Full Report
Threat actors with ties to China exploited the ToolShell security vulnerability in Microsoft SharePoint to breach a telecommunications company in the Middle East after it was publicly disclosed and patched in July 2025. Also targeted were government departments in an African country, as well as government agencies in South America, a university in the U.S., as well as likely a state technology
Analysis Summary
# Threat Actor: China-based Threat Actors (Multiple Groups)
## Attribution & Identity
Attribution points to China-based threat actors. Several specific Chinese threat groups are mentioned in connection with the exploitation of the ToolShell vulnerability (CVE-2025-53770), including:
* **Linen Typhoon** (aka Budworm)
* **Violet Typhoon** (aka Sheathminer)
* **Storm-2603** (linked generally to broader exploitation, and previously associated with ransomware deployment)
* **Salt Typhoon** (aka Glowworm) – specifically linked to the targeting of the telecom entity and African government bodies.
## Activity Summary
Threat actors tied to China exploited the **ToolShell** security vulnerability (**CVE-2025-53770**) in Microsoft SharePoint weeks after it was patched in July 2025. This activity indicates a broader coordinated exploitation effort involving multiple Chinese APTs using the same initial access vector.
One key incident involved the exploitation of the flaw to breach a **telecommunications company in the Middle East**. Other targeted entities included **government departments in an African country**, **government agencies in South America**, a **university in the U.S.**, likely a **state technology agency in an African country**, a **government department in the Middle East**, and a **finance company in a European country**.
For targets not initially hit via ToolShell, initial access was gained through "unspecified vulnerabilities," followed by exploitation of SQL servers and systems running Adobe ColdFusion on Apache HTTP servers to deliver payloads using DLL side-loading.
## Tactics, Techniques & Procedures
The primary TTP mentioned is the mass exploitation of a critical Microsoft SharePoint vulnerability:
* Exploitation of **CVE-2025-53770** (ToolShell) to bypass authentication and achieve Remote Code Execution (RCE). (CVE-2025-53770 is noted as a patch bypass for CVE-2025-49704 and CVE-2025-49706).
* Deployment of malware such as **Zingdoor**, **ShadowPad**, and **KrustyLoader** (a Rust-based loader).
* Use of **DLL side-loading techniques** to deliver malicious payloads.
* Exploitation of **CVE-2021-36942** (PetitPotam) for privilege escalation and domain compromise.
* Extensive use of **Living-Off-the-Land (LotL)** tools for scanning, file download, and credential theft.
## Targeting
* **Sectors:** Telecommunications, Government, Education (University), and Finance.
* **Geography:** Middle East, Africa, South America, and the U.S. (Europe is also mentioned in connection with a finance company).
* **Victims:** A telecommunications company in the Middle East; government departments in an African country; government agencies in South America; a university in the U.S.
## Tools & Infrastructure
* **Malware families used:** Zingdoor, ShadowPad, KrustyLoader (Rust-based loader). Storm-2603 was also linked to Warlock, LockBit, and Babuk ransomware in general recent activity, though not explicitly tied to the ToolShell exploitation mentioned here.
* **Infrastructure (C2, domains, IPs):** None specifically named or defanged in the context of the ToolShell exploitation, but the malware utilized suggests established Chinese C2 infrastructure.
## Implications
The exploitation indicates that multiple sophisticated, state-sponsored Chinese espionage groups are rapidly weaponizing zero-day and patched vulnerabilities immediately following disclosure. The range of targeted sectors (critical infrastructure like Telecom, government, finance, and education) signifies broad strategic intelligence gathering objectives. The goal appears to be the theft of credentials and the establishment of persistent, stealthy access for espionage purposes.
## Mitigations
* Applying patches for **CVE-2025-53770** (ToolShell) immediately, especially since exploitation occurred weeks after the July patch release.
* Implementing detection and response mechanisms for known associated malware (Zingdoor, ShadowPad, KrustyLoader).
* Monitoring for post-exploitation activity related to privilege escalation (e.g., use of **CVE-2021-36942/PetitPotam**).
* Reviewing for unauthorized use of LotL binaries for reconnaissance and data staging.
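As an added defensive example (not code from the report or from any vendor), the script below scans IIS W3C log lines from a SharePoint server for the ToolShell request shape and for follow-up requests to the dropped web shell file, the kind of post-exploitation review the mitigations above call for. The request indicators (an edit-mode POST to ToolPane.aspx carrying a SignOut.aspx Referer, and the spinstall0.aspx file name) are assumptions taken from public vendor reporting rather than from this summary, and the sample log is constructed.

```python
"""Flag ToolShell (CVE-2025-53770) exploitation patterns in IIS W3C logs.
Indicators are assumptions from public reporting, not from the summary;
tune them to your own SharePoint layout before relying on them."""
import re

# Assumed indicators (public ToolShell reporting, not from this page).
TOOLPANE_RE = re.compile(r"/_layouts/(15|16)/toolpane\.aspx$", re.I)
SIGNOUT_RE = re.compile(r"/_layouts/(15/|16/)?signout\.aspx", re.I)
WEBSHELL_RE = re.compile(r"/spinstall0?\.aspx$", re.I)


def parse_w3c(lines):
    """Yield one dict per IIS W3C record, keyed by the #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # field names follow the directive
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) == len(fields):   # skip malformed/truncated records
            yield dict(zip(fields, values))


def scan_iis_log(lines):
    """Return an alert dict for every record matching an indicator."""
    alerts = []
    for rec in parse_w3c(lines):
        uri, query = rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "")
        referer = rec.get("cs(Referer)", "")
        reason = None
        # Auth-bypass shape: POST to ToolPane.aspx in edit mode, Referer = SignOut page
        if (rec.get("cs-method") == "POST" and TOOLPANE_RE.search(uri)
                and "displaymode=edit" in query.lower() and SIGNOUT_RE.search(referer)):
            reason = "toolshell-auth-bypass-pattern"
        elif WEBSHELL_RE.search(uri):    # any hit on the dropped web shell file
            reason = "known-webshell-path"
        if reason:
            alerts.append({"time": f"{rec['date']} {rec['time']}",
                           "client": rec.get("c-ip"), "uri": uri, "reason": reason})
    return alerts


# Constructed sample log (not real traffic): a benign GET, an exploit-shaped
# POST, and a follow-up request to the web shell path from the same client.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-08-02 10:14:01 GET /sites/hr/default.aspx - 10.0.0.7 - 200
2025-08-02 10:15:33 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 203.0.113.9 /_layouts/SignOut.aspx 200
2025-08-02 10:15:40 GET /_layouts/15/spinstall0.aspx - 203.0.113.9 - 200
""".splitlines()
```

Feed real log files line by line to `scan_iis_log`; an alert for the bypass pattern on a server that was unpatched at that timestamp warrants treating the host as compromised rather than merely probed.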