ToolShell Exploit: China-Linked Hackers Target Global Critical Infrastructure
In mid-summer 2025, the ToolShell vulnerability (CVE-2025-53770) became the catalyst for a major wave of compromises. The flaw affects on-premises SharePoint Server and gives an unauthenticated attacker remote code execution on the server, and with it access to its files and configuration. Attackers were exploiting it on internet-facing SharePoint servers shortly after Microsoft released its patch, so any server that was slow to update was exposed. The earliest documented case in this campaign was the compromise of a telecommunications operator in the Middle East, where the threat actors installed a web shell and began deploying payloads as early as July 21, 2025.
Several attacks on critical infrastructure employed sophisticated loader and obfuscation techniques. Through DLL sideloading (a legitimate, signed executable is launched next to a malicious DLL that it loads by name from its own directory, so the malicious code runs under a trusted process name), the attackers deployed the Zingdoor backdoor, an HTTP trojan written in Go that supports system reconnaissance, file transfer, and remote command execution, alongside ShadowPad, a modular RAT long associated with China-linked threat groups. On July 25 they introduced KrustyLoader, a Rust-based loader with anti-analysis and self-deletion features that retrieves and runs a second stage; here the second stage was Sliver, an open-source command-and-control framework commonly used as a Cobalt Strike alternative.
The operation extended well beyond the Middle East, affecting two government departments in an African nation, institutions in South America, and a U.S. university. In one case, the attackers named a malicious executable mantec.exe, a name chosen to resemble a legitimate security-product component so that it would not stand out in a process list. Additional evidence points to compromises of a state-owned technology entity in Africa and a financial organization in Europe. Living-off-the-land (LotL) techniques were used extensively: certutil to fetch or decode payloads, ProcDump and other LSASS dump tools to harvest credentials from memory, and PetitPotam, an NTLM authentication-coercion technique that abuses the MS-EFSRPC interface, for privilege escalation.
Analysis indicates a pattern of mass scanning to identify vulnerable targets, followed by selective exploitation of the most valuable ones, aimed at long-term, covert access for credential theft and espionage. Researchers at Symantec highlighted significant overlaps in tooling and tactics with prior operations; attribution remains inconclusive, but most indicators point toward a China-linked threat actor.
Indicators of compromise (IOCs), including file hashes and network addresses, have been published to aid detection and incident response. Affected organizations are urged to review SharePoint and IIS logs and endpoint process telemetry for the indicators, apply the latest security updates, and verify the integrity (hash, signature, and install path) of executables on SharePoint hosts to mitigate ongoing threats.