China-Backed Hackers Exploit Critical SharePoint Vulnerabilities in ‘ToolShell’ Cyber Campaign

An Escalating Digital Threat

In a striking escalation of cyber warfare, Microsoft has confirmed that three China-based threat groups are actively exploiting two critical vulnerabilities in SharePoint servers, raising alarms across global cybersecurity communities. The vulnerabilities — CVE-2025-53770 and CVE-2025-53771 — are being chained together in an advanced attack sequence now dubbed ToolShell. This tactic allows attackers to infiltrate systems, maintain persistent access, and potentially exfiltrate high-value data from governments, academia, and key industries. As Microsoft and other security firms sound the alarm, the world is once again reminded of how quickly state-sponsored cyber activity can evolve into full-scale, strategic campaigns.

Global Cybersecurity Alert Over ToolShell Exploits

Microsoft’s Threat Intelligence team officially confirmed on July 22 that three Chinese-affiliated cyber espionage groups — Linen Typhoon (APT27), Violet Typhoon (APT31), and the lesser-known Storm-2603 — are behind a wave of attacks leveraging chained SharePoint vulnerabilities. The bugs, CVE-2025-53770 and CVE-2025-53771, both deemed critical in severity, are currently being used to install web shells and compromise internet-facing SharePoint servers worldwide.

Linen Typhoon, also known by aliases such as Bronze Union and Lucky Mouse, has been active since 2010 and is notorious for attacking embassies, NGOs, and organizations involved in defense and technology. Two Chinese nationals linked to this group were indicted in March 2025 for cyberattacks that caused millions in damages across US-based institutions.

Violet Typhoon, in operation since at least 2012, focuses on intellectual property theft, targeting industries that drive innovation such as education, health, finance, and media. Known for its meticulous vulnerability scanning, Violet Typhoon uses discovered gaps in infrastructure to deploy malware and gain long-term access.

The third actor, Storm-2603, remains somewhat mysterious. Microsoft assesses it with medium confidence as China-based, noting its involvement in ransomware deployment and exploitation of the SharePoint flaws to extract MachineKeys. Despite having no direct ties to other known actors, Storm-2603’s behavior signals a sophisticated understanding of system weaknesses.
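The article notes that Storm-2603 extracts MachineKeys but does not say why that matters to a defender. ASP.NET's machineKey holds the HMAC key that authenticates ViewState and similar server-issued blobs, so whoever holds it can mint blobs the server trusts, and rotating the key is what makes blobs minted under the old key stop validating. The toy below, an added illustration and not code from the article or from Microsoft, models that scheme with HMAC-SHA256 over an opaque payload; the key values and payload are constructed.

```python
"""Toy model of machineKey-style HMAC validation and key rotation (added example)."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def mint(key: bytes, payload: bytes) -> str:
    """Server side: append an HMAC over the payload and base64 the result."""
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def validate(key: bytes, token: str) -> Optional[bytes]:
    """Server side: return the payload only if the MAC verifies under `key`."""
    raw = base64.b64decode(token)
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # constant-time comparison; never compare MACs with ==
    return payload if hmac.compare_digest(mac, expected) else None


def rotation_demo():
    """Show what key rotation does to a token issued under the old key.

    Returns (accepted_before_rotation, accepted_after_rotation).
    """
    old_key = bytes.fromhex("11" * 32)  # constructed, stands in for a leaked key
    token = mint(old_key, b"constructed-state-v1")

    before = validate(old_key, token) is not None  # server still on old key
    new_key = secrets.token_bytes(32)  # rotation: fresh random key
    after = validate(new_key, token) is not None  # same token, rotated server

    return before, after


if __name__ == "__main__":
    print(rotation_demo())  # (True, False)
```

The practical consequence is the one Microsoft's guidance draws: patching closes the entry point, but any key that may already have been read must be rotated as well, or tokens minted with the stolen value keep validating.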

Google Cloud’s Mandiant division supports Microsoft’s attribution, affirming that ToolShell is likely part of a coordinated strategy to gain footholds in critical infrastructure rather than opportunistic hacking. Experts, including those at BlueVoyant, believe this wave of activity aims to steal sensitive data and maintain stealthy, persistent access. With both Microsoft and Mandiant warning of further exploitation, organizations are under immense pressure to patch their SharePoint systems immediately or risk becoming victims in a broader geopolitical campaign.

What Undercode Says:

Strategic Exploitation Over Random Attacks

What’s unfolding is not a case of random vulnerability probing — this is a targeted, nation-state-backed campaign aimed at long-term intelligence gathering. The ToolShell campaign illustrates how modern cyber warfare operates in shadows, utilizing known but unpatched systems to insert malicious code and silently exfiltrate data without detection.

Chained Vulnerabilities Increase Threat Level

Chaining CVE-2025-53770 and CVE-2025-53771 shows advanced technical sophistication. While each vulnerability on its own poses a risk, combining them drastically amplifies the attack’s effectiveness. This method bypasses typical detection mechanisms and allows for full compromise of SharePoint servers, many of which house confidential enterprise or governmental data.

Storm-2603’s Emerging Role Signals Growing Complexity

Although less is known about Storm-2603, its involvement in ransomware and MachineKey theft indicates a hybrid strategy. This could suggest experimentation with both financially motivated and espionage-driven objectives. Its lack of clear ties to other groups might reflect a new actor testing the waters under China’s broader cyber umbrella or an evolution of existing APTs branching into new operations.

Broader Implications for Enterprise Security

This isn’t just a concern for governments or defense contractors. Any organization running an on-premises SharePoint server — particularly those using legacy infrastructure — is at risk. The ToolShell campaign has shown that the attackers are not discriminating based on industry. From healthcare to financial services and education, the range of targets is expanding.

The Rise of Persistent Threat Campaigns

The use of web shells and stealth malware shows that the attackers aren’t looking for quick wins. Instead, they’re embedding themselves within systems for the long haul, with the intent to monitor, collect, and manipulate data over extended periods. This mirrors earlier Chinese espionage campaigns and suggests a shift from smash-and-grab ransomware to longer-term intelligence strategies.
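Both the report above that the groups are installing web shells on internet-facing SharePoint servers and this paragraph's point about long-term embedding come down to the same defender question: which server-side script files on this box were not there after the last trusted patch? One way to answer it, as an added example that is not part of the article or of any vendor tooling, is a baseline-diff over the web root. It assumes the operator recorded a manifest of script-file hashes at a trusted moment (for example right after patching) and re-runs the walk later; the directory layout and file contents in the demo are constructed in a temporary folder so the script runs offline.

```python
"""Baseline-diff hunt for unexpected server-side script files (added example)."""
import hashlib
import tempfile
from pathlib import Path

# Extensions that execute on the server; web.config is included because
# handler/module changes there are a common persistence point. Assumption:
# this list is what the operator wants to watch, not an exhaustive set.
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".config"}


def build_manifest(root: Path) -> dict:
    """Map each watched file (relative POSIX path) to its SHA-256 hex digest."""
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTS:
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Classify files as new, modified or removed relative to the baseline."""
    new = sorted(set(current) - set(baseline))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    removed = sorted(set(baseline) - set(current))
    return {"new": new, "modified": modified, "removed": removed}


def demo() -> dict:
    """Constructed scenario: trusted baseline, then one dropped and one tampered file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        layouts = root / "_layouts" / "15"  # constructed path, mirrors a typical web root
        layouts.mkdir(parents=True)
        (layouts / "default.aspx").write_text("<%@ Page %> constructed legitimate page")
        (layouts / "settings.aspx").write_text("<%@ Page %> constructed legitimate page 2")
        (root / "web.config").write_text("<configuration/>")
        baseline = build_manifest(root)  # taken at a trusted moment

        # later: an unexpected file appears and an existing one is altered
        (layouts / "unexpected.aspx").write_text("<%-- constructed unexpected file --%>")
        (layouts / "settings.aspx").write_text("<%@ Page %> constructed altered content")
        current = build_manifest(root)

        return diff_manifest(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Anything in `new` or `modified` is a review candidate, not a verdict: a legitimate patch also changes files, which is why the baseline has to be re-taken after every trusted change and why the file's timestamps and the IIS request logs for that path should be pulled alongside the hash diff.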

Global Alignment on Attribution

Microsoft’s findings, mirrored by Mandiant and BlueVoyant, present rare alignment in the cybersecurity world. The unified front among these organizations indicates high confidence in attributing this to state-sponsored actors — which carries implications for future geopolitical tensions, cybersecurity policy, and enterprise preparedness.

Urgency of Patch Management

A major takeaway from this campaign is the critical importance of timely patching. ToolShell is succeeding because too many organizations continue to operate with unpatched, outdated systems. SharePoint, despite being vital to internal collaboration, is often overlooked in security audits — making it a prime target for sophisticated threat actors.

ToolShell as a Template for Future Campaigns

The tactics and techniques used in ToolShell could very well be repurposed in other campaigns. Expect similar chains to be used against other platforms like Confluence, Jira, or Microsoft Exchange, where web-based vulnerabilities are common.

Data Theft as a Long-Term National Strategy

China’s alleged role in this campaign fits into a broader pattern of using cyber operations to close gaps in technological and strategic dominance. Rather than developing innovation internally, groups like APT27 and APT31 are tasked with stealing competitive IP, defense blueprints, and foreign policy intelligence — tools for geopolitical leverage.

Time to Rethink Cybersecurity Policies

This campaign calls for an urgent reassessment of global cybersecurity frameworks. International partnerships, information sharing, and stronger regulatory mandates on software patching and cyber hygiene are no longer optional — they are necessary defenses in an age of digital warfare.

🔍 Fact Checker Results:

✅ Microsoft officially confirmed exploitation of CVE-2025-53770 and CVE-2025-53771

✅ Mandiant and BlueVoyant independently verified Chinese state-sponsored involvement

✅ CVEs exploited specifically target unpatched, internet-facing SharePoint servers

📊 Prediction:

In the coming months, ToolShell-style chained exploits will likely expand beyond SharePoint to other widely used enterprise platforms. Expect a rise in zero-day market activity and cross-industry phishing operations exploiting these entry points. As more state-backed groups adopt ToolShell-like strategies, threat detection will require behavior-based analytics rather than signature-based alerts. Organizations that fail to patch will not only face breach risks but also regulatory consequences as governments respond with stricter cybersecurity mandates.

References:

Reported By: www.infosecurity-magazine.com