A recent investigation has revealed that threat actors with links to China have exploited the ToolShell security vulnerability (CVE-2025-53770) in Microsoft SharePoint. This flaw, which was disclosed and patched in July 2025, enabled significant intrusions into critical sectors, including a major telecommunications company in the Middle East and various government institutions in Africa and South America.
A problem more serious than it seems
According to the threat research team at Broadcom's Symantec, CVE-2025-53770, a now-patched authentication bypass, was exploited by several Chinese cyber-espionage groups, notably Linen Typhoon, Violet Typhoon, and Storm-2603. These groups have carried out sophisticated and varied attacks, using tools such as Zingdoor, ShadowPad, and KrustyLoader in their intrusions.
The attacks were not restricted to a single sector, as incidents were reported at a university in the U.S., as well as a government agency in an African country and a financial agency in Europe. The multifaceted approach of these operations suggests a strategic interest on the part of threat actors in stealing credentials and establishing persistent and stealthy access to their victims’ networks.
Additionally, it has been documented that some of the attackers also used additional vulnerabilities and DLL side-loading techniques to deliver their malicious payloads. Among these techniques is the exploitation of CVE-2021-36942, a vulnerability known for its privilege escalation capability, which further reflects the sophistication of their approach.
The findings of the report suggest that, while there is an overlap in the types of victims and tools used, these activities have not been definitively attributed to a specific group. However, all available evidence indicates that the threat actors behind these operations are based in China.