# Sharepoint ToolShell Attacks: A Global Threat
A series of sophisticated attacks targeting organizations across four continents has been linked to the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint. The hackers, believed to be associated with China, have leveraged this zero-day exploit to gain unauthorized access to government agencies, universities, telecommunication service providers, and finance organizations.
Microsoft released emergency updates on July 21 to address the issue, but the damage had already been done. The ToolShell vulnerability is a bypass for two previously disclosed flaws (CVE-2025-49706 and CVE-2025-49704) that can be leveraged remotely without authentication for code execution and full access to the file system.
The attacks are believed to have originated from three Chinese threat groups: Budworm/Linen Typhoon, Sheathminer/Violet Typhoon, and Storm-2603/Warlock ransomware. However, a recent report by Symantec, a cybersecurity company part of Broadcom, reveals that ToolShell was used to compromise various organizations in the Middle East, South America, the U.S., and Africa.
In the Middle East, the activity started on July 21 with the exploitation of CVE-2025-53770 to plant webshells that enabled persistent access. The attackers then used DLL side-loading to run a Go-based backdoor named Zingdoor, which can collect system information, perform file operations, and facilitate remote command execution. Another side-loading step launched what appears to be the ShadowPad Trojan, followed by the deployment of the Rust-based KrustyLoader tool.
The attackers used legitimate Trend Micro and BitDefender executables as the hosts for these side-loading steps, adding an extra layer of sophistication to their attacks. For the attacks in South America, the threat actors used a file whose name mimicked Symantec's before proceeding with credential dumping via ProcDump, Minidump, and LsassDumper. They also leveraged PetitPotam (CVE-2021-36942) for domain compromise.
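The side-loading pattern described above (a legitimately signed vendor executable copied somewhere it does not belong and loaded next to a DLL it expects to find in its own directory) is visible in image-load telemetry. The following is an added illustration, not code from the Symantec report or from any vendor product: it applies a simple co-location rule to constructed image-load events. All paths, signer names and event records are made up for the example; a real deployment would feed it Sysmon Event ID 7 (Image loaded) or an EDR equivalent.

```python
"""Flag image-load events that look like DLL side-loading.

Added example for illustration only. Events, paths and signer names below are
constructed; nothing here is an indicator from the report.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where a vendor binary is expected to live (lower-case, backslashes).
TRUSTED_ROOTS = ("c:\\program files", "c:\\program files (x86)", "c:\\windows")


@dataclass(frozen=True)
class ImageLoad:
    """One image-load event: which process loaded which DLL, and who signed each."""
    process_path: str
    process_signer: str  # "" when the host executable is unsigned
    dll_path: str
    dll_signer: str      # "" when the DLL is unsigned


def under_trusted_root(path: str) -> bool:
    """True when the path sits below one of TRUSTED_ROOTS."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(root + "\\") for root in TRUSTED_ROOTS)


def sideload_reasons(ev: ImageLoad) -> list[str]:
    """Return the reasons an event looks like side-loading (empty list = benign).

    The shape of interest is: a *signed* host process loads a DLL from its own
    directory, and something about that pairing is off (host running from a
    user-writable location, DLL unsigned, or DLL signed by someone else).
    """
    if not ev.process_signer:
        return []  # unsigned host: a different detection, not the side-loading shape
    exe, dll = PureWindowsPath(ev.process_path), PureWindowsPath(ev.dll_path)
    if str(exe.parent).lower() != str(dll.parent).lower():
        return []  # DLL resolved elsewhere (e.g. System32); not co-located
    reasons = []
    if not under_trusted_root(ev.process_path):
        reasons.append("signed host running outside a trusted install root")
    if not ev.dll_signer:
        reasons.append("co-located DLL is unsigned")
    elif ev.dll_signer != ev.process_signer:
        reasons.append(
            f"co-located DLL signed by {ev.dll_signer!r}, host by {ev.process_signer!r}"
        )
    return reasons


def scan(events: list[ImageLoad]) -> dict[str, list[str]]:
    """Map each suspicious DLL path to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            findings[ev.dll_path] = reasons
    return findings


# Constructed sample telemetry (hypothetical vendor "Example AV Corp").
SAMPLE_EVENTS = [
    # 1. Normal: vendor agent loads its own signed DLL from its install directory.
    ImageLoad("C:\\Program Files\\ExampleAV\\agent.exe", "Example AV Corp",
              "C:\\Program Files\\ExampleAV\\agentcore.dll", "Example AV Corp"),
    # 2. Side-load shape: same signed agent copied to ProgramData next to an
    #    unsigned DLL carrying the name it expects.
    ImageLoad("C:\\ProgramData\\tmp\\agent.exe", "Example AV Corp",
              "C:\\ProgramData\\tmp\\agentcore.dll", ""),
    # 3. Same relocated agent loading a system DLL: not co-located, not flagged.
    ImageLoad("C:\\ProgramData\\tmp\\agent.exe", "Example AV Corp",
              "C:\\Windows\\System32\\kernel32.dll", "Microsoft Windows"),
    # 4. In the install root, but the co-located DLL carries a different signer.
    ImageLoad("C:\\Program Files\\ExampleAV\\agent.exe", "Example AV Corp",
              "C:\\Program Files\\ExampleAV\\helper.dll", "Other Co"),
]

if __name__ == "__main__":
    for dll, why in scan(SAMPLE_EVENTS).items():
        print(dll)
        for r in why:
            print("   -", r)
```

The rule deliberately stays silent on unsigned hosts and on DLLs resolved from system directories, so that it isolates the one behaviour the report describes: a trusted, signed binary carrying an attacker's DLL. Event 4 shows that signer mismatch alone also produces a finding; in production that check needs an allow-list for vendors that legitimately ship third-party components.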
The list of publicly available and living-off-the-land tools used in the attacks included the Certutil utility from Microsoft, the GoGo Scanner (a red-team scanning engine), and the Revsocks utility that allows data exfiltration, command-and-control, and persistence on the compromised device. This report from Symantec indicates that the ToolShell vulnerability was exploited by a larger set of Chinese threat actors than was previously known.
The implications of these attacks are significant, and they highlight the need for organizations to prioritize their security posture. The report also serves as a reminder that zero-day exploits can be devastatingly effective if not addressed promptly.
# Stay Safe Online
To protect yourself from similar attacks, make sure to:
* Keep your software up-to-date with the latest security patches
* Use strong passwords and enable multi-factor authentication whenever possible
* Monitor your systems for suspicious activity and respond quickly to potential threats
* Consider investing in a reputable antivirus solution that can detect and prevent zero-day exploits
Stay vigilant, and stay safe online.