Chinese Threat Actor Targets Microsoft SharePoint in ToolShell Malware Campaign

Key Takeaways:

  • A Chinese state-linked hacking group exploited a SharePoint vulnerability to deploy the ToolShell backdoor.
  • The malware enables full remote control, data theft, and lateral movement across networks.
  • The attackers used a known RCE flaw (CVE-2019-0604) to breach unpatched SharePoint servers.
  • ToolShell has been previously attributed to APT31, a group known for espionage and targeting Western interests.
  • The campaign reflects persistent targeting of collaboration software as attack surfaces in enterprise environments.

A Chinese cyber-espionage group has been linked to a string of attacks exploiting Microsoft SharePoint servers to deploy ToolShell, a powerful backdoor that enables long-term unauthorized access and control. According to a new report by researchers at the QiAnXin Threat Intelligence Center, the attack chain used a known remote code execution vulnerability in SharePoint (CVE-2019-0604) that remains exploitable on unpatched systems.

In related news, we have recently reported on Chinese-Linked VPN Apps Raised Privacy Alarms Across Apple and Google Stores, The U.S. Arrested an Alleged Chinese Hacker for COVID Research Theft and Microsoft Exchange Breach, and Chinese Hackers Breached US National Guard Networks and Stayed Hidden for a Month.

Exploiting Known Flaws for Persistent Access

The attackers gained initial access by exploiting CVE-2019-0604, a vulnerability that was disclosed and patched by Microsoft over five years ago but continues to surface in many enterprise environments due to delayed patching. Once inside the compromised SharePoint server, they dropped a loader that executes the ToolShell malware, establishing persistence on the network.

ToolShell is a modular remote access trojan (RAT) capable of:

  • Executing shell commands
  • Uploading and downloading files
  • Capturing screenshots
  • Gathering system metadata
  • Facilitating lateral movement

Researchers observed the malware establishing connections with command and control (C2) infrastructure, enabling attackers to monitor and manipulate the victim network in real time.

APT31 Attribution

The campaign has been attributed to APT31, also known as Zirconium or Judgment Panda, a Chinese nation-state threat actor previously linked to cyber-espionage campaigns targeting governments, defense contractors, and critical infrastructure operators in North America and Europe.

QiAnXin’s report points to overlapping TTPs (tactics, techniques, and procedures) with prior APT31 operations, including unique encoding techniques and infrastructure reuse, along with the presence of ToolShell—malware first identified in an APT31 attack on a Russian defense contractor in 2021.

The implications of this linkage are significant: ToolShell is not opportunistic ransomware or mass-market spyware. It’s a deliberate, stealthy tool designed for long-term data theft and espionage. Its presence often signals a targeted campaign rather than random scanning.

The Collaboration Software Attack Surface

The use of SharePoint as an initial access point is noteworthy. Enterprise collaboration platforms—such as SharePoint, Confluence, Teams, and others—have become popular targets for state-linked actors due to their widespread adoption, deep integrations across organizations, and tendency to store sensitive files and documents.

ToolShell’s deployment through SharePoint also highlights the risks posed by overlooked or legacy software assets. While CVE-2019-0604 was patched in 2019, some organizations continue to run unpatched instances of SharePoint on-premises, making them soft targets for actors with sufficient reconnaissance and patience.

Defenders Urged to Prioritize Hygiene

Security professionals are once again being urged to reassess their asset inventories and patch management practices. A successful exploit of a five-year-old vulnerability suggests that many enterprises may still lack adequate visibility into critical software dependencies—especially those running on older infrastructure or outside of standard vulnerability management scopes.

Recommendations include:

  • Immediately applying all relevant SharePoint security patches
  • Conducting retrospective analysis for signs of compromise in SharePoint and adjacent systems
  • Enforcing endpoint detection with memory scanning for backdoor payloads like ToolShell
  • Monitoring outbound network traffic for signs of suspicious C2 activity
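One way to act on the last two recommendations, as an added example that is not from the report or the article: flag outbound connections made by the SharePoint web worker process to destinations outside an allowlist, then score each destination for beacon-like regularity. The log format, the worker process name (assumed to be IIS's w3wp.exe) and the allowlist are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines (not from the report): timestamp, process, destination
SAMPLE_LOG = """\
2025-07-20T10:00:00 w3wp.exe 203.0.113.10:443
2025-07-20T10:05:00 w3wp.exe 203.0.113.10:443
2025-07-20T10:10:00 w3wp.exe 203.0.113.10:443
2025-07-20T10:15:00 w3wp.exe 203.0.113.10:443
2025-07-20T10:03:12 w3wp.exe 10.0.0.5:1433
2025-07-20T10:07:44 svchost.exe 198.51.100.7:443
"""

# Assumption: the SharePoint IIS worker process is w3wp.exe and should only talk
# to known internal backends (here a SQL server); anything else is suspect.
WEB_PROCESSES = {"w3wp.exe"}
ALLOWED_DESTS = {"10.0.0.5:1433"}

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, proc, dest = line.split()
        events.append((datetime.fromisoformat(ts), proc, dest))
    return events

def suspicious_outbound(events):
    """Return {dest: [timestamps]} for web-worker connections outside the allowlist."""
    hits = defaultdict(list)
    for ts, proc, dest in events:
        if proc in WEB_PROCESSES and dest not in ALLOWED_DESTS:
            hits[dest].append(ts)
    return dict(hits)

def beacon_score(timestamps, min_conns=4):
    """Return (mean interval s, jitter s); low jitter suggests a C2 beacon."""
    if len(timestamps) < min_conns:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return (mean(gaps), pstdev(gaps))

def find_beacons(text, max_jitter=5.0):
    """Destinations the web worker contacts at near-constant intervals."""
    flagged = {}
    for dest, stamps in suspicious_outbound(parse_log(text)).items():
        score = beacon_score(stamps)
        if score and score[1] <= max_jitter:
            flagged[dest] = score
    return flagged
```

On real telemetry (Sysmon event 3, firewall or proxy logs) the same logic applies once the fields are mapped; the allowlist should be built from the server's legitimate backends rather than guessed.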

As APT31 and similar actors continue refining their techniques, organizations relying on collaboration software should treat these platforms with the same level of scrutiny as traditional server infrastructure.

Broader Implications for Supply Chain and Public Sector

This campaign also follows a broader trend of supply chain-focused attacks, where access to internal collaboration platforms can be leveraged to move laterally into vendor ecosystems, public sector databases, and customer data repositories.

ToolShell’s stealthy nature and modularity make it well-suited to these types of strategic intrusions, enabling data collection and exfiltration over long periods without immediate detection.

The incident reinforces warnings from global cybersecurity agencies about persistent threats from Chinese APTs. For instance, recent joint advisories from CISA, the FBI, and their counterparts in allied countries have emphasized the importance of patching publicly known vulnerabilities—particularly in internet-facing services—because of their continued exploitation by sophisticated state-sponsored actors.


Aside from his role as CEO of TMC and chairman of ITEXPO #TECHSUPERSHOW Feb 10-12, 2026, Rich Tehrani is CEO of RT Advisors and a Registered Representative (investment banker) with and offering securities through Four Points Capital Partners LLC (Four Points) (Member FINRA/SIPC). He handles capital/debt raises as well as M&A. RT Advisors is not owned by Four Points.


Portions of this article may have been developed with the assistance of artificial intelligence, which may have contributed to ideation, content generation, factual review, or editing.
