Chinese-linked attackers exploited the recently disclosed SharePoint “ToolShell” vulnerability (CVE-2025-53770) to breach multiple organisations across the Middle East, Africa, South America, Europe and the U.S., deploying loaders and backdoors including Zingdoor, KrustyLoader and ShadowPad. The campaign relied on DLL sideloading through legitimate signed binaries, PetitPotam-based credential theft, and living-off-the-land tools to maintain stealthy persistence and harvest credentials for espionage. #ToolShell #Zingdoor #KrustyLoader
Keypoints
- Attacks began within days of Microsoft's July 2025 patch for ToolShell (CVE-2025-53770); the earliest observed exploitation hit an on-premises SharePoint server at a Middle Eastern telecommunications company on July 21, 2025.
- Zingdoor (a Go-based HTTP backdoor) was deployed by DLL sideloading against a legitimate Trend Micro binary; ShadowPad was deployed the same way, using a legitimate BitDefender binary (SHA256: 3fc4f3f…0134).
- KrustyLoader (a Rust-based first-stage loader previously linked to China-nexus actors) was used to deliver second-stage payloads; it was observed in this campaign on July 25, 2025.
- Further victims across Africa, South America, Europe and the U.S. were compromised through initial access vectors other than ToolShell, including exposed SQL servers and Apache HTTP servers running Adobe ColdFusion.
- Techniques included sideloading malicious DLLs through legitimate binaries (among them a benign BugSplat executable, mantec.exe) and running a PetitPotam exploit (CVE-2021-36942, Windows LSA Spoofing) to coerce authentication and steal credentials from Windows servers such as domain controllers.
- Public and living-off-the-land tools handled credential dumping, scanning and proxying: Certutil, ProcDump, LsassDumper, Minidump (from PowerSploit), GoGo Scanner and Revsocks. The tool mix points to a focus on credential theft and durable access.
- Attribution points to China-based actors: tooling overlaps with Glowworm, and KrustyLoader has been associated with UNC5221. Microsoft has reported at least three Chinese groups exploiting ToolShell, including Budworm, Sheathminer and Storm-2603.
MITRE Techniques
- [T1190 ] Exploit Public-Facing Application – Attackers exploited ToolShell (CVE-2025-53770) for unauthenticated remote code execution on on-premises SharePoint servers: ‘ToolShell affects on-premise SharePoint servers and gives an attacker unauthenticated access to vulnerable servers, allowing them to remotely execute code and access all content and file systems.’
- [T1190 ] Exploit Public-Facing Application (other services) – Exposed SQL servers and Apache HTTP servers running Adobe ColdFusion were exploited as alternative entry points to deliver malware: ‘…exploited SQL servers and Apache HTTP servers running the Adobe ColdFusion software to deliver their malware.’
- [T1574.002 ] DLL Side-Loading – ShadowPad and Zingdoor were loaded via DLL sideloading using legitimate AV binaries: ‘The loader for the Trojan was sideloaded using a legitimate BitDefender binary (SHA256: 3fc4f3f…0134).’
- [T1105 ] Ingress Tool Transfer – KrustyLoader and follow-on payloads were fetched from attacker-controlled Amazon S3 URLs that also served as KrustyLoader C&C: ‘http://kia-almotores.s3.amazonaws[.]com… – KrustyLoader C&C server’.
- [T1059.001 ] Command and Scripting Interpreter: PowerShell – Use of living-off-the-land scripts and tools (e.g., Minidump from PowerSploit) to dump processes: ‘Minidump: A script from the post-exploitation framework PowerSploit used for dumping processes.’
- [T1003.001 ] OS Credential Dumping: LSASS Memory – Attackers used Procdump, Minidump, and LsassDumper to dump LSASS and obtain credentials: ‘Attackers usually dump lsass.exe to find credentials.’
- [T1218 ] Signed Binary Proxy Execution – Use of legitimate signed utilities (Trend Micro, BitDefender, BugSplat) to proxy execution of malicious DLLs: ‘Zingdoor…loaded onto the network by sideloading it using a legitimate Trend Micro binary.’
- [T1595.002 ] Active Scanning: Vulnerability Scanning – Mass scanning for ToolShell-vulnerable servers, followed by targeted follow-up activity against selected victims: ‘This may indicate that the attackers were carrying out an element of mass scanning for the ToolShell vulnerability…’
- [T1187 ] Forced Authentication – A PetitPotam exploit (CVE-2021-36942) was run to coerce NTLM authentication from Windows servers, including domain controllers, and capture credentials: ‘An exploit for the Windows LSA Spoofing Vulnerability, CVE-2021-36942 (aka PetitPotam), was also executed…to steal credentials and authentication information from Windows Servers such as a Domain Controller.’
Indicators of Compromise
- [File hash] Malware and tools – Zingdoor: 071e662fc5bc0e54…427c6; KrustyLoader: 929e3fdd30680576…21600.
- [File hash] Loaders and dumpers – ShadowPad loader: 6c216cec379f4181…ac066e; LsassDumper examples: 6240e39475f04bfe…20a35, 6aecf805f72c9f35…aa6566.
- [Filename] Legitimately signed binary used as a sideload host – mantec.exe (benign BugSplat executable): ‘mantec.exe – Benign executable’, abused to sideload a malicious DLL.
- [Network URL] KrustyLoader C2 servers – http://kia-almotores.s3.amazonaws[.]com/sy1cyjt, http://omnileadzdev.s3.amazonaws[.]com/PBfbN58lX.
- [File hash] Public tools and frameworks – Sliver: 7be8e37bc6100559…754d40; ProcDump: 5b165b01f9a1395c…86ed61.
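The following hunting script is an added example, not code from the report or from any of the tools it names. It turns the behaviours in the MITRE list (DLL sideloading through a legitimate host binary, memory access to lsass.exe by dump tools, and contact with the KrustyLoader S3 hosts) and the usable indicators above into three rules run over constructed Sysmon-style records. Only the indicators the page actually gives are used: mantec.exe and the two S3 hostnames (defanging brackets removed); the truncated hashes are not matched. The ProcDump file names are the tool's real ones; the directories, DLL name and command lines in the sample events are placeholders, and the Trend Micro and BitDefender host binaries are not named on the page, so the sideload rule keys on mantec.exe plus a generic unsigned-DLL-from-own-directory pattern.

```python
"""Hunting rules for the ToolShell follow-on activity summarised above.

Added example over constructed Sysmon-style events (EID 1 process create,
3 network connect, 7 image load, 10 process access, 22 DNS query).
"""
import ntpath

# Indicators taken from the summary. Hashes on the page are truncated, so
# they are deliberately not matched here.
SIDELOAD_HOSTS = {"mantec.exe"}  # benign BugSplat executable abused as sideload host
C2_HOSTS = {"kia-almotores.s3.amazonaws.com", "omnileadzdev.s3.amazonaws.com"}
DUMP_TOOLS = {"procdump.exe", "procdump64.exe"}  # LsassDumper's file name is not on the page
STANDARD_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
PROCESS_VM_READ = 0x10  # access right needed to read another process's memory


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower() + "\\"


def _in_standard_root(path: str) -> bool:
    return _dir(path).startswith(STANDARD_ROOTS)


def rule_sideload(ev: dict):
    """T1574.002: the known abused host (mantec.exe) loads any DLL from its own
    directory, or a process outside the standard install roots loads an unsigned
    DLL from its own directory. Hunting logic: tune with an allow-list in production."""
    if ev["EventID"] != 7:
        return None
    host, dll = ev["Image"], ev["ImageLoaded"]
    if _dir(host) != _dir(dll):
        return None
    known_host = _base(host) in SIDELOAD_HOSTS
    unsigned_off_path = ev.get("Signed", "false").lower() != "true" and not _in_standard_root(host)
    if known_host or unsigned_off_path:
        return f"T1574.002 sideload candidate: {host} loaded {dll}"
    return None


def rule_lsass(ev: dict):
    """T1003.001: a dump tool or off-path process opens lsass.exe with memory-read
    rights (EID 10), or a dump tool is launched with lsass on its command line (EID 1)."""
    if ev["EventID"] == 10 and _base(ev["TargetImage"]) == "lsass.exe":
        if int(ev["GrantedAccess"], 16) & PROCESS_VM_READ:
            src = ev["SourceImage"]
            if _base(src) in DUMP_TOOLS or not _in_standard_root(src):
                return f"T1003.001 lsass memory access: {src} ({ev['GrantedAccess']})"
    if ev["EventID"] == 1 and _base(ev["Image"]) in DUMP_TOOLS \
            and "lsass" in ev.get("CommandLine", "").lower():
        return f"T1003.001 dump tool launched: {ev['CommandLine']}"
    return None


def rule_c2(ev: dict):
    """T1105 / C&C: DNS lookup (EID 22) or connection (EID 3) to a KrustyLoader S3 host."""
    if ev["EventID"] == 22:
        name = ev.get("QueryName", "")
    elif ev["EventID"] == 3:
        name = ev.get("DestinationHostname", "")
    else:
        return None
    if name.lower() in C2_HOSTS:
        return f"KrustyLoader C2 contact: {ev['Image']} -> {name}"
    return None


RULES = (rule_sideload, rule_lsass, rule_c2)


def hunt(events):
    """Run every rule over every event; return the list of findings in event order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


# Constructed sample telemetry (not from the report); paths and DLL name are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\ProgramData\upd\mantec.exe",
     "ImageLoaded": r"C:\ProgramData\upd\loader.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "true"},  # benign
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},  # no VM_READ
    {"EventID": 10, "SourceImage": r"C:\Users\Public\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": r"C:\Users\Public\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\Users\Public\l.dmp"},
    {"EventID": 22, "Image": r"C:\ProgramData\upd\mantec.exe",
     "QueryName": "kia-almotores.s3.amazonaws.com"},
    {"EventID": 3, "Image": r"C:\ProgramData\upd\mantec.exe",
     "DestinationHostname": "omnileadzdev.s3.amazonaws.com"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Five of the seven sample events fire (the signed vendor DLL and the svchost query-only handle to LSASS do not). The access-mask check matters: PROCESS_QUERY_LIMITED_INFORMATION (0x1000) opens to lsass.exe are routine, whereas any mask carrying PROCESS_VM_READ from an unexpected image is what ProcDump, Minidump and similar dumpers need.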
Read more: https://www.security.com/threat-intelligence/toolshell-china-zingdoor