
Chinese State-linked Hackers Exploited Microsoft Zero-day


New intelligence reveals China-based threat actors used the critical SharePoint vulnerability ‘ToolShell’ to compromise government networks in Africa and South America, alongside a major Middle Eastern telecoms firm

A sophisticated campaign leveraging a previously unknown Microsoft zero-day vulnerability was deployed by China-based threat actors immediately following its patch release in July 2025, according to new threat intelligence.

The attacks targeted a broad range of high-value entities globally, including a telecoms company in the Middle East and multiple government departments in Africa and South America, suggesting a wide-ranging campaign focused on espionage and persistent access.

The core vulnerability, ToolShell (CVE-2025-53770), affected on-premises Microsoft SharePoint servers. It was exploited in the wild before Microsoft could release a fix, granting attackers unauthenticated access and allowing them to remotely execute code and read all content and file systems on vulnerable servers.

Quick Deployment Of Espionage Tools

The malicious activity against the Middle Eastern telecoms firm began just two days after the ToolShell patch was published, on July 21, 2025.

Attackers swiftly deployed two key malware tools:

Zingdoor: A persistent HTTP backdoor used to collect system information, manage files, and run arbitrary commands. Zingdoor has previously been associated with the Chinese espionage group Glowworm (also known as Earth Estries or FamousSparrow).

ShadowPad: A powerful, modular remote access Trojan (RAT) closely linked to China-based Advanced Persistent Threat (APT) groups, particularly those within the APT41 nexus. Its modular nature allows for continuous updates and sophisticated control over compromised networks.

Initial access was often achieved via DLL sideloading, a stealthy technique where attackers manipulate a legitimate application (like a Trend Micro or BitDefender binary) to execute their malicious code.

Another key tool, KrustyLoader, was deployed later in July. This initial-stage malware, written in Rust, is designed for anti-analysis checks and delivering second-stage payloads. KrustyLoader has been previously linked to a China-nexus group known as UNC5221.

Global Reach & Deception Tactics

The latest analysis confirms the attacks were not isolated, revealing successful compromises against:

Two government agencies in South America.

Two government departments in a single African country.

A major telecoms company in the Middle East.

A university in the US.

In attacks against the South American government victims, the threat actors employed notable deception. They exploited SQL and Apache HTTP servers running Adobe ColdFusion, and then used a binary named “mantec.exe.” This was likely an attempt to mimic a genuine Symantec filename (“symantec.exe”) to hide the malicious sideloading of a BugSplat executable.

Evidence also suggests a state technology agency in a different African country, a government department in the Middle East, and a finance company in a European country were also compromised.

Widespread Exploitation

Microsoft had previously identified at least three Chinese groups exploiting ToolShell, including the espionage groups Budworm (Linen Typhoon) and Sheathminer (Violet Typhoon), as well as Storm-2603, which was using the flaw to distribute Warlock ransomware.

The wide range of victims suggests the attackers may have been conducting mass scanning for the vulnerability before selecting high-value targets for deep infiltration and espionage.

Once inside the network, the attackers relied heavily on “living-off-the-land” tools—using existing Microsoft utilities and publicly available red-team software—to remain stealthy:

Credential Theft: Tools like Procdump, Minidump, and LsassDumper were used to steal credentials, often by dumping the memory of the Local Security Authority Subsystem Service (LSASS).

Lateral Movement: Attackers exploited the Windows LSA Spoofing Vulnerability (PetitPotam) to steal authentication data from Domain Controllers, a common tactic for gaining full domain control.

Scanning and Proxying: The open-source cross-platform adversary emulation framework Sliver was used as a command-and-control framework, along with GoGo Scanner (a Chinese red team scanning engine) and the SOCKS5 proxy server Revsocks.
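As an added defensive illustration that is not part of the original report, the following Python triage routine runs over constructed process-creation events and flags two of the behaviours described above: credential-dumping utilities referencing LSASS, and a binary name that nearly matches a trusted vendor filename, as with mantec.exe against symantec.exe. The event format, the sample paths and the similarity threshold are assumptions.

```python
from difflib import SequenceMatcher

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"image": r"C:\Temp\procdump64.exe", "cmdline": "procdump64.exe -ma lsass.exe out.dmp"},
    {"image": r"C:\ProgramData\mantec.exe", "cmdline": "mantec.exe"},
    {"image": r"C:\Program Files\Symantec\symantec.exe", "cmdline": "symantec.exe"},
    {"image": r"C:\Users\Public\LsassDumper.exe", "cmdline": "LsassDumper.exe"},
]

# Credential-dumping utilities named in the report, matched case-insensitively.
DUMP_TOOLS = ("procdump", "minidump", "lsassdumper")
# Trusted vendor binary names that a dropped file might imitate (symantec.exe is
# from the report; extend this tuple with your own environment's vendor binaries).
LEGIT_NAMES = ("symantec.exe",)
LOOKALIKE_THRESHOLD = 0.85  # assumed; mantec.exe vs symantec.exe scores ~0.91


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_lsass_dump(event):
    """True when a known dumping tool runs and LSASS appears in its name or arguments."""
    name = basename(event["image"])
    cmd = event["cmdline"].lower()
    return any(tool in name for tool in DUMP_TOOLS) and ("lsass" in cmd or "lsass" in name)


def lookalike_of(name):
    """Return the trusted name this file name nearly matches, or None if it is
    either the genuine binary or not similar enough to be suspicious."""
    for legit in LEGIT_NAMES:
        if name == legit:
            continue
        if SequenceMatcher(None, name, legit).ratio() >= LOOKALIKE_THRESHOLD:
            return legit
    return None


def triage(events):
    """Return (rule, file_name, detail) findings for the supplied events."""
    findings = []
    for ev in events:
        name = basename(ev["image"])
        if is_lsass_dump(ev):
            findings.append(("lsass_dump", name, ev["cmdline"]))
        legit = lookalike_of(name)
        if legit:
            findings.append(("lookalike", name, legit))
    return findings
```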

While analysts do not have sufficient evidence to conclusively attribute the entire campaign to one specific group, all evidence points toward a concerted effort by China-based threat actors interested in stealing credentials and establishing persistent, stealthy access for long-term espionage.
