Threat actors linked to China exploited the **ToolShell vulnerability (CVE-2025-53770)** in Microsoft SharePoint to breach a Middle Eastern telecommunications company shortly after its public disclosure in July 2025. The attack chain bypassed authentication and achieved **remote code execution (RCE)** on on-premises SharePoint servers, giving the intruders persistent, low-noise access for **credential theft and espionage**. The tooling deployed included **Zingdoor, ShadowPad, and KrustyLoader**, a Rust-based loader previously tied to China-nexus espionage campaigns; Zingdoor and ShadowPad have historically been used by **Salt Typhoon (Glowworm)**, so the activity overlaps with that group even though attribution to a single actor remains inconclusive. The attackers aimed to **exfiltrate sensitive data**, establish long-term access, and likely gather intelligence for geopolitical or economic advantage. While no explicit data leak was confirmed, the compromise of a **telecom provider**, a critical infrastructure sector, poses risks to **national security, customer privacy, and regional stability**. The attack aligns with broader ToolShell campaigns against **government agencies, universities, and financial institutions** globally, suggesting a coordinated effort by multiple Chinese state-sponsored groups. The use of **living-off-the-land (LotL) techniques** and the **PetitTotam**-style privilege escalation exploit **CVE-2021-36942 (PetitPotam)** made the intrusion harder to detect and widened the scope for **unauthorized lateral movement** across the network.
Source: https://thehackernews.com/2025/10/chinese-threat-actors-exploit-toolshell.html
TPRM report: https://www.rankiteo.com/company/zain
"id": "zai2703327102325",
"linkid": "zain",
"type": "Cyber Attack",
"date": "6/2021",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'industry': 'Telecommunications',
'location': 'Middle East',
'name': 'Unnamed Telecommunications Company',
'type': 'Private'},
{'industry': 'Public Sector',
'location': 'Africa',
'name': 'Government Departments (Multiple)',
'type': 'Government'},
{'industry': 'Public Sector',
'location': 'South America',
'name': 'Government Agencies',
'type': 'Government'},
{'industry': 'Higher Education',
'location': 'United States',
'name': 'Unnamed University',
'type': 'Educational'},
{'industry': 'Technology',
'location': 'Africa',
'name': 'State Technology Agency',
'type': 'Government'},
{'industry': 'Public Sector',
'location': 'Middle East',
'name': 'Government Department',
'type': 'Government'},
{'industry': 'Financial Services',
'location': 'Europe',
'name': 'Finance Company',
'type': 'Private'}],
'attack_vector': ['Exploitation of Public-Facing Application (CVE-2025-53770)',
'DLL Side-Loading',
'Privilege Escalation (CVE-2021-36942)',
'Living-off-the-Land (LotL) Tools'],
'data_breach': {'data_exfiltration': 'Likely (for espionage purposes)',
'sensitivity_of_data': 'High (government, telecom, financial '
'sectors targeted)',
'type_of_data_compromised': ['Credentials',
'Potentially '
'Government/Telecom/Financial '
'Data']},
'date_publicly_disclosed': '2025-07',
'description': 'Threat actors with ties to China exploited the ToolShell '
'security vulnerability (CVE-2025-53770) in Microsoft '
'SharePoint to breach multiple entities globally, including a '
'telecommunications company in the Middle East, government '
'departments in Africa and South America, a U.S. university, a '
'state technology agency in Africa, a government department in '
'the Middle East, and a finance company in Europe. The attacks '
'involved bypassing authentication to achieve remote code '
'execution, deploying malware (e.g., Zingdoor, ShadowPad, '
'KrustyLoader), and leveraging living-off-the-land (LotL) '
'tools for credential theft and persistence. The activity is '
'attributed to multiple China-nexus groups, including Linen '
'Typhoon, Violet Typhoon, Storm-2603, and Salt Typhoon, with '
'motives likely tied to espionage.',
'impact': {'brand_reputation_impact': 'Potential reputational damage to '
'affected entities (e.g., telecom '
'company, government agencies)',
'data_compromised': ['Credentials',
'Potentially Sensitive '
'Government/Telecom/Financial Data'],
'identity_theft_risk': 'High (due to credential theft)',
'systems_affected': ['Microsoft SharePoint Servers (On-Premise)',
'SQL Servers',
'Apache HTTP Servers with Adobe ColdFusion',
'Domain Controllers (via CVE-2021-36942)']},
'initial_access_broker': {'backdoors_established': ['ShadowPad',
'KrustyLoader',
'Zingdoor'],
'entry_point': ['Exploited Microsoft SharePoint '
'(CVE-2025-53770)',
'SQL Servers',
'Adobe ColdFusion Vulnerabilities'],
'high_value_targets': ['Telecommunications '
'Infrastructure',
'Government Networks',
'Financial Data']},
'investigation_status': 'Ongoing (attribution to specific groups remains '
'inconclusive; evidence points to China-based actors)',
'lessons_learned': '1. Patch management is critical, especially for publicly '
'disclosed vulnerabilities like CVE-2025-53770, which was '
'exploited even after patches were available.\n'
'2. China-nexus threat actors continue to target '
'high-value sectors (telecom, government, finance) for '
'espionage, leveraging both zero-days and known '
'vulnerabilities.\n'
'3. Defense-in-depth strategies (e.g., monitoring for LotL '
'tools, privilege escalation attempts) are essential to '
'detect post-exploitation activity.',
'motivation': ['Espionage', 'Credential Theft', 'Persistent Access'],
'post_incident_analysis': {'corrective_actions': '1. Accelerate vulnerability '
'management processes for '
'high-severity flaws.\n'
'2. Deploy behavioral '
'detection for malware '
'loaders (e.g., '
'KrustyLoader) and espionage '
'tools (e.g., ShadowPad).\n'
'3. Isolate and segment '
'high-value systems (e.g., '
'government/telecom '
'networks) to limit lateral '
'movement.\n'
'4. Conduct red team '
'exercises to test defenses '
'against similar attack '
'chains.',
'root_causes': '1. Delayed or incomplete patching '
'of critical vulnerabilities '
'(CVE-2025-53770).\n'
'2. Insufficient monitoring for '
'post-exploitation activity (e.g., '
'LotL tools, privilege '
'escalation).\n'
'3. Overlap in tools/TTPs with '
'previously attributed China-linked '
'groups (e.g., Glowworm) suggests '
'targeted espionage campaigns.'},
 'ransomware': {'note': 'No ransomware was deployed in this espionage intrusion; '
                        'the strains below are listed because Storm-2603, one '
                        'of the groups tied to ToolShell exploitation, has '
                        'used them in separate attacks.',
                'ransomware_strain': ['Warlock',
                                      'LockBit',
                                      'Babuk (deployed by Storm-2603 in '
                                      'unrelated recent attacks)']},
 'recommendations': '1. Immediate patching of Microsoft SharePoint servers for '
                    'CVE-2025-53770 and the related flaws it bypasses '
                    '(CVE-2025-49704, CVE-2025-49706); servers that were '
                    'exposed before the patch was applied should be hunted '
                    'for the backdoors listed below rather than assumed clean.\n'
                    '2. Audit and harden SQL Server and Adobe ColdFusion '
                    'instances, which served as additional entry points, and '
                    'watch for DLL side-loading used to launch the backdoors.\n'
                    '3. Monitor for indicators of compromise (IoCs) tied to '
                    'KrustyLoader, ShadowPad, Zingdoor, and other tools used '
                    'in these attacks.\n'
                    '4. Implement multi-factor authentication (MFA) and '
                    'least-privilege access controls to mitigate credential '
                    'theft risks.\n'
                    '5. Enhance logging and detection for privilege escalation '
                    'attempts (e.g., PetitPotam exploitation, '
                    'CVE-2021-36942).\n'
                    '6. Conduct threat hunting for signs of persistent access '
                    'or backdoors established by China-linked groups.',
'references': [{'source': "Broadcom's Symantec Threat Hunter Team"},
                {'date': '2024-01',
                 'source': 'Synacktiv (KrustyLoader analysis)'}],
'response': {'remediation_measures': ['Patching CVE-2025-53770 (if not '
'already applied)'],
'third_party_assistance': ["Broadcom's Symantec Threat Hunter "
'Team (investigation)']},
'threat_actor': ['Linen Typhoon (Budworm)',
'Violet Typhoon (Sheathminer)',
'Storm-2603',
'Salt Typhoon (Glowworm)',
'UNC5221 (suspected overlap)'],
'title': 'Exploitation of CVE-2025-53770 (ToolShell) in Microsoft SharePoint '
'by China-Linked Threat Actors',
'type': ['Cyber Espionage',
'Unauthorized Access',
'Data Breach',
'Malware Deployment'],
'vulnerability_exploited': ['CVE-2025-53770 (ToolShell, patch bypass for '
'CVE-2025-49704/CVE-2025-49706)',
'CVE-2021-36942 (PetitPotam)',
'Unspecified SQL Server Vulnerabilities',
'Unspecified Adobe ColdFusion Vulnerabilities']}
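Recommendation 3 and lesson 3 above call for monitoring post-exploitation activity, but the record gives no concrete detection logic. The following is an added example, not part of the rankiteo record or of Symantec's reporting: a small Python hunt over IIS W3C logs from an on-premises SharePoint server. It keys on the publicly documented ToolShell request pattern (a POST to /_layouts/15/ToolPane.aspx with DisplayMode=Edit and a Referer of /_layouts/SignOut.aspx, followed by requests to the dropped spinstall0.aspx page), which comes from Microsoft's July 2025 guidance rather than from this page. The log lines are constructed for illustration, and the function names and rule labels are the example's own.

```python
"""Hunt IIS W3C logs for the ToolShell (CVE-2025-53770) exploitation pattern.

Added example; not code from the rankiteo record, Symantec or Microsoft.
Indicator logic follows Microsoft's public hunting guidance for ToolShell:
  * POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit with a Referer of
    /_layouts/SignOut.aspx (the authentication bypass request), and
  * any request for spinstall0.aspx, the web shell dropped to steal the
    ASP.NET MachineKey.
Function names and rule labels are this example's own.
"""
import re
from typing import Dict, List, Optional

# Constructed sample log (not a real capture). Column set assumed from the
# default IIS W3C extended logging fields.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-21 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-21 10:00:01 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 https://sp.corp.local/sites/hr 200
2025-07-21 10:02:13 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-21 10:02:15 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-21 10:05:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.1.21 Mozilla/5.0 https://sp.corp.local/_layouts/15/start.aspx 200
"""

TOOLPANE = re.compile(r"/_layouts/(?:15/)?toolpane\.aspx$", re.IGNORECASE)
WEBSHELL = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)

EXPLOIT = "toolshell_exploit_request"
SHELL = "toolshell_webshell_access"


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Map each data line onto the column names from the last #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            # Truncated or malformed line: skip it rather than mis-align columns.
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def classify(row: Dict[str, str]) -> Optional[str]:
    """Return a rule label for one request, or None when it looks benign."""
    method = row.get("cs-method", "").upper()
    stem = row.get("cs-uri-stem", "")
    query = row.get("cs-uri-query", "").lower()
    referer = row.get("cs(Referer)", "").lower()
    if (method == "POST" and TOOLPANE.search(stem)
            and "displaymode=edit" in query
            and "/_layouts/signout.aspx" in referer):
        return EXPLOIT
    if WEBSHELL.search(stem):
        return SHELL
    return None


def hunt(text: str) -> List[Dict[str, str]]:
    """Run classify() over a log and collect hits with time, client and status."""
    findings = []
    for row in parse_iis_log(text):
        label = classify(row)
        if label:
            findings.append({
                "time": f"{row['date']} {row['time']}",
                "client": row["c-ip"],
                "status": row["sc-status"],
                "rule": label,
            })
    return findings


def likely_compromised_from(findings: List[Dict[str, str]]) -> List[str]:
    """Client IPs that sent the exploit request and then reached the web shell."""
    by_ip: Dict[str, set] = {}
    for f in findings:
        by_ip.setdefault(f["client"], set()).add(f["rule"])
    return sorted(ip for ip, rules in by_ip.items() if {EXPLOIT, SHELL} <= rules)


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("likely compromised via:", likely_compromised_from(hits))
```

Note that the authenticated POST to ToolPane.aspx from the internal user is deliberately not flagged: editing a page legitimately produces that request, and only the SignOut.aspx Referer marks the bypass. A 200 on the exploit request from an external address, followed by a hit on spinstall0.aspx, is the point at which the machine key should be treated as stolen and the server handled as compromised, not merely patched.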