Actor Exploits Microsoft Exchange Server Vulnerabilities
released on 2021-04-16 @ 04:45:21 PM
On March 6, 2021, an unknown actor exploited vulnerabilities in Microsoft Exchange Server to install a webshell on a server at a financial institution in the EMEA (Europe, the Middle East and Africa) region. While Unit 42 did not have access to the webshell itself, the webshell is likely a variant of the China Chopper server-side JScript. It appears that this is just one incident in a large-scale campaign carried out either by a single actor or by multiple actors using a common toolset.