Chinese Actors Exploit ToolShell Bug to Breach Global Telecom & Government Networks

Published Date: October 24, 2025

Category: ShadowOpsIntel

A China-nexus intrusion set leveraged the ToolShell zero-day vulnerability to breach multiple organizations across telecom and government sectors. The attackers combined DLL sideloading, living-off-the-land tools, and modular backdoors to maintain persistent access. This campaign demonstrates the speed and scale at which Chinese APTs exploit emerging vulnerabilities for strategic intelligence gathering.

Severity: High

Attack Timeline

July 19, 2025: Microsoft releases patches for ToolShell.
July 21, 2025: Attackers compromise a telecom network using the unpatched vulnerability.
July 25, 2025: KrustyLoader and subsequent payloads deployed.
August 2025: Activity spreads to African and South American government networks.

Vulnerability And Initial Access

ToolShell (CVE-2025-53770): Exploited as a zero-day , this vulnerability affects on-premise SharePoint servers, granting unauthenticated remote code execution and access to all content and file systems. The attack on the telecoms company began on July 21, 2025, just two days after patches were released.
Other Vulnerabilities: In attacks against South American and U.S. victims, the actors used other vulnerabilities for initial access. Exploited SQL servers and Apache HTTP servers running Adobe ColdFusion software to deliver malware.

Threat Actor Involvement

Activity attributed to or overlapping with China-nexus groups: Glowworm (aka Earth Estries, FamousSparrow), UNC5221, Budworm (Linen Typhoon), Sheathminer (Violet Typhoon), Storm-2603.
While attribution remains inconclusive, all indicators point to Chinese state-linked cyber-espionage units.

Malware & Tools Used

Tool / Malware	Description	Purpose
Zingdoor	HTTP backdoor in Go; collects system data, executes commands	Persistence and remote control
ShadowPad	Modular RAT linked to APT41 and Glowworm	Espionage, lateral movement
KrustyLoader	Rust-based loader; anti-sandbox, downloads payloads	Payload delivery (Sliver, others)
Sliver	Legitimate red team C2 abused for control	Command and control
PetitPotam (CVE-2021-36942)	Exploited LSA spoofing vulnerability	Credential theft, privilege escalation
Living-off-the-land tools	Certutil, ProcDump, LsassDumper, Revsocks, Minidump	Recon, credential dumping, persistence

Affected Entities

Telecom sector (Middle East) – primary victim.
Government agencies (Africa, South America) – secondary victims.
University (United States) and finance firm (Europe) – collateral targets.

Recommendations

Immediately apply Microsoft patches for SharePoint vulnerabilities, especially CVE-2025-53770 (ToolShell), CVE-2025-49704, and CVE-2025-53771.
Block or monitor the execution of known LOLBins such as: certutil.exe, procdump.exe, lsassdumper.exe, and PowerSploit scripts like Minidump.ps1.
Configure systems to restrict the ability to load DLLs from untrusted locations, and use application whitelisting to allow only approved executables.
Block the IOCs at their respective controls
https://www.virustotal.com/gui/collection/99181b361ebc176ef8209a2971d52029463c7d3268e784e10540477f19d570ae/iocs

Source:

https://www.security.com/blog-post/toolshell-china-zingdoor

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.