Microsoft SharePoint zero-day exploitation linked to Chinese state-backed hackers

Hackers believed to be connected to the Chinese government have been linked to a series of widespread cyberattacks targeting a recently discovered Microsoft SharePoint zero-day vulnerability chain. The exploit chain, dubbed ‘ToolShell’, has enabled the compromise of dozens of organizations worldwide, including entities in government, telecommunications, and software sectors.

The attacks use two critical vulnerabilities, originally identified as CVE-2025-49706 and CVE-2025-49704, first demonstrated during the Berlin Pwn2Own 2025 competition by researchers from Viettel Cyber Security. On July 7, cybersecurity firm Check Point detected early signs of active exploitation, followed shortly by reports from Dutch firm Eye Security confirming zero-day activity.

Microsoft rolled out emergency security updates as part of its July Patch Tuesday release. Over the weekend, the company reclassified the vulnerabilities under new identifiers, CVE-2025-53770 and CVE-2025-53771, after discovering that attackers had managed to breach even fully patched SharePoint servers. The company released additional fixes for SharePoint Subscription Edition, SharePoint 2019, and SharePoint 2016.

Cybersecurity firm CrowdStrike said it observed hundreds of exploitation attempts targeting over 160 customer environments. According to CrowdStrike, the attack involves a deserialization vulnerability that allows attackers to upload a malicious .aspx webshell (spinstall0.aspx) onto compromised SharePoint servers.

The attack begins with a specially crafted POST request sent to a vulnerable, internet-facing SharePoint server. The payload in that request uses PowerShell to write the malicious .aspx file to disk, where it serves as a foothold for further compromise. Once deployed, the webshell is used to extract IIS machine keys, which can be leveraged to authenticate and execute system-level commands, enabling deeper post-exploitation access.
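The one concrete indicator the report gives defenders is the webshell file name, spinstall0.aspx. The following is an added example, not code from the article or from CrowdStrike, that scans IIS W3C access-log lines for requests to that file and distinguishes a served webshell (HTTP 200) from a mere probe (non-200), noting when the same client sent a POST beforehand, which matches the described sequence of a crafted POST followed by use of the dropped file. The log lines are constructed samples in the default IIS field layout; the POST path is a placeholder, since the article does not name the targeted endpoint.

```python
"""Added example: hunt IIS W3C logs for the spinstall0.aspx webshell named in the
ToolShell reporting.  Sample log is constructed, not a real capture."""
from collections import defaultdict
from dataclasses import dataclass

WEBSHELL_NAME = "spinstall0.aspx"  # file name reported by CrowdStrike

# Constructed sample log.  Field order is the IIS default; the POST target
# "/_layouts/15/placeholder-endpoint.aspx" is a stand-in, not the real endpoint.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 03:12:05 10.0.0.5 GET /sites/hr/default.aspx - 443 - 10.0.1.20 Mozilla/5.0 - 200 0 0 128
2025-07-19 03:14:41 10.0.0.5 POST /_layouts/15/placeholder-endpoint.aspx - 443 - 203.0.113.77 Mozilla/5.0 - 200 0 0 310
2025-07-19 03:14:43 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.77 Mozilla/5.0 - 200 0 0 57
2025-07-19 03:20:10 10.0.0.5 GET /_layouts/16/SPINSTALL0.ASPX - 443 - 198.51.100.9 curl/8.0 - 404 0 2 3
"""


@dataclass
class Finding:
    when: str
    client_ip: str
    method: str
    uri: str
    status: int
    note: str


def parse_iis_log(text):
    """Return a list of dict rows, using the #Fields header to name columns."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log rows appear before a #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed row: skip rather than guess at columns
        rows.append(dict(zip(fields, parts)))
    return rows


def find_webshell_activity(text):
    """Flag every request whose URI file name matches the webshell, case-insensitively."""
    findings = []
    posts_by_ip = defaultdict(list)  # client IP -> times of POSTs seen so far
    for row in parse_iis_log(text):
        stem, ip = row["cs-uri-stem"], row["c-ip"]
        if row["cs-method"].upper() == "POST":
            posts_by_ip[ip].append(row["time"])
        if stem.rsplit("/", 1)[-1].lower() != WEBSHELL_NAME:
            continue
        status = int(row["sc-status"])
        if status == 200:
            note = "webshell served (HTTP 200): file exists on disk, treat host as compromised"
        else:
            note = f"probe for webshell (HTTP {status}): check other hosts for the same scan"
        if posts_by_ip.get(ip):
            note += f"; preceded by POST from same client at {posts_by_ip[ip][-1]}"
        findings.append(Finding(f"{row['date']} {row['time']}", ip,
                                row["cs-method"], stem, status, note))
    return findings


if __name__ == "__main__":
    for f in find_webshell_activity(SAMPLE_LOG):
        print(f"{f.when} {f.client_ip} {f.method} {f.uri} -> {f.note}")
```

A 200 on the webshell path means the file was written, and because its purpose is to extract the machine keys, patching alone does not end the incident: the keys must be treated as exposed and rotated, and IIS restarted, in addition to removing the file. A 404 from a scanner is still worth correlating across the fleet, since it shows who is looking for this foothold.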

Earlier this month, Proofpoint reported that three Chinese state-sponsored threat actors have been conducting targeted phishing campaigns against the Taiwanese semiconductor industry, likely for espionage purposes. The campaigns targeted a range of entities, including semiconductor design, manufacturing, testing, supply chain organizations, and financial analysts specializing in the sector.

One group, UNK_FistBump, used employment-themed phishing to deliver Cobalt Strike or a custom Voldemort backdoor. Another threat actor, UNK_DropPitch, focused on investment analysts at major firms.

A third group, UNK_SparkyCarp, used a custom Adversary-in-the-Middle phishing kit to conduct credential theft against a Taiwanese semiconductor company.

