shell commands

and get to the bottom of what this particular payload is trying to accomplish.

Very nice technical deep dive into the analysis of this vulnerability and hopefully something that can be used by others

in order to discover what's going on currently with this tool shell vulnerability.

And Google today announced its security update for Android for

December 2025. This update as usual fixes a large number of different vulnerabilities. Noteworthy

...