Sharepoint ToolShell Attacks Strike Global Orgs on 4 Continents

Summary
– Chinese hackers exploited the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint to target government, education, telecom, and finance sectors globally.
– Microsoft disclosed the actively exploited zero-day flaw on July 20 and released emergency updates the following day for on-premise SharePoint servers.
– The vulnerability allows remote, unauthenticated attackers to execute code and gain full file system access, building on earlier flaws demonstrated at Pwn2Own Berlin.
– Symantec reported that attacks involved deploying webshells, backdoors like Zingdoor and ShadowPad, and tools such as Sliver for persistence and data exfiltration.
– The campaign used publicly available tools and legitimate software for side-loading, indicating broader exploitation by Chinese threat actors than previously known.
A significant cybersecurity incident involving the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint has impacted organizations worldwide, with security researchers linking the activity to hacking groups operating from China. The flaw affects on-premise SharePoint servers and was first identified as an actively exploited zero-day on July 20; Microsoft responded by issuing emergency patches just one day later. The flaw is a bypass of the fixes for two earlier vulnerabilities, CVE-2025-49706 and CVE-2025-49704, which Viettel Cyber Security had demonstrated during the Pwn2Own Berlin event in May. Attackers can exploit it remotely without authentication, allowing them to execute arbitrary code and gain unrestricted access to the entire file system.
Microsoft has publicly attributed the exploitation of ToolShell to three distinct Chinese threat actors: Budworm (also known as Linen Typhoon), Sheathminer (Violet Typhoon), and the Storm-2603 group, which is associated with Warlock ransomware. A recent analysis from Symantec, a Broadcom company, reveals that the vulnerability was used to infiltrate a wide array of entities across four continents, with victims in the Middle East, South America, the United States, and Africa. The tactics and malware employed in these campaigns are consistent with those used by the Chinese hacking collective known as Salt Typhoon.
Among the confirmed victims are a telecommunications provider in the Middle East, two separate government departments in an African nation, two government bodies in South America, a university located in the United States, a state-level technology agency in Africa, another Middle Eastern government department, and a financial services firm based in Europe. Symantec’s report provides a detailed timeline of the attack on the Middle Eastern telecom company, which commenced on July 21. The initial intrusion involved exploiting the SharePoint flaw to install webshells, providing the attackers with a persistent foothold inside the network.
Subsequently, the attackers used a technique called DLL side-loading to deploy a backdoor written in Go, identified as Zingdoor. This malicious tool is capable of harvesting system information, performing various file operations, and enabling the remote execution of commands. Another side-loading operation was then used to launch what investigators believe is the ShadowPad Trojan, a sophisticated malware family. Following this, the threat actors deployed KrustyLoader, a tool built using the Rust programming language, which ultimately installed the Sliver open-source post-exploitation framework. Notably, the side-loading procedures abused legitimate executable files from security vendors Trend Micro and BitDefender. In the South American attacks, the hackers used a file that mimicked the Symantec brand name.
After establishing a strong presence, the attackers moved to dump credentials using tools like ProcDump, Minidump, and LsassDumper. They also leveraged the PetitPotam vulnerability (CVE-2021-36942) to further compromise the network domain. The attackers relied heavily on publicly available utilities and living-off-the-land techniques to avoid detection. These tools included Microsoft’s own Certutil, the GoGo Scanner, a scanning engine often used by red teams, and Revsocks, a utility that supports data exfiltration, command-and-control communication, and maintaining persistence on infected systems.
Symantec’s investigation concludes that the exploitation of the ToolShell vulnerability is not limited to the three groups initially identified by Microsoft. Instead, the evidence suggests a broader set of Chinese threat actors are actively using this flaw in their operations, indicating a wider and more coordinated campaign than security officials previously understood.
(Source: Bleeping Computer)