Chinese Cyber Actors Exploit ToolShell Vulnerability in Microsoft SharePoint

In a series of sophisticated cyber intrusions, Chinese-affiliated threat groups have exploited the ToolShell vulnerability in Microsoft SharePoint servers, targeting a diverse array of organizations worldwide. These attacks occurred despite Microsoft releasing patches in July 2025, underscoring the persistent threat posed by state-sponsored cyber actors.

Scope of the Attacks

The Symantec Threat Hunter Team, a division of Broadcom, has identified that these attacks have impacted:

– A telecommunications company in the Middle East.

– Government departments in an African nation.

– Government agencies in South America.

– A university in the United States.

– Potentially, a state technology agency in Africa, a Middle Eastern government department, and a European financial institution.

Exploitation of CVE-2025-53770

Central to these breaches is the exploitation of CVE-2025-53770, a critical security flaw in on-premises SharePoint servers. This vulnerability allows attackers to bypass authentication and execute code remotely, granting them unauthorized access to sensitive systems. Notably, CVE-2025-53770 is considered a patch bypass for two earlier vulnerabilities, CVE-2025-49704 and CVE-2025-49706, which were also addressed in Microsoft’s July 2025 security updates.

Involvement of Multiple Chinese Threat Groups

The exploitation of this vulnerability has been linked to several Chinese state-sponsored hacking groups:

– Linen Typhoon (Budworm): Known for its cyber espionage activities targeting various sectors.

– Violet Typhoon (Sheathminer): Engages in cyber operations with a focus on intelligence gathering.

– Storm-2603: Recently associated with deploying ransomware families such as Warlock, LockBit, and Babuk.

Symantec’s findings suggest that the ToolShell vulnerability has been exploited by an even broader spectrum of Chinese threat actors. Notably, the Salt Typhoon group, also known as Glowworm, has utilized this flaw to deploy malicious tools like Zingdoor, ShadowPad, and KrustyLoader against targeted entities.

Deployment of Advanced Malware

The attackers have employed sophisticated malware to maintain persistent access and exfiltrate data:

– KrustyLoader: A Rust-based loader first detailed by Synacktiv in January 2024. It was previously used by the Chinese espionage group UNC5221 in attacks exploiting vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) and SAP NetWeaver.

– ShadowPad: A modular backdoor that provides extensive control over compromised systems.

– Zingdoor: A lesser-known tool used for establishing footholds within targeted networks.

Attack Methodology

The cyber actors employed a multi-faceted approach to infiltrate and exploit target systems:

1. Initial Access: Utilized unspecified vulnerabilities to gain entry into the networks of government agencies in South America and a U.S. university.

2. Exploitation of Servers: Targeted SQL servers and Apache HTTP servers running Adobe ColdFusion to deliver malicious payloads through DLL side-loading techniques.

3. Privilege Escalation: In certain instances, exploited CVE-2021-36942, known as PetitPotam, to escalate privileges and achieve domain compromise.

4. Use of Living-off-the-Land (LotL) Tools: Employed tools already present on the compromised systems to conduct network scanning, download files, and steal credentials, thereby reducing the likelihood of detection.

Attribution and Intent

While there is some overlap in the types of victims and tools used between this activity and previous operations attributed to Glowworm, Symantec notes that there is insufficient evidence to conclusively attribute this activity to a specific group. However, all indicators point to the involvement of China-based threat actors. The attackers’ activities suggest a focus on credential theft and establishing persistent, stealthy access to victim networks, likely for espionage purposes.

Implications and Recommendations

These incidents highlight the critical importance of timely patch management and the need for organizations to remain vigilant against emerging threats. Despite the availability of patches, the continued exploitation of known vulnerabilities underscores the necessity for:

– Regular Security Updates: Ensuring that all systems are promptly updated with the latest security patches.

– Comprehensive Monitoring: Implementing robust monitoring solutions to detect and respond to suspicious activities.

– Employee Training: Educating staff about cybersecurity best practices to prevent initial access through social engineering tactics.

Organizations, especially those in critical sectors, must adopt a proactive security posture to defend against sophisticated state-sponsored cyber threats.