Chinese Threat Actors Exploit ToolShell SharePoint Flaw Shortly After Microsoft’s July Patch

Chinese-linked threat actors have quickly exploited the ToolShell security vulnerability in Microsoft SharePoint, targeting multiple organizations across the globe shortly after Microsoft patched the flaw in July 2025. This series of attacks highlights the speed and sophistication of threat actors in leveraging newly disclosed vulnerabilities for espionage and cybercrime.

The initial breach affected a telecommunications company in the Middle East, followed by attacks on government departments in Africa, South America, a U.S. university, and other organizations, including a European finance company and additional government entities in the Middle East and Africa.

According to Broadcom’s Symantec Threat Hunter Team, the exploited flaw, CVE-2025-53770, allowed attackers to bypass authentication and execute remote code on on-premises SharePoint servers. This vulnerability, assessed as a patch bypass for CVE-2025-49704 and CVE-2025-49706, has been weaponized as a zero-day by several Chinese threat groups, including Linen Typhoon (aka Budworm), Violet Typhoon (aka Sheathminer), and Storm-2603, the last of which is connected to ransomware campaigns using the Warlock, LockBit, and Babuk families.

Recent findings reveal a broader range of Chinese threat actors abusing this vulnerability, such as the Salt Typhoon (aka Glowworm) group. They reportedly used the ToolShell flaw to deploy tools like Zingdoor, ShadowPad, and KrustyLoader against the telecom entity and African government agencies.

KrustyLoader, first reported by Synacktiv in January 2024, is a Rust-based loader previously utilized by the China-linked espionage group UNC5221 in attacks exploiting Ivanti Endpoint Manager Mobile (EPMM) and SAP NetWeaver vulnerabilities.

For South American government agencies and a U.S. university, attackers exploited other unspecified vulnerabilities to gain initial access. They then leveraged SQL servers and Apache HTTP servers running Adobe ColdFusion to deliver malicious payloads via DLL side-loading. In some cases, the CVE-2021-36942 (PetitPotam) exploit was used for privilege escalation and domain compromise, along with living-off-the-land tools to scan, download files, and steal credentials.

Symantec noted overlaps between these incidents and prior Glowworm activity but stated that conclusive attribution remains uncertain. However, evidence strongly indicates that all attacks originated from China-based threat actors, with the primary objectives being credential theft and establishing persistent access for espionage.