ToolShell Exploitation Campaign Targeting Telecoms and Government Organizations

Free, Unbiased, and Open threat intelligence

ToolShell Exploitation Campaign Targeting Telecoms and Government Organizations

threat Profile

HIGH

Description

China-based threat actors exploited the ToolShell vulnerability (CVE-2025-53770) to compromise a telecoms company in the Middle East, government agencies in Africa and South America, and other organizations. The campaign involved deploying Zingdoor backdoor, ShadowPad Trojan, KrustyLoader, and various post-exploitation tools for credential theft and persistent access, likely for espionage purposes.

MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell T1574.002 - DLL Side-Loading T1003.001 - LSASS Memory T1055 - Process Injection T1071.001 - Web Protocols T1059 - Command and Scripting Interpreter T1090 - Proxy T1105 - Ingress Tool Transfer T1027 - Obfuscated Files or Information T1562.001 - Disable or Modify Tools T1018 - Remote System Discovery T1560 - Archive Collected Data T1041 - Exfiltration Over C2 Channel T1078 - Valid Accounts T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay

Related Entities

Threat Actors

APT27 FamousSparrow Earth Estries Sheathminer Storm-2603 Redfly APT41 APT31 UNC5221, UTA0178 Glowworm

Malware

ProcDump Zingdoor Certutil KrustyLoader RevSocks ShadowPad Sliver Web Shell GoGo Scanner Minidump lsassDumper Warlock ransomware

CVEs

CVE-2021-36942 CVE-2025-49704 CVE-2025-49706 CVE-2025-53770 CVE-2025-53771

Indicators of Compromise (10)

568561d224ef29e5051233ab12d568242e95d911b08ce7f2c9bf2604255611a9

Socks Proxy tool

1f94ea00be79b1e4e8e0b7bbf2212f2373da1e13f92b4ca2e9e0ffc5f93e452b

PetitPotam/CVE-2021-36942 exploit

dbdc1beeb5c72d7b505a9a6c31263fc900ea3330a59f08e574fd172f3596c1b8

RevSocks proxy tool

7be8e37bc61005599e4e6817eb2a3a4a5519fded76cb8bf11d7296787c754d40

Sliver framework

e6c216cec379f418179a3f6a79df54dcf6e6e269a3ce3479fd7e6d4a15ac066e

ShadowPad Loader

e4ea34a7c2b51982a6c42c6367119f34bec9aeb9a60937836540035583a5b3bc

ProcDump tool

3fc4f3ffce6188d3ef676f9825cdfa297903f6ca7f76603f12179b2e4be90134

Legitimate BitDefender binary used for ShadowPad sideloading

071e662fc5bc0e54bcfd49493467062570d0307dc46f0fb51a68239d281427c6

Zingdoor backdoor

28a859046a43fc8a7a7453075130dd649eb2d1dd0ebf0abae5d575438a25ece9

GoGo Scanner tool

6c48a510642a1ba516dbc5effe3671524566b146e04d99ab7f4832f66b3f95aa

bugsplatrc.dll - Malicious DLL

Metadata

Published

7 months ago

Views