A zero-day that Microsoft patched in July remained active long after the fix. China-based attackers weaponized the SharePoint “ToolShell” flaw (CVE-2025-53770) to break into a Middle Eastern telecom and a string of government networks across Africa and South America, researchers at Symantec and Carbon Black say.
Two days after Microsoft published emergency patches, intruders had a foothold. On 21 July, the adversaries dropped a webshell and moved fast to sideload backdoors and trojans, turning trusted binaries into door openers. That rapid follow-on shows how quickly exploit code can be weaponized once a vulnerability is public.
Well-known Tools and Techniques
Across victims the attackers recycled several well-known tools and techniques. The Zingdoor HTTP backdoor (previously linked to the Glowworm cluster) appeared on compromised networks, delivered via DLL sideloading through legitimate vendor executables. ShadowPad, a modular RAT often seen in China-nexus campaigns, also surfaced after a BitDefender binary was abused as a loader.
On 25 July, the intruders introduced KrustyLoader, a Rust-written initial loader that performs anti-analysis checks and fetches second-stage payloads. KrustyLoader has been tied to UNC5221-style activity before, and in earlier incidents, it was used to pull down the Sliver post-exploitation framework, another tool seen in these intrusions.
In South America the investigators flagged a cunning attempt to hide in plain sight. The malefactors used a binary named “mantec.exe” (visually close to symantec.exe) to sideload a malicious DLL. That executable was actually a legitimate BugSplat build used for crash reporting; the adversaries abused it to execute their payloads.
Tactics, Techniques, and the Goal
The campaign mixed mass scanning with targeted follow-up. Sensors suggest broad probing for vulnerable SharePoint servers, then selective escalation where the victims were of interest. Once inside, the attackers set about credential theft and persistence: dumping LSASS, abusing PetitPotam-style LSA spoofing to grab authentication material, and installing stealthy backdoors for long-term access. The pattern fits espionage-style objectives.
ToolShell’s Role
ToolShell is not a small threat. It allows unauthenticated remote code execution against on-premises SharePoint servers and was notable for being a patch bypass and variant of earlier SharePoint flaws patched in July. Microsoft and US agencies quickly treated the vulnerability as actively exploited and dangerous, and yet threat actors still exploited it in the wild within days. That mismatch between patch availability and attacker speed remains a core problem for defenders.
Attribution and Scope
Symantec and Carbon Black stop short of pinning every infection to a single named unit. There is overlap with tooling previously attributed to groups such as Glowworm, and other indicators point to China-based actors more broadly.
Microsoft had earlier identified at least three China-linked groups exploiting related SharePoint chains, including actors tracked as Linen Typhoon and Violet Typhoon. Taken together, the weight of evidence points to China-nexus espionage activity, but investigators caution that some connections remain circumstantial.
What Defenders Should Do
The immediate checklist is unchanged but urgent: apply Microsoft’s July SharePoint updates if you haven’t, rotate machine keys, isolate exposed systems, and hunt for post-exploitation indicators such as suspicious DLL loads, unexpected webshells, and anomalous LSASS dumps. Because the campaign used legitimate vendor binaries for sideloading, endpoint telemetry and binary integrity checks are critical.
Auto-patching Should Be Mandated
Roger Grimes, CISO Advisor at KnowBe4, calls this yet another great example of why default auto-patching should be required in every software program and device with firmware.
“That’s because every patch for every announced vulnerability will not be applied 100% by everyone. In fact, it’s very common for 10% – 25% of related instances to remain unpatched for months…and even years…after a patch is released. There are always people who don’t apply critical patches for some reason or another. But if auto-patching were the default, more instances would get patched in a timely manner.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.