
New Cross-Continental Campaign Exploits “ToolShell” Flaw to Breach Telecom and Government Networks

A previously undisclosed campaign of cyberespionage is now coming into sharper view, leveraging the zero-day vulnerability known as CVE‑2025‑53770—nicknamed “ToolShell”—to infiltrate a diverse range of targets spanning the Middle East, Africa, South America and the United States. The operation is marked by sophisticated chaining of publicly known flaws, living-off-the-land tools and covert backdoors, underscoring a troubling trend of rapid exploitation and cross-regional reach.


A telecom breach triggers alarm


The breach was first detected at a large telecommunications provider in the Middle East. Attackers initiated compromise on July 21, just two days after a widely publicised patch for ToolShell was issued, according to threat-intelligence sources. From that foothold they deployed a web shell and then abused legitimate vendor binaries to sideload malicious DLLs, delivering payloads including the backdoor “Zingdoor” and the modular RAT “ShadowPad”. Further along the chain came “KrustyLoader”—a Rust-based loader historically associated with Chinese-nexus groups.


The breadth of activity is striking: two government departments in an African country, two government agencies in South America, a U.S. university and a finance company in Europe all appear to be touched by the same toolkit or actor set. In many of these cases the attackers came in through systems other than SharePoint—such as ColdFusion and SQL servers—with one file masquerading as “mantec.exe” (a nod to Symantec’s branding) but actually delivering a DLL sideload payload.


The vulnerability: how ToolShell works


ToolShell is a remote-code execution (RCE) flaw affecting on-premises deployments of Microsoft SharePoint Server. It builds on the previously disclosed CVE-2025-49704 and CVE-2025-49706, refined into a new bypass variant. Microsoft’s advisory explains that the flaw enables unauthenticated attackers to execute arbitrary code simply by sending a crafted web request.


Security researchers rate CVE-2025-53770 as extremely high risk: for example, BitSight assigned it a 10 out of 10 on their “Dynamic Vulnerability Exploit” scale. Moreover, the flaw was quickly added to the U.S. Cybersecurity & Infrastructure Security Agency (CISA) known-exploited-vulnerabilities list.


The vendor-published mitigation guidance calls for immediate patching of supported SharePoint versions, integration of AMSI (Antimalware Scan Interface), rotation of MachineKeys and isolation of exposed servers.


Attribution and toolkit: executing the surge


Multiple clues point to China-based threat actors. Microsoft has named groups such as “Linen Typhoon” and “Violet Typhoon” (also known as Budworm/Sheathminer), along with Storm-2603, as exploiting these SharePoint flaws.


The telecom breach exhibited a three-stage tool-chain:


  1. Exploitation of SharePoint via ToolShell → web shell deployment.


  2. DLL sideloading of Zingdoor/ShadowPad using legitimate vendor binaries.


  3. Execution of KrustyLoader followed by post-exploitation frameworks (e.g., Sliver) and credential dumping via ProcDump, Minidump and LsassDumper.


In the South American cases, the attackers intentionally named a binary “mantec.exe” to mimic Symantec. This suggests strong operational security (OPSEC) and targeting sophistication.


According to telemetry from Unit 42 (part of Palo Alto Networks), IP clusters tied to these attacks show heavy overlap with Storm-2603 networks, reinforcing suspicion of Chinese-nexus activity.


Why this matters


Several factors elevate this campaign beyond a run-of-the-mill intrusion:


  • Speed of exploitation: The compromise in the Middle East occurred essentially immediately after the patch was released.


  • Diverse victims: From telecoms to government to education, the cross-continent scale indicates broad scanning followed by selective targeting of assets.


  • Persistent espionage-style infrastructure: The malware load-out emphasizes long-term access rather than fast “spray-and-pray”.


  • Supply-chain and sideload abuse: Use of legitimate vendor binaries greatly complicates detection and forensic attribution.


  • Legacy and exposure risk: On-premises SharePoint remains widely deployed and often internet-exposed, heightening exposure.


One senior security advisor, Roger Grimes of KnowBe4, commented:


“I think this is yet another great example of why default auto-patching should be required in every software program and device with firmware. … But if auto-patching were the default, more instances would get patched in a timely manner.”

What organisations should do now


Given the sophistication and stealth of this breach wave, defenders should adopt a layered response:


  • Prioritise patching: Immediately apply updates for all supported on-premises SharePoint instances.


  • Hunt for indicators: Watch for web shells such as spinstall0.aspx (or variants), unusual IIS worker process spawning, and unexplained outgoing connections.


  • Rotate machine keys and credentials: If a SharePoint server was internet-exposed, assume compromise.


  • Segment and isolate: Ensure on-prem systems are not directly exposed without compensating controls (e.g., WAF, ZTNA).


  • Monitor for living-off-the-land activity: Tools like ProcDump, Certutil, and Revsocks are commonly abused.


  • Assume espionage: Given the nature of the targeting, focus on long-term lateral movement and data exfiltration, not just ransomware.
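The hunting guidance above (web shells named like spinstall0.aspx, the IIS worker process spawning command interpreters, and abuse of living-off-the-land tools such as ProcDump and Certutil) can be turned into a small set of detection rules. The script below is an added example, not code from the article or from any vendor: it runs those rules over constructed process-creation events and file paths. The pipe-separated event layout, the directory names and every host name and timestamp are assumptions made for the demonstration, not real telemetry.

```python
"""Detection heuristics for ToolShell-style post-exploitation activity on a
SharePoint host.  Added example; the events and paths are constructed and the
event layout is an assumed, simplified form of a process-creation record
(Sysmon Event ID 1 or Windows Security 4688 would carry the same fields)."""

import re
from dataclasses import dataclass

# Assumed event shape (constructed): "timestamp|host|parent_image|image|command_line"
SAMPLE_EVENTS = [
    "2025-07-21T03:12:07Z|sp01|C:\\Windows\\System32\\inetsrv\\w3wp.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami",
    "2025-07-21T03:12:09Z|sp01|C:\\Windows\\System32\\inetsrv\\w3wp.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -nop -w hidden",
    "2025-07-21T03:15:44Z|sp01|C:\\Windows\\System32\\cmd.exe|C:\\Tools\\procdump64.exe|procdump64.exe -ma lsass.exe out.dmp",
    "2025-07-21T03:20:01Z|sp01|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe",
    "2025-07-21T03:22:15Z|sp01|C:\\Windows\\System32\\inetsrv\\w3wp.exe|C:\\Windows\\System32\\conhost.exe|conhost.exe 0x4",
    "2025-07-21T03:30:00Z|sp01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\certutil.exe|certutil -decode in.txt out.bin",
]

# Constructed file listing of a SharePoint web root (directory names assumed).
SAMPLE_FILES = [
    "C:\\SharePoint\\TEMPLATE\\LAYOUTS\\spinstall0.aspx",
    "C:\\SharePoint\\TEMPLATE\\LAYOUTS\\spinstall1.aspx",
    "C:\\SharePoint\\TEMPLATE\\LAYOUTS\\default.aspx",
    "C:\\inetpub\\wwwroot\\mantec.exe",
]

IIS_WORKER = "w3wp.exe"
# Children that the IIS worker process has no business launching on a SharePoint server.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "certutil.exe", "mshta.exe"}
# Living-off-the-land tools named in the article's guidance (plus the 64-bit ProcDump build).
LOLBINS = {"procdump.exe", "procdump64.exe", "certutil.exe", "revsocks.exe"}
# spinstall0.aspx and numbered variants.
WEBSHELL_RE = re.compile(r"^spinstall\d*\.aspx$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> dict:
    """Split one constructed event line into its five fields."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmdline": cmdline}


def detect_process_events(lines) -> list:
    """Apply the IIS-spawn and LOLBin rules to process-creation events."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        parent, image = basename(ev["parent"]), basename(ev["image"])
        where = f"{ev['ts']} {ev['host']}"
        if parent == IIS_WORKER and image in SUSPICIOUS_CHILDREN:
            findings.append(Finding("iis-worker-spawn", f"{where}: {IIS_WORKER} -> {image}"))
        if image in LOLBINS:
            # ProcDump pointed at LSASS is the credential-dumping step; other LOLBin use is lower severity.
            if image.startswith("procdump") and "lsass" in ev["cmdline"].lower():
                findings.append(Finding("lsass-dump-attempt", f"{where}: {ev['cmdline']}"))
            else:
                findings.append(Finding("lolbin-execution", f"{where}: {ev['cmdline']}"))
    return findings


def detect_webshell_files(paths) -> list:
    """Return paths whose file name matches the spinstall web-shell pattern."""
    return [p for p in paths if WEBSHELL_RE.match(basename(p))]


if __name__ == "__main__":
    for f in detect_process_events(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
    for p in detect_webshell_files(SAMPLE_FILES):
        print(f"[webshell-file] {p}")
```

Run as-is it reports the two interpreter launches by w3wp.exe, the LSASS dump attempt, the certutil execution and the two spinstall files; conhost.exe under the worker process is deliberately ignored because it is normal IIS behaviour. In production the rules would read Sysmon or 4688 events from the SIEM instead of the constructed list, and the file rule would be paired with a hash or content check, since an attacker can rename a web shell freely.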


Looking ahead


As this campaign demonstrates, even high-profile patches do not guarantee safety once adversaries move this quickly. The architecture of on-premises platforms like SharePoint—long-running, complex and often internet-connected—remains a magnet for sophisticated attackers. Organisations would be wise to treat this incident as a wake-up call: unauthenticated RCE in mission-critical services is being exploited in the wild, and attackers are opportunistically pivoting into legacy infrastructure to hit high-value targets across multiple continents.


For now, the full scope of victim organisations remains unclear—many compromises likely remain unreported. But one thing is evident: tool-chains once reserved for ransomware gangs are being repurposed for stealthy, geopolitical-scale access. And as the telecoms breach shows, no sector is immune.

