Particle.news

ToolShell SharePoint Exploits Spread Across Four Continents, Symantec Finds

The new analysis details an espionage-focused, multi-stage intrusion chain that pivots from unauthenticated access to stealthy persistence.

Overview

  • Symantec/Broadcom reports CVE-2025-53770 was used to compromise targets in the Middle East, South America, the U.S., Africa, and Europe, spanning government bodies, a telecom, a university, and a finance firm.
  • At a Middle East telecom, intruders exploited the SharePoint flaw to plant webshells, then used DLL side-loading to deploy Zingdoor, what appears to be ShadowPad, and KrustyLoader before loading the Sliver framework.
  • Operators side-loaded malicious DLLs through legitimate executables from Trend Micro and Bitdefender, and in one South America case used a file whose name resembled Symantec's.
  • Post-exploitation activity included credential dumping with ProcDump, Minidump, and LsassDumper, domain compromise via PetitPotam (CVE-2021-36942), and living-off-the-land tools such as Certutil, GoGo Scanner, and Revsocks.
  • In some incidents, initial access came via other, unspecified vulnerabilities, with malware delivered through SQL servers and through Apache HTTP servers running Adobe ColdFusion. The activity is linked to multiple China-based actors; Microsoft’s July disclosure and emergency patches remain the primary mitigation.
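The bullets above describe three post-exploitation behaviours a SharePoint defender can hunt for in endpoint telemetry: the IIS worker process spawning a shell (a webshell executing), a vendor-signed executable running from an unexpected location and loading an unsigned DLL (side-loading), and ProcDump pointed at LSASS (credential dumping). The following is an added illustration, not code from Symantec, Particle.news, or any vendor mentioned; the Sysmon-style events are constructed, and the vendor executable name `vendorscan.exe` is a hypothetical placeholder for whichever legitimate binary is being abused.

```python
import ntpath

# Constructed Sysmon-style events (not real telemetry from the report).
SAMPLE_EVENTS = [
    # 1: IIS worker process spawning a shell: typical of a webshell running under SharePoint
    {"id": 1, "type": "ProcessCreate",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    # 2: same parent, but a child that IIS launches legitimately; must not fire
    {"id": 2, "type": "ProcessCreate",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe"},
    # 3: hypothetical vendor binary copied to ProgramData and loading an unsigned DLL
    {"id": 3, "type": "ImageLoad",
     "Image": r"C:\ProgramData\update\vendorscan.exe",
     "ImageLoaded": r"C:\ProgramData\update\helper.dll",
     "Signed": False},
    # 4: same binary in its install directory loading a signed DLL; expected behaviour
    {"id": 4, "type": "ImageLoad",
     "Image": r"C:\Program Files\VendorAV\vendorscan.exe",
     "ImageLoaded": r"C:\Program Files\VendorAV\helper.dll",
     "Signed": True},
    # 5: ProcDump pointed at LSASS
    {"id": 5, "type": "ProcessCreate",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\Public\procdump64.exe",
     "CommandLine": "procdump64.exe -ma lsass.exe out.dmp"},
    # 6: ProcDump used on an ordinary application; must not fire
    {"id": 6, "type": "ProcessCreate",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Tools\procdump64.exe",
     "CommandLine": "procdump64.exe -ma notepad.exe out.dmp"},
]

WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Hypothetical watchlist of legitimate vendor executables known to be abused as side-loading hosts.
SIDELOAD_HOSTS = {"vendorscan.exe"}
# Directories where those executables are expected to live (lower-cased for comparison).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
DUMP_TOOLS = {"procdump.exe", "procdump64.exe"}


def _base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def detect_webshell_spawn(ev):
    """IIS worker process launching an interactive shell."""
    return (ev["type"] == "ProcessCreate"
            and _base(ev["ParentImage"]) in WEB_WORKERS
            and _base(ev["Image"]) in SHELLS)


def detect_sideload(ev):
    """Watch-listed vendor binary running outside its install root or loading an unsigned DLL."""
    if ev["type"] != "ImageLoad" or _base(ev["Image"]) not in SIDELOAD_HOSTS:
        return False
    outside_install = not ev["Image"].lower().startswith(TRUSTED_ROOTS)
    return outside_install or not ev.get("Signed", False)


def detect_lsass_dump(ev):
    """ProcDump invoked with LSASS named on the command line."""
    return (ev["type"] == "ProcessCreate"
            and _base(ev["Image"]) in DUMP_TOOLS
            and "lsass" in ev["CommandLine"].lower())


RULES = {
    "webshell_child_process": detect_webshell_spawn,
    "vendor_binary_sideload": detect_sideload,
    "lsass_credential_dump": detect_lsass_dump,
}


def scan(events):
    """Return (rule_name, event_id) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["id"]))
    return hits


if __name__ == "__main__":
    for name, eid in scan(SAMPLE_EVENTS):
        print(f"{name}: event {eid}")
```

The side-loading rule deliberately keys on where the trusted executable is running from rather than on the DLL name alone, since the whole point of the technique is that the host binary is legitimate and signed; events 2, 4 and 6 are included so the rules can be checked against benign look-alikes.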