Cybercriminals are exploiting a previously patched vulnerability in Microsoft SharePoint’s ToolShell component (CVE-2025-53770) to infiltrate multiple government institutions across several continents, according to new findings by the Symantec Threat Hunting Team at Broadcom.
The flaw, which was officially fixed in Microsoft’s July 2025 security update, allowed attackers to bypass authentication and execute remote code on vulnerable servers. Despite the patch, Symantec reports that several organisations failed to apply the update, leaving systems exposed and leading to a wave of coordinated intrusions.
Targets include government departments in Africa, a telecommunications company in the Middle East, state agencies in South America, and a U.S. university, though the report did not identify the victims by name.
Three Chinese APTs Linked to the Attacks
According to Symantec’s analysis, the exploitation of CVE-2025-53770 was often paired with two other SharePoint flaws — CVE-2025-49704 and CVE-2025-49706 — to deploy zero-day malware and establish persistent access.
At least three Chinese state-linked hacker groups have been observed leveraging these vulnerabilities:
- Linen Typhoon (Budworm)
- Violet Typhoon (Sheathminer)
- Storm-2603, which has ties to the Warlock, LockBit, and Babuk ransomware families.
Symantec also identified additional threat actors, including Salt Typhoon (Glowworm), which used the ToolShell exploit to distribute Zingdoor, ShadowPad, and KrustyLoader malware across two African governments.
KrustyLoader, a Rust-based loader attributed to the Chinese group UNC5221, has been previously deployed in intrusions targeting SAP NetWeaver and Ivanti Endpoint Manager Mobile servers.
Multi-Stage Attacks and Exploitation Chains
The incidents in South America and the United States involved the exploitation of unpatched SharePoint servers, followed by lateral movement into SQL and Apache HTTP servers running Adobe ColdFusion.
Attackers then used DLL side-loading to deliver malware and evade detection.
Additionally, the notorious PetitPotam vulnerability (CVE-2021-36942) was exploited for privilege escalation and domain compromise, alongside living-off-the-land (LotL) tools for reconnaissance, credential theft, and data exfiltration.
Espionage Motives Suspected
While the attacks share several characteristics with the Glowworm cluster, Symantec has not definitively attributed all incidents to a single actor. The campaigns appear to focus on credential theft, long-term persistence, and covert access, suggesting espionage objectives rather than financial gain.
“The attackers showed a clear interest in maintaining stealthy, privileged access over extended periods,” Symantec researchers wrote. “This aligns with intelligence-gathering operations rather than immediate disruption or ransomware deployment.”
Microsoft Urges Immediate Patching
Microsoft has urged all organisations to verify their SharePoint instances are fully patched and to disable legacy components like ToolShell where possible. Administrators are also advised to monitor for unusual PowerShell activity, new DLL files, and connections to known ShadowPad or Zingdoor command-and-control infrastructure.
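The monitoring advice above (unusual PowerShell activity, newly dropped DLL files, connections to known ShadowPad or Zingdoor infrastructure) can be turned into a small triage pass over endpoint telemetry. The script below is an added example written for this page, not code from Symantec, Broadcom or Microsoft. It assumes a simple constructed event layout, treats the IIS worker process w3wp.exe as the parent under which SharePoint code runs (a real fact about SharePoint on IIS), and uses placeholder directories and placeholder IP addresses in place of real C2 indicators, which the report does not publish.

```python
"""
Added example: offline triage of constructed endpoint events against the
three monitoring recommendations in the article. Event layout, watched
directories and the C2 address list are assumptions for illustration;
the addresses below are documentation ranges, not real indicators.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

# ASSUMPTION: SharePoint web application code runs inside the IIS worker
# process w3wp.exe, so a shell or PowerShell child of that process is unusual.
WEB_WORKER = "w3wp.exe"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# ASSUMPTION: directories from which SharePoint/IIS serve content; a freshly
# written DLL there is a candidate for the DLL side-loading described above.
WATCHED_DIRS = (
    "c:\\program files\\common files\\microsoft shared\\web server extensions\\",
    "c:\\inetpub\\wwwroot\\",
)

# PLACEHOLDER: substitute the ShadowPad / Zingdoor C2 indicators from your
# own threat-intel feed. These are constructed values, not real IoCs.
KNOWN_C2 = {"203.0.113.10", "198.51.100.7"}


@dataclass
class Event:
    kind: str                    # "process", "file" or "network"
    host: str
    fields: dict = field(default_factory=dict)


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def check_process(ev: Event) -> Finding | None:
    """Flag PowerShell or cmd spawned directly by the IIS worker process."""
    parent = _basename(ev.fields.get("parent_image", ""))
    image = _basename(ev.fields.get("image", ""))
    if parent == WEB_WORKER and image in SHELLS:
        return Finding(ev.host, "shell-from-web-worker",
                       f"{image} spawned by {parent}: {ev.fields.get('cmdline', '')}")
    return None


def check_file(ev: Event) -> Finding | None:
    """Flag a DLL written into a watched web-content directory."""
    path = ev.fields.get("path", "").lower()
    if path.endswith(".dll") and path.startswith(WATCHED_DIRS):
        return Finding(ev.host, "new-dll-in-web-dir", path)
    return None


def check_network(ev: Event) -> Finding | None:
    """Flag an outbound connection to an address on the C2 list."""
    dst = ev.fields.get("dst_ip", "")
    try:
        ipaddress.ip_address(dst)          # ignore malformed or hostname values
    except ValueError:
        return None
    if dst in KNOWN_C2:
        return Finding(ev.host, "known-c2-connection",
                       f"{ev.fields.get('image', '?')} -> {dst}:{ev.fields.get('dst_port', '?')}")
    return None


CHECKS = {"process": check_process, "file": check_file, "network": check_network}


def triage(events: list[Event]) -> list[Finding]:
    """Run each event through the check for its kind; return every hit in order."""
    findings: list[Finding] = []
    for ev in events:
        check = CHECKS.get(ev.kind)
        hit = check(ev) if check else None
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry (not real data): for each kind, one event that
# should trip a rule and one benign event that should not.
SAMPLE_EVENTS = [
    Event("process", "sp-web-01", {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
                                   "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                                   "cmdline": "powershell.exe -enc <placeholder>"}),
    Event("process", "sp-web-01", {"parent_image": r"C:\Windows\System32\services.exe",
                                   "image": r"C:\Windows\System32\svchost.exe"}),
    Event("file", "sp-web-01", {"path": r"C:\inetpub\wwwroot\bin\update.dll"}),
    Event("file", "sp-web-01", {"path": r"C:\Users\admin\Downloads\report.pdf"}),
    Event("network", "sp-web-02", {"image": "svchost.exe", "dst_ip": "203.0.113.10", "dst_port": 443}),
    Event("network", "sp-web-02", {"image": "msedge.exe", "dst_ip": "192.0.2.50", "dst_port": 443}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.rule}: {f.detail}")
```

Run against the constructed sample it reports exactly three findings, one per rule. The parent/child check is the most durable of the three: it does not depend on knowing the attacker's file names or infrastructure, only on the fact that a SharePoint worker process has no routine reason to start a shell.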
The incident highlights the persistent global risk of delayed patch adoption—even after a vulnerability is publicly disclosed and fixed.