China-based attackers exploited the ToolShell vulnerability (CVE-2025-53770) to compromise a Middle Eastern telecoms company and government agencies in Africa and South America. The attackers deployed malware such as Zingdoor, ShadowPad, and KrustyLoader, which have been associated with Chinese threat groups like Glowworm and UNC5221. The campaign also targeted government departments, a university, and a finance company across multiple regions. The attackers used various tools and techniques, including DLL sideloading, credential theft, and publicly available utilities. The activity suggests a focus on espionage and establishing persistent access to victim networks.
Author: AlienVault
Related Tags:
KrustyLoader
Zingdoor
Warlock
toolshell
POISONPLUG.SHADOW
ShadowPad – S0596
South Africa
Central African Republic
T1098
Associated Indicators: