Salt Typhoon hit governments on three continents with SharePoint attacks
Summary
Security researchers from Broadcom-owned Symantec and Carbon Black say China-aligned threat actors, including Salt Typhoon, exploited the critical ToolShell SharePoint vulnerability (CVE-2025-53770) and other server flaws to breach organisations across multiple continents. Victims included government departments, a telecommunications provider, a university and a finance firm. The intruders used a mix of backdoors and loaders — notably Zingdoor, ShadowPad and KrustyLoader — and employed DLL sideloading and other techniques to maintain stealthy, persistent access for espionage and credential theft.
Key Points
- The ToolShell SharePoint zero-day (CVE-2025-53770) was widely exploited before Microsoft patched it, affecting hundreds of organisations.
- Symantec and Carbon Black linked additional intrusions to Salt Typhoon, expanding the list of victims to the Middle East, Africa, South America, Europe and the US.
- Attackers used Zingdoor (a Go-based HTTP backdoor), ShadowPad and KrustyLoader, and delivered payloads through DLL sideloading and related file-sideloading techniques.
- Some intrusions used other initial-access bugs (SQL servers, Apache/ColdFusion) rather than the SharePoint CVE, showing opportunistic multi-vector activity.
- Researchers observed what looks like mass scanning for the SharePoint flaw, followed by focused activity on networks of interest to steal credentials and establish persistent access.
- Trend Micro and others report growing coordination between China-aligned groups (the “Premier Pass” phenomenon), where one actor breaks in and another performs follow-on activity.
Content Summary
Before Microsoft patched ToolShell, multiple Chinese-linked crews scanned for and exploited on-premises SharePoint servers; earlier reporting put the number of compromised organisations at more than 400. New analysis from Symantec and Carbon Black identifies further victims and shows Salt Typhoon-linked tooling used against a Middle East telecom and African government departments shortly after the patch was issued. Other victims (including South American government agencies and a US university) were compromised via different vulnerabilities, illustrating the attackers’ flexible tactics.
The campaign blended mass reconnaissance with targeted follow-up: broad scans to find vulnerable hosts, then selective deployment of backdoors and loaders to extract credentials and keep a low profile for long-term espionage. Researchers caution that, while attribution is not absolutely definitive, the indicators point strongly to China-based actors and coordinated activity between multiple groups.
Context and Relevance
This story ties into ongoing trends: state-aligned actors exploiting widely publicised zero-days, increased use of DLL sideloading and commodity backdoors, and collaborative campaigns where one group’s access is reused by others. For CISOs, incident responders and public-sector IT teams, it underlines the need for rapid patching, vigilant scanning for persistence mechanisms, and threat-hunting for signs of lateral movement and credential theft.
Author note (style)
Punchy: This isn’t just another vulnerability story — it’s a reminder that mass scanning plus targeted follow-up is now routine, and the scale of victims makes this a serious espionage event.
Why should I read this?
Look, if you run servers or defend them, this one matters — big time. It’s not just a SharePoint bug: it’s a playbook. Attackers scanned en masse, then swapped toys (backdoors, sideloads, loaders) to sneak in and stick around. Read it so you know what to hunt for and why patching plus credential hygiene still saves lives.
