SharePoint Zero-Day Exploit (ToolShell) - Network Infrastructure Mapping

Aug. 4, 2025, 9:19 a.m.

Description

Chinese threat actors have been exploiting zero-day vulnerabilities in SharePoint servers, an exploit chain known as ToolShell, affecting nearly 150 organizations worldwide. The attacks, attributed to groups including Linen Typhoon and Violet Typhoon, began as early as July 17, 2025, and targeted government agencies, critical infrastructure, universities, and private enterprises. The exploitation chained multiple vulnerabilities and deployed reconnaissance tools. Attackers used a diverse network infrastructure, including cloud services and VPNs across multiple countries, to obscure their origin. The campaign highlights the sophisticated tactics employed by Chinese actors in abusing global telecommunication and cloud infrastructure for cyber espionage operations.

Attack Patterns

  • Warlock ransomware
  • Linen Typhoon, Violet Typhoon, Storm-2603

Additional Information

  • Technology
  • Energy
  • Defense
  • Education
  • Government
  • British Indian Ocean Territory
  • Hong Kong
  • India
  • Taiwan
  • Netherlands
  • Japan
  • Germany
  • Romania
  • Brazil
  • United States of America