Chinese Threat Actors Exploit Microsoft SharePoint Vulnerability to Target Global Organizations
Following the public disclosure and patching of the ToolShell security vulnerability in Microsoft SharePoint in July 2025, threat actors with ties to China launched attacks on various organizations worldwide. A telecommunications company in the Middle East, government departments in an African country, government agencies in South America, a university in the U.S., a state technology agency in Africa, a government department in the Middle East, and a finance company in Europe were among the targets.
The attacks exploited CVE-2025-53770, a security flaw in on-premises SharePoint servers that allowed threat actors to bypass authentication and achieve remote code execution, as reported by Broadcom’s Symantec Threat Hunter Team.

Notably, CVE-2025-53770 was weaponized as a zero-day by three Chinese threat groups – Linen Typhoon, Violet Typhoon, and Storm-2603. The latter group has been associated with deploying Warlock, LockBit, and Babuk ransomware families in recent months.
Further investigations by Symantec revealed that a broader range of Chinese threat actors, including the Salt Typhoon hacking group, utilized the ToolShell flaw to carry out attacks using tools like Zingdoor, ShadowPad, and KrustyLoader.
KrustyLoader, a Rust-based loader previously linked to UNC5221, an espionage group operating in China, was among the tools used in the attacks. This loader had previously been used to exploit vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) and SAP NetWeaver.
Government agencies in South America and a university in the U.S. were targeted using unspecified vulnerabilities for initial access, followed by the exploitation of SQL servers and Apache HTTP servers running Adobe ColdFusion software to deliver malicious payloads via DLL side-loading techniques.

In some instances, attackers leveraged CVE-2021-36942 (PetitPotam) for privilege escalation and domain compromise, along with various readily available tools for scanning, file download, and credential theft on compromised systems.
Symantec emphasized that although there are similarities in the types of victims and tools used, definitive attribution to a specific group is challenging. However, all evidence points to the involvement of China-based threat actors in the attacks.
The motives behind the attacks appear to be centered on stealing credentials and establishing persistent access to victim networks for potential espionage activities.