ToolShell bug used by Chinese attackers against governments in Africa, South America
Incident responders have identified breaches at government agencies, telecoms and universities in several countries that began with the ToolShell vulnerability identified in July.
Experts at the Symantec and Carbon Black Threat Hunter Team tracked multiple compromises involving CVE-2025-53770 — a vulnerability that caused alarm this summer when Microsoft warned its on-premises SharePoint customers that three separate China-based groups were exploiting it. Hundreds of governments and prominent businesses use SharePoint, particularly for maintaining their intranets.
Symantec and Carbon Black said they identified incidents at a telecom company in the Middle East soon after the bug was announced by Microsoft in July. The team subsequently saw two government departments in an African country breached through the bug.
The incident responders also found compromises at two government agencies in South America and at a U.S. university. Other evidence “suggests that a state technology agency in an African country, a government department in the Middle East and a finance company in a European country were also compromised by the same attackers,” the team said.
Symantec and Carbon Black declined to name the specific countries where each compromise took place. The researchers said they found troves of evidence confirming Microsoft’s initial assessment that Chinese threat actors were heavily exploiting the bug.
Familiar malware
Once access was gained, hackers used an array of malware previously deployed by Chinese groups, including Zingdoor, ShadowPad, KrustyLoader and more.
The researchers found Zingdoor on the networks of three victims. It’s a backdoor previously used by well-known China-based threat actors Famous Sparrow and Earth Estries. The tool allows hackers to collect system information, upload files and take further actions on a compromised network.
In April, Google incident responders tied KrustyLoader to a Chinese group seen exploiting vulnerabilities in products from IT company Ivanti.
The threat actors were also seen using legitimate or publicly available tools during compromises, including the open-source Sliver command-and-control framework, the Windows Certutil utility, the GoGo scanner and more.
“The large number of apparent victims of this activity is also notable. This may indicate that the attackers were carrying out an element of mass scanning for the ToolShell vulnerability, before then carrying out further activity only on networks of interest,” the Threat Hunter Team said.
“The activity carried out on targeted networks indicates that the attackers were interested in stealing credentials and in establishing persistent and stealthy access to victim networks, likely for the purpose of espionage.”
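The observation above, that a wide scan for the bug preceded hands-on activity against only some networks, is something an incident responder can test against a SharePoint server's own IIS logs. The following Python script is an added example written for this page, not code from the Symantec and Carbon Black Threat Hunter Team or from this article. It triages IIS W3C log lines for the publicly documented ToolShell request pattern (an unauthenticated POST to ToolPane.aspx in edit mode carrying a SignOut.aspx Referer, followed by requests for a dropped spinstall0.aspx page), which comes from Microsoft's July 2025 public guidance rather than from this article. The log lines, IP addresses and field layout are constructed sample input, and real IIS logs may order fields differently, so adjust the FIELDS tuple to match the `#Fields:` header of the log being examined.

```python
"""Triage constructed IIS W3C log lines for the ToolShell exploitation pattern."""
import re
from collections import defaultdict

# Indicators below reflect Microsoft's public July 2025 guidance on ToolShell
# (CVE-2025-53770) exploitation; they are not taken from the accompanying article.
TOOLPANE_RE = re.compile(r"/_layouts/(?:1[56]/)?toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_RE = re.compile(r"/_layouts/(?:1[56]/)?signout\.aspx$", re.IGNORECASE)
WEBSHELL_RE = re.compile(r"spinstall\d*\.aspx$", re.IGNORECASE)

# Assumed field order for this example; match it to the log's "#Fields:" header.
FIELDS = ("date", "time", "c_ip", "method", "uri_stem", "uri_query", "status", "referer")

# Constructed sample input (not real telemetry). 203.0.113.7 exploits and then
# calls the web shell; 198.51.100.20 only probes and is refused; 192.0.2.5 is a
# legitimate editor opening ToolPane.aspx from an intranet page.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
2025-07-19 03:12:01 203.0.113.7 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 200 /_layouts/SignOut.aspx
2025-07-19 03:12:03 203.0.113.7 GET /_layouts/15/spinstall0.aspx - 200 -
2025-07-19 03:13:10 198.51.100.20 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 401 /_layouts/SignOut.aspx
2025-07-19 03:15:44 192.0.2.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 200 /sites/intranet/Pages/Home.aspx
2025-07-19 03:16:00 203.0.113.7 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 200 /_layouts/SignOut.aspx
"""


def parse_line(line):
    """Split one space-separated W3C line into a dict; skip blank, comment and malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["status"] = int(rec["status"])
    except ValueError:
        return None
    return rec


def is_toolshell_post(rec):
    """POST to ToolPane.aspx in edit mode with a SignOut.aspx Referer."""
    return (rec["method"].upper() == "POST"
            and TOOLPANE_RE.search(rec["uri_stem"]) is not None
            and "displaymode=edit" in rec["uri_query"].lower()
            and SIGNOUT_RE.search(rec["referer"]) is not None)


def is_webshell_request(rec):
    """Any request for the spinstall*.aspx page dropped after exploitation."""
    return WEBSHELL_RE.search(rec["uri_stem"]) is not None


def triage(log_text):
    """Group indicator hits per source IP and separate probes from follow-on activity."""
    per_ip = defaultdict(lambda: {"attempts": 0, "succeeded": 0, "webshell_hits": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_toolshell_post(rec):
            per_ip[rec["c_ip"]]["attempts"] += 1
            if rec["status"] == 200:
                per_ip[rec["c_ip"]]["succeeded"] += 1
        elif is_webshell_request(rec):
            per_ip[rec["c_ip"]]["webshell_hits"] += 1
    for counts in per_ip.values():
        if counts["webshell_hits"]:
            counts["verdict"] = "exploitation followed by webshell access"
        elif counts["succeeded"]:
            counts["verdict"] = "exploit request returned 200; inspect host"
        else:
            counts["verdict"] = "probe only"
    return dict(per_ip)


if __name__ == "__main__":
    for ip, counts in triage(SAMPLE_LOG).items():
        print(ip, counts)
```

A 200 on the exploit POST is not proof of compromise on its own; the verdicts are a triage order, and hosts flagged as more than a probe should be checked on disk for the dropped .aspx file and treated as having lost their ASP.NET machine keys.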
Microsoft said in July that two confirmed Chinese state-backed actors — labeled Linen Typhoon and Violet Typhoon — were involved in exploiting the ToolShell bug. Both groups have spent more than a decade conducting espionage attacks and intellectual property theft.
Netherlands-based cybersecurity firm Eye Security, which is credited with initially discovering the bug, told Reuters and Bloomberg this summer that threat actors likely used it to breach at least 400 governments and businesses around the world.
A Cybersecurity and Infrastructure Security Agency (CISA) official told Recorded Future News in July that federal agencies as well as state entities may have been affected by the campaign.
The National Nuclear Security Administration, National Institutes of Health and Department of Homeland Security all confirmed being impacted by the ToolShell campaign.
Researchers at ESET said at the time that Chinese government-backed groups were seizing on the bug and the company’s telemetry showed “the victims of the ToolShell attacks include several high-value government organizations that have been long-standing targets of these groups.”
Warlock ransomware
In July, Microsoft said that in addition to the identified state-backed Chinese actors, a third Chinese group was launching attacks using ToolShell. The previously unidentified threat actor was seen deploying the Warlock ransomware after exploiting CVE-2025-49706, one of the vulnerabilities in the ToolShell exploit chain.
Alongside the analysis of the ToolShell campaign, Symantec and Carbon Black examined the Warlock ransomware, noting that it first appeared in June 2025 and was first used in an attack on July 19, 2025.
“Warlock is an unusual threat. Unlike many ransomware operations, which are headquartered in Russia or other countries in the Commonwealth of Independent States, Warlock appears to be used by a group based in China. And, while its name is new, its origins appear to date back much further, with links to a diverse range of activity,” the researchers said.
Experts are split on the ransomware's origins. Data from some attacks indicate it may be a rebrand of the AnyLock ransomware, while other researchers found potential ties to LockBit and Black Basta.
Some of the tools and tactics used by attackers deploying the Warlock ransomware date back to 2022, suggesting the actors behind it have “been active for a lot longer than previously known.”
“Although the toolset used by this group has evolved over time, the links to earlier attacks suggest that some, if not all the actors, behind Warlock may have been active since 2019,” the researchers said.
“The diverse range of attacks the group has been involved in suggests they may be contractors, willing to sell their services to entities involved in espionage but also not above generating additional income from ransomware attacks. Indeed, its involvement in ransomware may at times be useful to obfuscate or cover up espionage activities.”
Over the last year, U.S. authorities have made a concerted effort to outline the large web of private companies hired by the Chinese government to conduct cyberattacks in other countries. Multiple companies have warned that Chinese actors deployed ransomware as a cover for espionage activity or data theft.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.