ToolShell Used to Compromise Telecoms Company in Middle East

Oct. 30, 2025, 3:18 p.m.

Description

China-based attackers exploited the ToolShell vulnerability (CVE-2025-53770) to compromise a Middle Eastern telecoms company and government agencies in Africa and South America. The attackers deployed malware such as Zingdoor, ShadowPad, and KrustyLoader, which have been associated with Chinese threat groups like Glowworm and UNC5221. The campaign also targeted government departments, a university, and a finance company across multiple regions. The attackers used various tools and techniques, including DLL sideloading, credential theft, and publicly available utilities. The activity suggests a focus on espionage and establishing persistent access to victim networks.

External References

https://www.security.com/threat-intelligence/toolshell-china-zingdoor
https://otx.alienvault.com/pulse/68fa481d43dd91466956c071
Tags
sliver
shadowpad
krustyloader
toolshell
warlock
2025-10-23
telecoms
zingdoor

Date

  • Created: Oct. 23, 2025, 3:22 p.m.
  • Published: Oct. 23, 2025, 3:22 p.m.
  • Modified: Oct. 30, 2025, 3:18 p.m.

Attack Patterns

  • Zingdoor
  • Warlock
  • KrustyLoader
  • POISONPLUG.SHADOW
  • ShadowPad - S0596
  • Sliver
  • Glowworm

Additional Informations

  • Education
  • Finance
  • Telecommunications
  • Government
  • Central African Republic
  • South Africa
  • United States of America