ToolShell bug used by Chinese attackers against governments in Africa, South America
Summary
Incident responders from Symantec and the Carbon Black Threat Hunter Team have linked multiple breaches at government agencies, telecoms and a university to the ToolShell SharePoint vulnerability (CVE-2025-53770), first publicly disclosed in July 2025. The teams saw compromises across regions, including Africa, South America, the Middle East and a U.S. university, and found evidence pointing to China-based threat actors performing mass scanning for vulnerable servers followed by selective, hands-on intrusions into networks of interest.
Once inside, attackers deployed a toolbox long associated with Chinese groups: backdoors and loaders such as Zingdoor, ShadowPad and KrustyLoader, alongside publicly available or built-in tooling (the Sliver C2 framework, the GoGo scanner and the Windows Certutil utility) to steal credentials and establish persistent, stealthy access. Microsoft previously attributed exploitation to the China-based state-backed groups Linen Typhoon and Violet Typhoon; the researchers also examined a separate actor deploying Warlock ransomware, which may be linked to older ransomware families and to long-running activity dating back to 2019–2022.
Key Points
- The root cause: the ToolShell vulnerability in on-premises SharePoint (CVE-2025-53770), exploited in the wild since July 2025.
- Victims include multiple government departments, a telecom in the Middle East, organisations in Africa and South America, and a U.S. university.
- Malware observed: Zingdoor, ShadowPad and KrustyLoader, plus publicly available post-exploitation tools, a mix that points to espionage-focused activity rather than opportunistic extortion.
- Attackers likely performed mass scanning for the vulnerability, then targeted networks of interest for credential theft and persistent access.
- Microsoft confirmed involvement of two Chinese state-backed groups; a third actor using Warlock ransomware also exploited SharePoint flaws.
- Warlock ransomware shows ties to earlier ransomware families and long-running operator activity, suggesting both espionage and monetisation motives.
- U.S. agencies and many governments were previously reported affected; the campaign is broad and impacts organisations running on-prem SharePoint.
Context and relevance
This is a continuation of a high-impact campaign against a widely used enterprise product (on-prem SharePoint). For organisations running SharePoint internally, the incident underlines how quickly unpatched, internet-facing infrastructure is weaponised by advanced actors once an exploit is public. The mix of espionage tooling and ransomware activity highlights the blurred line between state-directed intelligence collection and criminal monetisation, or deliberate misdirection.
Why should I read this?
Short version: if you run SharePoint, or work in government, telecoms or security, this matters, and badly. It shows adversaries scanning en masse, picking the targets worth the effort, and using tried-and-tested backdoors to stay hidden. Read it so you know what to check (patch level, web server logs, credential theft indicators) and how serious the fallout can be.
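The article says to check your logs but does not say for what. The following is an added example (not code from the article, Symantec, Carbon Black or Microsoft) of a first-pass triage over IIS W3C logs for the ToolShell request pattern. The indicators it matches, a POST to `ToolPane.aspx` carrying a `SignOut.aspx` Referer and any request for the dropped `spinstall0.aspx` web shell, are taken from Microsoft's public guidance on CVE-2025-53770, not from this page; treat them as assumptions to verify against current advisories, since follow-on variants used other file names. The log lines are constructed for the example.

```python
"""Triage IIS W3C logs for the public ToolShell (CVE-2025-53770) request pattern.

Indicator patterns are from Microsoft's public guidance on the July 2025
SharePoint exploitation (assumed correct here, verify against current
advisories): a POST to ToolPane.aspx with a SignOut.aspx Referer, and
requests for the spinstall0.aspx web shell dropped into the LAYOUTS folder.
"""
from dataclasses import dataclass

# Constructed sample log, not a real capture. Field order follows the
# "#Fields:" header, as IIS writes it, so the parser is not tied to one layout.
# Note: IIS replaces spaces inside field values (e.g. User-Agent) with '+',
# so splitting on whitespace is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:41 10.0.0.5 GET /sites/hr/default.aspx - 10.0.8.14 Mozilla/5.0 - 200
2025-07-19 03:12:52 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 03:13:01 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 203.0.113.7 Mozilla/5.0 - 200
2025-07-19 03:15:30 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.8.20 Mozilla/5.0 /sites/hr/_layouts/15/settings.aspx 200
"""


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    reason: str


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("request line seen before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign fields
        yield dict(zip(fields, values))


def toolshell_hits(text):
    """Return suspicious requests. A legitimate ToolPane.aspx edit (Referer from
    a settings page, as in the last sample line) does not match."""
    hits = []
    for r in parse_w3c(text):
        stem = r.get("cs-uri-stem", "").lower()
        referer = r.get("cs(Referer)", "").lower()
        method = r.get("cs-method", "").upper()
        ts = f"{r.get('date', '?')} {r.get('time', '?')}"
        ip = r.get("c-ip", "?")
        if method == "POST" and stem.endswith("/toolpane.aspx") and "signout.aspx" in referer:
            hits.append(Hit(ts, ip, "ToolPane.aspx POST with SignOut.aspx Referer (exploit pattern)"))
        elif "spinstall0.aspx" in stem:
            hits.append(Hit(ts, ip, "request for spinstall0.aspx web shell"))
    return hits


def suspicious_ips(text):
    """Distinct client IPs behind any hit, for pivoting into other log sources."""
    return sorted({h.client_ip for h in toolshell_hits(text)})


if __name__ == "__main__":
    for h in toolshell_hits(SAMPLE_LOG):
        print(h.timestamp, h.client_ip, h.reason)
    print("pivot on:", suspicious_ips(SAMPLE_LOG))
```

Point `toolshell_hits` at the contents of the server's IIS log directory (by default under `C:\inetpub\logs\LogFiles\`) rather than the constructed sample. Any hit on a server that was exposed before patching should be treated as a compromise, not as a near miss: the exploit yields code execution before authentication, so patching alone does not evict an attacker who already has a web shell or has copied the ASP.NET machine keys, which is why Microsoft's guidance paired the update with key rotation and a hunt for the web shell files.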
Source
Source: https://therecord.media/sharepoint-toolshell-bug-breaches-governments-africa-south-america
