In a series of sophisticated cyberattacks, Chinese state-sponsored hacking groups have been exploiting a critical vulnerability in Microsoft SharePoint servers, known as ToolShell, to infiltrate government agencies and critical infrastructure worldwide. This vulnerability, designated as CVE-2025-53770, allows unauthenticated remote code execution, posing a significant threat to organizations that have not applied the necessary security patches.
Understanding the ToolShell Vulnerability
The ToolShell vulnerability arises from the deserialization of untrusted data within on-premises SharePoint servers. This flaw enables attackers to execute arbitrary code without requiring authentication. It builds upon earlier vulnerabilities, such as CVE-2025-49704 and CVE-2025-49706, which were initially demonstrated at the Pwn2Own Berlin event in May 2025.
The typical exploitation chain involves an authentication bypass (CVE-2025-53771), where attackers send a crafted POST request to the ToolPane.aspx endpoint. This request deceives the server into granting access, allowing the injection of malicious payloads that facilitate code execution.
Scope and Impact of the Attacks
Security researchers from Symantec have reported that these attacks commenced shortly after Microsoft released patches in July 2025. The campaign has affected organizations across multiple continents, including:
– A telecommunications firm in the Middle East
– Two government departments in Africa
– Various agencies in South America
– A university in the United States
– A state technology entity in Africa
– A government department in the Middle East
– A financial company in Europe
The initial access in the Middle East was achieved on July 21, 2025, through the deployment of a web shell. This was followed by DLL sideloading of malware using legitimate binaries from security software vendors such as Trend Micro and Bitdefender.
In the South American incidents, attackers also exploited SQL servers and Apache HTTP servers running Adobe ColdFusion. They used a renamed executable, mantec.exe, to mimic Symantec tools and sideload malicious DLLs.
Evidence suggests that the attackers conducted mass scanning for vulnerable servers, selectively targeting high-value organizations for credential theft and lateral movement within networks.
Malware and Tools Employed
The attackers have deployed several sophisticated tools and malware strains, including:
– Zingdoor: A Go-based HTTP backdoor linked to the Glowworm group (also known as Earth Estries or FamousSparrow), first documented in 2023 for espionage activities against government and technology sectors.
– ShadowPad: A modular Remote Access Trojan (RAT) associated with APT41-nexus groups like Blackfly. It was used via DLL sideloading for command execution and updates.
– KrustyLoader: A loader written in Rust, tied to UNC5221 (a China-nexus actor), which delivered second-stage payloads such as Sliver, an open-source command-and-control framework built for red-team emulation and frequently abused by threat actors.
Additionally, the attackers utilized various living-off-the-land tools to maintain persistence and evade detection:
– Certutil: Used for downloading additional payloads.
– Procdump and LsassDumper: Employed for credential dumping.
– GoGo Scanner: Utilized for reconnaissance activities.
– Revsocks: Used for proxying network traffic.
– PetitPotam exploit (CVE-2021-36942): Exploited for privilege escalation within compromised networks.
Indicators of Compromise (IoCs)
The following IoCs have been identified in relation to the ToolShell exploitation:
Recommendations for Organizations
Given the widespread exploitation of the ToolShell vulnerability, it is imperative for organizations to take the following actions:
1. Immediate Patching: Apply Microsoft’s July 2025 security updates to all on-premises SharePoint servers to mitigate the vulnerability.
2. Network Monitoring: Implement continuous monitoring for unusual activities, such as unexpected POST requests to the ToolPane.aspx endpoint or the presence of unfamiliar web shells.
3. Access Controls: Review and strengthen access controls to limit the potential impact of unauthorized access.
4. Incident Response Planning: Develop and regularly update incident response plans to address potential breaches promptly.
5. User Education: Conduct regular training sessions to educate employees about phishing attacks and other common vectors used by threat actors.
By proactively addressing these vulnerabilities and implementing robust security measures, organizations can significantly reduce the risk of compromise by sophisticated threat actors.