2025-10-23

Threat Intelligence, Vulnerability Management

Global ToolShell attacks launched by Salt Typhoon


Chinese state-sponsored threat operation Salt Typhoon has exploited the critical Microsoft SharePoint ToolShell flaw, tracked as CVE-2025-53770, to facilitate malware attacks against multiple organizations around the world, The Register reports. In attacks against a Middle Eastern telecommunications firm and a pair of African government departments, ToolShell exploitation was used to deploy the Zingdoor backdoor, which enables system data gathering, file uploads and downloads, and arbitrary command execution, according to Symantec and Carbon Black researchers. Other intrusions, aimed at a European finance firm, a Middle Eastern government department, and an African state technology agency, were found to involve the ShadowPad trojan and KrustyLoader backdoor. Salt Typhoon also targeted vulnerable SQL servers and Apache HTTP servers with Adobe ColdFusion software to compromise a U.S. university and a pair of South American government agencies. Another report from Trend Micro revealed joint Salt Typhoon and Flax Typhoon operations, with the former conducting initial access and the latter performing subsequent compromise.

