
China-linked threat actors exploited ToolShell, the Microsoft SharePoint vulnerability disclosed and patched in July 2025, to break into telecommunications companies in the Middle East.
Other targets included government agencies in Africa, South America, and the Middle East; universities in the United States; national technology institutions in Africa; and financial companies in Europe.
According to Broadcom’s Symantec Threat Hunter Team, the attacks involved exploitation of CVE-2025-53770, a now-patched flaw in on-premises SharePoint Server that lets an unauthenticated attacker bypass authentication and execute code remotely.
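The article does not describe what ToolShell exploitation looks like on the wire. Microsoft’s July 2025 guidance on the campaign does: a POST to /_layouts/15/ToolPane.aspx with DisplayMode=Edit and a Referer header of /_layouts/SignOut.aspx, typically followed by requests to a dropped web shell named spinstall0.aspx that reads the server’s ASP.NET machine keys. The following is an added example, not code from the article, Symantec, or Microsoft, that scans IIS W3C extended log lines for that pattern. It assumes the standard IIS W3C format with a #Fields: header; the log lines, host names, and IP addresses are constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

# Indicators taken from Microsoft's public July 2025 ToolShell guidance
# (assumption for this example; they are not stated in the article above).
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"
WEBSHELL_NAMES = {"spinstall0.aspx"}


@dataclass
class Hit:
    line_no: int     # 1-based line number within the scanned input
    client_ip: str   # c-ip field of the matching request
    reason: str


def parse_w3c(lines):
    """Yield (line_no, record) for IIS W3C extended log lines.

    Field names come from the '#Fields:' directive; other '#' lines are skipped.
    IIS replaces spaces inside field values with '+', so a plain split is safe.
    """
    fields = None
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than mis-map fields
        yield n, dict(zip(fields, parts))


def scan_toolshell(lines):
    """Return Hit objects for requests matching the ToolShell exploitation pattern."""
    hits = []
    for n, rec in parse_w3c(lines):
        method = rec.get("cs-method", "")
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "-")
        referer = rec.get("cs(Referer)", "-").lower()
        ip = rec.get("c-ip", "-")

        # Normalise query keys/values so DisplayMode=edit and displaymode=Edit both match.
        qs = {k.lower(): [v.lower() for v in vs]
              for k, vs in parse_qs(query if query != "-" else "").items()}

        # Legitimate page editing also POSTs to ToolPane.aspx; the SignOut.aspx
        # referer is what distinguishes the exploit chain from normal use.
        if (method == "POST" and stem == TOOLPANE_PATH
                and "edit" in qs.get("displaymode", [])
                and referer.endswith(SIGNOUT_REFERER)):
            hits.append(Hit(n, ip, "ToolPane.aspx POST with SignOut.aspx referer"))

        # Any request for the known web shell file name is worth a look.
        if stem.rsplit("/", 1)[-1] in WEBSHELL_NAMES:
            hits.append(Hit(n, ip, "request to known web shell name"))
    return hits


def scan_text(text):
    return scan_toolshell(text.splitlines())


# Constructed sample log: one benign request, one exploit POST, one web shell fetch.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 02:11:08 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\jdoe 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.internal/sites/hr 200 0 0 43
2025-07-19 02:13:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) /_layouts/SignOut.aspx 200 0 0 512
2025-07-19 02:13:55 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) - 200 0 0 15
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.client_ip} -> {hit.reason}")
```

A match on this pattern is a triage signal, not proof of compromise, and its absence is not proof of safety: attackers who already hold the machine keys no longer need the ToolPane request. Because spinstall0.aspx exfiltrates those keys, Microsoft’s guidance after patching is to rotate the ASP.NET machine keys (for example with the Update-SPMachineKey cmdlet) and restart IIS, otherwise a patched server can still be reached with forged __VIEWSTATE payloads.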

CVE-2025-53770 is assessed to be a patch bypass for CVE-2025-49704 and CVE-2025-49706. It was weaponized as a zero-day by three Chinese threat groups: Linen Typhoon (aka Budworm), Violet Typhoon (aka Sheathminer), and Storm-2603, the last of which has in recent months deployed the Warlock, LockBit, and Babuk ransomware families.
Symantec’s latest findings, however, indicate that a much wider range of Chinese actors is exploiting the vulnerability. Among them is Salt Typhoon (also known as Glowworm), a threat group said to have exploited the ToolShell flaw to deploy tools such as Zingdoor, ShadowPad, and KrustyLoader against telecommunications operators as well as two government agencies in Africa.
KrustyLoader, first detailed by Synacktiv in January 2024, is a Rust-based loader previously used by the China-nexus espionage group tracked as UNC5221 in attacks that exploited flaws in Ivanti Endpoint Manager Mobile (EPMM) and SAP NetWeaver.
The attacks on government agencies in South America and universities in the United States, meanwhile, relied on unspecified vulnerabilities for initial access, after which the attackers exploited SQL servers and Apache HTTP servers running Adobe ColdFusion to deliver malicious payloads by DLL sideloading.

In some incidents, the attackers were observed running exploits for CVE-2021-36942 (PetitPotam) to escalate privileges and compromise the domain, along with a number of readily available living-off-the-land (LotL) tools for scanning, file downloads, and credential theft on compromised systems.
“There are some overlaps between this activity and activity previously attributed to Glowworm in the types of victims and some of the tools used,” Symantec said. “However, while there is not enough evidence to conclusively link this activity to any specific group, all evidence points to the people behind this activity being China-based threat actors.”
“The activity conducted on the targeted networks indicates that the attackers were interested in stealing credentials and establishing persistent and stealthy access to the victim’s network, likely for espionage purposes.”