Chinese Threat Actors Exploit ToolShell SharePoint Flaw Weeks After Microsoft's July Patch
Briefly

"Threat actors with ties to China exploited the ToolShell security vulnerability in Microsoft SharePoint to breach a telecommunications company in the Middle East after it was publicly disclosed and patched in July 2025. Also targeted were government departments in an African country, as well as government agencies in South America, a university in the U.S., as well as likely a state technology agency in an African country, a government department in the Middle East, and a finance company in a European country."
"CVE-2025-53770, assessed to be a patch bypass for CVE-2025-49704 and CVE-2025-49706, has been weaponized as a zero-day by three Chinese threat groups, including Linen Typhoon (aka Budworm), Violet Typhoon (aka Sheathminer), and Storm-2603, the latter of which is linked to the deployment of Warlock, LockBit, and Babuk ransomware families in recent months. However, the latest findings from Symantec indicate that a much wider range of Chinese threat actors have abused the vulnerability."
"This includes the Salt Typhoon (aka Glowworm) hacking group, which is said to have leveraged the ToolShell flaw to deploy tools like Zingdoor, ShadowPad, and KrustyLoader against the telecom entity and the two government bodies in Africa. KrustyLoader, first detailed by Synacktiv in January 2024, is a Rust-based loader previously put to use by a China-nexus espionage group dubbed UNC5221 in attacks exploiting flaws in Ivanti Endpoint Manager Mobile (EPMM) and SAP NetWeaver."
Threat actors tied to China exploited the ToolShell vulnerability in on-premises Microsoft SharePoint (CVE-2025-53770) after its July 2025 disclosure and patch to breach a Middle East telecommunications company and other international targets. CVE-2025-53770 functions as a patch bypass for CVE-2025-49704 and CVE-2025-49706, enabling authentication bypass and remote code execution on vulnerable SharePoint servers. Three Chinese groups (Linen Typhoon, Violet Typhoon, and Storm-2603) weaponized the flaw, while additional China-linked actors, including Salt Typhoon, used it to deploy implants such as Zingdoor, ShadowPad, and KrustyLoader. KrustyLoader is a Rust-based loader previously used by UNC5221 against Ivanti EPMM and SAP NetWeaver. Other intrusions targeted South American government agencies and a U.S. university via unspecified initial-access flaws, followed by exploitation of SQL and Apache HTTP servers.
Read at The Hacker News