China-based threat actors also compromised networks of government agencies in countries in Africa and South America.
Analysis Summary
# Threat Actor: Unspecified China-based Group (Associated with Glowworm/UNC5221)
## Attribution & Identity
The activity is attributed to **China-based threat actors**. The malware **Zingdoor** has historically been associated with the Chinese group **Glowworm** (also known as Earth Estries, FamousSparrow). Another tool used, **KrustyLoader**, has been linked to activity by **UNC5221**, which is described as a China-nexus group. Microsoft also noted that at least three Chinese groups exploited the initial vulnerability, including Budworm (Linen Typhoon) and Sheathminer (Violet Typhoon).
## Activity Summary
The actors exploited the **ToolShell vulnerability (CVE-2025-53770)** in unpatched on-premise SharePoint servers shortly after it was disclosed and patched in July 2025.
Observed campaigns include:
* Compromising a **telecoms company in the Middle East** starting July 21, 2025, two days after the patch release.
* Compromising **two government departments in an African country** concurrently.
* Gaining access to the networks of **two government agencies in South America**.
* Gaining access to a **university in the U.S.**
* Compromising a **state technology agency in an African country**, a **government department in the Middle East**, and a **finance company in a European country**.
The primary objectives appear to be stealing credentials and establishing persistent, stealthy access for espionage purposes.
## Tactics, Techniques & Procedures
- Initial access via exploitation of **ToolShell (CVE-2025-53770)** on SharePoint servers, allowing unauthenticated RCE.
- Exploitation of **SQL servers and Adobe ColdFusion** running on Apache HTTP servers for initial access in some campaigns.
- Use of the related **path traversal bug (CVE-2025-53771)**, which allows an authorized attacker to perform spoofing over a network.
- **Sideloading** malware using legitimate binaries:
  - Sideloading **Zingdoor** using a legitimate Trend Micro binary.
  - Sideloading the **ShadowPad Loader** using a legitimate BitDefender binary (SHA256: 3fc4f3ffce6188d3ef676f9825cdfa297903f6ca7f76603f12179b2e4be90134).
- Use of the filename **“mantec.exe”** (a legitimate BugSplat executable) combined with a malicious DLL to hide activity, possibly mimicking a Symantec filename.
- Exploiting **PetitPotam/CVE-2021-36942**.
**Specific Tools/Malware Mentioned:**
- ToolShell (Initial Access, CVE-2025-53770)
- Zingdoor (HTTP backdoor)
- KrustyLoader
- ShadowPad Trojan (Modular RAT)
- LsassDumper
- RevSocks
- GoGo Scanner
- Sliver
- ProcDump
## Targeting
- **Sectors:** Telecommunications, Government (departments/agencies), Technology (state agency), Finance, Education (University).
- **Geography:** Middle East, Africa, South America, United States, Europe.
- **Victims:** A telecoms company (Middle East), two government departments (Africa), two government agencies (South America), a university (U.S.), a state technology agency (Africa), a government department (Middle East), a finance company (Europe).
## Tools & Infrastructure
- **Malware families used:** Zingdoor, KrustyLoader, ShadowPad Trojan, LsassDumper, RevSocks, GoGo Scanner, Sliver, PetitPotam exploit.
- **Infrastructure (C2):**
  - hxxp://kia-almotores.s3.amazonaws[.]com/sy1cyjt
  - hxxp://omnileadzdev.s3.amazonaws[.]com/PBfbN58lX
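The indicators above are defanged, so they cannot be matched against logs as written. The following Python script is an added example (not code from the report) that refangs the two C2 URLs and the ShadowPad Loader hash, then sweeps a proxy log and a file inventory for them. The log lines, file records and vendor paths are constructed samples; only the host part of each URL is matched, since the object key in an attacker-controlled S3 bucket can change at will.

```python
"""Sweep constructed proxy and file-inventory records for the indicators quoted in
this report. Added example, not code from the report; the log lines and file records
below are constructed samples."""
import re

# Network indicators exactly as the report lists them (defanged).
DEFANGED_C2 = [
    "hxxp://kia-almotores.s3.amazonaws[.]com/sy1cyjt",
    "hxxp://omnileadzdev.s3.amazonaws[.]com/PBfbN58lX",
]
# SHA256 of the ShadowPad Loader sideloaded via the BitDefender binary (from the report).
SHADOWPAD_LOADER_SHA256 = "3fc4f3ffce6188d3ef676f9825cdfa297903f6ca7f76603f12179b2e4be90134"


def refang(ioc):
    """Undo the usual defanging so the indicator can be matched against real logs."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def c2_hosts(defanged):
    """Extract the lower-cased host part of each defanged C2 URL."""
    hosts = set()
    for ioc in defanged:
        m = re.match(r"https?://([^/]+)", refang(ioc))
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def scan_proxy_log(lines, hosts):
    """Return (line_no, host) for each log line whose requested host is a known C2 host."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"https?://([^/\s]+)", line)
        if m and m.group(1).lower() in hosts:
            hits.append((n, m.group(1).lower()))
    return hits


def scan_file_hashes(records, bad_sha256):
    """Return paths of inventory records whose SHA256 equals the known loader hash."""
    return [r["path"] for r in records if r["sha256"].lower() == bad_sha256.lower()]


# Constructed sample data: a Squid-style proxy log and an EDR file inventory.
SAMPLE_PROXY_LOG = [
    "1753100000.123 120 10.0.0.15 TCP_MISS/200 532 GET http://update.example.com/feed - HIER_DIRECT/203.0.113.9 text/xml",
    "1753100010.456 310 10.0.0.27 TCP_MISS/200 81920 GET http://kia-almotores.s3.amazonaws.com/sy1cyjt - HIER_DIRECT/203.0.113.10 application/octet-stream",
    "1753100020.789 95 10.0.0.27 TCP_MISS/200 4096 GET https://omnileadzdev.s3.amazonaws.com/PBfbN58lX - HIER_DIRECT/203.0.113.11 application/octet-stream",
]
SAMPLE_FILE_INVENTORY = [
    {"path": r"C:\Program Files\ExampleAV\agent.exe", "sha256": "0" * 64},
    {"path": r"C:\Users\Public\Libraries\loader.dll",
     "sha256": "3FC4F3FFCE6188D3EF676F9825CDFA297903F6CA7F76603F12179B2E4BE90134"},
]


def sweep():
    """Run both sweeps over the constructed samples and return the hits."""
    hosts = c2_hosts(DEFANGED_C2)
    return {
        "c2_hits": scan_proxy_log(SAMPLE_PROXY_LOG, hosts),
        "hash_hits": scan_file_hashes(SAMPLE_FILE_INVENTORY, SHADOWPAD_LOADER_SHA256),
    }


if __name__ == "__main__":
    print(sweep())
```

Hash comparison is case-insensitive because EDR exports vary in casing; host matching ignores the scheme, so a TLS variant of the same bucket still hits.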
## Implications
The actors demonstrated high speed and intent, exploiting the ToolShell zero-day within days of the patches being released. The adoption of sophisticated, modular malware like Zingdoor and ShadowPad, combined with techniques like dual-use binary sideloading (legitimate Trend Micro and BitDefender binaries used as loaders), indicates a well-resourced, likely state-sponsored group focused on deep espionage across critical sectors globally.
## Mitigations
- Immediately patch all on-premise SharePoint servers for **CVE-2025-53770 (ToolShell)** and related vulnerabilities (CVE-2025-49704, CVE-2025-53771, CVE-2025-49706).
- Implement network monitoring to detect the deployment of known backdoors like Zingdoor and ShadowPad.
- Review systems for the deployment of known secondary exploitation tools, including LsassDumper.
- Harden systems against living-off-the-land techniques, specifically monitoring for unexpected processes sideloading DLLs from legitimate application directories (e.g., Trend Micro, BitDefender binaries).
- Implement strict monitoring for exploitation attempts against SQL servers and Adobe ColdFusion installations.
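To make the sideloading mitigation concrete, here is an added Python example (not code from the report) that hunts for DLL sideloading in Sysmon image-load (Event ID 7) records. It uses the heuristic behind the campaigns described above: a legitimate signed host binary loads an unsigned DLL from its own directory, with severity raised when that host binary is running outside a standard install root. The field names Image, ImageLoaded, Signed and Signature follow Sysmon's schema; the vendor directory names and the four sample events are constructed.

```python
"""Hunt for DLL sideloading in Sysmon image-load (Event ID 7) records. Added example,
not from the report; the vendor directory names and events are constructed samples.
Field names Image, ImageLoaded, Signed and Signature match Sysmon's event schema."""
import ntpath

# Directories where a signed vendor binary is normally expected to live.
TRUSTED_INSTALL_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")


def _dir(path):
    return ntpath.dirname(path).lower()


def classify(ev):
    """Return (severity, reason) if the load looks like sideloading, else None.
    Heuristic: sideloading drops a DLL beside a legitimate signed host binary, so
    only same-directory loads of unsigned DLLs are flagged; a host binary running
    outside a standard install root raises the severity."""
    if _dir(ev["Image"]) != _dir(ev["ImageLoaded"]):
        return None
    if ev.get("Signed", "false").lower() == "true":
        return None
    outside = not _dir(ev["Image"]).startswith(TRUSTED_INSTALL_ROOTS)
    reason = "unsigned DLL loaded from the host binary's own directory"
    if outside:
        return ("high", reason + "; host binary runs outside a standard install root")
    return ("medium", reason)


def hunt(events):
    """Return [(image, dll, severity)] for every flagged event, in log order."""
    flagged = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            flagged.append((ev["Image"], ev["ImageLoaded"], verdict[0]))
    return flagged


# Constructed sample events.
SAMPLE_EVENTS = [
    # Normal: vendor agent loads its own signed DLL from Program Files.
    {"Image": r"C:\Program Files\ExampleAV\agent.exe",
     "ImageLoaded": r"C:\Program Files\ExampleAV\helper.dll",
     "Signed": "true", "Signature": "Example AV Ltd"},
    # Normal: a process loads an OS DLL from System32 (different directory).
    {"Image": r"C:\Users\Public\mantec.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    # Sideload: copied signed vendor binary in a user-writable path loads an unsigned DLL beside it.
    {"Image": r"C:\Users\Public\Libraries\agent.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\helper.dll",
     "Signed": "false", "Signature": ""},
    # Sideload in place: an unsigned DLL appeared next to a binary in its real install directory.
    {"Image": r"C:\Program Files\ExampleAV\agent.exe",
     "ImageLoaded": r"C:\Program Files\ExampleAV\log.dll",
     "Signed": "false", "Signature": ""},
]


if __name__ == "__main__":
    for image, dll, sev in hunt(SAMPLE_EVENTS):
        print(f"[{sev}] {image} -> {dll}")
```

The same-directory check is what keeps this quiet on normal OS library loads; the real-world tuning effort goes into an allow-list of vendors that legitimately ship unsigned helper DLLs next to their signed executables.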