SharePoint Zero-Day Exploit (ToolShell) Network Infrastructure Mapping

Chinese threat actors have been exploiting zero-day vulnerabilities in SharePoint servers, known as ToolShell, affecting nearly 150 organizations worldwide. The attacks, attributed to groups like Linen Typhoon and Violet Typhoon, began as early as July 17, 2025, targeting government agencies, critical infrastructure, universities, and private enterprises. The exploitation involved chaining multiple vulnerabilities and deploying reconnaissance tools. Attackers utilized a diverse network infrastructure, including cloud services and VPNs across multiple countries, to obscure their origin. The campaign highlights the sophisticated tactics employed by Chinese actors in abusing global telecommunication and cloud infrastructure for cyber espionage operations.

Author: AlienVault

Related Tags:
telecommunication abuse
network mapping
Warlock ransomware
CVE-2025-49706
CVE-2025-49704
CVE-2025-53770
CVE-2025-53771
cloud infrastructure
chinese threat actors

Associated Indicators:
96.9.125.147
45.191.66.77
38.54.106.11
162.248.74.92
103.151.172.92
124.56.42.75
109.105.193.76