Middle Eastern telecommunications company (unnamed in the article)

A China-linked threat actor (associated with groups like Glowworm/UNC5221) exploited the patched ToolShell SharePoint vulnerability (CVE-2025-53770, CVSS 9.8) to breach a Middle Eastern telecom firm just two days after Microsoft’s July 2025 patch. Attackers deployed a webshell, used DLL sideloading (via Trend Micro and BitDefender binaries) to install backdoors (Zingdoor, ShadowPad), and dropped the Rust-based KrustyLoader for second-stage payloads. They also leveraged PetitPotam (CVE-2021-36942) for lateral movement, stole credentials via LSASS memory dumps, and exfiltrated data. The campaign, likely espionage-driven, targeted long-term covert access, with tools like GoGo Scanner, Revsocks, and Procdump for persistence. While no explicit data leak or ransomware was confirmed, the breach compromised internal systems, credentials, and potentially sensitive corporate/operational data, posing risks to the telecom’s infrastructure and customer trust. The attack aligns with broader targeting of government and critical sectors by China-based actors.

Source: https://securityaffairs.com/183800/security/china-linked-hackers-exploit-patched-toolshell-flaw-to-breach-middle-east-telecom.html

TPRM report: https://www.rankiteo.com/company/mada-communications-int'l

{
  "id": "mad4133341102425",
  "linkid": "mada-communications-int'l",
  "type": "Cyber Attack",
  "date": "6/2021",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'industry': 'Telecommunications',
                        'location': 'Middle East',
                        'name': 'Unnamed Middle Eastern Telecom Company',
                        'type': 'Telecommunications'},
                       {'industry': 'Government',
                        'location': 'Africa',
                        'type': 'Government Department'},
                       {'industry': 'Government',
                        'location': 'Africa',
                        'type': 'Government Department'},
                       {'industry': 'Government',
                        'location': 'South America',
                        'type': 'Government Agency'},
                       {'industry': 'Government',
                        'location': 'South America',
                        'type': 'Government Agency'},
                       {'industry': 'Education',
                        'location': 'United States',
                        'type': 'University'},
                       {'industry': 'Government/Technology',
                        'location': 'Africa',
                        'type': 'State Technology Agency'},
                       {'industry': 'Government',
                        'location': 'Middle East',
                        'type': 'Government Ministry'},
                       {'industry': 'Financial Services',
                        'location': 'Europe',
                        'type': 'Finance Company'}],
 'attack_vector': ['Exploitation of Public-Facing Application (CVE-2025-53770)',
                   'Webshell Deployment',
                   'DLL Sideloading',
                   'Living-off-the-Land Tools',
                   'LSASS Memory Dumping'],
 'data_breach': {'data_exfiltration': ['Likely (Given Espionage Motive)'],
                 'personally_identifiable_information': ['Potential (via '
                                                         'Credential Theft)'],
                 'sensitivity_of_data': ['High (Espionage-Targeted)'],
                 'type_of_data_compromised': ['Credentials',
                                              'Authentication Information',
                                              'Potentially Sensitive '
                                              'Government/Enterprise Data']},
 'date_detected': '2025-07-21',
 'date_publicly_disclosed': '2025-10-24',
 'description': 'China-based threat actors exploited the ToolShell SharePoint '
                'flaw (CVE-2025-53770) to breach a telecommunications company '
                'in the Middle East shortly after the vulnerability was '
                'patched in July 2025. The attackers, linked to groups like '
                'Glowworm (Earth Estries) and UNC5221, used tools such as '
                'Zingdoor, KrustyLoader, and ShadowPad backdoor. The campaign '
                'targeted multiple entities globally, including government '
                'agencies, a U.S. university, and a European finance firm. The '
                'attack involved credential theft, lateral movement, and '
                'likely espionage-driven motives.',
 'impact': {'brand_reputation_impact': ['Potential Reputation Damage Due to '
                                        'Espionage-Linked Breach'],
            'data_compromised': ['Credentials',
                                 'Authentication Information',
                                 'Potential Sensitive Data (Espionage)'],
            'identity_theft_risk': ['High (Credential Theft)'],
            'operational_impact': ['Unauthorized Remote Code Execution',
                                   'Backdoor Deployment',
                                   'Lateral Movement',
                                   'Privilege Escalation'],
            'systems_affected': ['On-Premises Microsoft SharePoint Servers',
                                 'SQL Servers',
                                 'Apache ColdFusion Servers',
                                 'Domain Controllers (via PetitPotam)',
                                 'LSASS Process Memory']},
 'initial_access_broker': {'backdoors_established': ['ShadowPad',
                                                     'Zingdoor',
                                                     'KrustyLoader'],
                           'entry_point': ['Exploited SharePoint Server '
                                           '(CVE-2025-53770)'],
                           'high_value_targets': ['Government Agencies',
                                                  'Telecom Infrastructure',
                                                  'Financial Firms',
                                                  'Educational Institutions'],
                           'reconnaissance_period': ['Likely Short '
                                                     '(Exploitation Began 2 '
                                                     'Days Post-Patch)']},
 'investigation_status': 'Ongoing (Attribution Uncertain; Evidence Points to '
                         'China-Linked Actors)',
 'lessons_learned': ['Rapid exploitation of newly patched vulnerabilities by '
                     'state-linked actors underscores the need for immediate '
                     'patching.',
                     'Mass scanning for vulnerable systems followed by '
                     'targeted intrusions highlights the importance of '
                     'proactive vulnerability management.',
                     'Use of living-off-the-land tools and legitimate binaries '
                     '(e.g., Trend Micro, BitDefender) for sideloading malware '
                     'complicates detection.',
                     'Espionage-driven campaigns prioritize long-term covert '
                     'access, requiring advanced threat hunting and behavioral '
                     'analysis.'],
 'motivation': ['Espionage', 'Credential Theft', 'Long-term Covert Access'],
 'post_incident_analysis': {'corrective_actions': ['Mandate emergency patching '
                                                   'for critical CVEs within '
                                                   '48 hours of disclosure.',
                                                   'Deploy endpoint detection '
                                                   'and response (EDR) '
                                                   'solutions to detect '
                                                   'sideloading and webshell '
                                                   'activities.',
                                                   'Conduct red team exercises '
                                                   'simulating APT tactics '
                                                   'like PetitPotam and '
                                                   'ShadowPad.',
                                                   'Enhance logging and '
                                                   'monitoring for unusual '
                                                   'process executions (e.g., '
                                                   'Certutil, Procdump).',
                                                   'Implement zero-trust '
                                                   'architecture principles to '
                                                   'limit post-compromise '
                                                   'movement.'],
                            'root_causes': ['Delayed or Incomplete Patching of '
                                            'Critical Vulnerability '
                                            '(CVE-2025-53770)',
                                            'Lack of Detection for Webshell '
                                            'Deployment and DLL Sideloading',
                                            'Insufficient Monitoring for '
                                            'Living-off-the-Land Tool Abuse',
                                            'Potential Gaps in Network '
                                            'Segmentation Allowing Lateral '
                                            'Movement']},
 'ransomware': {'ransomware_strain': ['Warlock (Deployed by Storm-2603 in '
                                      'Related Attacks)']},
 'recommendations': ['Accelerate patching timelines for critical '
                     'vulnerabilities, especially those with public exploits.',
                     'Monitor for unusual DLL sideloading activities, '
                     'particularly involving security software binaries.',
                     'Implement network segmentation to limit lateral movement '
                     'post-compromise.',
                     'Enhance credential protection mechanisms (e.g., LSASS '
                     'isolation, privileged access management).',
                     'Deploy behavioral-based detection for tools like '
                     'Certutil, Procdump, and Revsocks used in '
                     'post-exploitation.',
                     'Conduct regular threat hunting for webshells and '
                     'backdoors like ShadowPad or KrustyLoader.'],
 'references': [{'date_accessed': '2025-10-24',
                 'source': 'SecurityAffairs',
                 'url': 'https://securityaffairs.com/153704/apt/china-hackers-exploit-toolshell-flaw.html'},
                {'source': 'Broadcom Symantec Threat Hunter Team Report'}],
 'response': {'remediation_measures': ['Patch Application (CVE-2025-53770)',
                                       'Potential Backdoor Removal'],
              'third_party_assistance': ['Broadcom’s Symantec Threat Hunter '
                                         'Team (Investigation)']},
 'threat_actor': ['Glowworm (Earth Estries)',
                  'UNC5221',
                  'Budworm',
                  'Violet Typhoon (Sheathminer)',
                  'Storm-2603'],
 'title': 'China-linked hackers exploit patched ToolShell flaw to breach '
          'Middle East telecom',
 'type': ['Cyber Espionage',
          'Unauthorized Access',
          'Data Breach',
          'Credential Theft'],
 'vulnerability_exploited': ['CVE-2025-53770 (ToolShell SharePoint Flaw)',
                             'CVE-2021-36942 (PetitPotam - Windows LSA '
                             'Spoofing)']}