THREAT SUMMARY
Category: Zero-Day Exploitation, State-Aligned Espionage, Enterprise Intrusion, Supply-Chain Threat
Features: Pre-patch exploitation, simultaneous multi-actor campaigns, authentication bypass, SharePoint compromise, long-term access objectives
Delivery Method: Server-side exploitation of CVE-2025-49704 / 49706 and derivative bypasses
Threat Actor: Linen Typhoon (PLA-linked), Violet Typhoon (MSS-linked), Storm-2603 (dual-purpose ransomware / possible intelligence masking)
A coordinated exploitation wave struck organizations worldwide when three different China-based threat clusters — espionage units and a ransomware crew — simultaneously weaponized two Microsoft SharePoint vulnerabilities. The resulting ToolShell campaign breached governments, critical infrastructure, telecom sectors, and major enterprises, revealing a pattern that cybersecurity analysts now recognize as a possible hallmark of China’s maturing vulnerability pipeline.
The scale, timing, and synchronization point to something larger than coincidence — a signal of how quickly China’s offensive cyber ecosystem can mobilize around a single exploit, even before a patch is publicly released.
In March, on the Pwn2Own stage in Berlin, researchers proved SharePoint could be compromised remotely. As per competition rules, the findings were privately disclosed to Microsoft to give engineers time to patch the flaws. In theory, this was supposed to protect governments and enterprises relying on SharePoint as a repository for confidential documents, procurement records, legal filings, and internal strategy memos.
Instead, when the ToolShell campaign detonated four months later, the world witnessed something different — something that looked less like opportunistic hacking and more like a synchronized mobilization.
Microsoft released fixes for CVE-2025-49704 and CVE-2025-49706 on July 8. Telemetry later showed exploitation began the day before the patches were issued. That meant someone knew what was coming.
But the shock wasn’t in the timing; it was in the actors.
- Linen Typhoon (APT27) — linked to the PLA.
- Violet Typhoon (APT31) — linked to the Ministry of State Security.
- Storm-2603 — a ransomware crew whose motives blur the line between cybercrime and state-aligned access operations.
All three moved at the same time, hit the same vulnerability pairs, and reached into the same victims: government ministries, critical infrastructure providers, telecom firms, defense-adjacent industries, and major enterprises across Europe, North America, and Asia.
Even more concerning — the attackers bypassed Microsoft’s initial fix within days, demonstrating a depth of technical understanding consistent with advanced internal knowledge.
Evidence emerged suggesting at least 400 organizations were compromised within the first wave, including U.S. state and federal agencies.
This was no scattershot campaign. This was structured, calculated, and driven by a shared strategic advantage — the narrow window before patches became widely deployed.
INFRASTRUCTURE AT RISK
Government Systems
Ministries, procurement departments, policy offices, authentication portals.
Defense-Linked Supply Chains
Aerospace, logistics, manufacturing vendors, and strategic subcontractors.
Critical Infrastructure Providers
Telecom, energy, transportation sectors — all relying on SharePoint for internal coordination.
Enterprise SharePoint Ecosystems
Legal, financial, and operational documents containing years of institutional memory.
Global Corporate Authentication Pathways
SharePoint’s deep integration with Microsoft’s identity stack allowed attackers to pivot from document access to domain-wide privilege escalation.
Storm-2603’s ransomware branch also struck major telecom providers and entities touching the nuclear sector, a targeting choice rare for low-tier criminal groups.
POLICY / ALLIED PRESSURE
A glaring question emerged:
How did three separate Chinese groups obtain workable exploits at the same time?
Security analysts turned toward Microsoft’s early-warning partner program (MAPP). Several Chinese companies inside the program are legally obligated to report vulnerabilities to the Chinese government before the vendor itself — creating a pipeline with significant risk for diversion.
The Chinese National Vulnerability Database (CNNVD), operated by the MSS, has long been suspected of receiving vulnerability intelligence prior to global disclosure.
Microsoft restricted several Chinese organizations from MAPP after reviewing the ToolShell campaign.
The pattern is not new. ProxyLogon in 2021, Ivanti in 2023 — each saw multiple Chinese clusters attack the same vulnerability the moment the patch cycle began. Analysts now suspect a centralized distribution mechanism inside China’s cyber apparatus that acts as a “quartermaster” for exploit code and vulnerability intelligence.
Governments across NATO are pressuring private vendors to reevaluate pre-patch sharing models, especially in jurisdictions where national laws can divert zero-day information into state intelligence channels.
VENDOR DEFENSE / RELIANCE
Microsoft acknowledged four total vulnerabilities in the exploit chain:
- CVE-2025-49704 (original flaw)
- CVE-2025-49706 (paired flaw)
- CVE-2025-53770 (bypass)
- CVE-2025-53771 (secondary bypass)
The attackers had already weaponized the bypasses before Microsoft finished remediation — a rare and alarming sign of adversarial capacity.
Security firms observed:
- large-scale credential harvesting
- bulk data exfiltration
- deep SharePoint-to-network pivoting
- selective espionage activity followed by noisy ransomware
- inconsistent ransomware deployment suggesting resource bottlenecks
- potential smokescreen operations designed to obscure state objectives
Telecom giants, government systems, and nuclear-adjacent entities were among the compromised — not typical ransomware fare.
Some researchers believe Storm-2603’s ransomware is camouflage for deeper, state-directed access operations.
Others believe it is dual-purpose — financially motivated and rewarded through intelligence sharing with the MSS.
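Two of the behaviours listed above, authentication bypass and bulk data exfiltration, leave traces in the IIS logs of a SharePoint front end that a defender can triage without any campaign-specific indicator. The script below is an added example written for this page, not code from the original post, from Microsoft or from any vendor. Its log lines are constructed, and the protected path prefix (/sites/), the document extension list and the thresholds are assumptions a deployment would tune to its own baseline. It generalizes beyond this campaign: the same two rules apply to any IIS-hosted application that is expected to challenge anonymous requests.

```python
"""Triage IIS W3C logs from a SharePoint front end for two symptoms: successful
anonymous hits on content that should require authentication (an auth-bypass
symptom) and bulk document download by one client (an exfiltration symptom).
Added example; the sample log, prefix, extensions and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample in the IIS W3C extended format (default field set); hosts,
# users and paths are invented, and 203.0.113.44 plays the intruder.
SAMPLE_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2025-07-07 09:12:01 10.0.0.5 GET /sites/finance/Shared%20Documents/q2.xlsx - 443 CORP\alice 10.0.1.20 Mozilla/5.0 - 200 0 0 48211 612 35
2025-07-07 09:15:10 10.0.0.5 GET /sites/finance/Shared%20Documents/q2.xlsx - 443 - 198.51.100.7 Mozilla/5.0 - 401 2 5 1293 410 3
2025-07-07 11:03:09 10.0.0.5 GET /sites/finance/Shared%20Documents/q2.xlsx - 443 - 203.0.113.44 python-requests/2.31 - 200 0 0 48211 301 22
2025-07-07 11:03:12 10.0.0.5 GET /sites/finance/Shared%20Documents/budget.docx - 443 - 203.0.113.44 python-requests/2.31 - 200 0 0 91042 301 25
2025-07-07 11:03:15 10.0.0.5 GET /sites/finance/Shared%20Documents/contracts.pdf - 443 - 203.0.113.44 python-requests/2.31 - 200 0 0 402118 301 61
2025-07-07 11:03:19 10.0.0.5 GET /sites/legal/Shared%20Documents/merger.docx - 443 - 203.0.113.44 python-requests/2.31 - 200 0 0 310775 301 52
2025-07-07 11:03:22 10.0.0.5 GET /sites/legal/Shared%20Documents/board.pptx - 443 - 203.0.113.44 python-requests/2.31 - 200 0 0 512009 301 70
2025-07-07 11:03:26 10.0.0.5 GET /sites/hr/Shared%20Documents/salaries.xlsx - 443 - 203.0.113.44 python-requests/2.31 - 200 0 0 77310 301 30
2025-07-07 11:04:01 10.0.0.5 GET /sites/hr/Shared%20Documents/missing.xlsx - 443 - 203.0.113.44 python-requests/2.31 - 404 0 2 1421 301 4
"""

@dataclass
class Hit:
    ts: datetime
    method: str
    uri_stem: str
    username: str      # "-" means the request carried no authenticated identity
    client_ip: str
    status: int
    sc_bytes: int      # bytes sent by the server (response size)

def parse_iis_w3c(text: str) -> list[Hit]:
    """Parse W3C extended log text, taking the column layout from its own
    #Fields directive so the parser is not tied to one field order."""
    fields: list[str] = []
    hits: list[Hit] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed line: skip, never crash the triage
        row = dict(zip(fields, parts))
        hits.append(Hit(
            ts=datetime.fromisoformat(f"{row['date']} {row['time']}"),
            method=row["cs-method"],
            uri_stem=unquote(row["cs-uri-stem"]),
            username=row["cs-username"],
            client_ip=row["c-ip"],
            status=int(row["sc-status"]),
            sc_bytes=int(row["sc-bytes"]),
        ))
    return hits

def anonymous_successes(hits: list[Hit], protected_prefix: str = "/sites/") -> list[Hit]:
    """2xx responses to requests with no authenticated user under a path the
    deployment expects to challenge. A healthy server answers these with 401;
    a 200 means authentication was skipped or bypassed. Prefix is an assumption."""
    return [h for h in hits
            if h.username == "-" and 200 <= h.status < 300
            and h.uri_stem.startswith(protected_prefix)]

# Assumed set of document types whose bulk retrieval is worth flagging.
DOC_EXTENSIONS = (".docx", ".xlsx", ".pptx", ".pdf", ".doc", ".xls")

def bulk_downloads(hits: list[Hit], window: timedelta = timedelta(minutes=10),
                   min_docs: int = 5, min_bytes: int = 1_000_000) -> dict[str, tuple[int, int]]:
    """Clients that pulled many distinct documents, or many bytes, inside one
    sliding window. Returns {client_ip: (distinct_docs, total_bytes)} for the
    heaviest window seen per flagged client. Thresholds are assumed baselines."""
    by_client: dict[str, list[Hit]] = defaultdict(list)
    for h in hits:
        if h.method == "GET" and h.status == 200 and h.uri_stem.lower().endswith(DOC_EXTENSIONS):
            by_client[h.client_ip].append(h)
    flagged: dict[str, tuple[int, int]] = {}
    for ip, docs in by_client.items():
        docs.sort(key=lambda d: d.ts)
        start = 0
        for end, h in enumerate(docs):
            while h.ts - docs[start].ts > window:   # slide the window forward
                start += 1
            in_window = docs[start:end + 1]
            distinct = len({d.uri_stem for d in in_window})
            total = sum(d.sc_bytes for d in in_window)
            if (distinct >= min_docs or total >= min_bytes) and (distinct, total) > flagged.get(ip, (0, 0)):
                flagged[ip] = (distinct, total)
    return flagged

if __name__ == "__main__":
    hits = parse_iis_w3c(SAMPLE_LOG)
    for h in anonymous_successes(hits):
        print(f"ANON-200 {h.ts} {h.client_ip} {h.uri_stem}")
    for ip, (docs, total) in bulk_downloads(hits).items():
        print(f"BULK     {ip} {docs} documents, {total} bytes in one window")
```

Run it as-is to triage the embedded sample, or replace SAMPLE_LOG with the contents of a real log file. Treat the output as leads to correlate with patch state and SharePoint ULS logs rather than as verdicts: a 200 to an anonymous request can also mean a site was deliberately published for anonymous access, and a legitimate sync client can cross the download thresholds.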
FORECAST — 30 DAYS
• Expanded exploitation as unpatched systems remain exposed
• Reuse of bypasses in new tooling, targeting lightly monitored departments
• Spillover into third-party vendors and cloud-connected SharePoint hybrids
• Ransomware incidents increasing as Storm-2603 monetizes footholds
• State groups shifting into stealth mode to retain long-term access
• International scrutiny on vulnerability pipelines involving China
• Patch fatigue and incomplete remediation leaving governments exposed
• Increased pressure on Microsoft to overhaul pre-patch sharing protocols
TRJ VERDICT
The ToolShell campaign exposes a structural truth about China’s cyber ecosystem: it is no longer a collection of isolated threat groups, but a coordinated network capable of synchronizing on a single vulnerability at nation-scale speed.
Three groups exploiting the same zero-day at the same moment is not a coincidence. It is a signal — a demonstration of how China processes, distributes, and operationalizes vulnerability intelligence.
A pipeline exists. A mechanism exists. A doctrine exists.
The West is still treating these attacks as isolated events. China is treating them as coordinated phases of a unified strategy.
If governments and enterprises continue to operate under outdated assumptions — that a patch is enough, that telemetry is enough, that vendor warnings are enough — they will find themselves repeatedly blindsided.
The threat landscape is no longer defined by who discovers a vulnerability.
It is defined by who mobilizes around it.
China has demonstrated its answer.
The question for the rest of the world is whether they are prepared for the next wave — because the pattern will repeat, and each cycle grows sharper.

“The question for the rest of the world is whether they are prepared for the next wave —”
That is a very good question.
Thank you for the information, John.
You’re welcome, Chris — and you’re right, that question is the one everyone keeps avoiding. The next wave won’t be defined by who discovers a vulnerability, but by who can mobilize around it fastest. The pattern is already forming, and recognizing it early is the only advantage anyone has left. Thanks again, Chris – it’s always greatly appreciated. 😎
You’re welcome, John. Thank you for your reply and I can only hope those in the right places can mobilize quickly and recognize what they need to do to keep things safe.