Chinese hacker groups are exploiting the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint to target organizations worldwide, deploying malware through multi-stage DLL side-loading. The campaign illustrates the growing reach of Chinese cyber espionage against government, academic, and corporate entities.

Key points
- The ToolShell vulnerability in Microsoft SharePoint is actively exploited by Chinese hacking groups.
- Attacks have targeted organizations across the Middle East, South America, Africa, Europe, and the U.S.
- Malware such as Zingdoor, ShadowPad, and KrustyLoader are used for persistent access and post-exploitation activities.
- Attackers also leveraged legitimate security tools and publicly available utilities for lateral movement and credential dumping.
- The intrusion chain involves multiple side-loading steps and the use of living-off-the-land binaries (LOLBins) to evade detection.