active threat profile
type nation-state (suspected)
threat_level critical
status active
origin China (Mandiant assessment)
last_updated 2025-07-22

China-Nexus Group (Unnamed)

also known as: no public designation assigned; "No Shell" cluster (SentinelOne)

This profile covers an unidentified China-nexus threat actor assessed by Mandiant as responsible for some of the earliest observed exploitation of the ToolShell SharePoint zero-day chain — activity traced to July 7, 2025, nearly two weeks before public disclosure. Distinguished from the three named actors confirmed by Microsoft, this group's tradecraft — fileless in-memory execution, no persistent web shells, and a singular focus on machine key theft — is consistent with a sophisticated state-sponsored actor prioritizing stealth and long-term access over immediate exploitation.

attributed origin China (Mandiant — no confidence level specified)
suspected sponsor Unknown — suspected state-sponsored, unattributed to known cluster
first observed July 7, 2025 (Check Point Research telemetry)
primary motivation Espionage / persistent access — no ransomware observed
primary targets Government, Technology, Telecoms, Critical Infrastructure
known campaigns Multiple — scope unknown
mitre att&ck group Unassigned
target regions North America, Western Europe, Middle East (confirmed victims)
threat level CRITICAL

Overview

This profile documents a China-nexus threat actor that has not received a public tracking designation from any major vendor as of current reporting. The group's existence as a distinct actor was first publicly indicated on July 22, 2025, when Charles Carmakal — CTO of Mandiant Consulting at Google Cloud — stated on LinkedIn that Mandiant assessed "at least one of the actors responsible for this early exploitation is a China-nexus threat actor." That statement was made in the context of ToolShell exploitation that Check Point Research had traced back to July 7, 2025, targeting a major unnamed Western government — approximately eleven days before mass exploitation began and nearly two weeks before Microsoft publicly disclosed the vulnerability.

This group is distinct from the three actors Microsoft named in its July 22, 2025 attribution report — Linen Typhoon, Violet Typhoon, and Storm-2603. Microsoft's statement that "investigations into other actors also using these exploits are still ongoing" explicitly acknowledged that additional, unconfirmed actors were involved. SentinelOne's technical analysis of the earliest ToolShell exploitation observed in their telemetry identifies a cluster — internally dubbed "no shell" — characterized by in-memory .NET module execution with no persistent files written to disk, originating from IP address 96.9.125[.]147 between July 17–18, 2025. SentinelOne described this as "the earliest known exploitation of CVE-2025-53770 in the wild" and attributed the tradecraft to "a highly skilled red team or nation-state actor focused on stealth and credential harvesting."

The same IP address (96.9.125[.]147) was independently identified by Check Point Research as one of three source IPs in the early ToolShell exploitation waves, and was additionally noted as previously associated with exploitation of Ivanti EPMM vulnerabilities (CVE-2025-4427 and CVE-2025-4428) — suggesting a threat actor with a pattern of rapid adoption of high-value enterprise appliance vulnerabilities across multiple products. WithSecure's incident response analysis of ToolShell-related intrusions also observed the use of FRP (Fast Reverse Proxy) and the Godzilla web shell in related activity, tools described as "hallmarks of China-nexus threat actors" with techniques and payloads containing references discussed in Chinese-speaking security communities.

Whether this unnamed group represents a fourth distinct actor, a sub-cluster of one of the named groups, or a completely separate Chinese intelligence apparatus element remains unresolved. What the evidence establishes is: at least one China-nexus actor had pre-disclosure knowledge of the ToolShell vulnerability chain, exploited it in a targeted manner against a Western government before public awareness, and used sophisticated fileless tradecraft specifically designed to evade forensic detection — consistent with intelligence-collection objectives rather than opportunistic exploitation.

Target Profile

The targeting observed in connection with this group's earliest activity is narrow and selective, consistent with a state-sponsored intelligence collection mission rather than opportunistic access operations.

  • Government (Primary): Check Point Research's July 7, 2025 observation — the earliest confirmed ToolShell exploitation — targeted a major unnamed Western government. The selectivity and timing (pre-disclosure, pre-patch) strongly imply prior knowledge of the vulnerability and deliberate target selection.
  • Technology, Engineering, and Critical Infrastructure: SentinelOne's analysis of the early exploitation waves identified "technology consulting, manufacturing, critical infrastructure, and professional services tied to sensitive architecture and engineering" as the primary victim sectors in the targeted pre-disclosure phase. This profile aligns with the espionage priorities of the Chinese state intelligence apparatus: acquiring technical knowledge and pre-positioning access in critical infrastructure.
  • Telecommunications: Governments and telecoms were noted across multiple vendor reports as early ToolShell targets in North America and Western Europe, consistent with the broader China-nexus pattern of pre-positioning in communications infrastructure.
  • High-Value Organizations Generally: SentinelOne's characterization of the pre-disclosure targeting was that activity was "initially carefully selective, aimed at organizations with strategic value or elevated access" — distinguishing it from the opportunistic mass exploitation that followed public disclosure.

Tactics, Techniques & Procedures

The TTPs attributable specifically to this group are necessarily limited by the absence of a formal public tracking designation and the ongoing nature of attribution investigations. What can be documented with confidence from the "no shell" cluster and earliest exploitation waves is a distinctive operational signature.

mitre id technique description
T1190 Exploit Public-Facing Application (Pre-Disclosure) Exploitation of the ToolShell chain beginning July 7, 2025, before any patch existed (the original CVE-2025-49704 / CVE-2025-49706 pair was fixed in the July 8 Patch Tuesday release; CVE-2025-53770 / CVE-2025-53771 are the bypasses patched out-of-band from July 19) and before the in-the-wild exploitation was publicly disclosed. The timeline implies advance intelligence about the vulnerability, access to early research, or independent derivation of a working exploit. Note that the underlying chain was demonstrated publicly at Pwn2Own Berlin in May 2025, so "independent discovery" may mean re-deriving the bug from that disclosure rather than finding it from scratch; either way the actor had a weaponized exploit before the patch.
T1620 Reflective Code Loading (Fileless In-Memory Execution) The "no shell" cluster loaded .NET modules directly in memory inside the SharePoint worker process, writing no payloads or web shells to disk. SentinelOne's telemetry showed encoded payload delivery and dynamic assembly loading via PowerShell or native .NET, leaving no file-system artifacts for forensic recovery. This is the group's defining operational characteristic.
T1552.004 Unsecured Credentials: Private Keys (Machine Key Theft) The activity "primarily involved the theft of machine key material" per Mandiant's Carmakal. The ASP.NET machineKey (validationKey and decryptionKey) is what signs and encrypts __VIEWSTATE and forms-authentication tickets; whoever holds it can mint __VIEWSTATE blobs the server accepts as authentic, and combined with a deserialization gadget that is code execution on a fully patched server. Patching closes the initial access vector; only key rotation invalidates stolen keys.
T1027 Obfuscated Files / Encoded Payloads Behavioral indicators in SentinelOne's telemetry suggest the use of encoded payload delivery during in-memory execution. The avoidance of disk writes and reliance on dynamic assembly loading are techniques specifically chosen to frustrate signature-based and file-based detection.
T1090 Proxy / Tunneling Infrastructure WithSecure's incident response analysis of China-nexus ToolShell activity observed use of FRP (Fast Reverse Proxy) to establish reverse tunnels from victim environments to actor-controlled infrastructure — a technique documented across multiple Chinese APT clusters for C2 channel establishment and lateral movement preparation.
T1505.003 Web Shell (Related Activity) WithSecure documented use of the Godzilla web shell in China-nexus ToolShell intrusions — a tool with strong associations with Chinese-speaking threat actor communities. Whether attributable to this specific unnamed group or to one of the three named actors remains unclear.
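The reason the T1552.004 row matters more than the patch status is easiest to see in code. The following is an added illustration, not code from this profile or from any vendor report: a deliberately simplified model of how a server validates __VIEWSTATE against its validationKey. Real ASP.NET 4.5+ first derives a purpose-specific key from the validationKey with an SP800-108 KDF and supports several MAC algorithms; this model uses the raw key with HMAC-SHA256 so the key-handling logic stays visible. The payload string is a placeholder, not a gadget chain, and the "server" and "attacker" roles are constructed for the example.

```python
"""Why stolen ASP.NET machine keys outlive the patch (simplified model).

Added example; not code from the page or any vendor. Real ASP.NET derives a
purpose-specific key via SP800-108 before MACing; here the raw validationKey
is used directly with HMAC-SHA256 to keep the logic readable.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def generate_validation_key() -> bytes:
    # An ASP.NET validationKey for HMACSHA256 is 64 random bytes (128 hex chars).
    return secrets.token_bytes(64)


def sign_viewstate(payload: bytes, validation_key: bytes) -> str:
    """Server side: __VIEWSTATE = base64(payload || HMAC(validationKey, payload))."""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode()


def verify_viewstate(viewstate: str, validation_key: bytes) -> Optional[bytes]:
    """Server side: return the payload if the MAC matches, else None.

    The server has no notion of *who* produced the blob; the only question it
    asks is whether the MAC was computed with the key it currently holds.
    """
    try:
        raw = base64.b64decode(viewstate, validate=True)
    except (ValueError, binascii_error()):
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


def binascii_error():
    # base64.b64decode raises binascii.Error (a ValueError subclass); imported lazily
    # here only to keep the except clause explicit about what it catches.
    import binascii
    return binascii.Error


def forge_with_stolen_key(stolen_key: bytes, payload: bytes) -> str:
    """Attacker side: with the leaked key, 'forging' is simply signing."""
    return sign_viewstate(payload, stolen_key)


def demo() -> dict:
    """Walk through patch-without-rotation versus rotation."""
    server_key = generate_validation_key()
    stolen_key = server_key  # what machine-key theft hands the actor

    # Constructed placeholder; a real attacker embeds a serialized gadget here.
    forged = forge_with_stolen_key(stolen_key, b"<attacker-chosen serialized object>")

    # Installing the ToolShell patch does not touch the key: still accepted.
    accepted_after_patch = verify_viewstate(forged, server_key) is not None

    # Rotating the machine key is what breaks the forged blob.
    rotated_key = generate_validation_key()
    accepted_after_rotation = verify_viewstate(forged, rotated_key) is not None

    return {
        "accepted_after_patch": accepted_after_patch,
        "accepted_after_rotation": accepted_after_rotation,
    }


if __name__ == "__main__":
    print(demo())
```

The model makes the operational point explicit: the validation check is keyed, not identity-based, so a stolen key is a standing credential until it is replaced on every server in the farm.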

Known Campaigns

Given the absence of a formal tracking designation and the ongoing nature of attribution, the "campaign" history for this actor is necessarily compressed to the ToolShell exploitation context and the pre-existing Ivanti EPMM infrastructure link.

ToolShell Pre-Disclosure Targeting July 7–18, 2025

The earliest confirmed ToolShell exploitation: Check Point Research traced first exploitation to July 7, 2025, targeting a major unnamed Western government. Additional targeted exploitation was observed on July 10, 2025. This activity predates the public disclosure of CVE-2025-53770 and the availability of patches. Victims in the pre-disclosure phase included organizations with strategic intelligence value across government, technology, and critical infrastructure in North America and Western Europe. The "no shell" cluster (SentinelOne) operated specifically on July 17–18, using fileless in-memory tradecraft from IP 96.9.125[.]147 — the stealthiest and earliest of the three distinct exploitation clusters SentinelOne documented. Mandiant publicly assessed China-nexus attribution for this early activity on July 22, 2025, without stating a confidence level.

Ivanti EPMM Exploitation (Infrastructure Overlap) 2025 (pre-ToolShell)

One of the three IP addresses observed in early ToolShell exploitation — 96.9.125[.]147, the same IP associated with the "no shell" fileless cluster — was previously linked by Check Point Research to exploitation of Ivanti Endpoint Manager Mobile vulnerabilities CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (remote code execution), which chain together and were patched by Ivanti in May 2025. This infrastructure overlap suggests the actor has a pattern of rapidly weaponizing high-severity enterprise appliance vulnerabilities and reusing attack infrastructure across distinct campaigns.

Tools & Malware

The tools attributable with confidence to this specific unnamed group are limited by the actor's deliberate use of fileless techniques that leave minimal artifacts. The following are documented from the actor's direct activity or from closely related China-nexus ToolShell intrusions.

  • In-Memory .NET Module Execution: The defining tool of the "no shell" cluster — dynamic assembly loading via PowerShell or native .NET APIs, executing payloads entirely in memory without writing files to disk. This approach prevents file-system forensics from recovering post-exploitation artifacts.
  • FRP (Fast Reverse Proxy): An open-source Go-based reverse proxy tool used to establish outbound tunnels from victim environments, providing C2 communication and facilitating lateral movement preparation. FRP is widely documented in Chinese APT tradecraft across multiple clusters.
  • Godzilla Web Shell: A feature-rich web shell with JSP, PHP, and ASP.NET (ASPX) server-side components and encrypted command traffic, strongly associated with Chinese-speaking threat actor communities. Observed by WithSecure in China-nexus ToolShell intrusions, though precise attribution to this specific unnamed group vs. one of the named actors is not confirmed.
  • Huorong Security Suite / HRSword (Related Activity): WithSecure observed the deployment of Huorong — a Chinese security solution — in related ToolShell intrusions. One component, HRSword, is a documented EDR evasion and impairment tool used by threat actors to terminate endpoint protection. The same pattern was observed in prior SharePoint exploitation (CVE-2024-38094) attributed to China-nexus actors.
  • ToolShell Exploit Chain: Weaponized exploit for CVE-2025-53770 / CVE-2025-53771 (and the original CVE-2025-49704 / CVE-2025-49706 variants). The actor's pre-disclosure access to a working exploit — before patches existed — is the most significant indicator of actor sophistication and advance knowledge.

Indicators of Compromise

IOCs attributable specifically to the unnamed China-nexus group are limited by the fileless tradecraft and ongoing attribution uncertainty. The following are from the documented early exploitation waves.

warning

IOCs for this actor are minimal by design — the fileless "no shell" tradecraft leaves no file-system artifacts. Network-based IOCs may be rotated rapidly. Attribution of specific indicators to this unnamed group vs. the three named actors remains uncertain in some cases. Validate against live threat intel feeds before use.

indicators of compromise
ip 96.9.125[.]147 (primary "no shell" cluster source IP — July 17–18, 2025; also linked to Ivanti EPMM exploitation)
technique In-memory .NET module execution via w3wp.exe — no web shells written to disk; encoded payload delivery via PowerShell or native .NET dynamic assembly loading
technique POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit with the Referer header set to /_layouts/SignOut.aspx (the authentication-bypass half of the chain) carrying a crafted __VIEWSTATE body; in this cluster the request exfiltrated MachineKey material without leaving a persistent shell artifact
tool FRP (Fast Reverse Proxy) — reverse tunnel for C2 establishment; Godzilla web shell (related China-nexus ToolShell intrusions)
file sysdiag-all-x64-6.0.7.2-2025.07.21.1.exe (Huorong security installer — used to deploy HRSword EDR impairment tool in related intrusions)

Mitigation & Defense

The unnamed group's fileless tradecraft makes traditional file-based detection largely ineffective. Defense against this actor requires behavioral detection and a particular focus on the MachineKey threat, which persists independently of patching.

  • Rotate ASP.NET Machine Keys Unconditionally: Mandiant's Carmakal stated explicitly that the early activity "primarily involved the theft of machine key material which could be used to access victim environments after the patch has been applied." Any organization running on-premises SharePoint that was accessible during the July 2025 window must rotate machine keys; patching alone does not eliminate the threat from stolen keys. Microsoft's remediation guidance rotates them with the Update-SPMachineKey cmdlet per web application (or the Machine Key Rotation timer job in Central Administration), followed by an IIS restart on every server in the farm; rotation must happen after patching, or the actor can simply steal the new keys.
  • Behavioral Detection for In-Memory .NET Execution: The "no shell" tradecraft avoids all file-system artifacts. Detection requires behavioral EDR/XDR rules that alert on w3wp.exe spawning PowerShell or cmd.exe, dynamic .NET assembly loading from unexpected process contexts, and VIEWSTATE deserialization anomalies. File-based AV and hash-based detection are ineffective against this actor.
  • Patch SharePoint and Apply Full Remediation: Apply all July 2025 SharePoint security updates (KB5002768, KB5002754, KB5002753) and restart IIS. Enable AMSI for SharePoint. These steps address the initial access vector but do not undo previously stolen MachineKey material.
  • Audit for Pre-Disclosure Compromise: Given that exploitation began July 7, 2025 and was selective and stealthy, organizations should assume that any on-premises SharePoint server accessible before the July 21 patches may have been compromised by this actor. Conduct forensic review of IIS logs, w3wp.exe process activity, and VIEWSTATE anomalies dating back to early July, not just the July 18–19 mass exploitation window.
  • Monitor for FRP and Godzilla Indicators: Alert on FRP process execution or outbound traffic patterns consistent with reverse proxy tunneling. Monitor for Godzilla shell artifacts — though this actor's primary signature is fileless, related China-nexus ToolShell intrusions have used these tools in adjacent activity.
  • Patch Ivanti EPMM: The infrastructure overlap with CVE-2025-4427 and CVE-2025-4428 (Ivanti EPMM) exploitation suggests this actor may also be active against Ivanti appliances. Ensure Ivanti EPMM environments are fully patched against the May 2025 chain and audit for prior compromise.
  • Assume Multiple Actors in Any Unpatched SharePoint Intrusion: Mandiant's Carmakal warned that "multiple actors are now actively exploiting this vulnerability" and that organizations should "prepare for noisy security logs with multiple discrete sets of activity." Forensic investigation of a SharePoint compromise may reveal artifacts from more than one threat actor simultaneously.
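The IIS-log review recommended above (and the ToolPane request shape listed in the IOC table) can be scripted. The following is an added example, not a tool from this profile or from any vendor: it parses IIS W3C-format log lines using the #Fields directive rather than fixed column positions, flags ToolPane.aspx edit-mode POSTs, the SignOut.aspx Referer bypass, and the known IOC source IP, and marks hits that fall before the mass-exploitation wave so they get reviewed first. The log lines are constructed for the example; the July 18 cutoff used for "pre-mass-exploitation" is this example's assumption based on the timeline in this profile.

```python
"""Hunt IIS W3C logs for ToolShell request patterns.

Added example (not from the page or any vendor report). SAMPLE_LOG is
constructed; its field layout follows the default IIS W3C logging fields.
The MASS_EXPLOITATION_START cutoff is an assumption taken from the timeline
above, not a vendor-published threshold.
"""
from datetime import date
from typing import Dict, Iterable, List

KNOWN_IOC_IPS = {"96.9.125.147"}             # from this profile's IOC table
MASS_EXPLOITATION_START = date(2025, 7, 18)  # assumption: first mass wave

# Constructed sample; IIS encodes spaces in User-Agent/Referer as '+' and
# writes '-' for empty fields, which is why whitespace splitting is safe.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-17 02:14:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 96.9.125.147 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.internal/_layouts/SignOut.aspx 200 0 0 312
2025-07-17 02:14:11 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 96.9.125.147 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 45
2025-07-16 09:00:00 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\jdoe 10.0.4.22 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 88
2025-07-22 11:00:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.9 python-requests/2.32.0 - 401 0 0 12
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn W3C log lines into dicts keyed by the names in the #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # layout can change mid-file; re-read it
            continue
        if line.startswith("#"):
            continue                    # #Software, #Version, #Date directives
        values = line.split()
        if not fields or len(values) != len(fields):
            continue                    # never mis-assign columns on odd lines
        records.append(dict(zip(fields, values)))
    return records


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the list of reasons a record is interesting (empty if none)."""
    reasons: List[str] = []
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    referer = rec.get("cs(Referer)", "").lower()

    # The exploit request: POST to ToolPane.aspx in edit mode.
    if (rec.get("cs-method") == "POST"
            and stem.endswith("/toolpane.aspx")
            and "displaymode=edit" in query):
        reasons.append("toolpane_edit_post")
    # The auth-bypass half of the chain rides on a SignOut.aspx Referer.
    if referer.endswith("/_layouts/signout.aspx"):
        reasons.append("signout_referer")
    if rec.get("c-ip") in KNOWN_IOC_IPS:
        reasons.append("known_ioc_ip")

    try:
        when = date.fromisoformat(rec.get("date", ""))
    except ValueError:
        when = None
    if reasons and when is not None and when < MASS_EXPLOITATION_START:
        reasons.append("pre_mass_exploitation")   # review these first
    return reasons


def hunt(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Emit a hit for exploit-shaped requests or known IOC sources.

    A SignOut referer on its own is normal (it precedes every real sign-out),
    so it only adds weight to a hit; it never creates one.
    """
    hits: List[Dict[str, object]] = []
    for rec in parse_w3c(lines):
        reasons = classify(rec)
        if "toolpane_edit_post" in reasons or "known_ioc_ip" in reasons:
            hits.append({
                "date": rec["date"], "time": rec["time"],
                "c-ip": rec["c-ip"], "status": rec["sc-status"],
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(hit)
```

Point the script at every u_ex*.log under the SharePoint web application's IIS log directory, not just the days around July 18–19; a 401 on the exploit request (as in the last sample line) still records a probe and is worth correlating with the source IP elsewhere. Because the "no shell" cluster leaves nothing on disk, these request logs and the corresponding w3wp.exe process telemetry may be the only evidence that survives.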
analyst note

The significance of this unnamed actor lies not in what we know about it, but in what its behavior implies. Pre-disclosure exploitation of a SharePoint zero-day — before patches exist and before public awareness — requires either independent vulnerability discovery, access to restricted research, or intelligence collection on vulnerability development pipelines. The fileless tradecraft is a deliberate operational choice by an actor that expects forensic investigation and wants to deny defenders evidence. The MachineKey focus means the actor's access may persist indefinitely in environments that patched but did not rotate keys. Until this group receives a formal public tracking designation and more attribution work is published, defenders should treat any unattributed early ToolShell activity in their environment as potentially linked to this actor and preserve all available telemetry for future attribution correlation.


— end of profile