Chinese Hackers Exploit ToolShell Vulnerability to Target Global Networks

Chinese hackers exploit ToolShell flaw post-patch, targeting telecom and government networks globally, using advanced tactics for espionage.

By Content Team

Oct 23, 2025

ON THIS PAGE

Share

---

ON THIS PAGE

Want more insights like this?

Subscribe to our newsletter to get the latest software protection strategies delivered to your inbox.

By submitting your email, you consent to Codekeeper contacting you and agree to our privacy policy.

Chinese threat actors exploited the ToolShell vulnerability (CVE-2025-53770) just two days after Microsoft patched it in July 2025, compromising a Middle Eastern telecom company and government agencies across Africa and South America. Symantec researchers linked the attacks to Chinese groups Glowworm and UNC5221, who deployed malware including Zingdoor and KrustyLoader.

The hackers targeted critical infrastructure through mass scanning, then focused on networks of interest for espionage. They used legitimate tools like Trend Micro and BitDefender binaries to hide their malicious payloads, demonstrating sophisticated tradecraft.

Microsoft previously identified three Chinese groups exploiting ToolShell, including Budworm and Storm-2603. The widespread targeting suggests coordinated state-sponsored activity aimed at stealing credentials and maintaining persistent access to victim networks.

Source: Industrial Cyber

Share this article

Have questions about protecting your software?

Our escrow experts are standing by to help.

Book a free demo

YOU MAY ALSO LIKE

Hasbro Hit by Cyberattack, Potentially Delaying Peppa Pig and Transformers Deliveries

Apr 2, 2026

Healthcare Recruitment Platform Hit by Major Cyber Attack Affecting Northern Ireland Health Trusts

Apr 11, 2026

North Korean Hackers Breach Popular Axios NPM Package in Supply Chain Attack

Apr 1, 2026

Cisco Drops 48 New Firewall Vulnerabilities, 2 Critical

Mar 6, 2026