Microsoft Ties SharePoint Exploits To China-Backed ToolShell Group
3 minute read. Published: Wednesday, July 23, 2025 at 12:49 pm
China-Linked Hackers Exploit SharePoint Flaw, Targeting Organizations
Chinese state-linked actors are exploiting a critical vulnerability in on-premises Microsoft SharePoint Server to compromise organizations across a range of sectors, according to Microsoft's Threat Intelligence team, which named the espionage groups Linen Typhoon and Violet Typhoon and a third China-based actor it tracks as Storm-2603. The attackers are exploiting CVE-2025-53770, an unauthenticated remote code execution flaw that forms part of the exploit chain known as ToolShell, to plant web shells on internet-facing servers. Despite the name, ToolShell is an exploit chain rather than a piece of malware; it was first demonstrated against SharePoint at the Pwn2Own contest in Berlin in May 2025.
Microsoft observed exploitation attempts beginning on July 7, 2025, and by the time it published its findings more than 100 organizations had reportedly been compromised, including government agencies, schools and energy companies. The vulnerability, rated critical with a CVSS score of 9.8, lets an attacker execute arbitrary code on a vulnerable server without authentication. CVE-2025-53770, together with the companion spoofing bug CVE-2025-53771, bypasses the fixes Microsoft shipped in its July Patch Tuesday release for the original ToolShell bugs, CVE-2025-49704 and CVE-2025-49706, which is why servers that had applied those patches were still exploitable. Access can also outlast the fix: the attackers use their web shell to steal the server's ASP.NET machine keys, and with those keys they can sign forged __VIEWSTATE payloads that a fully patched server will still deserialize.
Once inside, the attackers drop an ASP.NET web shell into the SharePoint server's LAYOUTS directory, where it runs under the SharePoint application pool and its requests look much like ordinary SharePoint traffic, letting them read configuration, run commands and pivot without tripping perimeter controls. Microsoft and other responders warn that the activity is no longer confined to the groups that started it: once the exploit details became public, additional actors began hitting the same bug, and that trend is expected to continue.
The attacks highlight the limits of relying on patching alone. Microsoft has released fixes for CVE-2025-53770, but an attacker who already holds a server's machine keys or has planted a web shell keeps access after the update, so patching has to be paired with eviction: rotate the ASP.NET machine keys and restart IIS, remove any unrecognized .aspx files from the LAYOUTS directory, enable AMSI integration with an antivirus engine, and isolate servers until they have been checked. Organizations are also urged to search IIS and SharePoint logs for the exploit's request pattern and for web shell activity, and to restrict lateral movement from the server, since SharePoint service and farm accounts are domain accounts. Responders stress that this should be treated as a domain-wide incident, not a SharePoint-specific one.
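The log search the guidance above calls for can be scripted. The following Python hunt over IIS W3C logs is an added example written for this page; it is not code from the article, from Microsoft or from any of the named groups. It assumes the publicly reported ToolShell request pattern (an unauthenticated POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit carrying a Referer of /_layouts/SignOut.aspx, followed by requests for the dropped spinstall0.aspx web shell) and uses the default IIS field layout; the sample log lines are constructed, not real traffic.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of an IIS W3C extended log (not real traffic). Requests 2 and 3
# mimic the publicly reported ToolShell pattern; the others are benign filler,
# including a legitimate authenticated ToolPane.aspx edit that must NOT fire.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 10:01:02 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CORP\\alice 10.0.1.23 Mozilla/5.0 https://sp.corp.example/ 200 0 0 120
2025-07-18 10:02:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 845
2025-07-18 10:02:13 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 30
2025-07-18 10:05:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.1.40 Mozilla/5.0 https://sp.corp.example/_layouts/15/settings.aspx 200 0 0 210
"""

# Assumed indicator patterns (from public reporting on the chain, not from the article).
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.IGNORECASE)
SPINSTALL_RE = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    client_ip: str
    line: str


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C log text into one dict per request.

    Field names come from the '#Fields:' directive. IIS encodes spaces inside
    values as '+', so splitting on whitespace is safe for the default format.
    """
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        parts = raw.split()
        if fields and len(parts) == len(fields):
            rows.append(dict(zip(fields, parts)))
    return rows


def hunt_iis_log(text: str) -> List[Finding]:
    """Return one Finding per log row that matches a ToolShell indicator."""
    findings: List[Finding] = []
    for row in parse_w3c(text):
        method = row.get("cs-method", "")
        stem = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "")
        referer = row.get("cs(Referer)", "")
        ip = row.get("c-ip", "?")
        line = " ".join(row.values())
        # Rule 1: the exploit's characteristic request: a POST to ToolPane.aspx in
        # edit mode whose Referer is the SignOut page. A normal editor's POST comes
        # with a Referer of the page being edited, so the last sample row stays quiet.
        if (method.upper() == "POST" and TOOLPANE_RE.search(stem)
                and "displaymode=edit" in query.lower()
                and "/_layouts/signout.aspx" in referer.lower()):
            findings.append(Finding("toolshell_toolpane_post", ip, line))
        # Rule 2: any request for the dropped web shell, including numbered variants.
        if SPINSTALL_RE.search(stem):
            findings.append(Finding("spinstall_webshell", ip, line))
    return findings


def suspicious_clients(findings: List[Finding]) -> List[str]:
    """Distinct client IPs behind the findings, for blocking and further pivoting."""
    return sorted({f.client_ip for f in findings})


if __name__ == "__main__":
    hits = hunt_iis_log(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.rule}] {f.client_ip}: {f.line}")
    print("clients to investigate:", suspicious_clients(hits))
```

Point the script at the real log directory (by default C:\inetpub\logs\LogFiles\W3SVC*\ on the SharePoint server) by reading each file into `hunt_iis_log`. A hit on either rule means the server should be treated as compromised: rotate the machine keys, restart IIS, and start looking for what the web shell was used to reach, rather than just deleting the file.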
The vulnerabilities affect on-premises SharePoint Server 2016, 2019 and Subscription Edition; SharePoint Online in Microsoft 365 is not affected. Because many organizations run on-premises servers alongside the cloud service, and those servers are often internet-facing and joined to the corporate domain, they make a prime target. Defending them requires more than patching and perimeter monitoring; it demands visibility into the server itself, fast detection, and a plan for evicting an attacker who has already established persistence.
BNN's Perspective: This incident underscores the evolving nature of cyber threats. While patching is crucial, it's not a silver bullet. Organizations must adopt a proactive, multi-layered security approach that includes continuous monitoring, threat hunting, and robust incident response plans. The increasing sophistication and adaptability of nation-state actors necessitate a shift towards more comprehensive security strategies.
Keywords: SharePoint, CVE-2025-53770, ToolShell, China, malware, hacking, vulnerability, remote code execution, cyberattack, security, patching, Microsoft, threat actor, espionage, domain compromise, hybrid security