Source: www.infosecurity-magazine.com
Microsoft has confirmed that three China-based threat groups have been actively exploiting CVE-2025-53770 and CVE-2025-53771, two critical and high-severity vulnerabilities in internet-facing SharePoint servers.
The chained exploitation of these two bugs has been dubbed ‘ToolShell’ by the cybersecurity community.
In a new blog posted on July 22, Microsoft Threat Intelligence confirmed that these groups include Linen Typhoon and Violet Typhoon, two China-based advanced persistent threat (APT) groups, and Storm-2603, another China-based threat actor whose motivations and identity are unclear at this time.
Who is Behind Linen Typhoon, Violet Typhoon and Storm-2603
Linen Typhoon (APT27) is a Chinese state-backed actor that has been active since at least 2010. It typically targets foreign embassies to collect data on government, defense, technology and human rights organizations, gaining access through techniques such as drive-by compromises and existing exploits.
The group is also known by many other names, including Bronze Union, Circle Typhoon, Budworm, Emissary Panda, Earth Smilodon, GreedyTaotie, Iron Taurus, Iron Tiger, Lucky Mouse and Red Phoenix.
In March 2025, the US indicted and charged two Chinese nationals believed to be operating within the APT27 group. The two individuals were accused of hacking several US companies, institutions and municipalities for profit, causing millions of dollars’ worth of damages.
Violet Typhoon (APT31) is a Chinese state-backed actor that has been active since at least 2012.
Also known as Bronze Vinewood, Judgment Panda, Red Keres and Zirconium, Violet Typhoon has minimal overlaps with another group of unclear attribution, tracked as Storm-0558.
Violet Typhoon typically specializes in intellectual property theft, focusing on data and projects that make a particular organization competitive in its field. The group primarily targets former government and military personnel, non-governmental organizations (NGOs), think tanks, higher education institutions, digital and print media, as well as financial and health-related sectors in the US, Europe and East Asia.
Violet Typhoon persistently scans for vulnerabilities in the exposed web infrastructure of target organizations, exploiting discovered weaknesses to install web shells.
Finally, while Microsoft assessed “with medium confidence” that Storm-2603 is a China-based threat actor, the tech giant’s threat intelligence team has not yet identified any links between the group and other known Chinese threat actors.
“Microsoft tracks this threat actor in association with attempts to steal MachineKeys via the on-premises SharePoint vulnerabilities,” said the Microsoft Threat Intelligence team.
Additionally, while the company has observed this threat actor deploying Warlock and LockBit ransomware in the past, it is currently unable to confidently assess the threat actor’s objectives.
Aligned with Previous Attribution
This new Microsoft assessment aligns with a previous estimate from Google Cloud-owned Mandiant.
Earlier on July 22, Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, commented: “We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor.”
Speaking to Infosecurity, Lorri Janssen-Anessi, director of external cyber assessments at BlueVoyant, highlighted that this attribution to Chinese nation-state hacking groups reinforces that the ‘ToolShell’ exploitation campaign is “more than opportunistic exploitation.”
“It is more likely potentially part of a broader strategic campaign aimed at gaining initial access, establishing persistence, and attempting to exfiltrate sensitive intelligence data from high-value targets across government, defence, academia and NGOs. This is yet another reminder that if you are running unpatched, internet-facing systems – especially legacy collaboration platforms – you are not just a potential target, you are likely already in the crosshairs,” she added.
Mandiant’s Carmakal also emphasized that cybersecurity professionals and potential victims must recognize that multiple actors are likely actively exploiting these vulnerabilities.
“We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well,” he said.
This statement aligns with Microsoft’s assessment: “Investigations into other actors also using these exploits are still ongoing. With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems.”
Original Post URL: https://www.infosecurity-magazine.com/news/sharepoint-toolshell-chinese/