Microsoft Ties SharePoint Exploits To China-Backed ToolShell Group
Introduction to the Threat
China-linked hackers are exploiting a critical SharePoint flaw to deploy ToolShell malware, bypassing patches and compromising organizations across key sectors. Microsoft has linked a wave of SharePoint Server attacks to a China-based threat actor using a tool called ToolShell. The attackers exploited CVE-2025-53770, a critical remote code execution vulnerability in SharePoint Server, to gain unauthorized access to vulnerable systems—even after patches were released.
The Attack Campaign
The campaign began as early as April 2025 and has affected more than 100 organizations, including government agencies, schools, and energy companies. This attack illustrates the dangers of persistent, strategic compromise. And it shows just how well-resourced and adaptive nation-state attackers can be—especially when defenders stick to the usual playbook.
A Closer Look at CVE-2025-53770
CVE-2025-53770 is a deserialization flaw in SharePoint Server with a critical CVSS rating of 9.8. It allows attackers to send a specially crafted request and run arbitrary code on the system. From there, they can deploy malware, access internal networks, and maintain control for future operations. What makes this more dangerous is that attackers are chaining this vulnerability with others—such as CVE-2025-49704 and CVE-2025-49706—to bypass security patches issued in May. Once the foothold is established, even patched systems can remain compromised.
ToolShell Reappears
The campaign is driven by a modified version of ToolShell, a remote access trojan that’s been previously linked to Chinese espionage groups. In this case, ToolShell is integrated into SharePoint workflows, allowing attackers to blend into normal traffic, evade detection, and operate freely inside the network.
Nation-State Attribution and a Growing Threat Landscape
Microsoft’s Threat Intelligence team has formally attributed the campaign to a China-based threat actor. But according to Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, the threat has already expanded beyond a single source. “We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor. It’s critical to understand that multiple actors are now actively exploiting this vulnerability. We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well,” Carmakal warned.
Comparison to Previous Attacks
Gabrielle Hempel, Security Operations Strategist at Exabeam, sees clear echoes of the 2021 Exchange Server attacks in this campaign. “Yet again, we’re seeing a Microsoft enterprise product exploited at scale, with self-hosted deployments as the primary point of failure,” she noted. “These environments generally remain low-hanging fruit due to patching delays and overexposed internal access.” Hempel also emphasized the operational complexity of these attacks. “These attackers aren’t just out to steal data, but gain remote access, drop malware, and move laterally. Organizations should be treating this as a full domain compromise event and not just a SharePoint-specific incident.”
Patching Isn’t Enough
This campaign underscores a frustrating but important truth in cybersecurity: patching alone is not enough. While Microsoft did release a patch for CVE-2025-53770, attackers already inside those systems could maintain persistence using other tools and chained exploits. In some cases, attackers gained access before the patch was available. In others, organizations failed to patch quickly—or correctly—leaving them vulnerable. Once ToolShell is deployed, it’s not just about SharePoint anymore. It’s about what else attackers can reach from there.
What Organizations Need to Do Now
Microsoft and other experts recommend several immediate steps:
- Audit and isolate SharePoint servers, especially any exposed externally.
- Search for signs of ToolShell or unusual behavior in SharePoint logs and lateral traffic.
- Limit east-west movement, which is often invisible to perimeter-focused defenses.
- Treat this as a domain-wide incident, not a single application compromise.
Rethinking Hybrid Security
SharePoint’s widespread use and the mix of on-prem and cloud deployments make it a prime target. Many organizations have moved to cloud-based platforms, but legacy on-prem systems often remain in place—and underprotected. This campaign is a reminder that defending hybrid environments requires more than patching and monitoring the perimeter. It demands real visibility, fast detection, and a plan for persistence. Nation-state attackers do not rely on zero-days alone. They leverage known flaws, chain exploits, and adapt faster than most organizations can respond.
Conclusion
The compromise isn’t coming. For many, it’s already here. Organizations must take immediate action to protect themselves from this threat. This includes auditing and isolating SharePoint servers, searching for signs of ToolShell, limiting east-west movement, and treating this as a domain-wide incident. By taking these steps, organizations can reduce the risk of compromise and protect themselves from the evolving threat landscape.
FAQs
Q: What is the CVE-2025-53770 vulnerability?
A: CVE-2025-53770 is a deserialization flaw in SharePoint Server with a critical CVSS rating of 9.8. It allows attackers to send a specially crafted request and run arbitrary code on the system.
Q: What is ToolShell?
A: ToolShell is a remote access trojan that’s been previously linked to Chinese espionage groups. It is integrated into SharePoint workflows, allowing attackers to blend into normal traffic, evade detection, and operate freely inside the network.
Q: How many organizations have been affected by this campaign?
A: More than 100 organizations have been affected, including government agencies, schools, and energy companies.
Q: What can organizations do to protect themselves?
A: Organizations should audit and isolate SharePoint servers, search for signs of ToolShell, limit east-west movement, and treat this as a domain-wide incident.
Q: Is patching enough to protect against this threat?
A: No, patching alone is not enough. Organizations must also take steps to detect and respond to the threat, and to limit the movement of attackers inside the network.
