A newly revealed wave of attacks saw China-based threat actors exploiting the ToolShell vulnerability (CVE-2025-53770) in on-premises Microsoft SharePoint Server shortly after it was patched in July 2025. This vulnerability, a deserialization of untrusted data with a critical CVSS score of 9.8, allows an unauthorized attacker to execute remote code. Initial warnings from Microsoft in July confirmed its active exploitation by groups like Budworm, Violet Typhoon, and Storm-2603, with the latter reportedly deploying Warlock ransomware.
The most prominent victim was a telecommunications company in the Middle East, where malicious activity began just two days after the ToolShell patch. The attackers, who are linked to groups like Glowworm (also known as Earth Estries) and UNC5221, deployed complex techniques, including the use of a webshell and DLL sideloading via legitimate Trend Micro and BitDefender binaries to install backdoors. These included the data-collecting Zingdoor and the plug-in-supporting ShadowPad backdoor, which has been associated with ransomware campaigns.
Beyond the telecom firm, the campaign cast a wide net, compromising targets across the globe. Victims included two African government departments, two South American agencies, a U.S. university, an African state technology agency, a Middle Eastern ministry, and a European finance firm. This large-scale compromise suggests the attackers were likely conducting mass scanning for the vulnerability before initiating targeted intrusions on networks of specific interest, also targeting SQL and Apache ColdFusion servers in their efforts.
The attackers showed high sophistication, frequently employing publicly available and living-off-the-land tools to evade detection and conduct internal network operations. They used Certutil for file transfers, GoGo Scanner for network mapping, and Revsocks for setting up proxies. Crucially, they focused on credential theft, utilizing Sysinternals’ Procdump, PowerSploit’s Minidump, and LsassDumper to extract LSASS process memory. They also executed an exploit for the PetitPotam vulnerability (CVE-2021-36942) for lateral movement and privilege escalation to steal credentials from Windows Servers, such as Domain Controllers.
Ultimately, the attacks reveal that a wider array of China-based threat actors than previously known was exploiting ToolShell. Despite some overlaps with the activities of the Glowworm group, conclusive attribution to a single entity remains uncertain. The nature of the campaign—focused on long-term, covert access and credential theft across numerous, high-value global targets—strongly indicates a persistent, espionage-driven operation.
Reference:
