{"id":223804,"date":"2025-10-23T04:15:39","date_gmt":"2025-10-23T09:15:39","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2025\/10\/chinese-threat-actors-exploit-toolshell-sharepoint-flaw-weeks-after-microsofts-july-patch"},"modified":"2025-10-23T04:15:39","modified_gmt":"2025-10-23T09:15:39","slug":"chinese-threat-actors-exploit-toolshell-sharepoint-flaw-weeks-after-microsofts-july-patch","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2025\/10\/chinese-threat-actors-exploit-toolshell-sharepoint-flaw-weeks-after-microsofts-july-patch","title":{"rendered":"Chinese Threat Actors Exploit ToolShell SharePoint Flaw Weeks After Microsoft\u2019s July Patch"},"content":{"rendered":"<p>CVE-2025-53770, assessed to be a patch bypass for CVE-2025-49704 and CVE-2025-49706, has been weaponized as a zero-day by <a href=\"https:\/\/thehackernews.com\/2025\/07\/microsoft-links-ongoing-sharepoint.html\" rel=\"noopener\" target=\"_blank\">three Chinese threat groups<\/a>, including Linen Typhoon (aka Budworm), Violet Typhoon (aka Sheathminer), and Storm-2603, the latter of which is linked to the deployment of <a href=\"https:\/\/thehackernews.com\/2025\/10\/hackers-turn-velociraptor-dfir-tool.html\" rel=\"noopener\" target=\"_blank\">Warlock, LockBit, and Babuk ransomware families<\/a> in recent months.<\/p>\n<p>However, the latest findings from Symantec indicate that a much wider range of Chinese threat actors have abused the vulnerability. 
This includes the <a href=\"https:\/\/thehackernews.com\/2025\/10\/hackers-used-snappybee-malware-and.html\" rel=\"noopener\" target=\"_blank\">Salt Typhoon<\/a> (aka Glowworm) hacking group, which is said to have leveraged the ToolShell flaw to deploy tools like <a href=\"https:\/\/thehackernews.com\/2024\/11\/chinese-hackers-exploit-t-mobile-and.html\" rel=\"noopener\" target=\"_blank\">Zingdoor<\/a>, <a href=\"https:\/\/thehackernews.com\/2025\/02\/chinese-linked-attackers-exploit-check.html\" rel=\"noopener\" target=\"_blank\">ShadowPad<\/a>, and KrustyLoader against the telecom entity and the two government bodies in Africa.<\/p>\n<p>KrustyLoader, first <a href=\"https:\/\/thehackernews.com\/2024\/01\/chinese-hackers-exploiting-critical-vpn.html\" rel=\"noopener\" target=\"_blank\">detailed<\/a> by Synacktiv in January 2024, is a Rust-based loader previously put to use by a China-nexus espionage group dubbed UNC5221 in attacks exploiting flaws in Ivanti Endpoint Manager Mobile (<a href=\"https:\/\/thehackernews.com\/2025\/05\/chinese-hackers-exploit-ivanti-epmm.html\" rel=\"noopener\" target=\"_blank\">EPMM<\/a>) and <a href=\"https:\/\/thehackernews.com\/2025\/05\/china-linked-apts-exploit-sap-cve-2025.html\" rel=\"noopener\" target=\"_blank\">SAP NetWeaver<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE-2025-53770, assessed to be a patch bypass for CVE-2025-49704 and CVE-2025-49706, has been weaponized as a zero-day by three Chinese threat groups, including Linen Typhoon (aka Budworm), Violet Typhoon (aka Sheathminer), and Storm-2603, the latter of which is linked to the deployment of Warlock, LockBit, and Babuk ransomware families in recent months. 
However, the latest [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,1490],"tags":[],"class_list":["post-223804","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode","category-government"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/223804","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=223804"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/223804\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=223804"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=223804"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=223804"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}